[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1179caca by Moritz Muehlenhoff at 2025-01-23T12:33:06+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -271,6 +271,7 @@ CVE-2025-20156 (A vulnerability in the REST API of Cisco Meeting Management coul NOT-FOR-US: Cisco CVE-2025-20128 (A vulnerability in the Object Linking and Embedding 2 (OLE2) decryptio ...) - clamav + [bookworm] - clamav (clamav is being updated via -updates) NOTE: https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html CVE-2025-0651 (Improper Privilege Management vulnerability in Cloudflare WARP on Wind ...) NOT-FOR-US: Cloudflare @@ -286,6 +287,7 @@ CVE-2025-0604 (A flaw was found in Keycloak. When an Active Directory user reset NOT-FOR-US: Keycloak CVE-2025-0395 (When the assert() function in the GNU C Library versions 2.13 to 2.40 ...) - glibc 2.40-6 + [bookworm] - glibc (Minor issue) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=32582 NOTE: https://www.openwall.com/lists/oss-security/2025/01/22/4 NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c (2.40-branch) @@ -873,6 +875,7 @@ CVE-2025-22262 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2025-22150 (Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to v ...) [experimental] - node-undici 7.2.3+dfsg1+~cs24.12.11-1 - node-undici + [bookworm] - node-undici (Minor issue) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975 NOTE: Fixed by: https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0 (v5.28.5) NOTE: Fixed by: https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385 (v6.21.1) 
@@ -10095,10 +10098,12 @@ CVE-2024-37962 (Improper Neutralization of Input During Web Page Generation ('Cr NOT-FOR-US: Agency Dominion Fusion CVE-2024-12801 (Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logba ...) - logback (bug #1091320) + [bookworm] - logback (Minor issue) NOTE: https://logback.qos.ch/news.html#1.5.13 NOTE: Fixed by: https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d (v_1.5.13) CVE-2024-12798 (ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core ...) - logback (bug #1091319) + [bookworm] - logback (Minor issue) NOTE: https://logback.qos.ch/news.html#1.5.13 NOTE: Fixed by: https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183 (v_1.5.13) CVE-2024-12794 (A vulnerability, which was classified as critical, was found in Codezi ...) @@ -10194,6 +10199,7 @@ CVE-2024-4229 (Incorrect Default Permissions vulnerability in Edgecross Basic So NOT-FOR-US: Edgecross Basic Software for Windows CVE-2024-45338 (An attacker can craft an input to the Parse functions that would be pr ...) - golang-golang-x-net (bug #1091168) + [bookworm] - golang-golang-x-net (Minor issue) [bullseye] - golang-golang-x-net (minor issue; DoS) NOTE: https://go-review.googlesource.com/c/net/+/637536 NOTE: https://github.com/golang/go/issues/70906 = data/dsa-needed.txt = @@ -47,6 +47,8 @@ mosquitto (carnil) -- nodejs -- +openjdk-17 (jmm) +-- openjpeg2 -- opennds View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1179caca34b536788b47db21b132ea2b87ee3e0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1179caca34b536788b47db21b132ea2b87ee3e0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
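Review bot: the `[bookworm] - clamav` line in the CVE-2025-20128 hunk carries only the free-form reason "clamav is being updated via -updates" and no version; once the bookworm-updates upload is accepted, replace it with the fixed version (`[bookworm] - clamav <version>`), otherwise the entry reads as a permanent decision not to update rather than as a fix that is in flight.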
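Review bot: in the CVE-2024-12798 hunk the new logback bookworm line is tagged "Minor issue" although the description itself calls it an ACE vulnerability in JaninoEventEvaluator; a NOTE stating why it is considered minor for bookworm (preconditions, exposure, or the need for attacker-controlled configuration, whichever applies) would make the decision auditable instead of implicit, since the two NOTE lines below only point at the upstream news entry and the fixing commit.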
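Review bot: style point in the CVE-2024-45338 hunk: the new `[bookworm] - golang-golang-x-net (Minor issue)` line sits directly above the existing `[bullseye] - golang-golang-x-net (minor issue; DoS)` context line with different capitalisation and less detail; use the same wording on both release lines and keep the "DoS" qualifier, which is the informative part, so the two do not read as different assessments of the same bug.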
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 45945d7d by Moritz Muehlenhoff at 2025-01-21T18:08:52+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -113,7 +113,8 @@ CVE-2024-57930 [tracing: Have process_string() also allow arrays] CVE-2022-4975 NOT-FOR-US: Red Hat Advanced Cluster Security CVE-2025-24014 [segmentation fault in win_line()] - - vim + - vim (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955 NOTE: Fixed by: https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 (v9.1.1043) CVE-2025-24337 (WriteFreely through 0.15.1, when MySQL is used, allows local users to ...) @@ -154,6 +155,7 @@ CVE-2024-22347 (IBM DevOps Velocity 5.0.0 and IBM UrbanCode Velocity 4.0.0 throu NOT-FOR-US: IBM CVE-2024-13176 (Issue summary: A timing side-channel which could potentially allow rec ...) - openssl + [bookworm] - openssl (Minor issue) NOTE: https://openssl-library.org/news/secadv/20250120.txt NOTE: https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f (openssl-3.4.0) NOTE: https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902 (openssl-3.3.0) @@ -1717,6 +1719,7 @@ CVE-2024-11322 (A denial-of-service vulnerability exists in CyberPower PowerPane NOT-FOR-US: CyberPower PowerPanel Business CVE-2024-11029 (A flaw was found in the FreeIPA API audit, where it sends the whole Fr ...) - freeipa (bug #1093383) + [bookworm] - freeipa (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325557 NOTE: Fixed by: https://pagure.io/freeipa/c/3b38efe75865d0696829b4f26572575a8e74ddce (release-4-12-3) NOTE: Fixed by: https://pagure.io/freeipa/c/7a5a10b6bf2e3eafd4b69362ffaece39791be2a8 (release-4-12-3) 
@@ -8480,6 +8483,7 @@ CVE-2024-52046 (The ObjectSerializationDecoder in Apache MINA uses Java\u2019s n [bookworm] - mina (Minor issue) [bullseye] - mina (Minor issue; need specific conditions) - mina2 (bug #1091530) + [bookworm] - mina2 (Minor issue) NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8 CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution with Unne ...) NOT-FOR-US: Dell @@ -9158,10 +9162,12 @@ CVE-2023-4617 (Incorrect authorization vulnerability in HTTP POST method in Gove NOT-FOR-US: Govee Home application on Android and iOS CVE-2024-9102 (phpLDAPadmin since at least version 1.2.0 through the latest version 1 ...) - phpldapadmin (bug #1090914) + [bookworm] - phpldapadmin (Minor issue, revisit when fixed upstream) [bullseye] - phpldapadmin (Minor issue, revisit when fixed upstream) NOTE: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/ CVE-2024-9101 (A reflected cross-site scripting (XSS) vulnerability in the 'Entry Cho ...) - phpldapadmin (bug #1090914) + [bookworm] - phpldapadmin (Minor issue, revisit when fixed upstream) [bullseye] - phpldapadmin (Minor issue, revisit when fixed upstream) NOTE: https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/ CVE-2024-56319 (In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0 before ...) @@ -19241,6 +19247,7 @@ CVE-2024-36276 (Insecure inherited permissions for some Intel(R) CIP software be NOT-FOR-US: Intel CVE-2024-36275 (NULL pointer dereference in some Intel(R) Optane(TM) PMem Management s ...) - ipmctl (bug #1087731) + [bookworm] - ipmctl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01189.html NOTE: https://github.com/intel/ipmctl/commit/59d74ca68fcde3f1a11298a935b470fac09904aa (v03.00.00.0499) NOTE: Fixed in 03.00.00.0499 and later upstream. = data/dsa-needed.txt = @@ -27,6 +27,8 @@ gh -- git (carnil) -- +git-lfs (jmm) +-- jetty9 -- jpeg-xl 
@@ -52,6 +54,8 @@ pagure -- pam-u2f (carnil) -- +pdns-recursor (jmm) +-- php-laravel-framework -- python-django View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45945d7d8fea43f281e0c45f87092c8946b7a710 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45945d7d8fea43f281e0c45f87092c8946b7a710 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.d
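Review bot: in the CVE-2024-52046 hunk the new `[bookworm] - mina2 (Minor issue)` line is less specific than the neighbouring `[bullseye] - mina (Minor issue; need specific conditions)` context line two lines above it; since mina and mina2 are listed under the same ObjectSerializationDecoder CVE, carry the "need specific conditions" qualifier on the mina2 line as well so the rationale is consistent across the two source packages and the two releases.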
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a364510 by Moritz Muehlenhoff at 2025-01-19T22:52:39+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -5204,6 +5204,7 @@ CVE-2024-56828 (File Upload vulnerability in ChestnutCMS through 1.5.0. Based on NOT-FOR-US: ChestnutCMS CVE-2024-55629 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.8-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-69wr-vhwg-84h2 NOTE: Fixed by: https://github.com/OISF/suricata/commit/6882bcb3e51bd3cf509fb6569cc30f48d7bb53d7 (master) NOTE: Fixed by: https://github.com/OISF/suricata/commit/779f9d8ba35c3f9b5abfa327d3a4209861bd2eb8 (master) @@ -5211,6 +5212,7 @@ CVE-2024-55629 (Suricata is a network Intrusion Detection System, Intrusion Prev NOTE: Fixed by: https://github.com/OISF/suricata/commit/c4d8790db85164714c92556fbc8e849e9df6355b (suricata-7.0.8) CVE-2024-55628 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.8-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-96w4-jqwf-qx2j NOTE: Fixed by: https://github.com/OISF/suricata/commit/19cf0f81335d9f787d587450f7105ad95a648951 (master) NOTE: Fixed by: https://github.com/OISF/suricata/commit/37f4c52b22fcdde4adf9b479cb5700f89d00768d (master) 
@@ -5220,6 +5222,7 @@ CVE-2024-55628 (Suricata is a network Intrusion Detection System, Intrusion Prev NOTE: Fixed by: https://github.com/OISF/suricata/commit/71212b78bd1b7b841c9d9a907d0b3eea71a54060 (suricata-7.0.8) CVE-2024-55627 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.8-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-h2mv-7gg8-8x7v NOTE: Fixed by: https://github.com/OISF/suricata/commit/282509f70c4ce805098e59535af445362e3e9ebd (master) NOTE: Fixed by: https://github.com/OISF/suricata/commit/8900041405dbb5f9584edae994af2100733fb4be (master) @@ -5229,11 +5232,13 @@ CVE-2024-55627 (Suricata is a network Intrusion Detection System, Intrusion Prev NOTE: Fixed by: https://github.com/OISF/suricata/commit/7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e (suricata-7.0.8) CVE-2024-55626 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.8-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-wmg4-jqx5-4h9v NOTE: Fixed by: https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb (master) NOTE: Fixed by: https://github.com/OISF/suricata/commit/470795e65ba77cffba3aed850313a5f23c4b278d (suricata-7.0.8) CVE-2024-55605 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.8-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-x2hr-33vp-w289 NOTE: Fixed by: https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76 (suricata-7.0.8) NOTE: Fixed by: https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba (suricata-7.0.8) 
@@ -5313,12 +5318,15 @@ CVE-2024-12970 (Improper Neutralization of Special Elements used in an OS Comman NOT-FOR-US: TUBITAK BILGEM Pardus OS My Computer CVE-2023-6605 (A flaw was found in FFmpeg's DASH playlist support. This vulnerability ...) - ffmpeg + [bookworm] - ffmpeg (Minor issue, wait until it's fixed in the 5.1 branch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334336 CVE-2023-6604 (A flaw was found in FFmpeg. This vulnerability allows unexpected addit ...) - ffmpeg + [bookworm] - ffmpeg (Minor issue, wait until it's fixed in the 5.1 branch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334337 CVE-2023-6601 (A flaw was found in FFmpeg's HLS demuxer. This vulnerability allows by ...) - ffmpeg + [bookworm] - ffmpeg (Minor issue, wait until it's fixed in the 5.1 branch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2253172 CVE-2024-56769 (In the Linux kernel, the following vulnerability has been resolved: m ...) - linux 6.12.8-1 @@ -5566,6 +5574,7 @@ CVE-2024-10932 (The Backup Migration plugin for WordPress is vulnerable to PHP O NOT-FOR-US: WordPress plugin CVE-2025-22376 (In Net::OAuth::Client in the Net::OAuth package before 0.29 for Perl, ...) - libnet-oauth-perl 0.30-1 (bug #1092056) + [b
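Review bot: the five suricata hunks (CVE-2024-55629, CVE-2024-55628, CVE-2024-55627, CVE-2024-55626 and CVE-2024-55605) each add `[bookworm] - suricata (Minor issue)` with no stated reason, while their NOTE lines show every one of them fixed by the same upstream suricata-7.0.8 release that sid already records as 1:7.0.8-1; a single NOTE on the first entry explaining why this batch does not warrant a bookworm point update (or a pointer to where that was decided) would let a later triager avoid re-deriving it for all five, the way the adjacent ffmpeg hunks record "wait until it's fixed in the 5.1 branch".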
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b2dc5be3 by Moritz Muehlenhoff at 2025-01-19T13:21:13+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -52,6 +52,7 @@ CVE-2025-23208 (zot is a production-ready vendor-neutral OCI image registry. The NOT-FOR-US: zot CVE-2025-23207 (KaTeX is a fast, easy-to-use JavaScript library for TeX math rendering ...) - node-katex (bug #1093446) + [bookworm] - node-katex (Minor issue) NOTE: https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546 NOTE: https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c (v0.16.21) TODO: check embeded code copy @@ -8682,6 +8683,7 @@ CVE-2024-49336 (IBM Security Guardium 11.5 is vulnerable to server-side request NOT-FOR-US: IBM CVE-2024-47093 (Improper neutralization of input in Nagvis before version 1.9.42 which ...) - nagvis 1:1.9.42-1 + [bookworm] - nagvis (Minor issue) NOTE: https://github.com/NagVis/nagvis/commit/30e71e8167d17a1828e7da71d6942f6fb36478cd (nagvis-1.9.42) NOTE: https://github.com/NagVis/nagvis/commit/b5b1164007439de526df7d54d5c02d7732ba1c42 (nagvis-1.9.42) CVE-2024-38864 (Incorrect permissions on the Checkmk Windows Agent's data directory in ...) @@ -25033,6 +25035,7 @@ CVE-2024-49762 (Pterodactyl is a free, open-source game server management panel. NOT-FOR-US: Pterodactyl CVE-2024-49760 (OpenRefine is a free, open source tool for working with messy data. Th ...) - openrefine 3.8.7-1 (bug #1086041) + [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4 NOTE: https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c NOTE: https://github.com/OpenRefine/OpenRefine/commit/478285afffea59c893ac472faa74898ab9e5e95a (3.8.3) 
@@ -25058,30 +25061,36 @@ CVE-2024-48208 (pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There NOTE: No security impact, basically just terminates the user's connection CVE-2024-47883 (The OpenRefine fork of the MIT Simile Butterfly server is a modular we ...) - openrefine-butterfly 1.2.6-1 (bug #1086042) + [bookworm] - openrefine-butterfly (Minor issue) NOTE: https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8 NOTE: https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c (1.2.6) CVE-2024-47882 (OpenRefine is a free, open source tool for working with messy data. Pr ...) - openrefine 3.8.7-1 (bug #1086041) + [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g NOTE: https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2 NOTE: https://github.com/OpenRefine/OpenRefine/commit/b0d5dd0a6a40369593f4a6b593e3e0ffa213339e (3.8.3) CVE-2024-47881 (OpenRefine is a free, open source tool for working with messy data. St ...) - openrefine 3.8.7-1 (bug #1086041) + [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8 NOTE: https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 NOTE: https://github.com/OpenRefine/OpenRefine/commit/8a5cced755f9d4544cfc9fd1b9dc9274807b5020 (3.8.3) CVE-2024-47880 (OpenRefine is a free, open source tool for working with messy data. Pr ...) 
- openrefine 3.8.7-1 (bug #1086041) + [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f NOTE: https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d NOTE: https://github.com/OpenRefine/OpenRefine/commit/fbf94fe3f001d6e2aa02e890930cf1affb0847b0 (3.8.3) CVE-2024-47879 (OpenRefine is a free, open source tool for working with messy data. Pr ...) - openrefine 3.8.7-1 (bug #1086041) + [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3 NOTE: https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126 NOTE: https://github.com/OpenRefine/OpenRefine/commit/52c882a447d9efe8d3ef73b78468887c5da39790 (3.8.3) CVE-2024-47878 (OpenRefine is a free, open source tool for working with messy data. Pr ...) - openrefine 3.8.7-1 (bug #1086041) + [bookworm] - openrefine (Minor issue) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/
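Review bot: in the CVE-2025-23207 hunk the node-katex bookworm line is tagged "Minor issue" while the context line `TODO: check embeded code copy` directly below it is still open; an embedded copy of KaTeX in another source package would need its own entry and its own bookworm assessment, so resolve the TODO (or make clear the tag covers node-katex only) before treating the triage as done, otherwise the copy is easy to miss. Also "embeded" should read "embedded".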
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a3335701 by Moritz Muehlenhoff at 2025-01-18T17:16:47+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -5886,6 +5886,7 @@ CVE-2025-22214 (Landray EIS 2001 through 2006 allows Message/fi_message_receiver NOT-FOR-US: WordPress pluginEIS CVE-2024-56830 (The Net::EasyTCP package 0.15 through 0.26 for Perl uses Perl's builti ...) - libnet-easytcp-perl + [bookworm] - libnet-easytcp-perl (Scheduled for removal) NOTE: https://github.com/briandfoy/cpan-security-advisory/issues/184 NOTE: Related to CVE-2002-20002 (direct use of rand for version before < 0.15) CVE-2024-56829 (Huang Yaoshi Pharmaceutical Management Software through 16.0 allows ar ...) @@ -8227,10 +8228,12 @@ CVE-2024-56362 (Navidrome is an open source web-based music collection server an NOT-FOR-US: Navidrome CVE-2024-56326 (Jinja is an extensible templating engine. Prior to 3.1.5, An oversight ...) - jinja2 (bug #1091331) + [bookworm] - jinja2 (Minor issue) NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h NOTE: Fixed by: https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4 (3.1.5) CVE-2024-56201 (Jinja is an extensible templating engine. In versions on the 3.x branc ...) - jinja2 (bug #1091329) + [bookworm] - jinja2 (Minor issue) NOTE: https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699 NOTE: https://github.com/pallets/jinja/issues/1792 NOTE: Fixed by: https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f (3.1.5) 
@@ -8723,6 +8726,7 @@ CVE-2024-55231 (An IDOR vulnerability in the edit-notes.php module of PHPGurukul NOT-FOR-US: PHPGurukul Online Notes Sharing Management System CVE-2024-53580 (iperf v3.17.1 was discovered to contain a segmentation violation via t ...) - iperf3 3.18-1 (bug #1090931) + [bookworm] - iperf3 (Minor issue) NOTE: https://github.com/esnet/iperf/pull/1810 NOTE: https://github.com/esnet/iperf/commit/3f66f604df7f1038a49108c48612c2f4fe71331f (3.18) CVE-2024-51532 (Dell PowerStore contains an Improper Neutralization of Argument Delimi ...) = data/dsa-needed.txt = @@ -29,6 +29,10 @@ git (carnil) -- jetty9 -- +jpeg-xl +-- +libreoffice (jmm) +-- libreswan Waiting on feedback from maintainer -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a33357014c147a3ca8c375a65f8c250892dd222d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a33357014c147a3ca8c375a65f8c250892dd222d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
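Review bot: the CVE-2024-56830 hunk tags bookworm as "Scheduled for removal", but the sid line `- libnet-easytcp-perl` above it carries neither a fixed version nor a bug reference, so nothing in the entry ties the removal plan to a Debian bug; add the bug number, as the jinja2 and iperf3 hunks in this same commit do with `(bug #...)`, so the removal can be tracked to completion. Minor wording nit in the context NOTE: "for version before < 0.15" states the comparison twice.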
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ec0464b by Moritz Muehlenhoff at 2025-01-17T09:21:21+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -324,6 +324,7 @@ CVE-2024-45341 - golang-1.23 1.23.5-1 - golang-1.22 1.22.11-1 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/sSaUhLA-2SI NOTE: https://go.dev/issue/71156 @@ -333,6 +334,7 @@ CVE-2024-45336 - golang-1.23 1.23.5-1 - golang-1.22 1.22.11-1 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/sSaUhLA-2SI NOTE: https://go.dev/issue/70530 @@ -526,6 +528,7 @@ CVE-2025-20072 (Mattermost Mobile versions <= 2.22.0 fail to properly validate t NOT-FOR-US: Mattermost Mobile CVE-2025-0518 (Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg all ...) - ffmpeg + [bookworm] - ffmpeg (Minor issue, wait until it's fixed in the 5.1 branch) NOTE: Fixed by: https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a CVE-2025-0473 (Vulnerability in the PMB platform that allows an attacker to persist t ...) TODO: check 
@@ -2100,118 +2103,148 @@ CVE-2024-57811 (In Eaton X303 3.5.16 - X303 3.5.17 Build 712, an attacker with n NOT-FOR-US: Eaton CVE-2024-57664 (An issue in the sqlg_group_node component of openlink virtuoso-opensou ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1211 CVE-2024-57663 (An issue in the sqlg_place_dpipes component of openlink virtuoso-opens ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1218 NOTE: https://github.com/openlink/virtuoso-opensource/commit/f43a780d70544af89e9af3c62213db81fdd80b2b (v7.2.12) CVE-2024-57662 (An issue in the sqlg_hash_source component of openlink virtuoso-openso ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1217 NOTE: https://github.com/openlink/virtuoso-opensource/commit/834b99868e4ac3cfd778f6f4ad9476764f3c09b6 (v7.2.12) CVE-2024-57661 (An issue in the sqlo_df component of openlink virtuoso-opensource v7.2 ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1220 NOTE: https://github.com/openlink/virtuoso-opensource/commit/a6061c06256a46d87c9e037b9b462259960163bf (v7.2.12) CVE-2024-57660 (An issue in the sqlo_expand_jts component of openlink virtuoso-opensou ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1221 NOTE: https://github.com/openlink/virtuoso-opensource/commit/976880190ee0fcecffac03a6929d268152de3a61 (v7.2.12) CVE-2024-57659 (An issue in the sqlg_parallel_ts_seq component of openlink virtuoso-op ...) 
- virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1212 NOTE: https://github.com/openlink/virtuoso-opensource/commit/59c5767996062a0949b5412822ec8cca1962589f (v7.2.12) CVE-2024-57658 (An issue in the sql_tree_hash_1 component of openlink virtuoso-opensou ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1209 NOTE: https://github.com/openlink/virtuoso-opensource/commit/2fdea48eba6156914c1ba4f488895166c0c00462 (v7.2.12) CVE-2024-57657 (An issue in the sqlg_vec_upd component of openlink virtuoso-opensource ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1219 NOTE: https://github.com/openlink/virtuoso-opensource/commit/cdb0bc3e414e15e2153515af07056daebd3d9153 (v7.2.12) CVE-2024-57656 (An issue in the sqlc_add_distinct_node component of openlink virtuoso- ...) - virtuoso-opensource 7.2.12+dfsg-0.2 + [bookworm] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1210 NOTE: https://github.com/openlink/virtuoso-opensource/com
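Review bot: in the virtuoso-opensource region, CVE-2024-57664 is the only entry that references just an upstream issue (issues/1211) with no "Fixed by" commit, yet its sid line records the same fixed version 7.2.12+dfsg-0.2 as its siblings, each of which points at a v7.2.12 commit; either add the commit that closed issue 1211 or note that the fix is not an isolated commit, otherwise the 7.2.12+dfsg-0.2 claim for that one CVE has no visible evidence behind it.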
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 09d2782b by Moritz Muehlenhoff at 2025-01-15T10:05:54+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -958,7 +958,8 @@ CVE-2025-22613 (WeGIA is an open source web manager with a focus on the Portugue CVE-2025-22138 (@codidact/qpixel is a Q&A-based community knowledge-sharing software. ...) NOT-FOR-US: @codidact/qpixel CVE-2025-22134 (When switching to other buffers using the :all command and visual mode ...) - - vim + - vim (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 NOTE: Fixed by: https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead (v9.1.1003) CVE-2025-0070 (SAP NetWeaver Application Server for ABAP and ABAP Platform allows an ...) 
@@ -1735,11 +1736,13 @@ CVE-2024-5872 (On affected platforms running Arista EOS, a specially crafted pac NOT-FOR-US: Arista EOS CVE-2024-57823 (In Raptor RDF Syntax Library through 2.0.16, there is an integer under ...) - raptor2 (bug #1067896) + [bookworm] - raptor2 (Minor issue, revisit when fixed upstream) [bullseye] - raptor2 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md NOTE: https://github.com/dajobe/raptor/issues/70 CVE-2024-57822 (In Raptor RDF Syntax Library through 2.0.16, there is a heap-based buf ...) - raptor2 (bug #1067896) + [bookworm] - raptor2 (Minor issue, revisit when fixed upstream) [bullseye] - raptor2 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md NOTE: https://github.com/dajobe/raptor/issues/70 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09d2782b224f8c90f34502e33304371b0463d8ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09d2782b224f8c90f34502e33304371b0463d8ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
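Review bot: the two raptor2 hunks (CVE-2024-57823 and CVE-2024-57822) have no "Fixed by" reference and their sid line carries no fixed version, so the "revisit when fixed upstream" condition on the new bookworm lines has only upstream issue #70 and the fuzzing write-up to track; an explicit NOTE that the issues were unfixed upstream at the time of this triage would make clear the entries are waiting on upstream rather than overlooked, and gives the next triager a concrete thing to re-check.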
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ff44 by Moritz Muehlenhoff at 2025-01-13T19:55:02+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1178,10 +1178,10 @@ CVE-2024-51737 (RediSearch is a Redis module that provides querying, secondary i CVE-2024-51480 (RedisTimeSeries is a time-series database (TSDB) module for Redis, by ...) NOT-FOR-US: RedisTimeSeries Redis module CVE-2024-51442 (Command Injection in Minidlna version v1.3.3 and before allows an atta ...) - - minidlna - [bullseye] - minidlna (Minor issue, revisit when fixed upstream) + - minidlna (unimportant) NOTE: https://sourceforge.net/p/minidlna/bugs/364/ NOTE: https://github.com/mselbrede/CVE-2024-51442 + NOTE: Doesn't cross any security boundary, non issue CVE-2024-45345 REJECTED CVE-2024-45344 @@ -5277,6 +5277,7 @@ CVE-2024-8950 (Improper Neutralization of Special Elements used in an SQL Comman NOT-FOR-US: Arne Informatics Piramit Automation CVE-2024-56431 (oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 71 ...) - libtheora (bug #1091633) + [bookworm] - libtheora (Minor issue) NOTE: https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC NOTE: https://github.com/advisories/GHSA-8xp8-gmmj-xc8w NOTE: https://github.com/xiph/theora/issues/18 @@ -5294,6 +5295,7 @@ CVE-2024-52534 (Dell ECS, version(s) prior to ECS 3.8.1.3, contain(s) an Authent NOT-FOR-US: Dell CVE-2024-52046 (The ObjectSerializationDecoder in Apache MINA uses Java\u2019s native ...) - mina + [bookworm] - mina (Minor issue) - mina2 (bug #1091530) NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8 CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution with Unne ...) 
@@ -6932,6 +6934,7 @@ CVE-2024-11841 (The Tithe.ly Giving Button WordPress plugin through 1.1 does not NOT-FOR-US: WordPress plugin CVE-2024-7701 (Use of Password Hash With Insufficient Computational Effort vulnerabil ...) - percona-toolkit (bug #1091435) + [bookworm] - percona-toolkit (Minor issue) NOTE: https://github.com/percona/percona-toolkit/pull/896 NOTE: Fixed by: https://github.com/percona/percona-toolkit/commit/78f20304859ce8d6b236bc2c9c18d74c0b273dd7 (v3.7.0) NOTE: Fixed by: https://github.com/percona/percona-toolkit/commit/3dd1f7da83f642a4e823a098cb4c97e6dc11f478 (v3.7.0) @@ -20507,6 +20510,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack - llvm-toolchain-17 - llvm-toolchain-18 - llvm-toolchain-19 + [bookworm] - llvm-toolchain-19 (Minor issue, doesn't affect the default build flags in Debian and no backport into release branches planned) NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2322994 NOTE: https://github.com/llvm/llvm-project/pull/114433 @@ -264558,6 +264562,7 @@ CVE-2021-3857 (chaskiq is vulnerable to Improper Neutralization of Input During NOT-FOR-US: chaskiq CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request may cau ...) - mina + [bookworm] - mina (Minor issue) - mina2 2.1.5-1 NOTE: https://lists.apache.org/thread/sq0kkqvxcp7xjt8gxdyb650nj8dv6qv0 CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database connect ...) 
@@ -285512,18 +285517,22 @@ CVE-2021-33647 (When performing the inference shape operation of the Tile operat NOT-FOR-US: Mindspore deep learning CVE-2021-33646 (The th_read() function doesn\u2019t free a variable t->th_buf.gnu_long ...) - libtar + [bookworm] - libtar (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295 NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch CVE-2021-33645 (The th_read() function doesn\u2019t free a variable t->th_buf.gnu_long ...) - libtar + [bookworm] - libtar (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295 NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch CVE-2021-33644 (An attacker who submits a crafted tar file with size in header struct ...) - libtar + [bookworm] - libtar (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121292 NOTE: (not-upstream) patch from OpenEuler: https://gitee.com/src-openeuler/libtar/blob/mas
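Review bot: the CVE-2024-51442 hunk drops the `[bullseye] - minidlna (Minor issue, revisit when fixed upstream)` line in favour of `- minidlna (unimportant)`, which is consistent since an unimportant rating applies to every release; the new NOTE "Doesn't cross any security boundary, non issue" is the right place for the reasoning, but given the description's "Command Injection ... allows an attacker" wording it should say in a few words why the party described as the attacker is already inside the trust boundary, so a reader does not have to consult the linked PoC repository to understand the rating. Also "non issue" should be hyphenated as "non-issue".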
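Review bot: in the CVE-2024-52046 hunk only mina receives a bookworm tag while the `- mina2 (bug #1091530)` line immediately below it is left without one; both source packages are listed under the same ObjectSerializationDecoder CVE, so mina2 needs the same bookworm decision in this commit rather than in a later pass.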
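Review bot: the three libtar hunks (CVE-2021-33646, CVE-2021-33645 and CVE-2021-33644) add bookworm "Minor issue" tags, but each sid line is a bare `- libtar` with no fixed version and no Debian bug reference, and the only fix pointer is a patch explicitly marked "(not-upstream)" from openEuler; unlike the libtheora and percona-toolkit hunks in this same commit, nothing links the unfixed sid state to a bug, so file or reference one so that the non-upstream patch and the open sid status are not lost.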
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c97f2d7 by Moritz Muehlenhoff at 2024-12-23T12:57:57+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2024-56378 (libpoppler.so in Poppler through 24.12.0 has an out-of-bounds read vul ...) - poppler + [bookworm] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553 NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e CVE-2024-56375 (An integer underflow was discovered in Fort 1.6.3 and 1.6.4 before 1.6 ...) @@ -684,6 +685,7 @@ CVE-2024-53688 (Improper neutralization of special elements used in an OS comman NOT-FOR-US: FXC AE1021 CVE-2024-52792 (LDAP Account Manager (LAM) is a php webfrontend for managing entries ( ...) - ldap-account-manager (bug #1090934) + [bookworm] - ldap-account-manager (Minor issue) NOTE: https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc CVE-2024-51175 (An issue in H3C switch h3c-S1526 allows a remote attacker to obtain se ...) NOT-FOR-US: H3C switch h3c-S1526 @@ -30879,6 +30881,7 @@ CVE-2024-45240 (The TikTok (aka com.zhiliaoapp.musically) application before 34. CVE-2024-45239 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...) - fort-validator 1.6.3-1 NOTE: https://nicmx.github.io/FORT-validator/CVE.html + NOTE: https://github.com/NICMx/FORT-validator/commit/942f921ba7244cdcf4574cedc4c16392a7cc594b (1.6.3) CVE-2024-45238 (An issue was discovered in Fort before 1.6.3. A malicious RPKI reposit ...) - fort-validator 1.6.3-1 NOTE: https://nicmx.github.io/FORT-validator/CVE.html = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- +fastnetmon (jmm) +-- frr coordination with the maintainer ongoing -- 
@@ -52,7 +54,7 @@ trafficserver -- wordpress -- -xen +xen (jmm) -- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c97f2d70df6784c05d38a9987c8d78b5b0151c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c97f2d70df6784c05d38a9987c8d78b5b0151c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
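Review bot: in the CVE-2024-45239 hunk a commit reference "(1.6.3)" is added, but the neighbouring CVE-2024-45238 entry, which cites the same advisory page and the same fixed version fort-validator 1.6.3-1, gets none; add the corresponding fix commit there too, or a NOTE saying it is covered by the same commit, so the two entries stay reviewable side by side.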
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 77b66633 by Moritz Muehlenhoff at 2024-12-12T15:32:51+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2489,6 +2489,7 @@ CVE-2024-54134 (A publish-access account was compromised for `@solana/web3.js`, NOT-FOR-US: @solana/web3.js CVE-2024-54132 (The GitHub CLI is GitHub\u2019s official command line tool. A security ...) - gh (bug #1089120) + [bookworm] - gh (Minor issue) NOTE: https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj NOTE: Merge commit: https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932 (v2.63.1) CVE-2024-54002 (Dependency-Track is a Component Analysis platform that allows organiza ...) @@ -3766,6 +3767,7 @@ CVE-2024-53859 (go-gh is a Go module for interacting with the `gh` utility and t NOTE: https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh CVE-2024-53858 (The gh cli is GitHub\u2019s official command line tool. A security vul ...) - gh (bug #1088808) + [bookworm] - gh (Minor issue) NOTE: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw CVE-2024-53260 (Autolab is a course management service that enables auto-graded progra ...) NOT-FOR-US: Autolab = data/dsa-needed.txt = 
@@ -19,6 +19,12 @@ chromium (dilinger) frr coordination with the maintainer ongoing -- +gst-plugins-base1.0 (jmm) +-- +gst-plugins-good1.0 +-- +gstreamer1.0 +-- jetty9 -- libreswan View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77b66633bd26c5e8cd5074a49723cff725c6cf5c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77b66633bd26c5e8cd5074a49723cff725c6cf5c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
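Review bot: in the data/dsa-needed.txt hunk, gst-plugins-base1.0 is claimed by jmm while gst-plugins-good1.0 and gstreamer1.0 are added unowned; if the three are meant to ship as one coordinated GStreamer update, say so on a status line under the entries (the file already uses free-text status lines, e.g. "coordination with the maintainer ongoing" under frr), otherwise someone may pick up one of the unowned two in isolation.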
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 27d01493 by Moritz Muehlenhoff at 2024-12-11T11:42:11+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17757,6 +17757,7 @@ CVE-2024-7099 (netease-youdao/qanything version 1.4.1 contains a vulnerability w NOT-FOR-US: netease-youdao/qanything CVE-2024-49214 (QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 2.9.x b ...) - haproxy 2.9.11-1 + [bookworm] - haproxy (Minor issue and not backported to 2.6.x tree) NOTE: https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46 (v3.1-dev7) NOTE: https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=fe5685af820ae62fe5b0d80b5ed7a2ffc41a036f (v2.9.11) CVE-2024-38863 (Exposure of CSRF tokens in query parameters on specific requests in Ch ...) @@ -86831,8 +86832,9 @@ CVE-2024-24821 (Composer is a dependency Manager for the PHP language. In affect NOTE: https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5 (2.7.0) CVE-2024-24820 (Icinga Director is a tool designed to make Icinga 2 configuration hand ...) - icingaweb2-module-director 1.11.1-1 + [bookworm] - icingaweb2-module-director (Minor issue) NOTE: https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3 - TODO: check details + NOTE: https://github.com/Icinga/icingaweb2-module-director/commit/f1e54348c8362b3010eb2d87d8cf380d5ba55135 (v1.10.3) CVE-2024-24819 (icingaweb2-module-incubator is a working project of bleeding edge Icin ...) NOT-FOR-US: icingaweb2-module-incubator CVE-2024-24499 
@@ -262157,14 +262159,11 @@ CVE-2021-39360 (In GNOME libzapojit through 0.0.3, zpj-skydrive.c does not enabl NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4 CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not enable TLS ...) - - libgda5 5.2.10-5 (bug #993592) - [bookworm] - libgda5 (Minor issue) - [bullseye] - libgda5 (Minor issue) - [buster] - libgda5 (Minor issue) - [stretch] - libgda5 (Minor issue, revisit when/if fixed upstream) + - libgda5 5.2.10-5 (bug #993592; unimportant) NOTE: https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/ NOTE: https://gitlab.gnome.org/GNOME/libgda/-/issues/249 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libgda/-/commit/bebdffb4de586fb43fd07ac549121f4b22f6812d (master) + NOTE: Debian builds with --without-libsoup, which disabled the web functionality using libsoup entirely CVE-2021-39358 (In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not enable T ...) - gfbgraph 0.2.5-1 (bug #993537) [bullseye] - gfbgraph (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27d014930078b3966be96502eb3138e4ec2eccee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27d014930078b3966be96502eb3138e4ec2eccee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
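Review bot: in the CVE-2021-39359 hunk the new NOTE reads "which disabled the web functionality using libsoup entirely"; "disables" is what is meant, since it describes the current build configuration. More importantly, that NOTE is now the only record of why the bookworm, bullseye, buster and stretch "Minor issue" lines were collapsed into "(bug #993592; unimportant)": the rating rests entirely on Debian building with --without-libsoup, so it must be revisited if that build flag ever changes.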
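Review bot: in the CVE-2024-24820 hunk, "TODO: check details" is replaced by a fix commit tagged "(v1.10.3)" while the unstable line still says icingaweb2-module-director 1.11.1-1 and the new bookworm line is a bare "Minor issue"; a short hint on the bookworm line about whether the v1.10.3 fix applies to the bookworm package, in the style of the haproxy hunk above ("not backported to 2.6.x tree"), would make the decision reproducible without re-reading the advisory.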
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e92b0db by Moritz Muehlenhoff at 2024-12-11T10:32:16+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1097,6 +1097,7 @@ CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. NOTE: https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c (3.3.8) CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential _execve50 ...) - libposix-2008-perl 0.24-1 + [bookworm] - libposix-2008-perl (Minor issue) CVE-2024-55563 (Bitcoin Core through 27.2 allows transaction-relay jamming via an off- ...) - bitcoin CVE-2024-55560 (MailCleaner before 28d913e has default values of ssh_host_dsa_key, ssh ...) @@ -11782,6 +11783,7 @@ CVE-2024-47939 (Stack-based buffer overflow vulnerability exists in multiple Ric NOT-FOR-US: Ricoh CVE-2024-21510 (Versions of the package sinatra from 0.0.0 are vulnerable to Reliance ...) - ruby-sinatra (bug #1087290) + [bookworm] - ruby-sinatra (Minor issue, too intrusive to backport) NOTE: https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832 NOTE: https://github.com/sinatra/sinatra/pull/2053 NOTE: Rejected upstream fix: https://github.com/sinatra/sinatra/pull/2010 @@ -13411,6 +13413,7 @@ CVE-2024-49767 (Werkzeug is a Web Server Gateway Interface web application libra [bookworm] - python-werkzeug (Minor issue; can be fixed via point release) [bullseye] - python-werkzeug (Vulnerable code introduced later) - quart 0.19.9-1 (bug #1086063) + [bookworm] - quart (Minor issue) NOTE: https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2 NOTE: Introduced by: https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5 (2.0.0rc1) NOTE: Fixed by: https://github.com/pallets/werkzeug/commit/8760275afb72bd10b57d92cb4d52abf759b2f3a7 (3.0.6) 
@@ -32003,6 +32006,7 @@ CVE-2024-42370 (Litestar is an Asynchronous Server Gateway Interface (ASGI) fram NOT-FOR-US: litestar CVE-2024-42367 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - python-aiohttp 3.10.3-2 + [bookworm] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj NOTE: https://github.com/aio-libs/aiohttp/pull/8653 NOTE: https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f (v3.10.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e92b0db91c5b997fff1f189af1f20a9ba119482 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e92b0db91c5b997fff1f189af1f20a9ba119482 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
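Review bot: in the CVE-2024-49767 hunk, quart gets a bare "[bookworm] - quart (Minor issue)" while the python-werkzeug bookworm line two lines above says "Minor issue; can be fixed via point release"; since the advisory and both fix commits in the NOTE lines are werkzeug's, state whether quart needs its own point-release fix or is covered by the werkzeug one. The CVE-2024-21510 hunk, by contrast, is well supported: "too intrusive to backport" is backed by the upstream PR 2053 and the rejected earlier attempt PR 2010 listed in the NOTEs.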
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e87abc2 by Moritz Muehlenhoff at 2024-12-11T09:47:10+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -587,7 +587,8 @@ CVE-2024-47484 (Dell Avamar, version(s) 19.9, contain(s) an Improper Neutralizat CVE-2024-47117 (IBM Carbon Design System (Carbon Charts 0.4.0 through 1.13.16) is vuln ...) NOT-FOR-US: IBM CVE-2024-46657 (Artifex Software mupdf v1.24.9 was discovered to contain a segmentatio ...) - - mupdf (bug #1089681) + - mupdf (bug #1089681; unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: Fixed by: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=b5c898a30f068b5342e8263a2cd5b9f0be291aac (1.25.0-rc1) CVE-2024-46442 (An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attacke ...) NOT-FOR-US: BYD Dilink Headunit System @@ -2930,9 +2931,11 @@ CVE-2024-36611 (In Symfony v7.07, a security vulnerability was identified in the [experimental] - symfony 7.1.0~beta1+dfsg-1 - symfony (bug #1088817) NOTE: https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995 (v7.1.0-BETA1) + NOTE: Not considered a security issue by upstream: https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018 CVE-2024-36610 (A deserialization vulnerability exists in the Stub class of the VarDum ...) - - symfony 6.4.4+dfsg-3 + - symfony 6.4.4+dfsg-3 (unimportant) NOTE: Fixed by: https://github.com/symfony/symfony/commit/3ffd495bb3cc4d2e24e35b2d83c5b909cab7e259 (v6.4.4) + NOTE: Not considered a security issue by upstream: https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018 CVE-2024-35371 (Ant-Media-Serverv2.8.2 is affected by Improper Output Neutralization f ...) NOT-FOR-US: Ant-Media-Server CVE-2024-35369 (In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c m ...) 
@@ -4393,8 +4396,9 @@ CVE-2024-11630 (A vulnerability has been found in E-Lins H685, H685f, H700, H720 CVE-2024-11619 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: macrozheng mall CVE-2024-11612 (7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vu ...) - - 7zip 24.08+dfsg-1 - - p7zip 16.02+transitional.1 + - 7zip 24.08+dfsg-1 (unimportant) + - p7zip 16.02+transitional.1 (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1606/ NOTE: https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/ NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package @@ -50797,6 +50801,7 @@ CVE-2024-2451 (Improper fingerprint validation in the TeamViewer Client (Full & NOT-FOR-US: TeamViewer CVE-2024-2199 (A denial of service vulnerability was found in 389-ds-base ldap server ...) - 389-ds-base 3.1.1+dfsg1-1 (bug #1072531) + [bookworm] - 389-ds-base (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2267976 NOTE: https://github.com/389ds/389-ds-base/commit/36a2f1d5e4e2265140320087104c6799a97c28d9 (389-ds-base-3.1.1) NOTE: https://github.com/389ds/389-ds-base/commit/63946b8e63328efc9b36a01f99d5ba71e243fcfa (389-ds-base-2.4.6) = data/dsa-needed.txt = 
@@ -33,6 +33,8 @@ openafs opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- +php-laravel-framework +-- python-aiohttp (jmm) -- python-django View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e87abc282e32e7e18a87795d273a48d937e2bfe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e87abc282e32e7e18a87795d273a48d937e2bfe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
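Review bot: in the CVE-2024-11612 hunk the justification "NOTE: Crash in CLI tool, no security impact" does not match the CVE description "CopyCoder Infinite Loop Denial-of-Service": a hang is not a crash, and the NOTE should say which it is and why it has no security impact (for instance, whether the loop is reachable only through the command-line tool). Marking p7zip "(unimportant)" is consistent with the existing NOTE that src:p7zip is only an empty source package.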
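Review bot: in the CVE-2024-36611 and CVE-2024-36610 symfony hunks the same upstream comment ("Not considered a security issue by upstream") is added to both entries, but only CVE-2024-36610 is downgraded to "(unimportant)"; CVE-2024-36611 keeps "- symfony (bug #1088817)" with no rating. Either the upstream statement only covers 36610, in which case the NOTE should say so, or 36611 should be downgraded the same way.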
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f3fbb311 by Moritz Muehlenhoff at 2024-12-10T20:09:42+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -441,6 +441,7 @@ CVE-2024-55566 (ColPack 1.0.10 through 9a7293a has a predictable temporary file NOTE: Negligible security impact with fs.protected_symlinks=1 being the standard in Debian CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 ...) - node-postcss + [bookworm] - node-postcss (Minor issue) NOTE: node-postcss bundles nanoid CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential _execve50 ...) - libposix-2008-perl 0.24-1 @@ -1681,6 +1682,7 @@ CVE-2024-53984 (Nanopb is a small code-size Protocol Buffers implementation. Wh NOTE: Fixed by: https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378 CVE-2024-53981 (python-multipart is a streaming multipart parser for Python. When pars ...) - python-multipart (bug #1088991) + [bookworm] - python-multipart (Minor issue) NOTE: https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3 NOTE: Fixed by: https://github.com/Kludex/python-multipart/commit/9205a0ec8c646b9f705430a6bfb52bd957b76c19 (0.0.18) NOTE: Fixed by: https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177 (0.0.19) 
@@ -21631,6 +21633,7 @@ CVE-2024-45752 (logiops through 0.3.4, in its default configuration, allows any CVE-2024-45614 (Puma is a Ruby/Rack web server built for parallelism. In affected vers ...) {DLA-3947-1} - puma 6.4.3-1 (bug #1082379) + [bookworm] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4 NOTE: Fixed by: https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043 (v6.4.3) CVE-2024-43496 (Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability) = data/dsa-needed.txt = @@ -44,7 +44,7 @@ python-tornado -- ring -- -smarty4 +smarty4 (jmm) -- sogo -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3fbb311e94e865420604d225bb74329b577b4f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3fbb311e94e865420604d225bb74329b577b4f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
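Review bot: in the CVE-2024-53981 hunk the bookworm line says "Minor issue" while two upstream fix commits are listed, one for 0.0.18 and one for 0.0.19; if this is later picked up for a point release both are needed, so a word on whether the 0.0.19 commit is a follow-up to the 0.0.18 fix would save a second look. In the CVE-2024-55565 hunk, note that the bookworm annotation on node-postcss refers to the bundled nanoid copy (per the NOTE), so any future fix must patch the embedded copy.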
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ba8e02f3 by Moritz Muehlenhoff at 2024-12-10T17:34:18+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -210,6 +210,7 @@ CVE-2024-48956 (Serviceware Processes 6.0 through 7.3 allows attackers without v NOT-FOR-US: Serviceware Processes CVE-2024-46901 (Insufficient validation of filenames against control characters in Apa ...) - subversion 1.14.5-1 + [bookworm] - subversion (Minor issue) NOTE: https://subversion.apache.org/security/CVE-2024-46901-advisory.txt CVE-2024-46547 (A vulnerability was found in Romain Bourdon Wampserver all versions (d ...) NOT-FOR-US: Romain Bourdon Wampserver @@ -421,6 +422,7 @@ CVE-2023-32094 (Missing Authorization vulnerability in Felix Welberg Extended Po NOT-FOR-US: WordPress plugin CVE-2024-12224 [RUSTSEC-2024-0421] - rust-idna + [bookworm] - rust-idna (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0421.html NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 CVE-2024-9651 (The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and ...) 
@@ -434,8 +436,9 @@ CVE-2024-55579 (An issue was discovered in Qlik Sense Enterprise for Windows bef CVE-2024-55578 (Zammad before 6.4.1 places sensitive data (such as auth_microsoft_offi ...) - zammad (bug #841355) CVE-2024-55566 (ColPack 1.0.10 through 9a7293a has a predictable temporary file (locat ...) - - colpack + - colpack (unimportant) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1225617 + NOTE: Negligible security impact with fs.protected_symlinks=1 being the standard in Debian CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values. 3.3.8 ...) - node-postcss NOTE: node-postcss bundles nanoid View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8e02f3509a9886548f91c2ad5d0bd5ac9a1c22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8e02f3509a9886548f91c2ad5d0bd5ac9a1c22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
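Review bot: in the CVE-2024-55566 hunk the "(unimportant)" rating is justified by "fs.protected_symlinks=1 being the standard in Debian", but the CVE description only says "predictable temporary file"; the rating assumes the attack goes through a symlink in a shared directory, which is what protected_symlinks addresses, so say that in the NOTE. Without it the justification cannot be checked against the description, and a predictable-file issue that does not rely on symlinks would be mis-rated.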
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b2b74b4f by Moritz Muehlenhoff at 2024-12-06T16:40:06+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -5274,7 +5274,7 @@ CVE-2024-52511 (Nextcloud Tables allows users to to create tables with individua NOT-FOR-US: Nextcloud Tables CVE-2024-52510 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) - nextcloud-desktop 3.15.0-1 (bug #1087885) - [bookworm] - nextcloud-desktop (Minor issue) + [bookworm] - nextcloud-desktop (Minor issue, too intrusive to backport) [bullseye] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v NOTE: https://github.com/nextcloud/desktop/pull/7333 @@ -12638,6 +12638,7 @@ CVE-2024-9987 (A post-authentication SQL Injection vulnerability within the filt NOT-FOR-US: Pandora FMS CVE-2024-53899 (virtualenv before 20.26.6 allows command injection through the activat ...) - python-virtualenv 20.26.6+ds-1 + [bookworm] - python-virtualenv (Minor issue) [bullseye] - python-virtualenv (Minor issue) NOTE: https://github.com/pypa/virtualenv/issues/2768 NOTE: https://github.com/pypa/virtualenv/pull/2771 = data/dsa-needed.txt = 
@@ -32,6 +32,8 @@ linux (carnil) -- mosquitto -- +openafs +-- opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2b74b4f470e123d3b08c12dc25f7dff6e5ec7e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2b74b4f470e123d3b08c12dc25f7dff6e5ec7e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
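Review bot: in the CVE-2024-52510 hunk the bookworm line becomes "Minor issue, too intrusive to backport" while the bullseye line directly below keeps a bare "Minor issue"; a backport that is too intrusive for bookworm is unlikely to be simpler for the older bullseye package, so align the bullseye annotation or record why it differs.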
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bba6a790 by Moritz Muehlenhoff at 2024-12-06T14:21:13+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -13,6 +13,7 @@ CVE-2024-6219 (Mark Laing discovered in LXD's PKI mode, until version 5.21.1, th NOTE: incus: https://github.com/lxc/incus/commit/d2bb0d86031cb0c1319914f1fb3842c058edb776 (v0.3.0) CVE-2024-6156 (Mark Laing discovered that LXD's PKI mode, until version 5.21.2, could ...) - lxd + [bookworm] - lxd (Minor issue) - incus NOTE: https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v CVE-2024-54140 (sigstore-java is a sigstore java client for interacting with sigstore ...) @@ -20,7 +21,7 @@ CVE-2024-54140 (sigstore-java is a sigstore java client for interacting with sig CVE-2024-53589 (GNU objdump 2.43 is vulnerable to Buffer Overflow in the BFD (Binary F ...) - binutils (unimportant) NOTE: https://bushido-sec.com/index.php/2024/12/05/binutils-objdump-tekhex-buffer-overflow/ - NOTE: NOTE: binutils not covered by security support + NOTE: binutils not covered by security support CVE-2024-53523 (JSFinder commit d70ab9bc5221e016c08cffaf0d9ac79646c90645 is vulnerable ...) NOT-FOR-US: JSFinder CVE-2024-53457 (A stored cross-site scripting (XSS) vulnerability in the Device Settin ...) @@ -101938,7 +101939,7 @@ CVE-2023-47117 (Label Studio is an open source data labeling tool. In all curren CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control the rem ...) {DLA-3899-1} - python-asyncssh 2.15.0-1 (bug #1055999) - [bookworm] - python-asyncssh (Minor issue) + [bookworm] - python-asyncssh (Minor issue) [buster] - python-asyncssh (Minor issue) NOTE: https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm NOTE: https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e (v2.14.1) = data/dsa-needed.txt = 
@@ -35,8 +35,13 @@ mosquitto opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- +proftpd-dfsg +-- python-aiohttp (jmm) -- +python-django + Chris is working on it +-- python-tornado -- ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bba6a7907bb64b88c192142f5061998171ac445d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bba6a7907bb64b88c192142f5061998171ac445d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
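Review bot: in the CVE-2024-6156 hunk lxd gets "[bookworm] - lxd (Minor issue)" but incus, listed directly below as also affected, gets no release annotation; a reader cannot tell from the entry whether incus is absent from bookworm or simply untriaged, so add either a bookworm line or a NOTE for it.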
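Review bot: the CVE-2024-53589 hunk only drops the duplicated "NOTE: NOTE:" prefix and the CVE-2023-46446 hunk is a whitespace-only change to the bookworm line; both are fine, but they are unrelated to bookworm triage and make this diff noisier than it needs to be; a separate cleanup commit would keep the triage history easier to read.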
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d4762c0c by Moritz Muehlenhoff at 2024-12-05T11:11:29+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -527,6 +527,7 @@ CVE-2024-53990 (The AsyncHttpClient (AHC) library allows Java applications to ea NOTE: https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425 (async-http-client-project-3.0.1) CVE-2024-53984 (Nanopb is a small code-size Protocol Buffers implementation. When the ...) - nanopb 0.4.9.1-1 (bug #1088994) + [bookworm] - nanopb (Minor issue) NOTE: https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r NOTE: Fixed by: https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378 CVE-2024-53981 (python-multipart is a streaming multipart parser for Python. When pars ...) @@ -7887,6 +7888,7 @@ CVE-2024-48010 (Dell PowerProtect DD, versions prior to 8.1.0.0, 7.13.1.10, 7.10 NOT-FOR-US: Dell CVE-2024-47072 (XStream is a simple library to serialize objects to XML and back again ...) - libxstream-java 1.4.21-1 (bug #1087274) + [bookworm] - libxstream-java (Minor issue) NOTE: https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q NOTE: https://x-stream.github.io/CVE-2024-47072.html CVE-2024-46961 (The Inshot com.downloader.privatebrowser (aka Video Downloader - XDown ...) @@ -12392,6 +12394,7 @@ CVE-2024-9287 (A vulnerability has been found in the CPython `venv` module and C - python3.9 - python2.7 (Vulnerable code not present) - pypy3 + [bookworm] - pypy3 (Minor issue) NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/ NOTE: https://github.com/python/cpython/issues/124651 NOTE: https://github.com/python/cpython/pull/124712 = data/dsa-needed.txt = 
@@ -21,6 +21,8 @@ chromium (dilinger) frr coordination with the maintainer ongoing -- +jetty9 +-- libreswan Waiting on feedback from maintainer -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4762c0cc5a596df636a6bfd38db52e4c4b2a61f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4762c0cc5a596df636a6bfd38db52e4c4b2a61f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
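Review bot: in the CVE-2024-53984 hunk the "Fixed by" nanopb commit carries no release tag in parentheses, unlike the other Fixed by lines in this diff (e.g. "(async-http-client-project-3.0.1)" just above it); add the first release containing the fix so the bookworm "Minor issue" can later be re-checked against the packaged version.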
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 008559c0 by Moritz Muehlenhoff at 2024-12-04T10:07:26+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -423,6 +423,7 @@ CVE-2024-53364 (A SQL injection vulnerability was found in PHPGURUKUL Vehicle Pa NOT-FOR-US: PHPGURUKUL Vehicle Parking Management System CVE-2024-53259 (quic-go is an implementation of the QUIC protocol in Go. An off-path a ...) - golang-github-lucas-clemente-quic-go + [bookworm] - golang-github-lucas-clemente-quic-go (Minor issue) NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr NOTE: https://github.com/quic-go/quic-go/pull/4729 NOTE: https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50 (master) 
@@ -874,18 +875,24 @@ CVE-2024-36620 (moby v25.0.0 - v26.0.2 is vulnerable to NULL Pointer Dereference NOTE: Introduced in https://github.com/moby/moby/commit/2a6ff3c24fd790e5d42d2eabaf6acf06edfe6975 (v25.0.0-beta.1) CVE-2024-36619 (FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the libavco ...) - ffmpeg 7:7.1-3 + [bookworm] - ffmpeg (Vulnerable decoder added in 6.0) + [bullseye] - ffmpeg (Vulnerable decoder added in 6.0) NOTE: https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4 (n7.1) CVE-2024-36618 (FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the libavforma ...) - ffmpeg 7:7.0.1-3 + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) NOTE: https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857 (n7.0) CVE-2024-36617 (FFmpeg n6.1.1 has an integer overflow vulnerability in the FFmpeg CAF ...) - ffmpeg 7:7.0.1-3 NOTE: https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7 (n7.0) + NOTE: https://github.com/ffmpeg/ffmpeg/commit/f0e780370cc1c437d64f10d326b1d656ef490b5f (n5.1.5) CVE-2024-36616 (An integer overflow in the component /libavformat/westwood_vqa.c of FF ...) - ffmpeg 7:7.0.1-3 NOTE: https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661 (n7.0) + NOTE: https://github.com/ffmpeg/ffmpeg/commit/a8beef67993aa267de87599007143d9f0ba67c23 (n5.1.5) CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 decoder. Thi ...) - ffmpeg 7:7.1-3 + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) NOTE: https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61 (n7.1) CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in the hand ...) NOT-FOR-US: Zulip 
@@ -900,16 +907,20 @@ CVE-2024-35371 (Ant-Media-Serverv2.8.2 is affected by Improper Output Neutraliza NOT-FOR-US: Ant-Media-Server CVE-2024-35369 (In FFmpeg version n6.1.1, specifically within the avcodec/speexdec.c m ...) - ffmpeg 7:7.0.1-3 + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) NOTE: https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c (n7.0) CVE-2024-35368 (FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame ...) - ffmpeg 7:7.1-3 + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) NOTE: https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c (n7.1) CVE-2024-35367 (FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_alti ...) - ffmpeg 7:7.0.1-3 + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) NOTE: https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667 (n7.0) CVE-2024-35366 (FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in the par ...) - ffmpeg 7:7.0.1-3 NOTE: https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6 (n7.0) + NOTE: https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb (n5.1.5) CVE-2024-11992 (Absolute path traversal vulnerability in Quick.CMS, version 6.7, the e ...) NOT-FOR-US: Quick.CMS CVE-2024-11990 (A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 could al ...) = data/DSA/list = @@ -362,7 +362,7 @@ [bullseye] - libndp 1.6-1+deb11u1 [bookworm] - libndp 1.8-1+deb12u1 [15 Jun 2024] DSA-5712-1 ffmpeg - security update - {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585 CVE-2024-32230} + {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 CVE-2023-51798 CVE-2024-31585 CVE-2024-32230 CVE-2024-36617 CVE-2024-36616 CVE-2024-35366} [bookworm] - ffmpe
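Review bot: in the CVE-2024-36617, CVE-2024-36616 and CVE-2024-35366 hunks, n5.1.5 fix commits are added but no [bookworm] line, while the sibling ffmpeg entries get "[bookworm] - ffmpeg (Pick up when fixed in 5.1.x)"; this is consistent only because the data/DSA/list hunk retroactively appends those three CVEs to DSA-5712-1 of 15 Jun 2024. Since the advisory as published does not list them, the n5.1.5 NOTE lines are the evidence that the shipped version already contained the fixes; keep them, and note that this mail is truncated at "[bookworm] - ffmpe", so the bookworm fixed version cannot be verified here.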
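Review bot: in the CVE-2024-36619 hunk the bookworm and bullseye lines record a not-affected state as "Vulnerable decoder added in 6.0"; the same kind of fact is phrased elsewhere in this list as "Vulnerable code introduced later" (python-werkzeug, bullseye line under CVE-2024-49767), so picking one wording would keep these annotations greppable.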
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 493f0ae9 by Moritz Muehlenhoff at 2024-12-04T09:23:33+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -4780,6 +4780,7 @@ CVE-2024-52511 (Nextcloud Tables allows users to to create tables with individua NOT-FOR-US: Nextcloud Tables CVE-2024-52510 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) - nextcloud-desktop (bug #1087885) + [bookworm] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v NOTE: https://github.com/nextcloud/desktop/pull/7333 NOTE: https://github.com/nextcloud/desktop/commit/8cce183ba4ce46ddef58751fe5358efdea8d0114 = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- +ceph +-- frr coordination with the maintainer ongoing -- @@ -24,6 +26,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more 6.1.y versions -- +mosquitto +-- opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- @@ -40,6 +44,8 @@ smarty4 -- sogo -- +tcpdf +-- trafficserver -- wordpress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493f0ae988cbf0944b2bd69e3dace55f4e1ace3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493f0ae988cbf0944b2bd69e3dace55f4e1ace3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9494fe83 by Moritz Muehlenhoff at 2024-11-29T17:18:48+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -251,6 +251,7 @@ CVE-2024-11738 NOTE: https://github.com/rustls/rustls/issues/2227 CVE-2024-53920 (In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to i ...) - emacs + [bookworm] - emacs (Minor issue, revisit when fixed upstream) NOTE: https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html NOTE: https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/ CVE-2024-53855 (Centurion ERP (Enterprise Rescource Planning) is a simple application ...) @@ -794,6 +795,7 @@ CVE-2024-53930 (WikiDocs before 1.0.65 allows stored XSS by authenticated users NOT-FOR-US: WikiDocs CVE-2024-53916 (In OpenStack Neutron through 25.0.0, neutron/extensions/tagging.py can ...) - neutron + [bookworm] - neutron (Minor issue, revisit when fixed upstream) NOTE: https://review.opendev.org/c/openstack/neutron/+/935883 CVE-2024-53915 (An issue was discovered in the server in Veritas Enterprise Vault befo ...) NOT-FOR-US: Veritas Enterprise Vault @@ -891,6 +893,7 @@ CVE-2024-11646 (A vulnerability classified as critical was found in 1000 Project NOT-FOR-US: 1000 Projects Beauty Parlour Management System CVE-2024-11498 (There exists a stack buffer overflow in libjxl.A specifically-crafted ...) - jpeg-xl + [bookworm] - jpeg-xl (Minor issue) NOTE: https://github.com/libjxl/libjxl/pull/3943 NOTE: https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9 CVE-2024-11403 (There exists an out of bounds read/write in LibJXL versions prior to c ...) 
@@ -4597,6 +4600,7 @@ CVE-2024-23919 (Improper buffer restrictions in some Intel(R) Graphics software NOT-FOR-US: Intel CVE-2024-23918 (Improper conditions check in some Intel(R) Xeon(R) processor memory co ...) - intel-microcode 3.20241112.1 (bug #1087532) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112 CVE-2024-23312 (Uncontrolled search path for some Intel(R) Binary Configuration Tool s ...) @@ -4616,12 +4620,14 @@ CVE-2024-22185 (Time-of-check Time-of-use Race Condition in some Intel(R) proces NOT-FOR-US: Intel CVE-2024-21853 (Improper finite state machines (FSMs) in the hardware logic in some 4t ...) - intel-microcode 3.20241112.1 (bug #1087532) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112 CVE-2024-21850 (Sensitive information in resource not removed before reuse in some Int ...) NOT-FOR-US: Intel CVE-2024-21820 (Incorrect default permissions in some Intel(R) Xeon(R) processor memor ...) - intel-microcode 3.20241112.1 (bug #1087532) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112 CVE-2024-21808 (Improper buffer restrictions in some Intel(R) VPL software before vers ...) 
@@ -128445,6 +128451,7 @@ CVE-2023-2143 (The Enable SVG, WebP & ICO Upload WordPress plugin through 1.0.3 NOT-FOR-US: WordPress plugin CVE-2023-2142 (In Nunjucks versions prior to version 3.2.4, it was possible to bypas ...) - node-nunjucks (bug #1088331) + [bookworm] - node-nunjucks (Minor issue) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1825980 NOTE: https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw CVE-2023-2141 (An unsafe .NET object deserialization in DELMIA Apriso Release 2017 th ...) @@ -135258,6 +135265,7 @@ CVE-2023-1522 (SQL Injection in the Hardware Inventory report of Security Center NOT-FOR-US: Security Center CVE-2023-1521 (On Linux the sccache client can execute arbitrary code with the privil ...) - sccache 0.5.3-1 + [bookworm] - sccache (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-046_ScCache/ NOTE: https://github.com/advisories/GHSA-x7fr-pg8f-93f5 NOTE: ttps://github.com/mozilla/sccache/pull/1663 = data/dsa-needed.txt
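Review bot: the context line `NOTE: ttps://github.com/mozilla/sccache/pull/1663` under CVE-2023-1521 carries a malformed URL (missing the leading `h`); since this commit touches that entry anyway, it is worth correcting in a follow-up so the reference resolves.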
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e17e5e2a by Moritz Muehlenhoff at 2024-11-25T10:52:49+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2024-53901 (The Imager package before 1.025 for Perl has a heap-based buffer overf ...) - libimager-perl 1.025+dfsg-1 + [bookworm] - libimager-perl (Minor issue) NOTE: https://github.com/tonycoz/imager/issues/534 NOTE: https://github.com/tonycoz/imager/commit/7851737838aa86113b276aea02729cc1f6e9eed0 (v1.025) NOTE: https://github.com/briandfoy/cpan-security-advisory/issues/167 @@ -1076,9 +1077,11 @@ CVE-2024-52765 (H3C GR-1800AX MiniGRW1B0V100R007 is vulnerable to remote code ex NOT-FOR-US: H3C GR-1800AX MiniGRW1B0V100R007 CVE-2024-52763 (A cross-site scripting (XSS) vulnerability in the component /graph_all ...) - ganglia-web + [bookworm] - ganglia-web (Minor issue, revisit when fixed upstream) NOTE: https://github.com/ganglia/ganglia-web/issues/382 CVE-2024-52762 (A cross-site scripting (XSS) vulnerability in the component /master/he ...) - ganglia-web + [bookworm] - ganglia-web (Minor issue, revisit when fixed upstream) NOTE: https://github.com/ganglia/ganglia-web/issues/382 CVE-2024-52757 (D-LINK DI-8003 v16.07.16A1 was discovered to contain a buffer overflow ...) NOT-FOR-US: D-LINK = data/dsa-needed.txt = 
@@ -27,13 +27,15 @@ linux (carnil) opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- -php8.2 +php8.2 (jmm) -- python-aiohttp (jmm) -- +python-tornado +-- ring -- -smarty3 +smarty3 (jmm) Tobias Frost posted a debdiff for review addressing CVE-2023-28447 and CVE-2024-35226 -- smarty4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e17e5e2abbab32e25994ab5be3f247f30029830c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e17e5e2abbab32e25994ab5be3f247f30029830c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8126cd6c by Moritz Muehlenhoff at 2024-11-23T20:34:11+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -834,6 +834,7 @@ CVE-2024-53426 (A heap-buffer-overflow vulnerability has been identified in ntop NOTE: https://github.com/ntop/ntopng/issues/8793 CVE-2024-53425 (A heap-buffer-overflow vulnerability was discovered in the SkipSpacesA ...) - assimp + [bookworm] - assimp (Minor issue, revisit when fixed upstream) NOTE: https://github.com/assimp/assimp/issues/5860 CVE-2024-53335 (TOTOLINK A810R V4.1.2cu.5182_B20201026 is vulnerable to Buffer Overflo ...) NOT-FOR-US: TOTOLINK @@ -963,10 +964,12 @@ CVE-2024-52067 (Apache NiFi 1.16.0 through 1.28.0 and 2.0.0-M1 through 2.0.0-M4 NOT-FOR-US: Apache NiFi CVE-2024-11596 (ECMP dissector crash in Wireshark 4.4.0 to 4.4.1 and 4.2.0 to 4.2.8 al ...) - wireshark 4.4.2-1 + [bookworm] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-15.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20214 CVE-2024-11595 (FiveCo RAP dissector infinite loop in Wireshark 4.4.0 to 4.4.1 and 4.2 ...) - wireshark 4.4.2-1 + [bookworm] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-14.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20176 CVE-2024-53095 (In the Linux kernel, the following vulnerability has been resolved: s ...) 
@@ -2311,6 +2314,7 @@ CVE-2023-52921 (In the Linux kernel, the following vulnerability has been resolv NOTE: https://git.kernel.org/linus/90e065677e0362a777b9db97ea21d43a39211399 (6.5-rc6) CVE-2024-10524 (Applications that use Wget to access a remote resource using shorthand ...) - wget (bug #1088023) + [bookworm] - wget (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/11/18/6 NOTE: https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/ NOTE: Fixed by: https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778 (v1.25.0) @@ -2501,9 +2505,11 @@ CVE-2024-5030 (The CM Table Of Contents WordPress plugin before 1.2.3 does not NOT-FOR-US: WordPress plugin CVE-2024-52947 (A cross-site scripting (XSS) vulnerability in LemonLDAP::NG before 2.2 ...) - lemonldap-ng 2.20.1+ds-1 + [bookworm] - lemonldap-ng (Minor issue, will be fixed via spu) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257 CVE-2024-52946 (An issue was discovered in LemonLDAP::NG before 2.20.1. An Improper Ch ...) - lemonldap-ng 2.20.1+ds-1 + [bookworm] - lemonldap-ng (Minor issue, will be fixed via spu) NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255 CVE-2024-52945 (An issue was discovered in Veritas NetBackup before 10.5. This only ap ...) NOT-FOR-US: Veritas NetBackup @@ -2778,6 +2784,7 @@ CVE-2024-52523 (Nextcloud Server is a self hosted personal cloud system. After s - nextcloud-server (bug #941708) CVE-2024-52522 (Rclone is a command-line program to sync files and directories to and ...) - rclone (bug #1088107) + [bookworm] - rclone (Minor issue) NOTE: https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv NOTE: https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0 (master) NOTE: https://github.com/rclone/rclone/commit/669b2f2669cacd634faa2bcecb589b76e1402533 (v1.68.2) 
@@ -5930,6 +5937,7 @@ CVE-2024-10964 (A vulnerability classified as critical has been found in emqx ne NOT-FOR-US: emqx neuron CVE-2024-10963 (A flaw was found in pam_access, where certain rules in its configurati ...) - pam (bug #1087019) + [bookworm] - pam (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2324291 NOTE: https://github.com/linux-pam/linux-pam/issues/834 CVE-2024-10668 (There exists an auth bypass in Google Quickshare where an attacker can ...) @@ -6900,6 +6908,7 @@ CVE-2023-34443 (Combodo iTop is a simple, web based IT Service Management tool. NOT-FOR-US: Combodo iTop CVE-2024-51744 (golang-jwt is a Go implementation of JSON Web Tokens. Unclear document ...) - golang-github-golang-jwt-jwt (bug #1086792) + [bookworm] - golang-github-golang-jwt-jwt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2323735 NOTE: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c (v4.5.1) CVE-2024-9147 (Improper Neutralization of Script-Related HTML Tags in a Web Page (Bas ...) = data/d
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 525ce4c4 by Moritz Muehlenhoff at 2024-11-12T14:22:10+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -16,19 +16,25 @@ CVE-2024-52533 (gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-on TODO: check if has impact on embedded copy in src:gobject-introspection CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory consumptio ...) - libsoup3 + [bookworm] - libsoup3 (Minor issue) - libsoup2.4 + [bookworm] - libsoup2.4 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391 NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410 NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in applications th ...) - libsoup3 + [bookworm] - libsoup3 (Minor issue) - libsoup2.4 + [bookworm] - libsoup2.4 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407 NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/3c54033634ae537b52582900a7ba432c52ae8174 NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283 CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in some confi ...) - libsoup3 3.5.2-1 + [bookworm] - libsoup3 (Minor issue) - libsoup2.4 + [bookworm] - libsoup2.4 (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377 NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b (3.5.2) CVE-2024-52288 (libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised D ...) 
@@ -229,18 +235,25 @@ CVE-2024-10179 (The Slickstream: Engagement and Conversions plugin for WordPress TODO: check CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the --hidden-recipien ...) - mutt + [bookworm] - mutt (Minor issue) - neomutt + [bookworm] - neomutt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332 CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not protecte ...) - mutt + [bookworm] - mutt (Minor issue) - neomutt + [bookworm] - neomutt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330 CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not validated by ...) - mutt + [bookworm] - mutt (Minor issue) - neomutt + [bookworm] - neomutt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317 CVE-2024-11079 (A flaw was found in Ansible-Core. This vulnerability allows attackers ...) - ansible-core + [bookworm] - ansible-core (Minor issue) - ansible 5.4.0-1 NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325171 @@ -1542,6 +1555,7 @@ CVE-2024-10027 (The WP Booking Calendar WordPress plugin before 10.6.3 does not NOT-FOR-US: WordPress plugin CVE-2024-9902 (A flaw was found in Ansible. The ansible-core `user` module can allow ...) - ansible-core 2.18.0-1 (bug #1086883) + [bookworm] - ansible-core (Minor issue) - ansible 5.4.0-1 NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2318271 
@@ -1563,11 +1577,13 @@ CVE-2024-51757 (happy-dom is a JavaScript implementation of a web browser withou NOT-FOR-US: happy-dom CVE-2024-51755 (Twig is a template language for PHP. In a sandbox, an attacker can acc ...) - php-twig 3.14.2-1 (bug #1086884) + [bookworm] - php-twig (Minor issue) - twig NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh NOTE: Fixed by: https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21 (v3.14.1) CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker can cal ...) - php-twig 3.14.2-1 (bug #1086884) + [bookworm] - php-twig (Minor issue) - twig NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6 NOTE: Fixed by: https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 (v3.14.1) @@ -4432,6 +4448,7 @@ CVE-2024-10214 (Mattermost versions 9.11.X <= 9.11.1, 9.5.x <= 9.5.9 icorrectly - mattermost-server (bug #823556) CVE-2024-45802 (Squid is an open
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6bf6ebf2 by Moritz Muehlenhoff at 2024-11-05T17:31:24+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -406,6 +406,7 @@ CVE-2024-10310 (The Element Pack Elementor Addons (Header Footer, Template Libra NOT-FOR-US: WordPress plugin CVE-2024-51774 (qBittorrent before 5.0.1 proceeds with use of https URLs even after ce ...) - qbittorrent 5.0.1-1 + [bookworm] - qbittorrent (Minor issue) NOTE: https://sharpsec.run/rce-vulnerability-in-qbittorrent/ CVE-2024-7456 (A SQL injection vulnerability exists in the `/api/v1/external-users` r ...) NOT-FOR-US: lunary-ai/lunary @@ -903,8 +904,11 @@ CVE-2024-8185 (Vault Community and Vault Enterprise (\u201cVault\u201d) clusters NOT-FOR-US: HashiCorp Vault CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure stack cont ...) - llvm-toolchain-14 + [bookworm] - llvm-toolchain-14 (Minor issue) - llvm-toolchain-15 + [bookworm] - llvm-toolchain-15 (Minor issue) - llvm-toolchain-16 + [bookworm] - llvm-toolchain-16 (Minor issue) - llvm-toolchain-17 - llvm-toolchain-18 NOTE: https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability @@ -1564,6 +1568,7 @@ CVE-2024-22066 (There is a privilege escalation vulnerability in ZTE ZXR10 ZSR V NOT-FOR-US: ZTE CVE-2024-10491 (A vulnerability has been identified in the Express response.linksfunct ...) - node-express + [bookworm] - node-express (Minor issue) NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-10491 NOTE: check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards CVE-2024-10474 (Focus was incorrectly allowing internal links to utilize the app schem ...) 
@@ -2297,6 +2302,7 @@ CVE-2024-10413 (A vulnerability, which was classified as critical, has been foun NOT-FOR-US: SourceCodester CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a crash wit ...) - expat 2.6.3-2 (bug #1086134) + [bookworm] - expat (Minor issue) NOTE: https://github.com/libexpat/libexpat/pull/915 CVE-2024-10412 (A vulnerability was found in Poco-z Guns-Medical 1.0. It has been decl ...) NOT-FOR-US: Poco-z Guns-Medical @@ -6787,6 +6793,7 @@ CVE-2024-49193 (Zendesk before 2024-07-02 allows remote attackers to read ticket NOT-FOR-US: Zendesk CVE-2024-6519 (A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI H ...) - qemu (bug #1085299) + [bookworm] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292089 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1382/ CVE-2024-9860 (The Bridge Core plugin for WordPress is vulnerable to unauthorized mod ...) @@ -94492,10 +94499,8 @@ CVE-2023-46478 (An issue in minCal v.1.0.0 allows a remote attacker to execute a CVE-2023-46451 (Best Courier Management System v1.0 is vulnerable to Cross Site Script ...) NOT-FOR-US: Best Courier Management System CVE-2023-46361 (Artifex Software jbig2dec v0.20 was discovered to contain a SEGV vulne ...) - - jbig2dec (bug #1055387) - [bookworm] - jbig2dec (Minor issue) - [bullseye] - jbig2dec (Minor issue) - [buster] - jbig2dec (Minor issue) + - jbig2dec (bug #1055387; unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/jbig2dec-SEGV/jbig2dec-SEGV.md NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707308 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=705041 
@@ -127929,8 +127934,8 @@ CVE-2023-28430 (OneSignal is an email, sms, push notification, and in-app messag CVE-2023-28429 (Pimcore is an open source data and experience management platform. Ver ...) NOT-FOR-US: Pimcore CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In versions 1. ...) - - ippsample (bug #1034155) - [bookworm] - ippsample (Minor issue) + - ippsample (bug #1034155; unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31 (v1.1.1) NOTE: https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for Jav ...) @@ -322400,6 +322405,7 @@ CVE-2020-23885 CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial ...) - qt6-base (Fixed before initial upload to the archive) - qtimageformats-opensourc
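Review bot: the new `[bookworm] - node-express (Minor issue)` tag for CVE-2024-10491 sits directly above the still-open `NOTE: check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards`; if that version range holds, bookworm would not be affected at all and the entry should record that outcome instead of a minor-issue tag, so the pending check should be resolved before or alongside this triage.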
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fee93e6 by Moritz Muehlenhoff at 2024-10-29T12:21:49+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -491,6 +491,7 @@ CVE-2024-9162 (The All-in-One WP Migration and Backup plugin for WordPress is vu CVE-2024-50624 (ispdbservice.cpp in KDE Kmail before 6.2.0 allows man-in-the-middle at ...) [experimental] - kmail-account-wizard 4:24.08.0-1 - kmail-account-wizard (bug #1086198) + [bookworm] - kmail-account-wizard (Minor issue) NOTE: https://bugs.kde.org/show_bug.cgi?id=487882 NOTE: https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4 (v24.07.80) CVE-2024-50623 (In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and LexiCom ...) 
@@ -499,20 +500,25 @@ CVE-2024-50616 (Ironman PowerShell Universal 5.x before 5.0.12 allows an authent NOT-FOR-US: Ironman PowerShell Universal CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit, ...) - tinyxml2 + [bookworm] - tinyxml2 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/leethomason/tinyxml2/issues/997 CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/16, tha ...) - tinyxml2 + [bookworm] - tinyxml2 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/leethomason/tinyxml2/issues/996 CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may lead to a ...) - libsndfile + [bookworm] - libsndfile (Minor issue, revisit when fixed upstream) NOTE: https://github.com/libsndfile/libsndfile/issues/1034 CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c vorbis_analysis_wrote out ...) - libsndfile + [bookworm] - libsndfile (Minor issue, revisit when fixed upstream) NOTE: https://github.com/libsndfile/libsndfile/issues/1035 CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an untrusted codeba ...) NOT-FOR-US: CycloneDX cdxgen CVE-2024-50610 (GSL (GNU Scientific Library) through 2.8 has an integer signedness err ...) - gsl 2.8+dfsg-4 (bug #1086206) + [bookworm] - gsl (Minor issue) NOTE: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg0.html CVE-2024-50307 (Use of potentially dangerous function issue exists in Chatwork Desktop ...) NOT-FOR-US: Chatwork Desktop Application 
@@ -1181,9 +1187,11 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and Linux contains a vulner [bullseye] - nvidia-graphics-drivers-tesla-460 (Non-free not supported) NOTE: 460.106.00-3 turned the package into a metapackage to aid switching to nvidia-graphics-drivers-tesla-470 - nvidia-graphics-drivers-tesla-470 (bug #1085974) + [bookworm] - nvidia-graphics-drivers-tesla-470 (Non-free not supported) - nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1085975) NOTE: 525.147.05-6 turned the package into a metapackage to aid switching to nvidia-graphics-drivers - nvidia-open-gpu-kernel-modules (bug #1085976) + [bookworm] - nvidia-open-gpu-kernel-modules (Contrib not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5586 CVE-2024-48936 (SchedMD Slurm before 24.05.4 has Incorrect Authorization. A mistake in ...) - slurm-wlm (bug #1086003) @@ -1408,6 +1416,7 @@ CVE-2024-10250 (The Nioland theme for WordPress is vulnerable to Reflected Cross NOT-FOR-US: WordPress theme CVE-2024-10041 (A vulnerability was found in PAM. The secret information is stored in ...) - pam (bug #1086038) + [bookworm] - pam (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2319212 NOTE: https://github.com/linux-pam/linux-pam/issues/846 NOTE: https://github.com/linux-pam/linux-pam/pull/686 
@@ -4330,13 +4339,10 @@ CVE-2024-9925 (SQL injection vulnerability in TAI Smart Factory's QPLANT SF vers CVE-2024-9895 (The Smart Online Order for Clover plugin for WordPress is vulnerable t ...) NOT-FOR-US: WordPress plugin CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A symlink tra ...) - - cri-o (bug #979702) - golang-github-containers-buildah [bookworm] - golang-github-containers-buildah (Minor issue) - golang-github-containers-storage 1.55.1+ds1-1 [bookworm] - golang-github-containers-storage (Minor issue) - - libpod - - podman NOTE: https://github.com/advisories/GHSA-wq2p-5pc6-wpgf NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317467 NOTE: https://github.com/containers/buildah/pull/5786 ==
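Review bot: the CVE-2024-9676 hunk in data/CVE/list removes the `- cri-o (bug #979702)`, `- libpod` and `- podman` lines without any NOTE recording why those source packages are no longer listed; a one-line NOTE stating the reason would keep the triage reasoning traceable for the next person touching the entry.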
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0334f2bf by Moritz Muehlenhoff at 2024-10-23T18:02:03+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2955,6 +2955,7 @@ CVE-2024-47876 (Sakai is a Collaboration and Learning Environment. Starting in v NOT-FOR-US: Sakai CVE-2024-47874 (Starlette is an Asynchronous Server Gateway Interface (ASGI) framework ...) - starlette 0.41.0-1 (bug #1085295) + [bookworm] - starlette (Minor issue) NOTE: https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw NOTE: https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0) CVE-2024-47824 (matrix-react-sdk is react-based software development kit for inserting ...) @@ -5704,6 +5705,7 @@ CVE-2023-37822 (The Eufy Homebase 2 before firmware version 3.3.4.1h creates a d NOT-FOR-US: Eufy HomeBase 2 model T8010X CVE-2024-8508 (NLnet Labs Unbound up to and including version 1.21.0 contains a vulne ...) - unbound 1.21.1-1 (bug #1083282) + [bookworm] - unbound (Minor issue) NOTE: Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt NOTE: Patch: https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff NOTE: Fixed by: https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259 (release-1.21.1) @@ -7592,6 +7594,7 @@ CVE-2024-46639 (A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 a CVE-2024-46544 (Incorrect Default Permissions vulnerability in Apache Tomcat Connector ...) {DLA-3919-1} - libapache-mod-jk (bug #1082713) + [bookworm] - libapache-mod-jk (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/09/23/1 NOTE: Fixed by: https://github.com/apache/tomcat-connectors/commit/d55706e92b65018c2e4c7ab14014a996b0174966 (JK_1_2_50) CVE-2024-46241 (PHPGurukul Dairy Farm Shop Management System v1.1 is vulnerable to Cro ...) 
@@ -7808,6 +7811,7 @@ CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and vir NOTE: https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw all ...) - pcp 6.3.1-1 + [bookworm] - pcp (Minor issue) [bullseye] - pcp (The vulnerable code was introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310452 NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1 @@ -7815,6 +7819,7 @@ CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This fl NOTE: Fixed by: https://github.com/performancecopilot/pcp/commit/eadb79aab46175d7a58d0fa88028408743e2a93f (6.3.1) CVE-2024-45770 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw can ...) - pcp 6.3.1-1 + [bookworm] - pcp (Minor issue) [bullseye] - pcp (Minor issue, requires root access) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310451 NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1 @@ -24597,6 +24602,7 @@ CVE-2024-6643 REJECTED CVE-2024-6531 (A vulnerability has been identified in Bootstrap that exposes users to ...) - twitter-bootstrap4 (bug #1084059) + [bookworm] - twitter-bootstrap4 (Minor issue) - twitter-bootstrap3 (Only affects 4.x) NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6531 CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generation (' ...) 
@@ -24604,10 +24610,12 @@ CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page Generati CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that could e ...) - twitter-bootstrap4 (Only affects 3.x) - twitter-bootstrap3 (bug #1084060) + [bookworm] - twitter-bootstrap3 (Minor issue) NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6485 CVE-2024-6484 (A vulnerability has been identified in Bootstrap that exposes users to ...) - twitter-bootstrap4 (Only affects 3.x) - twitter-bootstrap3 (bug #1084060) + [bookworm] - twitter-bootstrap3 (Minor issue) NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6484 CVE-2024-6407 (CWE-200: Information Exposure vulnerability exists that could cause di ...) NOT-FOR-US: Schneider Electric = data/dsa-needed.txt = @@ -23,7 +23,7 @@ chromium (dilinger) frr coordination with the maintainer ongoing -- -libheif +libheif (jmm) -- libreswan Waiting on feedback from maintainer @@ -32,6 +32,8 @@ linux (carnil) Wait
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5816881c by Moritz Muehlenhoff at 2024-10-23T11:01:45+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1783,6 +1783,7 @@ CVE-2024-10195 (A vulnerability was found in Tecno 4G Portable WiFi TR118 V008-2 NOT-FOR-US: Tecno 4G Portable WiFi TR118 CVE-2024- [XSS Vulnerability in matrix.pl] - dbeacon 0.4.0-3 (bug #1031542) + [bookworm] - dbeacon (Minor issue) CVE-2024-49631 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) NOT-FOR-US: WordPress plugin CVE-2024-49630 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) @@ -2489,16 +2490,19 @@ CVE-2024-47637 (: Relative Path Traversal vulnerability in LiteSpeed Technologie NOT-FOR-US: WordPress plugin CVE-2024-47522 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.7-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-w5xv-6586-jpm7 NOTE: https://redmine.openinfosecfoundation.org/issues/7267 CVE-2024-47351 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) NOT-FOR-US: WordPress plugin CVE-2024-47188 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.7-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-qq5v-qcjx-f872 NOTE: https://redmine.openinfosecfoundation.org/issues/7289 CVE-2024-47187 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.7-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-64ww-4f6x-863p NOTE: https://redmine.openinfosecfoundation.org/issues/7209 CVE-2024-47139 (A stored cross-site scripting (XSS) vulnerability exists in an undiscl ...) 
@@ -2511,14 +2515,17 @@ CVE-2024-45844 (BIG-IP monitor functionality may allow an attacker to bypass acc NOT-FOR-US: BIG-IP CVE-2024-45797 (LibHTP is a security-aware parser for the HTTP protocol and the relate ...) - libhtp 1:0.5.49-1 + [bookworm] - libhtp (Minor issue) NOTE: https://github.com/OISF/libhtp/security/advisories/GHSA-rqqp-24ch-248f NOTE: https://redmine.openinfosecfoundation.org/issues/7191 CVE-2024-45796 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.7-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg NOTE: https://redmine.openinfosecfoundation.org/issues/7067 CVE-2024-45795 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.7-1 + [bookworm] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g NOTE: https://redmine.openinfosecfoundation.org/issues/7195 CVE-2024-45072 (IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to an XML E ...) @@ -2885,7 +2892,9 @@ CVE-2024-9895 (The Smart Online Order for Clover plugin for WordPress is vulnera CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A symlink tra ...) - cri-o (bug #979702) - golang-github-containers-buildah + [bookworm] - golang-github-containers-buildah (Minor issue) - golang-github-containers-storage 1.55.1+ds1-1 + [bookworm] - golang-github-containers-storage (Minor issue) - libpod - podman NOTE: https://github.com/advisories/GHSA-wq2p-5pc6-wpgf 
@@ -2913,6 +2922,7 @@ CVE-2024-49195 (Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/ CVE-2024-48948 (The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementatio ...) - node-elliptic (bug #1085298) + [bookworm] - node-elliptic (Minor issue) NOTE: https://github.com/indutny/elliptic/issues/321 NOTE: https://github.com/indutny/elliptic/pull/322 CVE-2024-48915 (Agent Dart is an agent library built for Internet Computer for Dart an ...) @@ -2971,6 +2981,7 @@ CVE-2024-45271 (An unauthenticated local attacker can gain admin privileges by d NOT-FOR-US: MB connect line GmbH CVE-2024-44337 (The package `github.com/gomarkdown/markdown` is a Go library for parsi ...) - golang-github-gomarkdown-markdown (bug #1085377) + [bookworm] - golang-github-gomarkdown-markdown (Minor issue) NOTE: https://github.com/Brinmon/CVE-2024-4433
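Review bot: in the CVE-2024-9676 hunk the `[bookworm]` triage lines are added only under golang-github-containers-buildah and golang-github-containers-storage, while the sibling source lines in the same entry (`- cri-o (bug #979702)`, `- libpod`, `- podman`) get no bookworm annotation; either add matching `[bookworm] - <pkg> (...)` lines or a NOTE stating that those packages are not in bookworm, so the entry does not read as half-triaged. The dbeacon hunk sits under a `CVE-2024- [XSS Vulnerability in matrix.pl]` placeholder header; that is fine for now, but the bracketed title will need replacing once the CVE id is assigned.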
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 63f3ffef by Moritz Mühlenhoff at 2024-10-16T18:21:09+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2029,6 +2029,7 @@ CVE-2024-27457 (Improper check for unusual or exceptional conditions in Intel(R) NOT-FOR-US: Intel CVE-2024-25885 (An issue in the getcolor function in utils.py of xhtml2pdf v0.2.13 all ...) - xhtml2pdf (bug #1084986) + [bookworm] - xhtml2pdf (Minor issue) NOTE: https://gist.github.com/salvatore-abello/c88dd0027496774023ef36c7b576d206 CVE-2024-25825 (FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 1 ...) NOT-FOR-US: FydeOS @@ -2050,6 +2051,7 @@ CVE-2023-52952 (A vulnerability has been identified in HiMed Cockpit 12 pro (J31 NOT-FOR-US: Siemens CVE-2024-28168 (Improper Restriction of XML External Entity Reference ('XXE') vulnerab ...) - fop (bug #1084985) + [bookworm] - fop (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/10/09/1 NOTE: https://issues.apache.org/jira/browse/FOP-3168 NOTE: https://github.com/apache/xmlgraphics-fop/commit/d96ba9a11710d02716b6f4f6107ebfa9ccec7134 (2_10) @@ -9185,6 +9187,7 @@ CVE-2024-20439 (A vulnerability in Cisco Smart Licensing Utility could allow an NOT-FOR-US: Cisco CVE-2024-44082 (In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13. ...) - ironic 1:26.1.0-1 + [bookworm] - ironic (Minor issue) - ironic-python-agent 9.14.0-1 NOTE: https://www.openwall.com/lists/oss-security/2024/09/04/4 NOTE: https://bugs.launchpad.net/ironic/+bug/2071740 = data/dsa-needed.txt = 
@@ -26,6 +26,8 @@ linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more 6.1.y versions -- +openjdk-17 (jmm) +-- opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63f3ffef71bf21f95979bb533e4c945d90f92e88 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63f3ffef71bf21f95979bb533e4c945d90f92e88 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
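Review bot: the CVE-2024-44082 hunk adds `[bookworm] - ironic (Minor issue)` but leaves the second source line, `- ironic-python-agent 9.14.0-1`, without a bookworm annotation even though the CVE text names both ironic and ironic-python-agent as affected; add a matching `[bookworm] - ironic-python-agent (...)` line or a NOTE explaining why it needs none. The `openjdk-17 (jmm)` addition to dsa-needed.txt is not mentioned by the `bookworm triage` subject line; a second line in the commit message naming it would make the log easier to search.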
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 090b27e7 by Moritz Muehlenhoff at 2024-10-13T20:36:48+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -204,6 +204,7 @@ CVE-2024-46088 (An arbitrary file upload vulnerability in the ProductAction.entp NOT-FOR-US: Zhejiang University Entersoft Customer Resource Management System CVE-2024-45403 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Wh ...) - h2o (bug #1084984) + [bookworm] - h2o (Minor issue) NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92 NOTE: https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562 NOTE: https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c @@ -211,6 +212,7 @@ CVE-2024-45402 (Picotls is a TLS protocol library that allows users select diffe - picotls (bug #925405) CVE-2024-45397 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Wh ...) - h2o (bug #1084984) + [bookworm] - h2o (Minor issue) NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c NOTE: https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a CVE-2024-45396 (Quicly is an IETF QUIC protocol implementation. Quicly up to commtit d ...) @@ -257,6 +259,7 @@ CVE-2024-33578 (A DLL hijack vulnerability was reported in Lenovo Leyun that cou NOT-FOR-US: Lenovo CVE-2024-25622 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Th ...) - h2o (bug #1084984) + [bookworm] - h2o (Minor issue) NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj NOTE: https://github.com/h2o/h2o/issues/3332 NOTE: https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be 
@@ -670,6 +673,7 @@ CVE-2024-48957 (execute_filter_audio in archive_read_support_format_rar.c in lib NOTE: https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b (v3.7.5) CVE-2024-48949 (The verify function in lib/elliptic/eddsa/index.js in the Elliptic pac ...) - node-elliptic 6.5.7+dfsg-1 + [bookworm] - node-elliptic (Minor issue) NOTE: https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281 (v6.5.6) CVE-2024-48942 (The Syracom Secure Login (2FA) plugin for Jira, Confluence, and Bitbuc ...) NOT-FOR-US: Jira plugin @@ -686,6 +690,7 @@ CVE-2024-9680 (An attacker was able to achieve code execution in the content pro NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/ CVE-2024-9675 (A vulnerability was found in Buildah. Cache mounts do not properly val ...) - golang-github-containers-buildah (bug #1084980) + [bookworm] - golang-github-containers-buildah (Minor issue) [bullseye] - golang-github-containers-buildah (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317458 CVE-2024-9671 (A vulnerability was found in 3Scale. There is no auth mechanism to see ...) @@ -892,6 +897,7 @@ CVE-2024-46307 (A loop hole in the payment logic of Sparkshop v1.16 allows attac NOT-FOR-US: Sparkshop CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below allows a re ...) - libcoap3 (bug #1084981) + [bookworm] - libcoap3 (Minor issue) - libcoap2 - libcoap NOTE: https://github.com/obgm/libcoap/issues/1509 
@@ -1978,6 +1984,7 @@ CVE-2024-47765 (Minecraft MOTD Parser is a PHP library to parse minecraft server NOT-FOR-US: Minecraft MOTD Parser CVE-2024-47764 (cookie is a basic HTTP cookie parser and serializer for HTTP servers. ...) - node-cookie 0.7.1+~0.6.0-1 + [bookworm] - node-cookie (Minor issue) NOTE: https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x NOTE: https://github.com/jshttp/cookie/pull/167 NOTE: https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c (v0.7.0) @@ -1997,6 +2004,7 @@ CVE-2024-47651 (This vulnerability exists in Shilpi Client Dashboard due to impr NOT-FOR-US: Shilpi Client Dashboard CVE-2024-47211 (In OpenStack Ironic before 21.4.4, 22.x and 23.x before 23.0.3, 23.x a ...) - ironic 1:26.1.0-1 + [bookworm] - ironic (Minor issue) NOTE: https://security.openstack.org/ossa/OSSA-2024-004.html CVE-2024-47183 (Parse Server is an open source backend that can be deployed to any inf ...) NOT-FOR-US: Parse Server @@ -2411,6 +2419,7 @@ CVE-2024-20365 (A vulnerability in the Redfish API of Cisco UCS B-Series, Cisco NOT-FOR-US: Cisco CVE-2024-9407 (A vulnerability exists in the bind-propagation option of the Dockerfil ...)
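Review bot: the CVE-2024-46304 hunk tags only libcoap3 for bookworm while the `- libcoap2` and `- libcoap` source lines directly below it stay untagged; if those packages are not in bookworm a short NOTE would make that explicit, otherwise they need the same triage line. The three h2o hunks (CVE-2024-45403, CVE-2024-45397, CVE-2024-25622) each add an identical `[bookworm] - h2o (Minor issue)` line against the same bug #1084984, so a single NOTE on one of them saying the three are being handled together would save the next triager from re-deriving that.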
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ff23c741 by Moritz Muehlenhoff at 2024-10-09T12:35:22+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -33,6 +33,7 @@ CVE-2024-47817 (Lara-zeus Dynamic Dashboard simple way to manage widgets for you NOT-FOR-US: Lara-zeus Dynamic Dashboard CVE-2024-47814 (Vim is an open source, command line text editor. A use-after-free was ...) - vim (bug #1084806) + [bookworm] - vim (Minor issue) NOTE: https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg NOTE: https://github.com/vim/vim/commit/51b62387be93c65fa56bbabe1c3 (v9.1.0764) CVE-2024-47782 (WikiDiscover is an extension designed for use with a CreateWiki manage ...) @@ -1511,6 +1512,7 @@ CVE-2024-46280 (PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is vulnerable to Improper A NOT-FOR-US: PIX-LINK CVE-2024-45993 (Giflib Project v5.2.2 is vulnerable to a heap buffer overflow via gif2 ...) - giflib (bug #1084058) + [bookworm] - giflib (Minor issue) NOTE: https://gitlab.com/mthandazo/project-pov CVE-2024-45920 (A Stored Cross-Site Scripting (XSS) vulnerability in Solvait 24.4.2 al ...) NOT-FOR-US: Solvait @@ -1647,6 +1649,7 @@ CVE-2024-46453 (A cross-site scripting (XSS) vulnerability in the component /tes NOT-FOR-US: iq3xcite CVE-2024-38796 (EDK2 contains a vulnerability in the PeCoffLoaderRelocateImage(). An A ...) - edk2 (bug #1084055) + [bookworm] - edk2 (Minor issue) NOTE: https://github.com/tianocore/edk2/security/advisories/GHSA-xpcr-7hjq-m6qm NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1993 NOTE: https://github.com/tianocore/edk2/pull/6249 
@@ -2235,6 +2238,7 @@ CVE-2024-47003 (Mattermost versions 9.11.x <= 9.11.0 and 9.5.x <= 9.5.8 fail to - mattermost-server (bug #823556) CVE-2024-46632 (Assimp v5.4.3 is vulnerable to Buffer Overflow via the MD5Importer::Lo ...) - assimp (bug #1082857) + [bookworm] - assimp (Minor issue) NOTE: https://github.com/assimp/assimp/issues/5771 CVE-2024-46627 (Incorrect access control in BECN DATAGERRY v2.2 allows attackers to ex ...) NOT-FOR-US: BECN DATAGERRY @@ -5534,6 +5538,7 @@ CVE-2024-45591 (XWiki Platform is a generic wiki platform. The REST API exposes NOT-FOR-US: XWiki CVE-2024-45590 (body-parser is Node.js body parsing middleware. body-parser <1.20.3 is ...) - node-body-parser 1.20.3+~1.19.5-1 (bug #1081657) + [bookworm] - node-body-parser (Minor issue) NOTE: https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7 NOTE: https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce (1.20.3) CVE-2024-45412 (Yeti bridges the gap between CTI and DFIR practitioners by providing a ...) @@ -136282,7 +136287,9 @@ CVE-2023-22925 RESERVED CVE-2023-22656 (Out-of-bounds read in Intel(R) Media SDK and some Intel(R) oneVPL soft ...) - intel-mediasdk (bug #1082866) + [bookworm] - intel-mediasdk (Minor issue) - onevpl (bug #1082867) + [bookworm] - onevpl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVE-2023-22433 RESERVED = data/DSA/list = 
@@ -19,7 +19,7 @@ {CVE-2024-7025 CVE-2024-9369 CVE-2024-9370} [bookworm] - chromium 129.0.6668.89-1~deb12u1 [02 Oct 2024] DSA-5780-1 php8.2 - security update - {CVE-2024-8925 CVE-2024-8926 CVE-2024-8927} + {CVE-2024-8925 CVE-2024-8926 CVE-2024-8927 CVE-2024-9026} [bookworm] - php8.2 8.2.24-1~deb12u1 [29 Sep 2024] DSA-5779-1 cups - security update {CVE-2024-47175} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff23c741d367a2f3d0c745b5bdc28e964e75b19f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff23c741d367a2f3d0c745b5bdc28e964e75b19f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
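Review bot: the data/DSA/list hunk widens DSA-5780-1 to include CVE-2024-9026, but nothing in the visible diff touches the CVE-2024-9026 entry in data/CVE/list, and the subject line `bookworm triage` does not say that a published DSA is being amended; consider splitting that hunk into its own commit whose message names DSA-5780-1 and CVE-2024-9026, and check that the CVE-2024-9026 entry's php8.2 line carries the same `8.2.24-1~deb12u1` bookworm version so the two files agree.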
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ca874b5c by Moritz Muehlenhoff at 2024-09-27T13:42:49+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -4,6 +4,7 @@ CVE-2024-9049 (The Beaver Builder \u2013 WordPress Page Builder plugin for WordP NOT-FOR-US: WordPress plugin CVE-2024-9029 (A flaw was found in freeimage library. Processing a crafted image can ...) - freeimage + [bookworm] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/351/ CVE-2024-8991 (The OSM \u2013 OpenStreetMap plugin for WordPress is vulnerable to Sto ...) NOT-FOR-US: WordPress plugin @@ -290,6 +291,7 @@ CVE-2022-49037 (Insertion of sensitive information into log file vulnerability i NOT-FOR-US: Synology CVE-2024-8805 [BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability] - bluez + [bookworm] - bluez (Minor issue) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1229/ NOTE: https://patchwork.kernel.org/project/bluetooth/patch/20240912204458.3037144-1-luiz.de...@gmail.com/ NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=41f943630d9a03c40e95057b2ac3d96470b9c71e @@ -914,6 +916,7 @@ CVE-2023-47480 (An issue in Pure Data 0.54-0 and fixed in 0.54-1 allows a local NOTE: https://github.com/pure-data/pure-data/commit/0b5e467b8728b3ed56e1a8ee5b367ce78e7e6e5d (0.54-1test1) CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-c ...) - qemu (bug #1082406) + [bookworm] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2313760 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This flaw all ...) 
@@ -35139,7 +35142,9 @@ CVE-2023-45315 (Improper initialization in some Intel(R) Power Gadget software f NOT-FOR-US: Intel CVE-2023-45221 (Improper buffer restrictions in Intel(R) Media SDK all versions may al ...) - intel-mediasdk + [bookworm] - intel-mediasdk (Minor issue) - onevpl + [bookworm] - onevpl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVE-2023-45217 (Improper access control in Intel(R) Power Gadget software for Windows ...) NOT-FOR-US: Intel = data/dsa-needed.txt = @@ -34,6 +34,8 @@ node-dompurify opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- +php8.2 (jmm) +-- python-aiohttp -- python-reportlab View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca874b5c73ffe4673ab37243ec02bdd27ae13745 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca874b5c73ffe4673ab37243ec02bdd27ae13745 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
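Review bot: the CVE-2024-8805 hunk adds `[bookworm] - bluez (Minor issue)` under an entry that still carries a bracketed working title (`[BlueZ HID over GATT Profile Improper Access Control Remote Code Execution Vulnerability]`) and a bare `- bluez` line with no fixed version; since the title itself says remote code execution, a one-line NOTE recording why it is rated minor for bookworm would help whoever revisits the entry once the sid fix lands. The `php8.2 (jmm)` addition to dsa-needed.txt is likewise not mentioned in the `bookworm triage` subject; a second commit-message line would make it findable.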
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35d88ae3 by Moritz Muehlenhoff at 2024-09-25T22:48:29+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -34707,17 +34707,23 @@ CVE-2023-49614 (Out of bounds write in firmware for some Intel(R) FPGA products NOT-FOR-US: Intel CVE-2023-48727 (NULL pointer dereference in some Intel(R) oneVPL software before versi ...) - intel-mediasdk + [bookworm] - intel-mediasdk (Minor issue) - onevpl + [bookworm] - onevpl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVE-2023-48368 (Improper input validation in Intel(R) Media SDK software all versions ...) - intel-mediasdk + [bookworm] - intel-mediasdk (Minor issue) - onevpl + [bookworm] - onevpl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVE-2023-47859 (Improper access control for some Intel(R) Wireless Bluetooth products ...) NOT-FOR-US: Intel CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some Intel( ...) - intel-mediasdk + [bookworm] - intel-mediasdk (Minor issue) - onevpl + [bookworm] - onevpl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...) - firmware-nonfree 20240610-1 
@@ -34726,7 +34732,9 @@ CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software all versio ...) - intel-mediasdk + [bookworm] - intel-mediasdk (Minor issue) - onevpl + [bookworm] - onevpl (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html CVE-2023-47165 (Improper conditions check in the Intel(R) Data Center GPU Max Series 1 ...) NOT-FOR-US: Intel = data/dsa-needed.txt = @@ -14,7 +14,7 @@ If needed, specify the release by adding a slash after the name of the source pa -- activemq -- -booth +booth (jmm) Adrian Bunk proposed an debdiff for review, cf. #1082674 -- chromium (dilinger) @@ -22,8 +22,6 @@ chromium (dilinger) frr coordination with the maintainer ongoing -- -libreoffice (jmm) --- libreswan Waiting on feedback from maintainer -- @@ -44,8 +42,6 @@ python-reportlab -- ring -- -setuptools --- smarty3 -- smarty4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35d88ae3fb989bcb4342280a55605eef8bfc6509 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35d88ae3fb989bcb4342280a55605eef8bfc6509 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
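Review bot: the dsa-needed.txt hunks drop `libreoffice (jmm)` and `setuptools` entirely, but neither the commit subject nor a NOTE on a CVE entry records whether those were released as DSAs or re-triaged as not needing one; a short commit-message line would document that. The `booth` line is now claimed as `booth (jmm)` while the unchanged context below it still reads `Adrian Bunk proposed an debdiff for review, cf. #1082674`; the `an debdiff` typo is pre-existing context and better fixed in a follow-up than folded into this triage commit.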
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b2ef6c0b by Moritz Muehlenhoff at 2024-09-25T09:21:46+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -173,6 +173,7 @@ CVE-2024-47069 (Oveleon Cookie Bar is a cookie bar is for the Contao Open Source NOT-FOR-US: Contao CMS CVE-2024-47068 (Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 an ...) - node-rollup (bug #1082712) + [bookworm] - node-rollup (Minor issue) NOTE: https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm NOTE: https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4 (v3.29.5) NOTE: https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541 (v4.22.4) @@ -390,6 +391,7 @@ CVE-2024-37879 (Improper input validation in /admin/config/save in User-friendly NOT-FOR-US: User-friendly SVN (USVN) CVE-2023-47480 (An issue in Pure Data 0.54-0 and fixed in 0.54-1 allows a local attack ...) - puredata 0.54.1+ds-1 + [bookworm] - puredata (Minor issue) NOTE: https://github.com/pure-data/pure-data/issues/2063 NOTE: https://github.com/pure-data/pure-data/commit/0b5e467b8728b3ed56e1a8ee5b367ce78e7e6e5d (0.54-1test1) CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2ef6c0b0cc38a06e751eb352d7db2e42f9cd290 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2ef6c0b0cc38a06e751eb352d7db2e42f9cd290 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c8af8242 by Moritz Muehlenhoff at 2024-09-20T17:18:06+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -39,6 +39,7 @@ CVE-2024-8375 (There exists a use after free vulnerability in Reverb.Reverb supp NOT-FOR-US: Google Reverb CVE-2024-8354 (A flaw was found in QEMU. An assertion failure was present in the usb_ ...) - qemu (bug #1082377) + [bookworm] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2313497 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2548 CVE-2024-7785 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) @@ -83,6 +84,7 @@ CVE-2024-45806 (Envoy is a cloud-native high-performance edge/middle/service pro - envoyproxy (bug #987544) CVE-2024-45752 (logiops through 0.3.4, in its default configuration, allows any unpriv ...) - logiops (bug #1082378) + [bookworm] - logiops (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1226598 CVE-2024-45614 (Puma is a Ruby/Rack web server built for parallelism. In affected vers ...) - puma (bug #1082379) @@ -104,6 +106,7 @@ CVE-2024-33109 (Directory Traversal in the web interface of the Tiptel IP 286 wi NOT-FOR-US: Tiptel CVE-2024-31570 (libfreeimage in FreeImage 3.4.0 through 3.18.0 has a stack-based buffe ...) - freeimage (bug #1082380) + [bookworm] - freeimage (Minor issue#) NOTE: https://sourceforge.net/p/freeimage/bugs/355/ NOTE: https://www.openwall.com/lists/oss-security/2024/04/11/10 CVE-2024-25673 (Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and all earli ...) 
@@ -124,6 +127,7 @@ CVE-2024-8364 (The WP Custom Fields Search plugin for WordPress is vulnerable to NOT-FOR-US: WordPress plugin CVE-2024-7254 (Any project that parses untrusted Protocol Buffers datacontaining an a ...) - protobuf (bug #1082381) + [bookworm] - protobuf (Minor issue) NOTE: https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa CVE-2024-47089 (This vulnerability exists in the Apex Softcell LD Geo due to improper ...) NOT-FOR-US: Apex Softcell LD Geo @@ -291,6 +295,7 @@ CVE-2024-45813 (find-my-way is a fast, open source HTTP router, internally using NOT-FOR-US: find-my-way CVE-2024-45679 (Heap-based buffer overflow vulnerability in Assimp versions prior to 5 ...) - assimp 5.4.0+ds-1 + [bookworm] - assimp (Minor issue) NOTE: https://github.com/assimp/assimp/pull/5310 NOTE: https://github.com/assimp/assimp/commit/e4e2c63e0c2c449cd69fb9a3269e865eb83c241d (v5.4.0) CVE-2024-45601 (Mesop is a Python-based UI framework designed for rapid web apps devel ...) @@ -400,8 +405,10 @@ CVE-2024-36981 (An out-of-bounds read vulnerability exists in the OpenPLC Runtim CVE-2024-36980 (An out-of-bounds read vulnerability exists in the OpenPLC Runtime Ethe ...) NOT-FOR-US: OpenPLC CVE-2024-35515 (Insecure deserialization in sqlitedict up to v2.1.0 allows attackers t ...) - - sqlitedict + - sqlitedict (unimportant) NOTE: https://wha13.github.io/2024/06/13/mfcve/ + NOTE: https://github.com/piskvorky/sqlitedict/issues/174 + NOTE: Not considered a security issue by upstream CVE-2024-34399 (**UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mi ...) NOT-FOR-US: BMC Remedy Mid Tier CVE-2024-34057 (Triangle Microworks TMW IEC 61850 Client source code libraries before ...) 
@@ -4558,6 +4565,7 @@ CVE-2024-34577 (Cross-site scripting vulnerability exists in WRC-X3000GS2-B, WRC NOT-FOR-US: WRC-X3000GS2-B, WRC-X3000GS2-W, and WRC-X3000GS2A-B CVE-2024-2881 (Fault Injection vulnerability inwc_ed25519_sign_msg function in wolfss ...) - wolfssl 5.7.0-0.3 + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable CVE-2024-2694 (The Betheme theme for WordPress is vulnerable to PHP Object Injection ...) NOT-FOR-US: WordPress theme @@ -5114,6 +5122,7 @@ CVE-2024-36068 (An incorrect access control vulnerability in Rubrik CDM versions NOT-FOR-US: Rubrik CDM CVE-2024-1544 (Generating the ECDSA nonce k samples a random number r and then trunc ...) - wolfssl (bug #1081789) + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable NOTE: https://github.com/wolfSSL/wolfssl/pull/7020 CVE-2024-8046 (The Logo Showcase Ultimate \u2013 Logo Carousel, Logo Slider & Logo Gr ...) = data/dsa-needed.txt = @@ -50,6 +50,8 @@ smarty3
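Review bot: the CVE-2024-31570 hunk adds `[bookworm] - freeimage (Minor issue#)`, a stray `#` inside the parenthesised remark that every other added line in this commit spells as `(Minor issue)`; change it to `+ [bookworm] - freeimage (Minor issue)` before merging so the annotation matches its siblings. The sqlitedict hunk's downgrade to `(unimportant)` is well documented by the added `NOTE: Not considered a security issue by upstream` plus the upstream issue link; the diff as shown ends at the `@@ -50,6 +50,8 @@ smarty3` header, so the dsa-needed.txt change itself is not visible here and could not be reviewed.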
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a08776e7 by Moritz Muehlenhoff at 2024-09-18T10:46:52+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -438,6 +438,7 @@ CVE-2024-8421 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309710#c7 CVE-2024- [RUSTSEC-2023-0086] - rust-lexical-core (bug #1082053) + [bookworm] - rust-lexical-core (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0086.html NOTE: https://github.com/Alexhuszagh/rust-lexical/issues/102 NOTE: https://github.com/Alexhuszagh/rust-lexical/issues/101 @@ -1922,6 +1923,7 @@ CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted NOTE: https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (2.1.0) CVE-2024-43799 (Send is a library for streaming files from the file system as a http r ...) - node-send (bug #1081483) + [bookworm] - node-send (Minor issue) NOTE: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg NOTE: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 (0.19.0) CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...) 
@@ -76072,19 +76074,18 @@ CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflo NOTE: Fixed by: https://github.com/strukturag/libde265/commit/1475c7d2f0a6dc35c27e18abc4db9679bfd32568 (v1.0.15) CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif 1.17.6-1 (bug #1059151) - [bookworm] - libheif (Minor issue) - [bullseye] - libheif (Minor issue) + [bookworm] - libheif (Vulnerable code not present) + [bullseye] - libheif (Vulnerable code not present) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1044 NOTE: https://github.com/strukturag/libheif/pull/1049 NOTE: https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287 (v1.17.6) CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif 1.17.6-1 (bug #1059151) - [bookworm] - libheif (Minor issue) - [bullseye] - libheif (Minor issue) + - libheif 1.17.6-1 (bug #1059151; unimportant) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1042 NOTE: https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf (v1.17.6) + NOTE: Crash in CLI tool, no security impact (only affects example tool shipped in libheif-examples) CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif 1.17.6-1 (bug #1059151) [bookworm] - libheif (Minor issue) 
@@ -76094,8 +76095,8 @@ CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation violati NOTE: https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969 (v1.17.6) CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif 1.17.6-1 (bug #1059151) - [bookworm] - libheif (Minor issue) - [bullseye] - libheif (Minor issue) + [bookworm] - libheif (Vulnerable code not present) + [bullseye] - libheif (Vulnerable code not present) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1046 NOTE: https://github.com/strukturag/libheif/commit/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76 (v1.17.6) = data/dsa-needed.txt = @@ -33,6 +33,8 @@ linux (carnil) -- nodejs (aron) -- +node-dompurify +-- opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a08776e77cff56224fc28f5a9f12bdc4d7fa1abe -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a08776e77cff56224fc28f5a9f12bdc4d7fa1abe You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
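Review bot: the CVE-2023-49464 and CVE-2023-49460 hunks switch bookworm and bullseye from `(Minor issue)` to `(Vulnerable code not present)` without a NOTE saying which upstream change introduced the affected code, whereas the CVE-2023-49463 hunk gets an explanatory `NOTE: Crash in CLI tool, no security impact (only affects example tool shipped in libheif-examples)` for its `unimportant` downgrade; add a similar NOTE (for example the upstream version that first shipped the affected code) to the two `Vulnerable code not present` entries so the reasoning survives the next re-triage. In the CVE-2023-49463 entry the source line becomes `- libheif 1.17.6-1 (bug #1059151; unimportant)` while `[buster] - libheif (Vulnerable code not present)` is kept; confirm that combination renders as intended.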
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3213b35b by Moritz Muehlenhoff at 2024-09-15T12:21:29+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -40,6 +40,7 @@ CVE-2024-8797 (The WP Booking System \u2013 Booking Calendar plugin for WordPres NOT-FOR-US: WordPress plugin CVE-2024-8775 (A flaw was found in Ansible, where sensitive information stored in Ans ...) - ansible-core + [bookworm] - ansible-core (Minor issue) - ansible 5.4.0-1 NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2312119 @@ -1468,9 +1469,11 @@ CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software versi NOT-FOR-US: TechExcel Back Office Software CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in + [bookworm] - angular.js (Minor issue) NOTE: https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute in Angu ...) - angular.js + [bookworm] - angular.js (Minor issue) NOTE: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017 CVE-2024-8042 (Rapid7 Insight Platform versions between November 2019 and August 14, ...) NOT-FOR-US: Rapid7 Insight Platform 
@@ -3702,11 +3705,13 @@ CVE-2024-5991 (In function MatchDomainName(), input param str is treated as a NU NOTE: https://github.com/wolfSSL/wolfssl/pull/7604 CVE-2024-5814 (A malicious TLS1.2 server can force a TLS1.3 client with downgrade cap ...) - wolfssl (bug #1081791) + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable NOTE: https://github.com/wolfSSL/wolfssl/pull/7619 NOTE: https://tches.iacr.org/index.php/TCHES/article/view/11259 CVE-2024-5288 (An issue was discovered in wolfSSL before 5.7.0. A safe-error attack v ...) - wolfssl (bug #1081790) + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable NOTE: https://github.com/wolfSSL/wolfssl/pull/7416 CVE-2024-4872 (The product does not validate any query towards persistent data, resul ...) @@ -14259,6 +14264,7 @@ CVE-2024-6540 (Improper filtering of fields when using the export function in th CVE-2024-6345 (A vulnerability in the package_index module of pypa/setuptools version ...) {DLA-3876-1} - setuptools 70.3.0-2 + [bookworm] - setuptools (Minor issue) NOTE: https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5 NOTE: Fixed by merge: https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 (v70.0.0) CVE-2024-6289 (The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent r ...) = data/dsa-needed.txt = @@ -35,7 +35,7 @@ nodejs (aron) opennds pinged maintainer, but no reply yet. should most probably be bumped to 10.x -- -php-twig +php-twig (jmm) Maintainer prepared an update and is acked for upload -- python-aiohttp 
@@ -44,6 +44,8 @@ python-reportlab -- ring -- +ruby-saml +-- setuptools -- smarty3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3213b35b1caf88cc040af84acd3d3ed8b1194572 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3213b35b1caf88cc040af84acd3d3ed8b1194572 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
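Review bot: in the CVE-2024-8373 hunk (data/CVE/list, @@ -1468,9 +1469,11 @@) the added `[bookworm] - angular.js (Minor issue)` line sits directly under the description line with no `- angular.js` source-package line visible between them, whereas the CVE-2024-8372 entry right below has its `- angular.js` line before the annotation; please confirm the package line is present in the file, since a `[release]` annotation has to attach to a preceding source-package entry.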
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c2b7b239 by Moritz Muehlenhoff at 2024-09-13T21:41:43+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -851,6 +851,7 @@ CVE-2024-44087 (A vulnerability has been identified in Automation License Manage NOT-FOR-US: Siemens CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted user i ...) - node-serve-static (bug #1081482) + [bookworm] - node-serve-static (Minor issue) NOTE: https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p NOTE: https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b (1.16.0) NOTE: https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (2.1.0) @@ -860,6 +861,7 @@ CVE-2024-43799 (Send is a library for streaming files from the file system as a NOTE: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 (0.19.0) CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...) - node-express (bug #1081481) + [bookworm] - node-express (Minor issue) NOTE: https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx NOTE: https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553 (4.20.0) CVE-2024-43781 (A vulnerability has been identified in SINUMERIK 828D V4 (All versions ...) 
@@ -1265,6 +1267,7 @@ CVE-2024-45406 (Craft is a content management system (CMS). Craft CMS 5 stored X NOT-FOR-US: Craft CMS CVE-2024-45296 (path-to-regexp turns path strings into a regular expressions. In certa ...) - node-path-to-regexp (bug #1081656) + [bookworm] - node-path-to-regexp (Minor issue) NOTE: https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j NOTE: https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6 (v8.0.0) CVE-2024-45041 (External Secrets Operator is a Kubernetes operator that integrates ext ...) @@ -2480,6 +2483,7 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython. - python3.13 3.13.0~rc2-1 - python3.12 3.12.6-1 - python3.11 + [bookworm] - python3.11 (Minor issue) - python3.9 - python2.7 [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) @@ -3450,6 +3454,7 @@ CVE-2024-6632 (A vulnerability exists in FileCatalyst Workflow whereby a field a NOT-FOR-US: FileCatalyst Workflow CVE-2024-5991 (In function MatchDomainName(), input param str is treated as a NULL te ...) - wolfssl + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable NOTE: https://github.com/wolfSSL/wolfssl/pull/7604 CVE-2024-5814 (A malicious TLS1.2 server can force a TLS1.3 client with downgrade cap ...) 
@@ -48076,7 +48081,8 @@ CVE-2024-3221 (A vulnerability classified as critical was found in SourceCodeste CVE-2024-3218 (A vulnerability classified as critical has been found in Shibang Commu ...) NOT-FOR-US: Shibang Communications IP Network Intercom Broadcasting System CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated as cri ...) - - upx-ucl 4.2.4-1 + - upx-ucl 4.2.4-1 (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/upx/upx/issues/841 CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It has been ...) NOT-FOR-US: ermig1979 Simd = data/dsa-needed.txt = @@ -49,5 +49,7 @@ smarty4 -- twisted (jmm) -- +xen +-- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2b7b23945a0aa1e9b9f134831e3c0c33eb5878e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2b7b23945a0aa1e9b9f134831e3c0c33eb5878e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
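Review bot: the dsa-needed.txt hunk re-adds `xen` without any note, two days after commit 52b60e84 (below on this page) removed it with the comment that the maintainer aimed to have the version included in the upcoming point release; a one-line note on why a DSA is needed after all would keep that history in the file rather than in the commit log.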
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 52b60e84 by Moritz Muehlenhoff at 2024-09-11T09:22:10+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -919,6 +919,7 @@ CVE-2024-6792 (The WP ULike WordPress plugin before 4.7.2.1 does not properly s NOT-FOR-US: WordPress plugin CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achieve ent ...) - tgt (bug #1081158) + [bookworm] - tgt (Minor issue) NOTE: https://github.com/fujita/tgt/pull/67 NOTE: https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd (v1.0.93) NOTE: https://www.openwall.com/lists/oss-security/2024/09/07/2 @@ -1017,6 +1018,7 @@ CVE-2024-45158 (An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack bu NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-2/ CVE-2024-45157 (An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1 ...) - mbedtls + [bookworm] - mbedtls (Minor issue) NOTE: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/ CVE-2024-45107 (Acrobat Reader versions 20.005.30636, 24.002.20964, 24.001.30123, 24.0 ...) NOT-FOR-US: Adobe = data/dsa-needed.txt = @@ -11,13 +11,15 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +activemq -- chromium (dilinger) -- dnsmasq Lee Garrett showed interest to prepare an update for review -- -expat +expat (jmm) Maintainer proposed debdiffs for review -- frr 
@@ -51,10 +53,7 @@ smarty3 -- smarty4 -- -twisted --- -xen - Might not be needed as maintainer did aim to have the version included in the upcoming point release +twisted (jmm) -- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52b60e84e7ef13f7193fde87b7842d770e03bec6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52b60e84e7ef13f7193fde87b7842d770e03bec6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
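Review bot: the second dsa-needed.txt hunk drops `xen` together with its note "Might not be needed as maintainer did aim to have the version included in the upcoming point release", which removes the only record of that plan; keeping the entry with the note until the point release actually ships would avoid it having to be re-added (commit c2b7b239 above does so two days later).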
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 34dc22b8 by Moritz Muehlenhoff at 2024-09-06T13:44:32+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,6 +3,7 @@ CVE-2024-34158 - golang-1.22 - golang-1.21 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc NOTE: https://go.dev/issue/69141 @@ -11,6 +12,7 @@ CVE-2024-34156 - golang-1.22 - golang-1.21 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc NOTE: https://go.dev/issue/69139 @@ -19,6 +21,7 @@ CVE-2024-34155 - golang-1.22 - golang-1.21 - golang-1.19 + [bookworm] - golang-1.19 (Minor issue) - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc NOTE: https://go.dev/issue/69138 @@ -212,6 +215,7 @@ CVE-2024-20505 (A vulnerability in the PDF parsing module of Clam AntiVirus (Cla NOTE: https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html CVE-2024-8418 (A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They cont ...) - aardvark-dns 1.12.2-1 (bug #1080964) + [bookworm] - aardvark-dns (Minor issue) NOTE: https://github.com/containers/aardvark-dns/issues/500 NOTE: https://github.com/containers/aardvark-dns/pull/503 NOTE: https://github.com/containers/aardvark-dns/commit/6d76c50978755b8162d176ec7eea0e09f8d57a42 
@@ -833,10 +837,12 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython. NOTE: https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4 (3.10-branch) CVE-2024-45231 - python-django 3:4.2.16-1 + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ NOTE: https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199 (4.2.16) CVE-2024-45230 - python-django 3:4.2.16-1 + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/sep/03/security-releases/ NOTE: https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2 (4.2.16) CVE-2024-45506 (HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1 ...) @@ -1028,6 +1034,7 @@ CVE-2024-45509 (In MISP through 2.4.196, app/Controller/BookmarksController.php NOT-FOR-US: MISP CVE-2024-45508 (HTMLDOC before 1.9.19 has an out-of-bounds write in parse_paragraph in ...) - htmldoc + [bookworm] - htmldoc (Minor issue) NOTE: https://github.com/michaelrsweet/htmldoc/issues/528 NOTE: https://github.com/michaelrsweet/htmldoc/commit/2d5b2ab9ddbf2aee2209010cebc11efdd1cab6e2 CVE-2024-45270 (WordPress plugin "Carousel Slider" provided by Sayful Islam contains a ...) 
@@ -1289,9 +1296,11 @@ CVE-2024-2502 (An application can be configured to block boot attempts after con NOT-FOR-US: Silabs CVE-2024-1545 (Fault Injection vulnerability in RsaPrivateDecryption function in wolf ...) - wolfssl 5.7.0-0.3 + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable CVE-2024-1543 (The side-channel protected T-Table implementation in wolfSSL up to ver ...) - wolfssl 5.6.6-1.2 + [bookworm] - wolfssl (Minor issue) NOTE: https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-566-dec-19-2023 NOTE: https://github.com/wolfSSL/wolfssl/pull/6854 CVE-2024-8285 (A flaw was found in Kroxylicious. When establishing the connection wit ...) @@ -1841,6 +1850,7 @@ CVE-2024-6688 (The Oxygen Builder plugin for WordPress is vulnerable to unauthor NOT-FOR-US: WordPress plugin CVE-2024-45321 (The App::cpanminus package through 1.7047 for Perl downloads code via ...) - cpanminus + [bookworm] - cpanminus (Minor issue) NOTE: https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html NOTE: https://github.com/miyagawa/cpanminus/issues/611 NOTE: https://github.com/miyagawa/cpanminus/pull/674 @@ -2080,6 +2090,7 @@ CVE-2024-28077 (A denial-of-service issue was discovered on certain GL-iNet devi NOT-FOR-US: GL-iNet devices CVE-2023-49582 (Lax permissions set by the Apache Portable Runtime library on Unix pla ...) - apr (bug #1080375) + [bookworm] - apr (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/08/26/1 NOTE: https://lists.apache.org/thread/h5f1c2dqm8b
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9fa9faca by Moritz Muehlenhoff at 2024-09-03T17:15:53+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24,24 +24,31 @@ CVE-2024-37136 (Dell Path to PowerProtect, versions 1.1, 1.2, contains an Exposu NOT-FOR-US: Dell CVE-2024-45620 - opensc + [bookworm] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309289 CVE-2024-45619 - opensc + [bookworm] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309288 CVE-2024-45618 - opensc + [bookworm] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309287 CVE-2024-45617 - opensc + [bookworm] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309286 CVE-2024-45616 - opensc + [bookworm] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309290 CVE-2024-45615 - opensc + [bookworm] - opensc (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309285 CVE-2024-45310 - runc + [bookworm] - runc (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/09/03/1 NOTE: https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv CVE-2024-8004 (A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Col ...) @@ -437,6 +444,7 @@ CVE-2024-8285 (A flaw was found in Kroxylicious. When establishing the connectio NOT-FOR-US: kroxylicious CVE-2024-42934 - openipmi + [bookworm] - openipmi (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2308375 CVE-2024-8304 (A vulnerability has been found in jpress up to 5.1.1 and classified as ...) NOT-FOR-US: jpress 
@@ -1155,6 +1163,7 @@ CVE-2024-43966 (Improper Neutralization of Special Elements used in an SQL Comma NOT-FOR-US: WordPress plugin CVE-2024-43806 (Rustix is a set of safe Rust bindings to POSIX-ish APIs. When using `r ...) - rust-rustix 0.38.21-1 + [bookworm] - rust-rustix (Minor issue) NOTE: https://github.com/bytecodealliance/rustix/security/advisories/GHSA-c827-hfw6-qwvm CVE-2024-43802 (Vim is an improved version of the unix vi text editor. When flushing t ...) - vim 2:9.1.0698-1 @@ -1572,6 +1581,7 @@ CVE-2024-42364 (Homepage is a highly customizable homepage with Docker and servi NOT-FOR-US: gethomepage/homepage CVE-2024-42040 (Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from ...) - u-boot + [bookworm] - u-boot (Minor issue) NOTE: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt CVE-2024-41878 (Adobe Experience Manager versions 6.5.19 and earlier are affected by a ...) NOT-FOR-US: Adobe 
@@ -20950,6 +20960,7 @@ CVE-2024-37569 (An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x NOT-FOR-US: Mitel CVE-2024-37568 (lepture Authlib before 1.3.1 has algorithm confusion with asymmetric p ...) - python-authlib 1.3.1-1 + [bookworm] - python-authlib (Minor issue) NOTE: https://github.com/lepture/authlib/issues/654 NOTE: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (v1.3.1) CVE-2024-35748 (Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.T ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fa9facaec71df343fc0d154683386f4df814fcb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fa9facaec71df343fc0d154683386f4df814fcb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: acc83b25 by Moritz Muehlenhoff at 2024-09-01T17:53:56+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,12 +10,15 @@ CVE-2024-7717 (The WP Events Manager plugin for WordPress is vulnerable to time- NOT-FOR-US: WordPress plugin CVE-2024-0111 (NVIDIA CUDA Toolkit contains a vulnerability in command 'cuobjdump' wh ...) - nvidia-cuda-toolkit + [bookworm] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564 CVE-2024-0110 (NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` wh ...) - nvidia-cuda-toolkit + [bookworm] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564 CVE-2024-0109 (NVIDIA CUDA Toolkit contains a vulnerability in command `cuobjdump` wh ...) - nvidia-cuda-toolkit + [bookworm] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564 CVE-2024-44946 (In the Linux kernel, the following vulnerability has been resolved: k ...) - linux 6.10.7-1 @@ -432,6 +435,7 @@ CVE-2021-4442 (In the Linux kernel, the following vulnerability has been resolve NOTE: https://git.kernel.org/linus/8811f4a9836e31c14ecdf79d9f3cb7c5d463265d (5.12-rc3) CVE-2024-8250 (NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to 4.0.1 ...) - wireshark + [bookworm] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-11.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19943 CVE-2024-8198 (Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 ...) 
@@ -716,6 +720,7 @@ CVE-2024-44340 (D-Link DIR-846W A1 FW100A43 was discovered to contain a remote c CVE-2024-43788 (Webpack is a module bundler. Its main purpose is to bundle JavaScript ...) [experimental] - node-webpack 5.94.0+dfsg1+~cs11.18.26-1 - node-webpack + [bookworm] - node-webpack (Minor issue) NOTE: https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986 NOTE: Fixed by: https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61 (v5.94.0) CVE-2024-43783 (The Apollo Router Core is a configurable, high-performance graph route ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acc83b2568010adc0ec7b83d99f7190f693711db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acc83b2568010adc0ec7b83d99f7190f693711db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e8480ffa by Moritz Muehlenhoff at 2024-08-27T08:52:19+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104,6 +104,7 @@ CVE-2024-43806 (Rustix is a set of safe Rust bindings to POSIX-ish APIs. When us TODO: check CVE-2024-43802 (Vim is an improved version of the unix vi text editor. When flushing t ...) - vim + [bookworm] - vim (Minor issue) NOTE: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh NOTE: https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b (v9.1.0697) CVE-2024-43444 (Passwords of agents and customers are displayed in plain text in the O ...) @@ -13344,7 +13345,7 @@ CVE-2024-29506 (Artifex Ghostscript before 10.03.0 has a stack-based buffer over CVE-2023-52169 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) conta ...) - 7zip 24.05+dfsg-1 (unimportant) NOTE: Crash in CLI tool, no security impact - - p7zip 16.02+transitional.1 + - p7zip 16.02+transitional.1 (unimportant) NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/ NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/10 
@@ -13354,6 +13355,7 @@ CVE-2023-52168 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) - 7zip 24.05+dfsg-1 [bookworm] - 7zip (Minor issue) - p7zip 16.02+transitional.1 + [bookworm] - p7zip (Minor issue) NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/ NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/10 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8480ffaf10e92e82094f61d9dc0836ab4e85ab2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8480ffaf10e92e82094f61d9dc0836ab4e85ab2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2adf6964 by Moritz Muehlenhoff at 2024-08-26T10:11:32+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -168,6 +168,7 @@ CVE-2024-42852 (Cross Site Scripting vulnerability in AcuToWeb server v.10.5.0.7 NOT-FOR-US: AcuToWeb server CVE-2024-42845 (An eval Injection vulnerability in the component invesalius/reader/dic ...) - invesalius + [bookworm] - invesalius (Minor issue) NOTE: https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845 CVE-2024-42766 (Kashipara Bus Ticket Reservation System v1.0 0 is vulnerable to Incorr ...) NOT-FOR-US: Kashipara Bus Ticket Reservation System @@ -780,6 +781,7 @@ CVE-2024-43410 (Russh is a Rust SSH client & server library. Allocating an untru NOT-FOR-US: Russh CVE-2024-43407 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor + [bookworm] - ckeditor (Minor issue) [bullseye] - ckeditor (Minor issue) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv NOTE: Fixed by removing the plugins/codesnippetgeshi/dev directory completely. @@ -32112,6 +32114,7 @@ CVE-2024-34467 (ThinkPHP 8.0.3 allows remote attackers to exploit XSS due to ina NOT-FOR-US: ThinkPHP CVE-2024-34462 (Alinto SOGo through 5.10.0 allows XSS during attachment preview.) - sogo 5.11.0-1 (bug #1071163) + [bookworm] - sogo (Minor issue) [buster] - sogo (Minor issue) NOTE: https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920 (SOGo-5.11.0) CVE-2023-52729 (TCPServer.cpp in SimpleNetwork through 29bc615 has an off-by-one error ...) 
@@ -63352,6 +63355,7 @@ CVE-2023-49106 (Missing Password Field Masking vulnerability in Hitachi Device M NOT-FOR-US: Hitachi CVE-2023-48104 (Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.) - sogo 5.9.1-1 (bug #1060925) + [bookworm] - sogo (Minor issue) [buster] - sogo (Minor issue) NOTE: Fixed by: https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 (SOGo-5.9.1) CVE-2023-47460 (SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a rem ...) = data/dsa-needed.txt = @@ -38,6 +38,8 @@ opennds -- pymatgen -- +python3.11 (jmm) +-- python-aiohttp -- python-reportlab @@ -54,5 +56,7 @@ twisted -- webkit2gtk (berto) -- +xen +-- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2adf69643e1290bbfb67556425fe8ad4d3ab583e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2adf69643e1290bbfb67556425fe8ad4d3ab583e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
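Review bot: the two sogo hunks (CVE-2024-34462 and CVE-2023-48104) add a `[bookworm] - sogo (Minor issue)` line next to an existing `[buster]` line but leave bullseye unannotated, while the ckeditor hunk in the same commit already carries `[bullseye] - ckeditor (Minor issue)`; if bullseye is deliberately left to the LTS team that is fine, otherwise a matching `[bullseye]` line would make the three entries consistent.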
[Git][security-tracker-team/security-tracker][master] Bookworm triage for python-django issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 07196966 by Salvatore Bonaccorso at 2024-08-23T21:34:02+02:00 Bookworm triage for python-django issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4630,18 +4630,22 @@ CVE-2024-7518 (Select options could obscure the fullscreen notification dialog. NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/#CVE-2024-7518 CVE-2024-42005 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2. ...) - python-django 3:4.2.15-1 (bug #1078074) + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ NOTE: https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28/ (4.2.15) CVE-2024-41991 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2. ...) - python-django 3:4.2.15-1 (bug #1078074) + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ NOTE: https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/ (4.2.15) CVE-2024-41990 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2. ...) - python-django 3:4.2.15-1 (bug #1078074) + [bookworm] - python-django (Minor issue; intrusive to backport) NOTE: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ NOTE: https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88/ (4.2.15) CVE-2024-41989 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 before 4.2. ...) - python-django 3:4.2.15-1 (bug #1078074) + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/aug/06/security-releases/ NOTE: https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b/ (4.2.15) CVE-2024-42062 (CloudStack account-users by default use username and password based au ...) 
@@ -11031,14 +11035,17 @@ CVE-2024-39880 (Delta Electronics CNCSoft-G2 lacks proper validation of the leng NOT-FOR-US: Delta Electronics CVE-2024-39614 (An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2. ...) - python-django 3:4.2.14-1 (bug #1076069) + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ NOTE: https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3 (4.2.14) CVE-2024-39330 (An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2. ...) - python-django 3:4.2.14-1 (bug #1076069) + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ NOTE: https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e (4.2.14) CVE-2024-39329 (An issue was discovered in Django 5.0 before 5.0.7 and 4.2 before 4.2. ...) - python-django 3:4.2.14-1 (bug #1076069) + [bookworm] - python-django (Minor issue) NOTE: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ NOTE: https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14 (4.2.14) CVE-2024-39181 (Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v3.2 was discovered ...) 
@@ -11057,6 +11064,7 @@ CVE-2024-38959 (Cross Site Scripting vulnerability in Creativeitem Academy LMS L NOT-FOR-US: Creativeitem Academy LMS Learning Management System CVE-2024-38875 (An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before 5.0 ...) - python-django 3:4.2.14-1 (bug #1076069) + [bookworm] - python-django (Minor issue; intrusive to backport) NOTE: https://www.djangoproject.com/weblog/2024/jul/09/security-releases/ NOTE: https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5 (4.2.14) CVE-2024-38301 (Dell Alienware Command Center, version 5.7.3.0 and prior, contains an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07196966b7c78e3f182827360a42e2a419f8f7fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07196966b7c78e3f182827360a42e2a419f8f7fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f23c31fd by Moritz Muehlenhoff at 2024-08-22T11:30:56+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -676,6 +676,7 @@ CVE-2024-8007 (A flaw was found in the Red Hat OpenStack Platform (RHOSP) direct NOT-FOR-US: RHOSP Director / Red Hat OpenStack Platform CVE-2024-22034 - osc 1.9.0-1 + [bookworm] - osc (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1225911 CVE-2024-43882 (In the Linux kernel, the following vulnerability has been resolved: e ...) - linux 6.10.6-1 @@ -1097,6 +1098,7 @@ CVE-2024-43399 (Mobile Security Framework (MobSF) is a pen-testing, malware anal NOT-FOR-US: Mobile Security Framework (MobSF) CVE-2024-43380 (fugit contains time tools for flor and the floraison group. The fugit ...) - ruby-fugit + [bookworm] - ruby-fugit (Minor issue) NOTE: https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g NOTE: https://github.com/floraison/fugit/issues/104 NOTE: https://github.com/floraison/fugit/commit/6a7527497c0bb9196efe503e3d9b5271128a8ee1 (v1.11.1) @@ -4900,6 +4902,7 @@ CVE-2024-37286 (APM server logs contain document body from a partially failed bu NOT-FOR-US: APM server CVE-2024-7319 (An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensi ...) - heat + [bookworm] - heat (Minor issue) [bullseye] - heat (Incomplete fix for CVE-2023-1625 not applied) NOTE: https://storyboard.openstack.org/#!/story/2011007 CVE-2024-7291 (The JetFormBuilder plugin for WordPress is vulnerable to privilege esc ...) 
@@ -12542,7 +12545,8 @@ CVE-2024-29506 (Artifex Ghostscript before 10.03.0 has a stack-based buffer over NOTE: Introduced with: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=316c3a08269212f1005709da64efcb383f8f5ce0 (ghostpdl-9.55.0rc1) NOTE: Fixed by: https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=77dc7f699beba606937b7ea23b50cf5974fa64b1 (ghostpdl-10.03.0) CVE-2023-52169 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) conta ...) - - 7zip 24.05+dfsg-1 + - 7zip 24.05+dfsg-1 (unimportant) + NOTE: Crash in CLI tool, no security impact - p7zip 16.02+transitional.1 NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/ NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ @@ -12551,6 +12555,7 @@ CVE-2023-52169 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) NOTE: depending on 7zip. Mark this version as fixed version. CVE-2023-52168 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) conta ...) - 7zip 24.05+dfsg-1 + [bookworm] - 7zip (Minor issue) - p7zip 16.02+transitional.1 NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/ NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f23c31fd39ba2a768e7912de8274c2be0a039a6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f23c31fd39ba2a768e7912de8274c2be0a039a6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
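Review bot: in both 7-Zip hunks the sibling `- p7zip 16.02+transitional.1` line is left without the annotation given to 7zip: CVE-2023-52169 marks 7zip `(unimportant)` with the note "Crash in CLI tool, no security impact" but not p7zip, and CVE-2023-52168 adds `[bookworm] - 7zip (Minor issue)` but no bookworm line for p7zip; since the same NTFS handler crash applies to both, the p7zip entries should be marked the same way (commit e8480ffa above does exactly that as a follow-up).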
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 78549882 by Moritz Muehlenhoff at 2024-08-20T15:04:20+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -939,6 +939,7 @@ CVE-2024-43378 (calamares-nixos-extensions provides Calamares branding and modul TODO: check CVE-2024-43370 (gettext.js is a GNU gettext port for node and the browser. There is a ...) - gettext.js 0.7.0-4 (bug #1078880) + [bookworm] - gettext.js (Minor issue) NOTE: https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg NOTE: Fixed by: https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c (2.0.3) CVE-2024-43369 (Ibexa RichText Field Type is a Field Type for supporting rich formatte ...) @@ -1198,6 +1199,7 @@ CVE-2024-43275 (Cross-Site Request Forgery (CSRF) vulnerability in Xyzscripts In NOT-FOR-US: Xyzscripts Insert PHP Code Snippet CVE-2024-42353 (WebOb provides objects for HTTP requests and responses. When WebOb nor ...) - python-webob (bug #1078879) + [bookworm] - python-webob (Minor issue) NOTE: https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3 NOTE: Fixed by: https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b (1.8.8) CVE-2024-25024 (IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM Cloud Pa ...) 
@@ -2299,6 +2301,7 @@ CVE-2024-7680 (A vulnerability was found in itsourcecode Tailoring Management Sy NOT-FOR-US: itsourcecode Tailoring Management System CVE-2024-5651 (A flaw was found in fence agents that rely on SSH/Telnet. This vulnera ...) - fence-agents (bug #1078970) + [bookworm] - fence-agents (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2290540 CVE-2024-5527 (Zohocorp ManageEngine ADAudit Plus versions below8110 are vulnerable t ...) NOT-FOR-US: Zohocorp ManageEngine ADAudit Plus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78549882b2fbbfbdce6959c09e09c0be748df7b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78549882b2fbbfbdce6959c09e09c0be748df7b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
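Review bot: for CVE-2024-43370 the unstable fixed version is 0.7.0-4 while the NOTE says the upstream fix is commit 6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c tagged 2.0.3, so the Debian package is fixed by a backported patch rather than by a version bump. A NOTE line saying so would stop the next reader from assuming 0.7.0-4 is still affected because it is far below 2.0.3, and it documents what a bookworm update would have to carry if "Minor issue" is ever revisited.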
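Review bot: the fence-agents entry for CVE-2024-5651 is deferred for bookworm with only the Red Hat bugzilla link (bug 2290540) as reference and no upstream fix, unlike the gettext.js and python-webob hunks in this commit, which both carry a "Fixed by:" line. A deferral with no fix pointer leaves nothing to backport later; add the upstream commit, or at least the upstream fixed version, once it is known, so the "Minor issue" annotation does not silently turn into "never fixed".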
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f0ac38f5 by Moritz Muehlenhoff at 2024-08-20T14:19:43+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -98,6 +98,7 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific - python3.13 - python3.12 - python3.11 + [bookworm] - python3.11 (Minor issue) - python3.9 NOTE: https://github.com/python/cpython/pull/123075 NOTE: https://github.com/python/cpython/issues/123067 @@ -292,6 +293,7 @@ CVE-2024-7904 (A vulnerability was found in DedeBIZ 6.3.0. It has been rated as NOT-FOR-US: DedeBIZ CVE-2024-6221 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Ac ...) - python-flask-cors + [bookworm] - python-flask-cors (Minor issue) NOTE: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d CVE-2024-43353 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) NOT-FOR-US: WordPress plugin @@ -1565,6 +1567,7 @@ CVE-2023-43489 (Improper access control for some Intel(R) CIP software before ve NOT-FOR-US: Intel CVE-2023-42667 (Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cac ...) - intel-microcode 3.20240813.1 (bug #1078742) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01038.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813 CVE-2023-40067 (Unchecked return value in firmware for some Intel(R) CSME may allow an ...) 
@@ -362328,6 +362331,7 @@ CVE-2019-18861 RESERVED CVE-2023-49288 (Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP, and ...) - squid 6.1-1 + [bookworm] - squid (Vulnerable feature got removed upstream, workaround exists) - squid3 NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5 NOTE: https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html = data/dsa-needed.txt = @@ -26,7 +26,7 @@ cinder dnsmasq Lee Garrett showed interest to prepare an update for review -- -dovecot +dovecot (jmm) Noah Meyerhans is preparing updates -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ac38f563938bf3ab77ab0bd66890625ea00b3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ac38f563938bf3ab77ab0bd66890625ea00b3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
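Review bot: in dsa-needed.txt the dovecot line becomes "dovecot (jmm)" while the comment directly below it still reads "Noah Meyerhans is preparing updates". As written the entry names two people preparing the same update; either drop the comment or reword it to say that jmm is reviewing and uploading what Noah prepares, so the work is not duplicated.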
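Review bot: the bookworm reason for CVE-2023-49288, "Vulnerable feature got removed upstream, workaround exists", does not say what the workaround is. The NOTE links the GHSA advisory and the trace-uaf audit page, but someone hardening a bookworm host should not have to read both to find the mitigation; add a NOTE line naming the configuration change. The trailing "- squid3" line has neither a version nor an annotation; if squid3 is no longer in the archive it should carry the removed marker so it does not surface as an open issue.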
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f19f99b by Moritz Muehlenhoff at 2024-08-18T13:51:52+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -,6 +,7 @@ CVE-2024-26022 (Improper access control in some Intel(R) UEFI Integrator Tools o NOT-FOR-US: Intel CVE-2024-25939 (Mirrored regions with different values in 3rd Generation Intel(R) Xeon ...) - intel-microcode 3.20240813.1 (bug #1078742) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01118.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813 CVE-2024-25576 (improper access control in firmware for some Intel(R) FPGA products be ...) @@ -1127,6 +1128,7 @@ CVE-2024-24983 (Protection mechanism failure in firmware for some Intel(R) Ether NOT-FOR-US: Intel CVE-2024-24980 (Protection mechanism failure in some 3rd, 4th, and 5th Generation Inte ...) - intel-microcode 3.20240813.1 (bug #1078742) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01100.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813 CVE-2024-24977 (Uncontrolled search path for some Intel(R) License Manager for FLEXlm ...) 
@@ -1135,6 +1137,7 @@ CVE-2024-24973 (Improper input validation for some Intel(R) Distribution for GDB NOT-FOR-US: Intel CVE-2024-24853 (Incorrect behavior order in transition between executive monitor and S ...) - intel-microcode 3.20240813.1 (bug #1078742) + [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01083.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813 CVE-2024-24580 (Improper conditions check in some Intel(R) Data Center GPU Max Series ...) @@ -1589,6 +1592,7 @@ CVE-2023-31366 (Improper input validation in AMD \u03bcProf could allow an attac NOT-FOR-US: AMD CVE-2023-31356 (Incomplete system memory cleanup in SEV firmware could allow a privile ...) - amd64-microcode + [bookworm] - amd64-microcode (Minor issue) NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html TODO: check, potentially already addressed in 3.20230823.1 as this updates AMD-SEV firmware to version 1.55 build 21 for Family 19h models 10h-1fh (asked maintainer) CVE-2023-31349 (Incorrect default permissions in the AMD \u03bcProf installation direc ...) @@ -9692,6 +9696,7 @@ CVE-2024-39697 (phonenumber is a library for parsing, formatting and validating NOT-FOR-US: Rust crate phonenumber CVE-2024-39684 (Tencent RapidJSON is vulnerable to privilege escalation due to an inte ...) - rapidjson + [bookworm] - rapidjson (Minor issue) NOTE: https://github.com/Tencent/rapidjson/issues/2289 CVE-2024-39675 (A vulnerability has been identified in RUGGEDCOM RMC30 (All versions < ...) NOT-FOR-US: Siemens 
@@ -9721,6 +9726,7 @@ CVE-2024-38867 (A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) NOT-FOR-US: Siemens CVE-2024-38517 (Tencent RapidJSON is vulnerable to privilege escalation due to an inte ...) - rapidjson + [bookworm] - rapidjson (Minor issue) NOTE: https://github.com/Tencent/rapidjson/pull/1261 CVE-2024-38363 (Airbyte is a data integration platform for ELT pipelines. Airbyte conn ...) NOT-FOR-US: Airbyte = data/dsa-needed.txt = @@ -26,6 +26,8 @@ cinder dnsmasq Lee Garrett showed interest to prepare an update for review -- +dovecot +-- frr coordination with the maintainer ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f19f99bd6191a4e9db1ad585477231ade52ca0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f19f99bd6191a4e9db1ad585477231ade52ca0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
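Review bot: the new "[bookworm] - amd64-microcode (Minor issue)" line for CVE-2023-31356 sits directly above a TODO saying the issue may already be addressed in 3.20230823.1, which updated the SEV firmware to 1.55 build 21, and that the maintainer has been asked. If that turns out to be true, the entry should record 3.20230823.1 as the fixed version rather than deferring, and the bookworm line should be dropped or replaced accordingly; keep the TODO until the maintainer answers so the deferral is not mistaken for a settled triage.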
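Review bot: the two rapidjson entries, CVE-2024-39684 and CVE-2024-38517, have identical descriptions ("vulnerable to privilege escalation due to an inte..."), no fixed version in unstable, and point at an issue (#2289) and a pull request (#1261) rather than at merged commits. Before both are parked as "Minor issue" for bookworm, a NOTE stating whether PR 1261 has been merged upstream and whether the two CVEs describe the same bug would give the deferral a concrete fix to be revisited against.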
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c2220e4c by Moritz Muehlenhoff at 2024-08-16T15:33:58+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -8965,6 +8965,7 @@ CVE-2024-6391 (The oik plugin for WordPress is vulnerable to Stored Cross-Site S NOT-FOR-US: WordPress plugin CVE-2024-6237 (A flaw was found in the 389 Directory Server. This flaw allows an unau ...) - 389-ds-base 2.4.5+dfsg1-1 + [bookworm] - 389-ds-base (Minor issue) NOTE: https://github.com/389ds/389-ds-base/issues/5989 NOTE: https://github.com/389ds/389-ds-base/commit/e8dd583685e6143f2027f97569de4cc45ba46e14 (389-ds-base-2.4.5) CVE-2024-6222 (In Docker Desktop before v4.29.0, an attacker who has gained access to ...) 
@@ -53416,22 +53417,27 @@ CVE-2024-24474 (QEMU before 8.2.0 has an integer underflow, and resultant buffer NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52 (v8.2.0-rc0) CVE-2024-23809 (A double-free vulnerability exists in the BrainVision ASCII Header Par ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1919 NOTE: https://sourceforge.net/p/biosig/code/ci/3848d1ca0e1b2a60df395ddc76a191e835a1e4de/ CVE-2024-23606 (An out-of-bounds write vulnerability exists in the sopen_FAMOS_read fu ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1925 NOTE: https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/ CVE-2024-23313 (An integer underflow vulnerability exists in the sopen_FAMOS_read func ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1922 NOTE: https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/ CVE-2024-23310 (A use-after-free vulnerability exists in the sopen_FAMOS_read function ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1923 NOTE: https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/ CVE-2024-23305 (An out-of-bounds write vulnerability exists in the BrainVisionMarker P ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1918 NOTE: https://sourceforge.net/p/biosig/code/ci/76c1369de1a9a24feed558ab8834b4410310b07b/ CVE-2024-22824 (An issue in Timo v.2.0.3 allows a remote attacker to execute arbitrary ...) 
@@ -53442,16 +53448,19 @@ CVE-2024-22245 (Arbitrary Authentication Relay and Session Hijack vulnerabilitie NOT-FOR-US: VMware CVE-2024-22097 (A double-free vulnerability exists in the BrainVision Header Parsing f ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1917 NOTE: https://sourceforge.net/p/biosig/code/ci/3848d1ca0e1b2a60df395ddc76a191e835a1e4de/ CVE-2024-22054 (A malformed discovery packet sent by a malicious actor with preexistin ...) NOT-FOR-US: UniFi CVE-2024-21812 (An integer overflow vulnerability exists in the sopen_FAMOS_read funct ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1921 NOTE: https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/ CVE-2024-21795 (A heap-based buffer overflow vulnerability exists in the .egi parsing ...) - biosig 2.6.0-1 + [bookworm] - biosig (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1920 NOTE: https://sourceforge.net/p/biosig/code/ci/71057b016be545974565fdc0f903871c345da412/ CVE-2024-21726 (Inadequate content filtering leads to XSS vulnerabilities in various c ...) = data/dsa-needed.txt = @@ -57,7 +57,7 @@ pymatgen -- python-aiohttp -- -python-asyncssh +python-asyncssh (jmm) -- python-reportlab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2220e4c36ace12896d2f9d8d72220ebb088841b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2220e4c36ace12896d2f9d8d72220ebb088841b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tra
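Review bot: the eight biosig entries in this commit (CVE-2024-23809, -23606, -23313, -23310, -23305, -22097, -21812, -21795) are all Talos-reported memory-safety bugs in the same parsers (BrainVision and sopen_FAMOS_read), all fixed in 2.6.0-1, and several share one upstream commit: e20e81564f0709323f7b99486a0a2b4594ab05f2 covers -23606, -23313, -23310 and -21812, and 3848d1ca0e1b2a60df395ddc76a191e835a1e4de covers -23809 and -22097. Marking them individually as "Minor issue" is fine, but they need to move together: if any one is later escalated, the others fixed by the same commit belong in the same bookworm update, and a single NOTE on the first entry saying the set is handled as a batch would make that explicit.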
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 195e5fce by Moritz Muehlenhoff at 2024-08-16T14:05:18+02:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -731,6 +731,7 @@ CVE-2024-20082 (In Modem, there is a possible memory corruption due to a missing NOT-FOR-US: Mediatek CVE-2024-7730 - qemu + [bookworm] - qemu (Minor issue) NOTE: https://lore.kernel.org/qemu-devel/virtio-snd-fuzz-2427-fix-v1-manos.pitsidiana...@linaro.org/ NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2427 NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3 (v9.1.0-rc0) @@ -2168,6 +2169,7 @@ CVE-2024-7317 (The Folders \u2013 Unlimited Folders to Organize Media Library Fo NOT-FOR-US: WordPress plugin CVE-2024-7246 (It's possible for a gRPC client communicating with a HTTP/2 proxy to p ...) - grpc + [bookworm] - grpc (Minor issue) NOTE: https://github.com/grpc/grpc/issues/36245 NOTE: Fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4. CVE-2024-6720 (The Light Poll WordPress plugin through 1.0.0 does not have CSRF check ...) @@ -12030,7 +12032,7 @@ CVE-2024-34142 (Adobe Experience Manager versions 6.5.20 and earlier are affecte CVE-2024-34141 (Adobe Experience Manager versions 6.5.20 and earlier are affected by a ...) NOT-FOR-US: Adobe CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - - wordpress 6.5.5+dfsg1-1 (bug #1074486) + - wordpress (Only affects Windows systems) NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/ CVE-2024-3 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) - wordpress 6.5.5+dfsg1-1 (bug #1074486) 
@@ -67518,6 +67520,7 @@ CVE-2023-43364 (main.py in Searchor before 2.4.2 uses eval on CLI input, which m NOT-FOR-US: Searchor CVE-2023-41337 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. In ...) - h2o (bug #1059413) + [bookworm] - h2o (Minor issue) NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q NOTE: Fixed by: https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab CVE-2023-38694 (Umbraco is an ASP.NET content management system (CMS). Starting in ver ...) @@ -78693,6 +78696,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource [bullseye] - grpc (Minor issue) [buster] - grpc (Minor issue) - h2o 2.2.5+dfsg2-8 (bug #1054232) + [bookworm] - h2o (Minor issue) - haproxy 1.8.13-1 - nginx 1.24.0-2 (unimportant; bug #1053770) - nghttp2 1.57.0-1 (bug #1053769) = data/dsa-needed.txt = @@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +aom (jmm) -- cacti Bastien Roucariès is proposing to work on a update and agreed on it with maintainer @@ -25,8 +27,7 @@ dnsmasq Lee Garrett showed interest to prepare an update for review -- frr - Tobias Frost (tobi) proposed to work on preparing an update, but discussion - with Debian maintainer for status on bullseye + updates + coordination with the maintainer ongoing -- ghostscript (carnil) -- 
@@ -37,10 +38,8 @@ git glance Maintainer prepared updates for review -- -h2o (jmm) --- libreswan - Waiting on feedback from maintainer, proposal to EOL Bullseye + Waiting on feedback from maintainer -- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/195e5fce977fdbd73a6e3bf716abf90f21144645 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/195e5fce977fdbd73a6e3bf716abf90f21144645 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
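Review bot: for CVE-2024-32111 the hunk replaces "- wordpress 6.5.5+dfsg1-1 (bug #1074486)" with "- wordpress (Only affects Windows systems)", dropping both the fixed version and the bug reference, so the only record of the reasoning is the reason string and the NOTE still just links the 6.5.5 release post. Add a NOTE line with the basis for "Windows only" so the downgrade can be re-checked later, and confirm the not-affected tag is present on the line. Bug #1074486 remains referenced by the neighbouring wordpress XSS entry below, so the bug itself is not orphaned.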
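Review bot: this commit removes "h2o (jmm)" from dsa-needed.txt and in the same step marks CVE-2023-41337 and CVE-2023-44487 as "Minor issue" for bookworm, so the h2o update is being dropped rather than postponed. For CVE-2023-44487 (the HTTP/2 rapid-reset denial of service) the entry records fixed versions for haproxy (1.8.13-1) and nghttp2 (1.57.0-1) and an explicit "unimportant; bug #1053770" for nginx, but nothing explaining why the same issue is minor for bookworm's h2o. A NOTE with the reasoning, as was done for nginx, would keep the decision reviewable.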
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8298ccb2 by Moritz Muehlenhoff at 2023-05-31T13:22:52+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3625,11 +3625,13 @@ CVE-2023-30848 (Pimcore is an open source data and experience management platfor NOT-FOR-US: Pimcore CVE-2023-30847 (H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the rev ...) - h2o + [bookworm] - h2o (Minor issue) + [bullseye] - h2o (Minor issue) NOTE: Fixed by: https://github.com/h2o/h2o/commit/a70af675328dda438ecd9d8a1673c1715fd93cc7 NOTE: Fixed by: https://github.com/h2o/h2o/commit/5f57d505514e937d13787b1f408837cb9197e2b2 NOTE: https://github.com/h2o/h2o/pull/3229 NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx - TODO: check, https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has done a major refactoring, but issue possibly present before + NOTE: https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has done a major refactoring, but issue possibly present before CVE-2023-30846 (typed-rest-client is a library for Node Rest and Http Clients with typ ...) NOT-FOR-US: typed-rest-client CVE-2023-30845 (ESPv2 is a service proxy that provides API management capabilities usi ...) 
@@ -24258,10 +24260,12 @@ CVE-2023-0407 CVE-2023-23920 (An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ...) {DSA-5395-1 DLA-3344-1} - nodejs (bug #1031834) + [bookworm] - nodejs (Can be fixed along with next update) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920 NOTE: https://github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1 CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ...) - nodejs (bug #1031834) + [bookworm] - nodejs (Can be fixed along with next update) [bullseye] - nodejs (X509Certificate API introduced in v15.6.0) [buster] - nodejs (X509Certificate API introduced in v15.6.0) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919 @@ -24269,6 +24273,7 @@ CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14. NOTE: https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ...) - nodejs (bug #1031834) + [bookworm] - nodejs (Can be fixed along with next update) [bullseye] - nodejs (Permissions policy introduced in v16.x) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918 
@@ -60260,8 +60265,10 @@ CVE-2022-3013 (A vulnerability classified as critical has been found in SourceCo CVE-2022-3012 (A vulnerability was found in oretnom23 Fast Food Ordering System. It h ...) NOT-FOR-US: oretnom23 Fast Food Ordering System CVE-2022-38065 (A privilege escalation vulnerability exists in the oslo.privsep functi ...) - - python-oslo.privsep (bug #1033114) + - python-oslo.privsep (unimportant; bug #1033114) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1599 + NOTE: Deemed as additional hardening, but not a security issue by upstream: + NOTE: https://bugs.launchpad.net/oslo.privsep/+bug/1989008 CVE-2022-3011 RESERVED CVE-2022-38785 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8298ccb2dda0991737330b48bb3912c52d4b5952 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8298ccb2dda0991737330b48bb3912c52d4b5952 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
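Review bot: for CVE-2023-30847 the TODO is turned into a NOTE but keeps the wording "issue possibly present before" the f2d9056ba5004000755a5a7adccd27d0d79d83da refactoring, while the same hunk adds "Minor issue" for bookworm and bullseye, which asserts that both are affected. Record the outcome of the check instead: if the pre-refactoring code is affected, say since when and drop "possibly"; if it is not, the right annotation for those releases is not-affected rather than a deferral.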
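Review bot: CVE-2022-38065 is downgraded to unimportant with a NOTE that upstream treats it as hardening (launchpad bug 1989008), but the entry still references Debian bug #1033114. Make sure that bug is retitled or closed to match, since an unimportant entry with an open security bug invites re-triage; and because TALOS-2022-1599 describes it as a privilege escalation, quoting upstream's reasoning in the NOTE rather than only linking it would save the next reader the trip.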
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0c8307b7 by Moritz Muehlenhoff at 2023-05-30T15:52:13+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4212,6 +4212,7 @@ CVE-2023-30609 (matrix-react-sdk is a react-based SDK for inserting a Matrix cha CVE-2023-30608 (sqlparse is a non-validating SQL parser module for Python. In affected ...) {DLA-3425-1} - sqlparse (bug #1034615) + [bookworm] - sqlparse (Minor issue) [bullseye] - sqlparse (Minor issue) NOTE: https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2 NOTE: Introduced by: https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a (0.1.15) @@ -7426,6 +7427,7 @@ CVE-2023-29400 (Templates containing actions in unquoted HTML attributes (e.g. " - golang-1.20 1.20.4-1 [experimental] - golang-1.19 1.19.9-1 - golang-1.19 + [bullseye] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU @@ -9184,6 +9186,7 @@ CVE-2023-28883 (In Cerebrate 1.13, a blind SQL injection exists in the searchAll NOT-FOR-US: Cerebrate CVE-2023-28882 (Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial ...) - modsecurity 3.0.9-1 (bug #1035083) + [bookworm] - modsecurity (Minor issue) [bullseye] - modsecurity (Vulnerable code not present) [buster] - modsecurity (Vulnerable code not present) NOTE: https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/ @@ -11041,6 +11044,7 @@ CVE-2023-28372 RESERVED CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that are typic ...) - stellarium (bug #1034183) + [bookworm] - stellarium (Minor issue) [bullseye] - stellarium (Minor issue) [buster] - stellarium (Minor issue) NOTE: https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7 
@@ -11805,6 +11809,7 @@ CVE-2023-28155 (The Request package through 2.88.1 for Node.js allows a bypass o NOTE: https://github.com/request/request/issues/3442 CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object access. Impo ...) - node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904) + [bookworm] - node-webpack (Minor issue) [bullseye] - node-webpack 4.43.0-6+deb11u1 [buster] - node-webpack (Minor issue) NOTE: https://github.com/webpack/webpack/pull/16500 @@ -22328,6 +22333,7 @@ CVE-2023-24540 (Not all valid JavaScript whitespace characters are considered to - golang-1.20 1.20.4-1 [experimental] - golang-1.19 1.19.9-1 - golang-1.19 + [bullseye] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU @@ -22338,6 +22344,7 @@ CVE-2023-24539 (Angle brackets (<>) are not considered dangerous characters when - golang-1.20 1.20.4-1 [experimental] - golang-1.19 1.19.9-1 - golang-1.19 + [bullseye] - golang-1.19 (Minor issue) - golang-1.15 - golang-1.11 NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c8307b7263b8114a9c9f4b6b0e02106fcbcf3fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c8307b7263b8114a9c9f4b6b0e02106fcbcf3fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
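Review bot: the three golang hunks (CVE-2023-29400, CVE-2023-24540, CVE-2023-24539) add "[bullseye] - golang-1.19 (Minor issue)" in a commit titled bookworm triage. golang-1.19 is the Go that bookworm ships, and the same entries already list golang-1.15 and golang-1.11 separately as the older packages, so either [bookworm] was intended or the bullseye annotation belongs on golang-1.15; please check which before these lines land.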
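Review bot: for CVE-2023-28154 bullseye already carries a stable-update fix (4.43.0-6+deb11u1) while bookworm is now parked as "Minor issue", as is buster. Since the bullseye fix went through a point release, the same route is open for bookworm; if the issue was worth a +deb11u1 upload it deserves a +deb12u1 as well, or the entry should say why webpack 5 in bookworm differs (the NOTE points at upstream PR 16500, which is what would be backported).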
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88e0c08f by Moritz Mühlenhoff at 2023-05-28T17:03:04+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10066,6 +10066,7 @@ CVE-2023-2491 (A flaw was found in the Emacs text editor. Processing a specially CVE-2023-28617 (org-babel-execute:latex in ob-latex.el in Org Mode through 9.6.1 for G ...) {DLA-3416-1} - org-mode (bug #1033341) + [bookworm] - org-mode (Minor issue) [bullseye] - org-mode (Minor issue) [buster] - org-mode (Minor issue) - emacs 1:28.2+1-14 (bug #1033342) @@ -10664,6 +10665,8 @@ CVE-2023-28440 (Discourse is an open source platform for community discussion. I NOT-FOR-US: Discourse CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor (bug #1034481) + [bookworm] - ckeditor (Minor issue) + [bullseye] - ckeditor (Minor issue) - ckeditor3 [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) @@ -12435,6 +12438,7 @@ CVE-2023-27985 (emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerabl NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204 CVE-2023- [RUSTSEC-2023-0018] - rust-remove-dir-all + [bookworm] - rust-remove-dir-all (Minor issue) [bullseye] - rust-remove-dir-all (Minor issue) [buster] - rust-remove-dir-all (Minor issue, no in-place fix: old API deprecated + new API introduced) NOTE: https://github.com/advisories/GHSA-mc8h-8q98-g5hr @@ -48642,6 +48646,7 @@ CVE-2022-3561 (Cross-site Scripting (XSS) - Generic in GitHub repository librenm NOT-FOR-US: LibreNMS CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a systemd serv ...) - pesign (bug #1030168) + [bookworm] - pesign (Minor issue) [bullseye] - pesign (Minor issue) [buster] - pesign (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/31/6 
@@ -229445,6 +229450,7 @@ CVE-2020-12755 (fishProtocol::establishConnection in fish/fish.cpp in KDE kio-ex NOTE: https://github.com/KDE/kio-extras/commit/d813cef3cecdec9af1532a40d677a203ff979145 CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 5.6.11 when u ...) - linux + [bookworm] - linux (Minor issue, revisit when fixed upstream) [bullseye] - linux (Minor issue, revisit when fixed upstream) [buster] - linux (Minor issue, revisit when fixed upstream) NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/ @@ -459947,6 +459953,7 @@ CVE-2015-7812 (The hypercall_create_continuation function in arch/arm/domain.c i NOTE: http://xenbits.xen.org/xsa/advisory-145.html CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux kernel throu ...) - linux (bug #1000886) + [bookworm] - linux (Minor issue, requires invasive changes) [bullseye] - linux (Minor issue, requires invasive changes) [buster] - linux (Minor issue, requires invasive changes) [stretch] - linux (Minor issue, requires invasive changes) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88e0c08f4b3eb0867e41894f12bd3d1fbaf3e866 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88e0c08f4b3eb0867e41894f12bd3d1fbaf3e866 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
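Review bot: for CVE-2023-28617 the new [bookworm] line is added for org-mode only, while the same entry lists emacs as fixed at 1:28.2+1-14 (bug #1033342) because Emacs bundles Org. Confirm that bookworm ships emacs at or above 1:28.2+1-14; if it does not, emacs needs its own [bookworm] annotation, otherwise the entry shows the same code deferred in one package and fixed in the other.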
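Review bot: for the RUSTSEC-2023-0018 entry (CVE id still pending) the buster reason explains why there is no backport ("no in-place fix: old API deprecated + new API introduced"), while the new bookworm line and the existing bullseye line only say "Minor issue". If the same API constraint applies to bookworm and bullseye, carry that wording into their reasons too, since it is the actual reason a fix is unlikely and will save re-examining the crate when the CVE id is assigned.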
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c672b3cb by Moritz Mühlenhoff at 2023-05-28T10:54:51+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -336,6 +336,7 @@ CVE-2023-32697 (SQLite JDBC is a library for accessing and creating SQLite datab NOTE: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 CVE-2023-32685 [Clipboard based cross-site scripting (blocked with default CSP)] - kanboard + [bookworm] - kanboard (Minor issue) NOTE: https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv CVE-2023-32681 (Requests is a HTTP library. Since Requests 2.3.0, Requests has been le ...) - requests (bug #1036693) 
@@ -951,148 +952,173 @@ CVE-2023-31842 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to S NOT-FOR-US: Sourcecodester Faculty Evaluation System CVE-2023-31631 (An issue in the sqlo_preds_contradiction component of openlink virtuos ...) - virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1137 NOTE: https://github.com/openlink/virtuoso-opensource/commit/c77cd981a82a7f6385b174eb818057b2f19d8c09 CVE-2023-31630 (An issue in the sqlo_query_spec component of openlink virtuoso-opensou ...) - virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1138 NOTE: https://github.com/openlink/virtuoso-opensource/commit/f9244141ce68dc4a3314fd4a0cd5bb3bdd6ab830 CVE-2023-31629 (An issue in the sqlo_union_scope component of openlink virtuoso-openso ...) - virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1139 NOTE: https://github.com/openlink/virtuoso-opensource/commit/9553f94992f0a33f7eb7e87e74f0f78998ba5bec CVE-2023-31628 (An issue in the stricmp component of openlink virtuoso-opensource v7.2 ...) 
- virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1141 NOTE: https://github.com/openlink/virtuoso-opensource/commit/2ed10333e6e973c2b3e1e60ba854ef0dd12afe07 CVE-2023-31627 (An issue in the strhash component of openlink virtuoso-opensource v7.2 ...) - virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1140 NOTE: https://github.com/openlink/virtuoso-opensource/commit/ce61d6f568568b771d7e857408e3246d31135494 CVE-2023-31626 (An issue in the gpf_notice component of openlink virtuoso-opensource v ...) - virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1129 NOTE: https://github.com/openlink/virtuoso-opensource/commit/4ad97c5a81067e3bdabe849f42f089edc9880131 CVE-2023-31625 (An issue in the psiginfo component of openlink virtuoso-opensource v7. ...) - virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1132 NOTE: https://github.com/openlink/virtuoso-opensource/commit/2ed10333e6e973c2b3e1e60ba854ef0dd12afe07 CVE-2023-31624 (An issue in the sinv_check_exp component of openlink virtuoso-opensour ...) 
- virtuoso-opensource (bug #1036467) + [bookworm] - virtuoso-opensource (Minor issue) [bullseye] - virtuoso-opensource (Minor issue) [buster] - virtuoso-opensource (Minor issue) NOTE: https://github.com/openlink/virtuoso-opensource/issues/1134 NOTE: https://github.com/openlink/virtuoso-opensource/commit/311097fb1f23d0a1dd7dcdd2afecf6fe14665526 CVE-2023-3162
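Review bot: CVE-2023-31628 (stricmp) and CVE-2023-31625 (psiginfo) in the virtuoso-opensource block both cite https://github.com/openlink/virtuoso-opensource/commit/2ed10333e6e973c2b3e1e60ba854ef0dd12afe07 as the fix, while every other entry in the block points at a distinct commit. If one upstream commit really closes both issues (#1141 and #1132), a short NOTE saying so would spare the next triager a lookup; if it is a copy-paste slip, the psiginfo entry needs its own fix reference before the "Minor issue" annotations are relied on for a point-release update.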
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a4ad4547 by Moritz Mühlenhoff at 2023-05-24T17:22:06+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3071,6 +3071,8 @@ CVE-2023-2158 (Code Dx versions prior to 2023.4.2 are vulnerable to user imperso CVE-2023-2157 RESERVED - imagemagick (bug #1036476) + [bookworm] - imagemagick (Minor issue) + [bullseye] - imagemagick (Minor issue) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/9a9896fce95d09e5e47b86baccbe1ce1a2fca76b (7.1.1-7) NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick6/commit/7e4c992f148afc5b28111e540921d5b6e4e38673 (6.9.12-85) CVE-2023-2156 (A flaw was found in the networking subsystem of the Linux kernel withi ...) @@ -7709,6 +7711,7 @@ CVE-2023-1787 (An issue has been discovered in GitLab affecting all versions sta - gitlab CVE-2023-1786 (Sensitive data could be exposed in logs of cloud-init before version 2 ...) - cloud-init (bug #1035023) + [bookworm] - cloud-init (Minor issue) [bullseye] - cloud-init (Minor issue) [buster] - cloud-init (Minor issue) NOTE: https://bugs.launchpad.net/cloud-init/+bug/2013967 @@ -11195,6 +11198,7 @@ CVE-2023-1371 (The W4 Post List WordPress plugin before 2.4.6 does not ensure th CVE-2023-1370 ([Json-smart](https://netplex.github.io/json-smart/) is a performance f ...) {DLA-3373-1} - json-smart (bug #1033474) + [bookworm] - json-smart (Minor issue) [bullseye] - json-smart (Minor issue) NOTE: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/ NOTE: https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a (2.4.9) 
@@ -20268,6 +20272,7 @@ CVE-2023-0646 (A vulnerability classified as critical was found in dst-admin 1.5 NOT-FOR-US: dst-admin CVE-2023-0645 (An out of bounds read exists in libjxl. An attacker using a specifical ...) - jpeg-xl (bug #1034722) + [bookworm] - jpeg-xl (Minor issue) NOTE: https://github.com/libjxl/libjxl/commit/a7c8428b61299f3b055cbbdbba3fbcd8cb38d084 NOTE: https://github.com/libjxl/libjxl/issues/2100 NOTE: https://github.com/libjxl/libjxl/pull/2101 @@ -55894,6 +55899,7 @@ CVE-2022-40153 REJECTED CVE-2022-40152 (Those using Woodstox to parse XML data may be vulnerable to Denial of ...) - libwoodstox-java (bug #1032089) + [bookworm] - libwoodstox-java (Minor issue) [bullseye] - libwoodstox-java (Minor issue) [buster] - libwoodstox-java (Minor issue) NOTE: https://github.com/x-stream/xstream/issues/304 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4ad4547817109b99be975fea0f8b5e58ca10c7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4ad4547817109b99be975fea0f8b5e58ca10c7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
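Review bot: the libwoodstox-java entry for CVE-2022-40152 receives [bookworm], [bullseye] and [buster] (Minor issue) lines, but the only NOTE in the hunk points at the XStream issue (https://github.com/x-stream/xstream/issues/304) rather than at a Woodstox issue or fix commit. With all three suites now no-dsa, a reference to the Woodstox-side fix (or a NOTE that upstream has none) would document what a later update should backport.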
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d541685 by Moritz Mühlenhoff at 2023-05-24T10:01:38+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11265,6 +11265,7 @@ CVE-2023-28145 RESERVED CVE-2023-28144 (KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default configura ...) - hotspot (bug #1033848) + [bookworm] - hotspot (Minor issue) [bullseye] - hotspot (Minor issue) [buster] - hotspot (Vulnerable code not present, introduced in 1.3.0) NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8 @@ -16873,12 +16874,18 @@ CVE-2023-26119 (Versions of the package net.sourceforge.htmlunit:htmlunit from 0 NOT-FOR-US: net.sourceforge.htmlunit:htmlunit CVE-2023-26118 (Versions of the package angular from 1.4.9 are vulnerable to Regular E ...) - angular.js + [bookworm] - angular.js (Minor issue) + [bullseye] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046 CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to Regular E ...) - angular.js + [bookworm] - angular.js (Minor issue) + [bullseye] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045 CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to Regular ...) - angular.js + [bookworm] - angular.js (Minor issue) + [bullseye] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044 CVE-2023-26115 RESERVED @@ -96085,6 +96092,7 @@ CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pol NOT-FOR-US: Node querymen CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...) - angular.js + [bookworm] - angular.js (Minor issue) [bullseye] - angular.js (Minor issue) [buster] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781 
@@ -96143,6 +96151,7 @@ CVE-2022-25845 (The package com.alibaba:fastjson before 1.2.83 are vulnerable to NOT-FOR-US: com.alibaba:fastjson CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular Expression D ...) - angular.js (bug #1014779) + [bookworm] - angular.js (Minor issue) [bullseye] - angular.js (Minor issue) [buster] - angular.js (Minor issue, probably even not-affected) [stretch] - angular.js (Nodejs in stretch not covered by security support) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d541685df2f3b1eef3eba14b974ba6ba57225b0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d541685df2f3b1eef3eba14b974ba6ba57225b0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
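Review bot: CVE-2023-26118, CVE-2023-26117 and CVE-2023-26116 get [bookworm] and [bullseye] (Minor issue) lines but no [buster] line, whereas CVE-2022-25869 and CVE-2022-25844 in the same commit carry one. The descriptions say the ReDoS affects angular from 1.4.9, 1.0.0 and 1.2.21 respectively, which puts buster's angular.js in range, so either add "[buster] - angular.js (Minor issue)" to the three entries or leave a NOTE on why buster is treated differently.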
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 54f50b7a by Moritz Mühlenhoff at 2023-05-23T22:16:30+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1425,6 +1425,7 @@ CVE-2023-2426 (Use of Out-of-range Pointer Offset in GitHub repository vim/vim p NOTE: https://github.com/vim/vim/commit/caf642c25de526229264cab9425e7c9979f3509b (v9.0.1499) CVE-2023-31485 (GitLab::API::v4 through 0.26 does not verify TLS certificates when con ...) - libgitlab-api-v4-perl (bug #954051) + [bookworm] - libgitlab-api-v4-perl (Minor issue) [bullseye] - libgitlab-api-v4-perl (Minor issue) [buster] - libgitlab-api-v4-perl (Minor issue) NOTE: https://github.com/bluefeet/GitLab-API-v4/pull/57 @@ -19749,6 +19750,7 @@ CVE-2015-10073 (A vulnerability, which was classified as problematic, was found NOT-FOR-US: WikiSEO CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to ...) - harfbuzz (bug #1030612) + [bookworm] - harfbuzz (Minor issue) [bullseye] - harfbuzz (Minor issue) [buster] - harfbuzz (Minor issue) NOTE: Original fix: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc @@ -88860,6 +88862,7 @@ CVE-2022-28368 (Dompdf 1.2.1 allows remote code execution via a .php file in the NOTE: https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e (v0.8.0) CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE ...) - libowasp-antisamy-java (bug #1010154) + [bookworm] - libowasp-antisamy-java (Minor issue) [bullseye] - libowasp-antisamy-java (Minor issue) [buster] - libowasp-antisamy-java (Minor issue) [stretch] - libowasp-antisamy-java (Minor issue) 
@@ -88868,6 +88871,7 @@ CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on NOTE: https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0 (v1.6.7) CVE-2022-28366 (Certain Neko-related HTML parsers allow a denial of service via crafte ...) - libowasp-antisamy-java (bug #1010154) + [bookworm] - libowasp-antisamy-java (Minor issue) [bullseye] - libowasp-antisamy-java (Minor issue) [buster] - libowasp-antisamy-java (Minor issue) [stretch] - libowasp-antisamy-java (Minor issue) @@ -148133,6 +148137,7 @@ CVE-2021-32851 (Mind-elixir is a free, open source mind map core. Prior to versi NOT-FOR-US: Mind-elixir CVE-2021-32850 (jQuery MiniColors is a color picker built on jQuery. Prior to version ...) - jquery-minicolors (bug #1031791) + [bookworm] - jquery-minicolors (Minor issue) [bullseye] - jquery-minicolors (Minor issue) [buster] - jquery-minicolors (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/ @@ -151122,6 +151127,7 @@ CVE-2021-31812 (In Apache PDFBox, a carefully crafted PDF file can trigger an in [bullseye] - libpdfbox2-java (Minor issue) [buster] - libpdfbox2-java (Minor issue) - libpdfbox-java (bug #991527) + [bookworm] - libpdfbox-java (Minor issue) [bullseye] - libpdfbox-java (Minor issue) [buster] - libpdfbox-java (Minor issue) [stretch] - libpdfbox-java (Minor issue) 
@@ -151132,6 +151138,7 @@ CVE-2021-31811 (In Apache PDFBox, a carefully crafted PDF file can trigger an Ou [bullseye] - libpdfbox2-java (Minor issue) [buster] - libpdfbox2-java (Minor issue) - libpdfbox-java (bug #991527) + [bookworm] - libpdfbox-java (Minor issue) [bullseye] - libpdfbox-java (Minor issue) [buster] - libpdfbox-java (Minor issue) [stretch] - libpdfbox-java (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54f50b7af0ec660fcb46d813e438a63f3b27add8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54f50b7af0ec660fcb46d813e438a63f3b27add8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
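Review bot: in the CVE-2021-31812 and CVE-2021-31811 hunks only libpdfbox-java gets a "[bookworm] - libpdfbox-java (Minor issue)" line, while libpdfbox2-java, which carries [bullseye] and [buster] (Minor issue) annotations in the same entries, gets no bookworm annotation. If libpdfbox2-java is still unfixed in bookworm it needs the matching line; if it is fixed there, a NOTE stating the fixed version would make the asymmetry deliberate rather than an oversight.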
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fd31e5c by Moritz Mühlenhoff at 2023-05-23T21:11:20+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -916,6 +916,7 @@ CVE-2023-2641 (A vulnerability was found in SourceCodester Online Internship Man NOT-FOR-US: SourceCodester Online Internship Management System CVE-2023-32076 (in-toto is a framework to protect supply chain integrity. The in-toto ...) - in-toto (bug #1035934) + [bookworm] - in-toto (Minor issue) [bullseye] - in-toto (Minor issue) NOTE: https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf NOTE: https://github.com/in-toto/in-toto/commit/f88138c90861953c77a1384ea2fcc58126e6fe59 (v2.0.0) @@ -5983,6 +5984,7 @@ CVE-2023-29660 RESERVED CVE-2023-29659 (A Segmentation fault caused by a floating point exception exists in li ...) - libheif (bug #1035607) + [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Minor issue) NOTE: https://github.com/strukturag/libheif/issues/794 @@ -9968,6 +9970,7 @@ CVE-2023-1437 RESERVED CVE-2023-1436 (An infinite recursion is triggered in Jettison when constructing a JSO ...) - libjettison-java (bug #1033846) + [bookworm] - libjettison-java (Minor issue) [bullseye] - libjettison-java (Minor issue) [buster] - libjettison-java (Minor issue, DoS) NOTE: https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/ 
@@ -10180,6 +10183,7 @@ CVE-2023-28429 (Pimcore is an open source data and experience management platfor NOT-FOR-US: Pimcore CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In versions 1. ...) - ippsample (bug #1034155) + [bookworm] - ippsample (Minor issue) NOTE: https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31 (v1.1.1) NOTE: https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for Jav ...) @@ -14347,12 +14351,14 @@ CVE-2023-27104 RESERVED CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflow via ...) - libde265 (bug #1033257) + [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/394 NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...) - libde265 (bug #1033257) + [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/393 @@ -16806,6 +16812,8 @@ CVE-2023-26126 (All versions of the package m.static are vulnerable to Directory NOT-FOR-US: m.static CVE-2023-26125 (Versions of the package github.com/gin-gonic/gin before 1.9.0 are vuln ...) - golang-github-gin-gonic-gin (bug #1035498) + [bookworm] - golang-github-gin-gonic-gin (Minor issue) + [bullseye] - golang-github-gin-gonic-gin (Minor issue) NOTE: https://github.com/gin-gonic/gin/pull/3500 NOTE: https://github.com/gin-gonic/gin/pull/3503 NOTE: https://github.com/gin-gonic/gin/commit/81ac7d55a09e34013225db0aeac6e70c1ae68928 (v1.9.0) 
@@ -21921,6 +21929,8 @@ CVE-2023-0476 (A LDAP injection vulnerability exists in Tenable.sc due to improp NOT-FOR-US: Tenable CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompressi ...) - golang-github-hashicorp-go-getter (bug #1032100) + [bookworm] - golang-github-hashicorp-go-getter (Minor issue) + [bullseye] - golang-github-hashicorp-go-getter (Minor issue) [buster] - golang-github-hashicorp-go-getter (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 109.0.5414.119 a ...) @@ -26294,10 +26304,9 @@ CVE-2023-0198 (NVIDIA GPU Display Driver for Linux contains a vulnerability in t CVE-2023-0197 (NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manag ...) NOT-FOR-US: NVIDIA vGPU software CVE-2023-0196 (NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a local use ...) - - nvidia-cuda-toolkit (bug #1032668) - [bullseye] - nvidia-cuda-toolkit (Non-f
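Review bot: CVE-2023-27102 in the libde265 hunk is annotated no-dsa for bookworm, bullseye and buster but its only NOTE is the upstream issue (https://github.com/strukturag/libde265/issues/393); the sibling entry CVE-2023-27103 records both the issue and the fix commit. Adding the fix reference for CVE-2023-27102 once it is known keeps the entry usable when a point-release update for libde265 is prepared.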
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e7e8196 by Moritz Mühlenhoff at 2023-05-23T15:37:10+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2023-31708 (A Cross-Site Request Forgery (CSRF) in EyouCMS v1.6.2 allows att CVE-2023-31670 (An issue in wasm2c 1.0.32, wasm2wat 1.0.32, wasm-decompile 1.0.32, and ...) - wabt (unimportant) NOTE: https://github.com/WebAssembly/wabt/issues/2199 - NOTE: Crash in CLI, no security impact + NOTE: Crash in CLI tool, no security impact CVE-2023-31664 (A reflected cross-site scripting (XSS) vulnerability in /authenticatio ...) NOT-FOR-US: WSO2 CVE-2023-2845 (Improper Access Control in GitHub repository cloudexplorer-dev/cloudex ...) @@ -652,7 +652,6 @@ CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in Semgre CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw ouccers due t ...) [experimental] - libvirt 9.3.0-1 - libvirt (bug #1036297) - [bookworm] - libvirt (Minor issue) [bullseye] - libvirt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653 NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585 (v9.3.0) @@ -10144,6 +10143,8 @@ CVE-2023-28440 (Discourse is an open source platform for community discussion. I CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor (bug #1034481) - ckeditor3 + [bookworm] - ckeditor3 (Minor issue) + [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g NOTE: https://github.com/ckeditor/ckeditor4/commit/b85af23f020a61397c6c0024aef73f2c7f62bfef (4.21.0) 
@@ -96220,6 +96221,8 @@ CVE-2022-24066 (The package simple-git before 3.5.0 are vulnerable to Command In NOT-FOR-US: simple-git CVE-2022-24065 (The package cookiecutter before 2.1.1 are vulnerable to Command Inject ...) - cookiecutter (bug #1013279) + [bookworm] - cookiecutter (Minor issue) + [bullseye] - cookiecutter (Minor issue) [buster] - cookiecutter (Minor issue) [stretch] - cookiecutter (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281 @@ -99674,6 +99677,7 @@ CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) + [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) [stretch] - ckeditor3 (EOL'd for stretch) @@ -99683,6 +99687,7 @@ CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) + [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) [stretch] - ckeditor3 (EOL'd for stretch) @@ -127231,6 +127236,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver [buster] - ckeditor (Minor issue) [stretch] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) + [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) [stretch] - ckeditor3 (EOL'd for stretch) @@ -136268,6 +136274,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG HTML editor with rich content [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) + [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) [stretch] - ckeditor3 (EOL'd for stretch) 
@@ -145501,6 +145508,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) vulnerability in the HTML Data Proc - ckeditor 4.16.0+dfsg-2 [buster] - ckeditor (Minor issue) - ckeditor3 (bug #1015217) + [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) [stretch] - ckeditor3 (EOL'd for stretch) @@ -165322,6 +165330,7 @@ CVE-2021-26271 (It was possible to execute a ReDoS-type attack inside CKEditor 4 [buster] - ckeditor (Minor issue) [stretch] - ckeditor (Fix along next DLA) - ckeditor3 (bug
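Review bot: the hunk at @@ -652,7 +652,6 @@ drops the "[bookworm] - libvirt (Minor issue)" line for CVE-2023-2700 that commit 37c9243b added earlier the same day, but records no reason (fix expected via unstable before release, or annotation judged wrong). A one-line NOTE would keep the bookworm triage state of the entry reconstructible from the file alone instead of from git history.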
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 37c9243b by Moritz Mühlenhoff at 2023-05-23T12:30:03+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -652,6 +652,7 @@ CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in Semgre CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw ouccers due t ...) [experimental] - libvirt 9.3.0-1 - libvirt (bug #1036297) + [bookworm] - libvirt (Minor issue) [bullseye] - libvirt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653 NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585 (v9.3.0) @@ -1393,6 +1394,7 @@ CVE-2023-31485 (GitLab::API::v4 through 0.26 does not verify TLS certificates wh NOTE: https://github.com/bluefeet/GitLab-API-v4/pull/57 CVE-2023-31484 (CPAN.pm before 2.35 does not verify TLS certificates when downloading ...) - perl (bug #1035109) + [bookworm] - perl (Minor issue) [bullseye] - perl (Minor issue) [buster] - perl (Minor issue) NOTE: https://github.com/andk/cpanpm/pull/175 @@ -3530,6 +3532,7 @@ CVE-2023-30631 RESERVED CVE-2023-30630 (Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This ...) - dmidecode (bug #1034483) + [bookworm] - dmidecode (Minor issue) [bullseye] - dmidecode (Minor issue) [buster] - dmidecode (Minor issue) NOTE: https://github.com/adamreiser/dmiwrite @@ -8638,6 +8641,7 @@ CVE-2023-28859 (redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection NOTE: https://github.com/redis/redis-py/pull/2641 CVE-2023-28858 (redis-py before 4.5.3 leaves a connection open after canceling an asyn ...) - python-redis (bug #1033754) + [bookworm] - python-redis (Minor issue) [bullseye] - python-redis (Vulnerable code not present) [buster] - python-redis (Vulnerable code introduced later) NOTE: https://github.com/redis/redis-py/issues/2624 
@@ -9772,6 +9776,7 @@ CVE-2023-28532 RESERVED CVE-2023-28531 (ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without ...) - openssh (bug #1033166) + [bookworm] - openssh (Minor issue) [bullseye] - openssh (Vulnerable code introduced later; per-hop desination constraints support added in OpenSSH 8.9) [buster] - openssh (Vulnerable code introduced later; per-hop desination constraints support added in OpenSSH 8.9) CVE-2023-28530 @@ -12771,6 +12776,7 @@ CVE-2022-48364 (The undo_mark_statuses_as_sensitive method in app/services/appro - mastodon (bug #859741) CVE-2023-27635 (debmany in debian-goodies 0.88.1 allows attackers to execute arbitrary ...) - debian-goodies (bug #1031267) + [bookworm] - debian-goodies (Minor issue; user prompted before execution) [bullseye] - debian-goodies (Minor issue; user prompted before execution) [buster] - debian-goodies (Minor issue; user prompted before execution) CVE-2023-1181 (Cross-site Scripting (XSS) - Stored in GitHub repository icret/easyima ...) 
@@ -18912,25 +18918,30 @@ CVE-2023-25516 CVE-2023-25515 RESERVED CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...) - - nvidia-cuda-toolkit (bug #1034793; bug #1034799) + - nvidia-cuda-toolkit (unimportant; bug #1034793; bug #1034799) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456 + NOTE: Crash in CLI tool, no security impact CVE-2023-25513 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...) - - nvidia-cuda-toolkit (bug #1034799) + - nvidia-cuda-toolkit (unimportant; bug #1034799) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456 + NOTE: Crash in CLI tool, no security impact CVE-2023-25512 (NVIDIA CUDA toolkit for Linux and Windows contains a vulnerability in ...) - - nvidia-cuda-toolkit (bug #1034799) + - nvidia-cuda-toolkit (unimportant; bug #1034799) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456 + NOTE: Crash in CLI tool, no security impact CVE-2023-25511 (NVIDIA CUDA Toolkit for Linux and Windows contains a vulnerability in ...) - - nvidia-cuda-toolkit (bug #1034793; bug #1034799) + - nvidia-cuda-toolkit (unimportant; bug #1034793; bug #1034799) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456 +
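Review bot: the CVE-2023-28531 openssh hunk adds a [bookworm] line next to [bullseye] and [buster] annotations that both read "per-hop desination constraints"; since the entry is being edited anyway, correct the typo to "destination" in the same commit so the tracker text matches the OpenSSH 8.9 feature name it refers to.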
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 20fade1e by Moritz Muehlenhoff at 2023-04-29T12:55:45+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7670,6 +7670,7 @@ CVE-2023-1545 (SQL Injection in GitHub repository nilsteampassnet/teampass prior - teampass (bug #730180) CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu (bug #1034179) + [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html @@ -15172,6 +15173,8 @@ CVE-2023-26113 (Versions of the package collection.js before 6.8.1 are vulnerabl NOT-FOR-US: collection.js CVE-2023-26112 (All versions of the package configobj are vulnerable to Regular Expres ...) - configobj (bug #1034152) + [bookworm] - configobj (Minor issue) + [bullseye] - configobj (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494 NOTE: https://github.com/DiffSK/configobj/issues/232 CVE-2023-26111 (All versions of the package @nubosoftware/node-static; all versions of ...) @@ -289388,6 +289391,7 @@ CVE-2019-10181 (It was found that in icedtea-web up to and including 1.7.2 and 1 NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e (1.8) CVE-2019-10180 (A vulnerability was found in all pki-core 10.x.x version, where the To ...) - dogtag-pki (bug #1014855) + [bookworm] - dogtag-pki (Minor issue) [bullseye] - dogtag-pki (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721137 CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where the K ...) 
@@ -289397,6 +289401,7 @@ CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where NOTE: https://github.com/dogtagpki/pki/commit/a93a65be0b1bcf94e004ba59c6a0c8a2c086936f (v10.9.0) CVE-2019-10178 (It was found that the Token Processing Service (TPS) did not properly ...) - dogtag-pki (bug #1014856) + [bookworm] - dogtag-pki (Minor issue) [bullseye] - dogtag-pki (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1719042 CVE-2019-10177 (A stored cross-site scripting (XSS) vulnerability was found in the PDF ...) @@ -391342,6 +391347,7 @@ CVE-2017-148 (the web framework using ljharb's qs module older than v6.3.2, NOT-FOR-US: ljharb CVE-2017-147 (rbenv (all current versions) is vulnerable to Directory Traversal in t ...) - rbenv (bug #869702) + [bookworm] - rbenv (Minor issue) [bullseye] - rbenv (Minor issue) [buster] - rbenv (Minor issue) [stretch] - rbenv (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20fade1e6f5d2c99111cf4c45dce171cfe9ea197 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20fade1e6f5d2c99111cf4c45dce171cfe9ea197 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
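Review bot: CVE-2017-147 (rbenv) is now "Minor issue" for bookworm, bullseye, buster and stretch, yet within the hunk context the entry carries no NOTE beyond bug #869702. For a directory traversal open since 2017 and now no-dsa in four suites, a NOTE recording whether upstream has fixed it (and in which version) would let a later update be prepared without re-researching it; if such a NOTE exists below the shown context, ignore this.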
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c04442c by Moritz Muehlenhoff at 2023-04-10T19:53:01+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5852,6 +5852,7 @@ CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privil - doas [bullseye] - doas (Minor issue) - opendoas (bug #1034185) + [bookworm] - opendoas (Minor issue, will be addressed via kernel change which isn't in 6.1 yet) NOTE: https://github.com/Duncaen/OpenDoas/issues/106 NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/4 NOTE: Restricting ioctl on the kernel side seems the better approach, patches have been @@ -66389,7 +66390,6 @@ CVE-2022-2211 (A vulnerability was found in libguestfs. This issue occurs while [bullseye] - libguestfs (Minor issue) [buster] - libguestfs (Minor issue) - guestfs-tools 1.48.3-4 (bug #1014764) - [bookworm] - guestfs-tools (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 NOTE: In 1:1.46.2-1 of src:libguestfs the tools were split out to src:guestfs-tools, marking that as fixed version NOTE: https://listman.redhat.com/archives/libguestfs/2022-June/029274.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c04442cf2acead3b42fca985065690d3cafac99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c04442cf2acead3b42fca985065690d3cafac99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b7f29b3f by Moritz Muehlenhoff at 2023-04-10T18:16:57+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11040,9 +11040,17 @@ CVE-2023-26486 (Vega is a visualization grammar, a declarative format for creati NOT-FOR-US: Vega CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm + [bookworm] - cmark-gfm (Minor issue) + [bullseye] - cmark-gfm (Minor issue) - python-cmarkgfm + [bookworm] - python-cmarkgfm (Minor issue) + [bullseye] - python-cmarkgfm (Minor issue) - r-cran-commonmark + [bookworm] - r-cran-commonmark (Minor issue) + [bullseye] - r-cran-commonmark (Minor issue) - ruby-commonmarker + [bookworm] - ruby-commonmarker (Minor issue) + [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5 NOTE: https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987 CVE-2023-26484 (KubeVirt is a virtual machine management add-on for Kubernetes. In ver ...) @@ -15894,9 +15902,17 @@ CVE-2023-24825 RESERVED CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm + [bookworm] - cmark-gfm (Minor issue) + [bullseye] - cmark-gfm (Minor issue) - python-cmarkgfm + [bookworm] - python-cmarkgfm (Minor issue) + [bullseye] - python-cmarkgfm (Minor issue) - r-cran-commonmark + [bookworm] - r-cran-commonmark (Minor issue) + [bullseye] - r-cran-commonmark (Minor issue) - ruby-commonmarker + [bookworm] - ruby-commonmarker (Minor issue) + [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh NOTE: https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59 CVE-2023-24823 
@@ -15935,6 +15951,7 @@ CVE-2023-24810 (Misskey is an open source, decentralized social media platform. NOT-FOR-US: Misskey CVE-2023-24809 (NetHack is a single player dungeon exploration game. Starting with ver ...) - nethack (bug #1031869) + [bookworm] - nethack (Minor issue) [bullseye] - nethack (Minor issue) [buster] - nethack (Minor issue) NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-2cqv-5w4v-mgch 
@@ -23436,28 +23453,60 @@ CVE-2023-22487 (Flarum is a forum software for building communities. Using the m NOT-FOR-US: Flarum CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm (bug #1033110) + [bookworm] - cmark-gfm (Minor issue) + [bullseye] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #1033111) + [bookworm] - python-cmarkgfm (Minor issue) + [bullseye] - python-cmarkgfm (Minor issue) - r-cran-commonmark (bug #1033112) + [bookworm] - r-cran-commonmark (Minor issue) + [bullseye] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1033113) + [bookworm] - ruby-commonmarker (Minor issue) + [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p NOTE: https://github.com/github/cmark-gfm/commit/ece074cc3378f7a8dec0395f00123e9fa6981f7b (0.29.0.gfm.7) CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm (bug #1033110) + [bookworm] - cmark-gfm (Minor issue) + [bullseye] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #1033111) + [bookworm] - python-cmarkgfm (Minor issue) + [bullseye] - python-cmarkgfm (Minor issue) - r-cran-commonmark (bug #1033112) + [bookworm] - r-cran-commonmark (Minor issue) + [bullseye] - r-cran-commonmark (Minor issue) - ruby-commonmarker (bug #1033113) + [bookworm] - ruby-commonmarker (Minor issue) + [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - cmark-gfm (bug #1033110) + [bookworm] - cmark-gfm (Minor issue) + [bullseye] - cmark-gfm (Minor issue) - python-cmarkgfm (bug #1033111) + [bookworm] - python-cmarkgfm (Minor issue) + [bullseye] - python-cmarkgfm (Minor issue) - r-cran-commonmark (bug #1033112) + [bookworm] - r-cran-commonmark (Minor issue) + [bullseye] - r-cran-commonmark (Minor
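Review bot: In the CVE-2023-26485 and CVE-2023-24824 hunks the four cmark-gfm consumers (cmark-gfm, python-cmarkgfm, r-cran-commonmark, ruby-commonmarker) are tagged (Minor issue) for bookworm and bullseye without any bug reference, unlike the CVE-2023-22484 to CVE-2023-22486 hunks below, where every package line carries a bug number (#1033110 to #1033113). A no-dsa tag with no bug means nothing tracks getting the GHSA-r8vr-c48j-fcc5 and GHSA-66g8-4hjf-77xh fixes into a point release; please file or reference bugs for those two CVEs as well.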
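Review bot: The CVE-2023-22485 hunk documents only the GHSA-c944-cv5f-hpvr advisory, whereas the neighbouring CVE-2023-22486 entry also records the upstream fix commit (ece074cc3378f7a8dec0395f00123e9fa6981f7b, 0.29.0.gfm.7). A matching NOTE with the fixing commit for CVE-2023-22485 would make the new bookworm/bullseye (Minor issue) tags actionable for whoever prepares the point-release update.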
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 10a900d6 by Moritz Muehlenhoff at 2023-04-10T17:21:32+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3098,6 +3098,8 @@ CVE-2023-29142 RESERVED CVE-2023-29141 (An issue was discovered in MediaWiki before 1.35.10, 1.36.x through 1. ...) - mediawiki + [bookworm] - mediawiki (Minor issue) + [bullseye] - mediawiki (Minor issue) NOTE: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39 NOTE: https://phabricator.wikimedia.org/T285159 CVE-2023-29140 (An issue was discovered in the GrowthExperiments extension for MediaWi ...) @@ -17063,6 +17065,7 @@ CVE-2023-0467 (The WP Dark Mode WordPress plugin before 4.0.8 does not properly NOT-FOR-US: WordPress plugin CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to implicit ...) - openssl + [bookworm] - openssl (Minor issue) [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230328.txt @@ -17070,6 +17073,7 @@ CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to imp NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable) CVE-2023-0465 (Applications that use a non-default option when verifying certificates ...) - openssl + [bookworm] - openssl (Minor issue) [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230328.txt 
@@ -17077,6 +17081,7 @@ CVE-2023-0465 (Applications that use a non-default option when verifying certifi NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95 (OpenSSL_1_1_1-stable) CVE-2023-0464 (A security vulnerability has been identified in all supported versions ...) - openssl + [bookworm] - openssl (Minor issue) [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230322.txt @@ -84938,6 +84943,7 @@ CVE-2022-28043 CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-after-fr ...) {DLA-3305-1} - libstb (bug #1014531) + [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1289 NOTE: https://github.com/nothings/stb/pull/1297 @@ -84948,6 +84954,7 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-af CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...) {DLA-3305-1} - libstb (bug #1014531) + [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1292 NOTE: https://github.com/nothings/stb/pull/1297 @@ -116734,6 +116741,7 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON NOTE: Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd (v3.0.6) CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader incorr ...) - libstb (bug #1014532) + [bookworm] - libstb (Minor issue) [bullseye] - libstb (Vulnerable code introduced later) [buster] - libstb (Vulnerable code introduced later) NOTE: https://github.com/nothings/stb/issues/1166 
@@ -116744,6 +116752,7 @@ CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM loader CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. The HDR ...) {DLA-3305-1} - libstb (bug #1014532) + [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1224 NOTE: https://github.com/nothings/stb/pull/1223 @@ -133848,6 +133857,7 @@ CVE-2021-36490 RESERVED CVE-2021-36489 (Buffer Overflow vulnerability in Allegro through 5.2.6 allows attacker ...) - allegro4.4 (bug #1032670) + [bookworm] - allegro4.4 (Minor issue) [bullseye] - allegro4.4 (Minor issue) [buster] - allegro4.4 (Minor issue) - allegro5 2:5.2.8.0-1 @@ -161495,6 +161505,7 @@ CVE-2021-25744 RESERVED CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences containe ...) - kubernetes (bug #1016441) + [bookworm] - kubernetes (Minor issue) [bullseye] - kubernetes (Minor issue) NOTE: https://github.com/kubernetes/kubernetes/issues/101695 CVE-2021-25742 (A
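Review bot: The three OpenSSL hunks (CVE-2023-0464, CVE-2023-0465, CVE-2023-0466) add `[bookworm] - openssl (Minor issue)` with no further rationale, while the NOTEs visible here point only at OpenSSL_1_1_1-stable fix commits. If bookworm ships a different OpenSSL branch than 1.1.1, a NOTE naming the fixing commit on that branch would let the tag be verified later; if it ships the same branch, saying so is equally useful.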
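Review bot: In the CVE-2021-42716 hunk bookworm becomes (Minor issue) while bullseye and buster stay (Vulnerable code introduced later); that split only holds if bookworm's libstb is at the 2.27 snapshot the description names ("stb stb_image.h 2.27. The PNM loader") or later, and the entry does not record that. A NOTE naming the upstream commit that introduced the PNM loader bug would make the per-release states checkable instead of implied.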
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 73660236 by Moritz Muehlenhoff at 2023-03-17T14:47:56+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -107719,7 +107719,7 @@ CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5 NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00015.html NOTE: Fixed by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868 CVE-2021-43518 (Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. ...) - - teeworlds (bug #1009070) + - teeworlds 0.7.5-2 (bug #1009070) [bullseye] - teeworlds (Minor issue) [buster] - teeworlds (Minor issue) NOTE: https://github.com/teeworlds/teeworlds/issues/2981 @@ -130466,6 +130466,7 @@ CVE-2021-3618 (ALPACA is an application layer protocol content confusion attack, [bullseye] - nginx 1.18.0-6.1+deb11u2 [stretch] - nginx (Minor issue) - vsftpd (bug #991329) + [bookworm] - vsftpd (Minor issue) [bullseye] - vsftpd (Minor issue) [buster] - vsftpd (Minor issue) [stretch] - vsftpd (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73660236b6341532d5411e2a26de9285f457e9cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73660236b6341532d5411e2a26de9285f457e9cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
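Review bot: The CVE-2021-43518 hunk records teeworlds 0.7.5-2 as the fixed version but adds no NOTE saying which upstream change or Debian changelog entry closes the buffer overflow; other entries in this triage series (for example the open-build-service ones in commit a85187f8) spell out the reason when a fixed version is newly marked. Since bullseye and buster remain at (Minor issue), the fix reference is exactly what a later backport would need.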
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fd95911a by Moritz Muehlenhoff at 2023-03-17T11:26:51+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44832,8 +44832,8 @@ CVE-2022-38457 (A use-after-free(UAF) vulnerability was found in function 'vmw_c [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2074 CVE-2022-38096 (A NULL pointer dereference vulnerability was found in vmwgfx driver in ...) - - linux - NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 + NOTE: PoC has been removed, original reporter is unresponsive and not reproducible + NOTE: It's unclear whether this was a really issue in the first place CVE-2022-36402 (An integer overflow vulnerability was found in vmwgfx driver in driver ...) - linux NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2072 @@ -217650,6 +217650,7 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020- [buster] - gupnp 1.0.5-0+deb10u1 - minidlna 1.2.1+dfsg-3 (bug #976594) - pupnp-1.8 (bug #983206) + [bookworm] - pupnp-1.8 (Minor issue) [bullseye] - pupnp-1.8 (Minor issue) [buster] - pupnp-1.8 (Minor issue) - libupnp 
@@ -229842,6 +229843,7 @@ CVE-2020-8555 (The Kubernetes kube-controller-manager in versions v1.0-1.14, ver NOTE: https://github.com/kubernetes/kubernetes/issues/91542 CVE-2020-8554 (Kubernetes API server in all versions allow an attacker who is able to ...) - kubernetes (bug #990793) + [bookworm] - kubernetes (Kubernetes in Bullseye only ships the client) [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2020/12/07/5 NOTE: https://github.com/kubernetes/kubernetes/issues/97076 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd95911a49076f04baa4c3156d90fdbcebe2bab3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd95911a49076f04baa4c3156d90fdbcebe2bab3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
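Review bot: The CVE-2022-38096 hunk removes the `- linux` line together with the only reference (bugzilla.openanolis.cn bug 2073), leaving the entry with two NOTE lines and no package state. Keeping the bugzilla URL as a NOTE preserves provenance even though the PoC is gone, and the entry should still carry an explicit state (for instance linux marked not-affected with the reason) so a later triager can see it was assessed rather than skipped. Also a typo in the added NOTE: "whether this was a really issue" should read "a real issue".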
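Review bot: The new [bookworm] tag in the CVE-2020-8554 hunk copies the bullseye rationale verbatim, release name included: it reads "Kubernetes in Bullseye only ships the client" on a bookworm line. If the statement was checked for bookworm it should say "Bookworm"; if it was not, the tag should not be added on the strength of the bullseye note alone.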
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c72e0539 by Moritz Muehlenhoff at 2023-03-17T09:23:29+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25692,6 +25692,7 @@ CVE-2022-4171 (The demon image annotation plugin for WordPress is vulnerable to NOT-FOR-US: demon image annotation plugin for WordPress CVE-2022-4170 (The rxvt-unicode package is vulnerable to a remote code execution, in ...) - rxvt-unicode (bug #1025489) + [bookworm] - rxvt-unicode (Minor issue) [bullseye] - rxvt-unicode (Vulnerable code introduced later) [buster] - rxvt-unicode (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2022/12/05/1 @@ -178130,6 +178131,7 @@ CVE-2020-28492 REJECTED CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...) - jackson-dataformat-cbor (bug #983664) + [bookworm] - jackson-dataformat-cbor (Minor issue) [bullseye] - jackson-dataformat-cbor (Minor issue) [buster] - jackson-dataformat-cbor (Minor issue) [stretch] - jackson-dataformat-cbor (Minor issue; https://people.debian.org/~abhijith/CVE-2020-28491.txt) @@ -185158,7 +185160,8 @@ CVE-2020-26556 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 ma NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960012 CVE-2020-26555 (Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specificati ...) - - linux + NOT-FOR-US: Bluetooth + NOTE: There's no indication that any Bluetooth software in Debian is affected NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-pin-pairing/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1918601 
@@ -209120,9 +209123,7 @@ CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4 [buster] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-18057 CVE-2020-15802 (Devices supporting Bluetooth before 5.1 may allow man-in-the-middle at ...) - - linux - [bullseye] - linux (Minor issue, revisit when/if fixed upstream) - [buster] - linux (Minor issue, revisit when/if fixed upstream) + NOTE: Bluetooth protocol issue NOTE: https://www.kb.cert.org/vuls/id/589825/ CVE-2020-15801 (In Python 3.8.4, sys.path restrictions specified in a python38._pth fi ...) - python3.9 (Windows-specific) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72e05398d71b26af09299b3f90b540b44af3bb8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72e05398d71b26af09299b3f90b540b44af3bb8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
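Review bot: In the CVE-2022-4170 hunk bookworm is tagged (Minor issue) for an issue the description itself calls "a remote code execution", with no NOTE giving the mitigating factor; the bullseye and buster tags are justified by "Vulnerable code introduced later", which by construction does not apply to bookworm. The sid line `- rxvt-unicode (bug #1025489)` still shows no fixed version, so please add a NOTE with the reason the issue is minor, or make sure the bug rather than the tag is what drives a fix into bookworm.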
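Review bot: The CVE-2020-26555 hunk replaces `- linux` with `NOT-FOR-US: Bluetooth`, but the NOTE added next to it argues that no Bluetooth software in Debian is affected, which is a different statement: NOT-FOR-US is for software Debian does not ship, whereas a shipped package that is unaffected by a specification-level issue is recorded as not-affected with the reason. Please pick the state that matches the NOTE so NOT-FOR-US searches are not polluted with issues in components Debian does ship.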
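Review bot: The CVE-2020-15802 hunk deletes the linux line and both "revisit when/if fixed upstream" tags and leaves only "NOTE: Bluetooth protocol issue", with no package state. That is also inconsistent with the CVE-2020-26555 hunk in the same commit, which at least records NOT-FOR-US; the two Bluetooth specification issues should end up in the same state, and the NOTE should say whether anything on the kernel side changed to justify dropping the earlier "revisit" tags.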
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fc63cfb by Moritz Muehlenhoff at 2023-03-16T09:21:09+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -60384,6 +60384,7 @@ CVE-2022-2211 (A vulnerability was found in libguestfs. This issue occurs while [bullseye] - libguestfs (Minor issue) [buster] - libguestfs (Minor issue) - guestfs-tools (bug #1014764) + [bookworm] - guestfs-tools (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100862 NOTE: In 1:1.46.2-1 of src:libguestfs the tools were split out to src:guestfs-tools, marking that as fixed version NOTE: https://listman.redhat.com/archives/libguestfs/2022-June/029274.html @@ -515082,6 +515083,7 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the L - linux-2.6 (low) CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses sequential ...) - pyrad (low; bug #701151) + [bookworm] - pyrad (Minor issue) [bullseye] - pyrad (Minor issue) [buster] - pyrad (Minor issue) [stretch] - pyrad (Minor issue) 
@@ -515104,6 +515106,7 @@ CVE-2013-0338 (libxml2 2.9.0 and earlier allows context-dependent attackers to c - libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260) CVE-2013-0337 (The default configuration of nginx, possibly 1.3.13 and earlier, uses ...) - nginx (low; bug #701112) + [bookworm] - nginx (Minor issue) [bullseye] - nginx (Minor issue) [buster] - nginx (Minor issue) [stretch] - nginx (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc63cfb150c92b67c266a87e73679c73982f0a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc63cfb150c92b67c266a87e73679c73982f0a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
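Review bot: The CVE-2022-2211 hunk tags guestfs-tools (Minor issue) for bookworm while the existing NOTE reads "In 1:1.46.2-1 of src:libguestfs the tools were split out to src:guestfs-tools, marking that as fixed version", yet the guestfs-tools line still records no fixed version. Either clarify the NOTE (it describes the libguestfs fixed version, not a guestfs-tools one) or record the fixed guestfs-tools version, as commit 7c04442c later does with 1.48.3-4.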
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4096b90c by Moritz Muehlenhoff at 2023-03-15T19:46:07+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41582,6 +41582,7 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisonin NOTE: Fixed by: https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90 (v9.0.3) CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prior to ...) - puppet-module-puppetlabs-mysql (bug #1027154) + [bookworm] - puppet-module-puppetlabs-mysql (Minor issue) [bullseye] - puppet-module-puppetlabs-mysql (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2022-3276 NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d (v13.0.0) @@ -152268,6 +152269,7 @@ CVE-2021-26827 (Buffer Overflow in TP-Link WR2041 v1 firmware for the TL-WR2041+ NOT-FOR-US: TP-Link CVE-2021-26826 (A stack overflow issue exists in Godot Engine up to v3.2 and is caused ...) - godot 3.5.1-stable-1 (bug #982593) + [bookworm] - godot (Minor issue) [bullseye] - godot (Minor issue) [buster] - godot (Minor issue) NOTE: https://github.com/godotengine/godot/pull/45701 
@@ -152275,6 +152277,7 @@ CVE-2021-26826 (A stack overflow issue exists in Godot Engine up to v3.2 and is NOTE: https://github.com/godotengine/godot/commit/113b5ab1c45c01b8e6d54d13ac8876d091f883a8 (3.3-stable) CVE-2021-26825 (An integer overflow issue exists in Godot Engine up to v3.2 that can b ...) - godot 3.5.1-stable-1 (bug #982593) + [bookworm] - godot (Minor issue) [bullseye] - godot (Minor issue) [buster] - godot (Minor issue) NOTE: https://github.com/godotengine/godot/pull/45701 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4096b90c9b4ba07209e8baaf703036d3e6d67d3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4096b90c9b4ba07209e8baaf703036d3e6d67d3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
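Review bot: Both godot hunks (CVE-2021-26826 and CVE-2021-26825) add `[bookworm] - godot (Minor issue)` to entries that already record godot 3.5.1-stable-1 as the fixed version. A bookworm no-dsa tag beside a fixed sid version only makes sense if bookworm is still on an older godot; if 3.5.1-stable-1 is in bookworm the tag is redundant (compare commit 7c04442c, which removes the guestfs-tools bookworm tag for exactly that reason), and if it is not, a NOTE saying so would pre-empt the question.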
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a85187f8 by Moritz Muehlenhoff at 2023-03-15T19:07:14+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123601,6 +123601,7 @@ CVE-2021-38085 (The Canon TR150 print driver through 3.71.2.10 is vulnerable to NOT-FOR-US: Canon CVE-2021-38084 (An issue was discovered in the POP3 component of Courier Mail Server b ...) - courier (bug #989375) + [bookworm] - courier (Minor issue) [bullseye] - courier (Minor issue) [buster] - courier (Minor issue) [stretch] - courier (Minor issue, include in next update) @@ -230813,9 +230814,10 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Devic CVE-2020-8032 (A Insecure Temporary File vulnerability in the packaging of cyrus-sasl ...) - cyrus-sasl2 (openSUSE specific packaging issue) CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...) - - open-build-service (bug #983576) + - open-build-service 2.9.4-4 (bug #983576) [stretch] - open-build-service (Minor issue, XSS in web app) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880 + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...) NOT-FOR-US: SuSE CaaS CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource vulnerability ...) 
@@ -230836,14 +230838,16 @@ CVE-2020-8022 (A Incorrect Default Permissions vulnerability in the packaging of NOT-FOR-US: SAP CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build Service allow ...) {DLA-2545-1} - - open-build-service (bug #983576) + - open-build-service 2.9.4-4 (bug #983576) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171649 NOTE: https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation vulnerab ...) {DLA-2545-1} - - open-build-service (bug #983576) + - open-build-service 2.9.4-4 (bug #983576) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171439 NOTE: https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2020-8019 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) NOT-FOR-US: SAP CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...) @@ -293499,6 +293503,7 @@ CVE-2019-5428 REJECTED CVE-2019-5427 (c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack ...) - c3p0 (low; bug #927936) + [bookworm] - c3p0 (Minor issue) [bullseye] - c3p0 (Minor issue) [buster] - c3p0 (Minor issue) [stretch] - c3p0 (Minor issue) 
@@ -327340,11 +327345,12 @@ CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could dele NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated users to ...) - - open-build-service (bug #911797) + - open-build-service 2.9.4-4 (bug #911797) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934 NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2018-12465 (An OS command injection vulnerability in the web administration compon ...) NOT-FOR-US: Micro Focus CVE-2018-12464 (A SQL injection vulnerability in the web administration and quarantine ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85187f840c5f028834e9be400833199da643682 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85187f840c5f028834e9be400833199da643682 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing l
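Review bot: The CVE-2020-8021 and CVE-2020-8020 hunks mark open-build-service 2.9.4-4 as fixed on the grounds that "the rails web frontend is no longer shipped". For CVE-2020-8020 and CVE-2020-8031 the descriptions already identify a web page generation (cross-site scripting) issue, but CVE-2020-8021 is described as an improper access control issue and nothing in the hunk shows it lives in the dropped frontend rather than in the backend or API; the NOTE should name the affected component (the referenced upstream fix commit 7323c904f86ba9e04065c23422d06c03647589fb would show it) before the fixed-version marker is relied on.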
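Review bot: Same concern for the CVE-2018-12466 hunk: the description ("allowed authenticated users to ...") does not establish that the issue is confined to the rails web frontend whose removal in 2.9.4-4 is given as the reason for the fixed version, and the referenced fix commit f57b660f49f830006766a8d4abc3b4af6e178063 is not characterised in the NOTE. The [stretch] tag stays at (Minor issue) while sid is now marked fixed, which is fine only if stretch did ship the frontend; the NOTE could say that explicitly.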
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6979bc79 by Moritz Muehlenhoff at 2023-03-08T10:58:37+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -425778,14 +425778,11 @@ CVE-2016-5417 (Memory leak in the __res_vinit function in the IPv6 name server m NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38 (glibc-2.24) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19257 CVE-2016-5416 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 through 7, ...) - - 389-ds-base (bug #834233) - [bullseye] - 389-ds-base (Minor issue) - [buster] - 389-ds-base (Minor issue) - [stretch] - 389-ds-base (Minor issue) - [jessie] - 389-ds-base (Minor issue) + - 389-ds-base (unimportant; bug #834233) NOTE: https://fedorahosted.org/389/ticket/48852 NOTE: https://github.com/389ds/389-ds-base/issues/1912 NOTE: Potentially related: https://fedorahosted.org/389/ticket/48354 + NOTE: Marginal impact, upstream not planning to change CVE-2016-5415 REJECTED CVE-2016-5414 (FreeIPA 4.4.0 allows remote attackers to request an arbitrary SAN name ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6979bc791a2ed46300966cbdacac836b13ad0c64 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6979bc791a2ed46300966cbdacac836b13ad0c64 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
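Review bot: The CVE-2016-5416 hunk collapses four per-release (Minor issue) tags (bullseye, buster, stretch, jessie) into a single `(unimportant; bug #834233)` marker, and the only justification is "Marginal impact, upstream not planning to change". Since an unimportant entry drops out of per-release tracking entirely and the removed tags cannot be reconstructed from the entry later, the NOTE should state what makes the impact marginal (the two 389 tickets are the only pointers) so the downgrade can be re-checked if the bug is ever revisited.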
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 76e65624 by Moritz Muehlenhoff at 2023-03-07T15:55:29+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44948,7 +44948,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - ghostwriter 2.1.6+ds-1 (unimportant) - ruby-commonmarker [buster] - ruby-commonmarker (Minor issue) - - r-cran-commonmark + - r-cran-commonmark 1.8.1-1 [bullseye] - r-cran-commonmark (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q NOTE: https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70 (0.29.0.gfm.6) @@ -47417,9 +47417,9 @@ CVE-2021-46834 (A permission bypass vulnerability in Huawei cross device task ma NOT-FOR-US: Huawei CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before ...) [experimental] - ruby-omniauth 2.0.4-1~exp1 - - ruby-omniauth + - ruby-omniauth 2.0.4-2 [buster] - ruby-omniauth (Minor issue) - NOTE: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2 (v2.0.0-rc1) + NOTE: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00 (v2.0.0-rc1) CVE-2020-36598 RESERVED CVE-2020-36597 @@ -69104,11 +69104,11 @@ CVE-2022- [RUSTSEC-2022-0022] - rust-hyper 0.14.19-1 NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0022.html CVE-2022- [RUSTSEC-2022-0021] - - rust-crossbeam-queue + - rust-crossbeam-queue 0.3.5-1 [bullseye] - rust-crossbeam-queue (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0021.html CVE-2022- [RUSTSEC-2022-0019] - - rust-crossbeam-channel + - rust-crossbeam-channel 0.4.4-1 [bullseye] - rust-crossbeam-channel (Minor issue) [buster] - rust-crossbeam-channel (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html 
@@ -137393,9 +137393,10 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes - bundler [buster] - bundler (Minor issue) [stretch] - bundler (Invasive change, hard to backport; chances of regression) - - rubygems - [bullseye] - rubygems (Minor issue) + - rubygems 3.3.5-1 + [bullseye] - rubygems (Minor issue, too intrusive to backport) NOTE: https://github.com/rubygems/rubygems/issues/3982 + NOTE: https://github.com/rubygems/rubygems/pull/4609 CVE-2021-3521 (There is a flaw in RPM's signature functionality. OpenPGP subkeys are ...) - rpm 4.18.0+dfsg-1 (bug #1014723) [bullseye] - rpm (Minor issue) @@ -164120,7 +164121,8 @@ CVE-2019-25011 (NetBox through 2.6.2 allows an Authenticated User to conduct an NOT-FOR-US: NetBox CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13 for Ru ...) - rust-failure (bug #969839) - [bullseye] - rust-failure (Minor issue, unmaintained/deprecated upstream) + [bookworm] - rust-failure (Minor issue, unmaintained/deprecated upstream) + [bullseye] - rust-failure (Minor issue, unmaintained/deprecated upstream) [buster] - rust-failure (Minor issue, unmaintained/deprecated upstream) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for Rust. The ...) 
@@ -186439,11 +186441,10 @@ CVE-2020-25574 (An issue was discovered in the http crate before 0.1.20 for Rust NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0033.html NOTE: https://github.com/hyperium/http/issues/352 CVE-2020-25575 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the failure ...) - - rust-failure (bug #969839; low) - [bullseye] - rust-failure (Minor issue; unmaintained upstream) - [buster] - rust-failure (Minor issue; unmaintained upstream) + - rust-failure (unimportant; bug #969839) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0036.html NOTE: https://github.com/rust-lang-nursery/failure/issues/336 + NOTE: This CVE ID is merely for the fact that the crate is unmaintained CVE-2020-25202 RESERVED CVE-2020-25201 (HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes a names ...) @@ -227007,6 +227008,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, it was possible for authen NOT-FOR-US: Argo CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext HTTP, a ...) - lxc-templates (bug #988730) + [bookworm] - lxc-templates
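Review bot: The CVE-2019-25010 hunk adds a bookworm tag whose sole rationale is "unmaintained/deprecated upstream", while the CVE-2020-25575 hunk a few lines below downgrades the same crate (same bug #969839) to `unimportant` with the NOTE "This CVE ID is merely for the fact that the crate is unmaintained". As written nothing distinguishes the two entries; if CVE-2019-25010 is a distinct code defect (it cites RUSTSEC-2019-0036, not the RUSTSEC-2020-0036 unmaintained advisory), a NOTE saying so would stop the next triager from collapsing it the same way.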
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e27f195 by Moritz Muehlenhoff at 2023-03-03T20:18:19+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/embedded-code-copies Changes: = data/CVE/list = @@ -29488,9 +29488,10 @@ CVE-2022-44036 (** DISPUTED ** In b2evolution 7.2.5, if configured with admins_c CVE-2022-44035 RESERVED CVE-2022-44034 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-44033 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/ @@ -56854,7 +56855,7 @@ CVE-2022-34668 (NVFLARE, versions prior to 2.1.4, contains a vulnerability that NOT-FOR-US: NVFLARE CVE-2022-34667 (NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow vulnera ...) [experimental] - nvidia-cuda-toolkit 11.8.0-1 - - nvidia-cuda-toolkit (bug #1021625) + - nvidia-cuda-toolkit 11.8.0-2 (bug #1021625) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) [buster] - nvidia-cuda-toolkit (Minor issue) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5373 @@ -69827,9 +69828,7 @@ CVE-2022-30046 RESERVED CVE-2022-30045 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) - mapcache (unimportant; bug #1014389) - - scilab (bug #1014391) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #1014391) - netcdf 1:4.9.0-1 [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) 
@@ -137211,9 +137210,7 @@ CVE-2021-31598 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi {DLA-2705-1} - mapcache (unimportant; bug #989363) [stretch] - mapcache (Minor issue) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -137856,9 +137853,7 @@ CVE-2021-31349 (The usage of an internal HTTP header created an authentication b CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -137871,9 +137866,7 @@ CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi CVE-2021-31347 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -138172,9 +138165,7 @@ CVE-2021-31230 CVE-2021-31229 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) 
@@ -140292,9 +140283,7 @@ CVE-2021-30486 (SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injectio CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -151056,10 +151045,7 @@ CVE-2021-26223 (SQL injection vulnerability in SourceCodester CASAP Automated En NOT-FOR-US: SourceCodester CASAP Automated Enrollment System CVE-2021-26222 (The ezxml_new function in
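Review bot: in the CVE-2022-34667 hunk (@@ -56854), the unstable line is bumped to `- nvidia-cuda-toolkit 11.8.0-2 (bug #1021625)` while the `[experimental] - nvidia-cuda-toolkit 11.8.0-1` line above it is kept. Once unstable records a fixed version higher than the one in experimental, the experimental pseudo-release line no longer adds information and can be dropped; if 11.8.0-1 in experimental did not actually contain the fix, it should not be listed as a fixed version at all. Either way the entry is cleaner with one authoritative fixed version.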
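Review bot: the scilab hunk for CVE-2022-30045 (@@ -69827), and the identical scilab hunks for CVE-2021-31598, CVE-2021-31348, CVE-2021-31347, CVE-2021-31229 and CVE-2021-30485 in this commit, downgrade `- scilab (bug #1014391)` plus its per-release "Minor issue" tags to `- scilab (unimportant; bug #1014391)` without a NOTE giving the reason. The kernel hunk in the same commit records its rationale (`NOTE: Negligible security impact, would need physical access to "exploit"`), and since the changed-files list includes data/embedded-code-copies, the reasoning presumably concerns how scilab's embedded ezXML copy is used; a one-line NOTE stating that keeps the downgrade auditable for whoever next looks at the six ezXML CVEs, and the same NOTE can be reused verbatim across all of them.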
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5601a142 by Moritz Muehlenhoff at 2023-03-02T22:50:41+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18171,6 +18171,8 @@ CVE-2022-4544 (The MashShare WordPress plugin before 3.8.7 does not validate and NOT-FOR-US: WordPress plugin CVE-2022-4543 (A flaw named "EntryBleed" was found in the Linux Kernel Page Table Iso ...) - linux + [bookworm] - linux (Minor issue, revisit when/if fixed upstream) + [bullseye] - linux (Minor issue, revisit when/if fixed upstream) NOTE: https://www.openwall.com/lists/oss-security/2022/12/16/3 NOTE: https://www.willsroot.io/2022/12/entrybleed.html CVE-2023-0016 (SAP BPC MS 10.0 - version 810, allows an unauthorized attacker to exec ...) 
@@ -172448,31 +172450,31 @@ CVE-2020-26235 (In Rust time crate from version 0.2.7 and before version 0.2.23, NOTE: Introduced by: https://github.com/time-rs/time/commit/5f1c4927124fefbd8d2886f83a574beb381411e9 (v0.2.7) NOTE: Deprecated in: https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d (v0.2.23) CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - - rust-lock-api (bug #975319) + - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - - rust-lock-api (bug #975319) + - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - - rust-lock-api (bug #975319) + - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) - - rust-lock-api (bug #975319) + - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html NOTE: https://github.com/Amanieu/parking_lot/pull/262 CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for Rust. A ...) 
- - rust-lock-api (bug #975319) + - rust-lock-api 0.4.5-1 (bug #975319) [bullseye] - rust-lock-api (Minor issue) [buster] - rust-lock-api (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5601a14217efce3be87dd9761165abfc1bd9a039
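Review bot: in the rust-lock-api hunk (@@ -172448), all five entries CVE-2020-35910 through CVE-2020-35914 get the same fixed version `- rust-lock-api 0.4.5-1 (bug #975319)`, but the CVE text says the lock_api crate is affected "before 0.4.2". The tracker records the first Debian version that contains the fix, not the version currently in the archive, so 0.4.5-1 is only right if it was the first upload at or above 0.4.2; worth checking the package changelog before the five entries are committed with the same value, since a later-than-actual fixed version makes intermediate uploads look vulnerable.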
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ec9c2e6e by Moritz Muehlenhoff at 2023-03-02T21:11:57+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -90052,6 +90052,7 @@ CVE-2022-23438 (An improper neutralization of input during web page generation ( NOT-FOR-US: Fortinet CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java (XercesJ) XML pa ...) - libxerces2-java (bug #1016975) + [bookworm] - libxerces2-java (revisit when/if fix is complete) [bullseye] - libxerces2-java (revisit when/if fix is complete) [buster] - libxerces2-java (revisit when/if fix is complete) [stretch] - libxerces2-java (revisit when/if fix is complete) @@ -117782,8 +117783,9 @@ CVE-2021-3715 (A flaw was found in the "Routing decision" classifier in the Linu NOTE: https://www.openwall.com/lists/oss-security/2021/09/07/1 NOTE: https://git.kernel.org/linus/ef299cc3fa1a9e1288665a9fdc8bff55629fd359 (5.6) CVE-2021-3714 (A flaw was found in the Linux kernels memory deduplication mechanism. ...) - - linux + - linux (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931327 + NOTE: Inherent design limitation, can be avoided by not using KSM CVE-2021-39245 (Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus Nexto, ...) NOT-FOR-US: Altus CVE-2021-39244 (Authenticated Semi-Blind Command Injection (via Parameter Injection) e ...) @@ -131810,6 +131812,7 @@ CVE-2021-33565 RESERVED CVE-2016-20011 (libgrss through 0.7.0 fails to perform TLS certificate verification wh ...) - libgrss (bug #989149) + [bookworm] - libgrss (Minor issue) [bullseye] - libgrss (Minor issue) [buster] - libgrss (Minor issue) [stretch] - libgrss (Minor issue) 
@@ -181932,18 +181935,14 @@ CVE-2020-26562 CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 1.0.04.002_US_ ...) NOT-FOR-US: Belkin CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...) - - bluez (bug #1006406) - [bullseye] - bluez (Minor issue) - [buster] - bluez (Minor issue) - [stretch] - bluez (Mesh support introduced later) + NOT-FOR-US: Bluetooth + NOTE: There's no indication that any Bluetooth software in Debian is affected NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994 CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0. ...) - - bluez (bug #1006406) - [bullseye] - bluez (Minor issue) - [buster] - bluez (Minor issue) - [stretch] - bluez (Mesh support introduced later) + NOT-FOR-US: Bluetooth + NOTE: There's no indication that any Bluetooth software in Debian is affected NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011 
@@ -181959,10 +181958,8 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure pairing in Bluetooth Core Specifi NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html NOTE: https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738 CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 may perm ...) - - bluez (bug #1006406) - [bullseye] - bluez (Minor issue) - [buster] - bluez (Minor issue) - [stretch] - bluez (Mesh support introduced later) + NOT-FOR-US: Bluetooth + NOTE: There's no indication that any Bluetooth software in Debian is affected NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009 @@ -435368,6 +435365,7 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses world-readable permissions NOT-FOR-US: OpenShift CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the ENCRYPT ...) - libjgroups-java (low; bug #867493) + [bookworm] - libjgroups-java (Minor issue, only used as build dep) [bullseye] - libjgroups-java (Minor issue, only used as build dep) [buster] - libjgroups-java (Minor issue, only used as build dep) [stretch] - libjgroups-java (Minor issue, only used as build dep) View it on GitLab: https://salsa.debian.org/security-tracker-team/
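Review bot: the three Bluetooth Mesh hunks (CVE-2020-26560, CVE-2020-26559 and CVE-2020-26557) replace the bluez lines with `NOT-FOR-US: Bluetooth`, which also drops the reference to bug #1006406; if that bug is still open against bluez it should be closed or the bug number kept in a NOTE so the decision stays linked to it. The removed `[stretch] - bluez (Mesh support introduced later)` tag also implies that bluez in later releases does ship Mesh support, so the new `NOTE: There's no indication that any Bluetooth software in Debian is affected` would be more convincing if it recorded what was checked (for example that bluez's mesh daemon does not implement the affected provisioning behaviour), given that NOT-FOR-US removes the entry from all per-release tracking.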
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c12b7e8c by Moritz Muehlenhoff at 2023-03-01T20:23:33+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28980,13 +28980,15 @@ CVE-2022-44034 (An issue was discovered in the Linux kernel through 6.0.6. drive NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/ CVE-2022-44033 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919040457.GA302681@ubuntu/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-44032 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919040701.GA302806@ubuntu/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-44031 (Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in i ...) - redmine 5.0.4-1 (bug #1026048) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories @@ -99851,6 +99853,7 @@ CVE-2021-44505 (An issue was discovered in FIS GT.M through V7.0-000 (related to NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828 CVE-2021-44504 (An issue was discovered in FIS GT.M through V7.0-000 (related to the Y ...) - fis-gtm + [bookworm] - fis-gtm (Minor issue) [bullseye] - fis-gtm (Minor issue) [buster] - fis-gtm (Minor issue) [stretch] - fis-gtm (Minor issue) 
@@ -99907,6 +99910,7 @@ CVE-2021-44497 (An issue was discovered in FIS GT.M through V7.0-000 (related to NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828 CVE-2021-44496 (An issue was discovered in FIS GT.M through V7.0-000 (related to the Y ...) - fis-gtm + [bookworm] - fis-gtm (Minor issue) [bullseye] - fis-gtm (Minor issue) [buster] - fis-gtm (Minor issue) [stretch] - fis-gtm (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c12b7e8c5ea0005deb66cd1e7659400e11e3da7c
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bf7f45d by Moritz Muehlenhoff at 2023-03-01T17:41:58+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13589,6 +13589,8 @@ CVE-2010-10003 (A vulnerability classified as critical was found in gesellix tit NOT-FOR-US: gesellix titlelink CVE-2023-22602 (When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, ...) - shiro (bug #1029039) + [bookworm] - shiro (Minor issue) + [bullseye] - shiro (Minor issue) NOTE: https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl CVE-2023-22601 (InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRo ...) NOT-FOR-US: InHand Networks InRouter @@ -19254,8 +19256,11 @@ CVE-2022-47017 CVE-2022-47016 REJECTED CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of S ...) + - mariadb + [bookworm] - mariadb (Minor issue, wait for next point release) - mariadb-10.6 - mariadb-10.5 + [bullseye] - mariadb-10.5 (Minor issue) - mariadb-10.3 NOTE: https://jira.mariadb.org/browse/MDEV-29644 CVE-2022-47014 @@ -39937,6 +39942,8 @@ CVE-2022-40665 REJECTED CVE-2022-40664 (Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shi ...) - shiro (bug #1021671) + [bookworm] - shiro (Minor issue) + [bullseye] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/10/12/1 CVE-2022-40663 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: NIKON @@ -40965,6 +40972,7 @@ CVE-2022-3168 NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - openvswitch (bug #1021740) + [bookworm] - openvswitch (Minor issue) [bullseye] - openvswitch (Minor issue) [buster] - openvswitch (Minor issue) NOTE: https://arxiv.org/abs/2011.09107 
@@ -48826,7 +48834,7 @@ CVE-2022-37396 (In JetBrains Rider before 2022.2 Trust and Open Project dialog c CVE-2022-37395 (A Huawei device has an input verification vulnerability. Successful ex ...) NOT-FOR-US: Huawei CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 2 ...) - - nova (bug #1016980) + - nova 2:26.0.0-1 (bug #1016980) [bullseye] - nova (Minor issue) [buster] - nova (Minor issue) NOTE: https://bugs.launchpad.net/ossa/+bug/1981813 @@ -61792,6 +61800,7 @@ CVE-2022-32533 (** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not suffi NOT-FOR-US: Apache Portals Jetspeed CVE-2022-32532 (Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured ...) - shiro (bug #1014820) + [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/06/28/2 @@ -88497,7 +88506,7 @@ CVE-2022-23838 RESERVED CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the ...) {DLA-2943-1} - - ruby-sidekiq (bug #1004193) + - ruby-sidekiq 6.4.1+dfsg-1 (bug #1004193) [bullseye] - ruby-sidekiq (Minor issue) NOTE: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (v6.4.0) CVE-2022-23836 @@ -112052,6 +112061,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o NOTE: https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884 (v0.11.8) CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...) - shiro (bug #1014819) + [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) [buster] - shiro (Minor issue) [stretch] - shiro (Minor issue) 
@@ -129211,6 +129221,7 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension al NOT-FOR-US: Eclipse Theia CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the dynamic se ...) - mosquitto (bug #993400) + [bookworm] - mosquitto (Minor issue) [bullseye] - mosquitto (Minor issue) [buster] - mosquitto (Vulnerable code introduced later) [stretch] - mosquitto (Vulnerable code introduced later) @@ -130716,6 +130727,7 @@ CVE-2021-3576 (Execution with Unnecessary Privileges vulnerability in Bitdefende NOT-FOR-US: Bitdefender CVE-2021-3575 (A heap-based buffer overflow was found in openjpeg in color.c:379:42 i ...) - openjpeg2 (bug #989775) + [bookworm] - openjpeg2 (Minor iss
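Review bot: in the CVE-2022-47015 hunk (@@ -19254), the new `- mariadb` line has neither a fixed version nor a bug reference, while the tag `[bookworm] - mariadb (Minor issue, wait for next point release)` implies a fix is expected to arrive through a point release. Either record the unstable version that carries the fix for MDEV-29644 or add a NOTE saying unstable is still unfixed, so the entry does not read as a permanently open item. Since bookworm is the not-yet-released suite at this date, "next point release" presumably means the next upstream MariaDB point release rather than a Debian stable point release; spelling that out in the tag avoids misreading later.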
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 527ea393 by Moritz Muehlenhoff at 2023-03-01T17:02:38+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22749,14 +22749,17 @@ CVE-2022-45887 (An issue was discovered in the Linux kernel through 6.0.9. drive - linux NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4...@gmail.com/ CVE-2022-45886 (An issue was discovered in the Linux kernel through 6.0.9. drivers/med ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-3-imv4...@gmail.com/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-45885 (An issue was discovered in the Linux kernel through 6.0.9. drivers/med ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4...@gmail.com/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-45884 (An issue was discovered in the Linux kernel through 6.0.9. drivers/med ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4...@gmail.com/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-45883 REJECTED CVE-2022-45877 (OpenHarmony-v3.1.4 and prior versions had an vulnerability. PIN code i ...) 
@@ -79405,10 +79408,8 @@ CVE-2022-26637 CVE-2022-26636 RESERVED CVE-2022-26635 (PHP-Memcached v2.2.0 and below contains an improper NULL termination w ...) - - php-memcached (bug #1009328) - [bullseye] - php-memcached (Minor issue) - [buster] - php-memcached (Minor issue) - [stretch] - php-memcached (Minor issue) + NOTE: Disputed issue, not considered a security issue by upstream: + NOTE: https://github.com/php-memcached-dev/php-memcached/issues/519#issuecomment-1259303434 NOTE: https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/ NOTE: https://github.com/php-memcached-dev/php-memcached/issues/519 CVE-2022-26634 (HMA VPN v5.3.5913.0 contains an unquoted service path which allows att ...) @@ -86209,7 +86210,7 @@ CVE-2022-24331 (In JetBrains TeamCity before 2021.1.4, GitLab authentication imp CVE-2022-24330 (In JetBrains TeamCity before 2021.2.1, a redirection to an external si ...) NOT-FOR-US: JetBrains TeamCity CVE-2022-24329 (In JetBrains Kotlin before 1.6.0, it was not possible to lock dependen ...) - - kotlin (bug #1007243) + - kotlin (bug #1007243) NOTE: https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/ NOTE: https://youtrack.jetbrains.com/issue/KT-49449 (not public) CVE-2022-24328 (In JetBrains Hub before 2021.1.13956, an unprivileged user could perfo ...) @@ -113736,10 +113737,12 @@ CVE-2021-40649 (In Connx Version 6.2.0.1269 (20210623), a cookie can be issued b NOT-FOR-US: Connx CVE-2021-40648 (In man2html 1.6g, a filename can be created to overwrite the previous ...) - man2html (bug #1021738) + [bookworm] - man2html (Minor issue) [bullseye] - man2html (Minor issue) NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 CVE-2021-40647 (In man2html 1.6g, a specific string being read in from a file will ove ...) - man2html (bug #1021738) + [bookworm] - man2html (Minor issue) [bullseye] - man2html (Minor issue) NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 CVE-2021-40646 
@@ -127791,6 +127794,7 @@ CVE-2021-35044 RESERVED CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using ...) - libowasp-antisamy-java (bug #1014981) + [bookworm] - libowasp-antisamy-java (Minor issue) [bullseye] - libowasp-antisamy-java (Minor issue) [buster] - libowasp-antisamy-java (Minor issue) [stretch] - libowasp-antisamy-java (Minor issue) @@ -170346,7 +170350,7 @@ CVE-2020-29584 CVE-2020-29583 (Firmware version 4.60 of Zyxel USG devices contains an undocumented ac ...) NOT-FOR-US: Zyxel CVE-2020-29582 (In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for ...) - - kotlin (bug #1001037) + - kotlin (bug #1001037) NOTE: https://youtrack.jetbrains.com/issue/KT-42181 (not public) CVE-2020-29581 (The official spiped docker images before 1.5-alpine contain a blank pa ...) NOT-FOR-US: spiped Docker images @@ -305982,11 +305986,14 @@ CVE-2019-0188 (Apache Camel prior to 2.24.0 contains an XML external entity inje NOT-FOR-US: Apache Camel CVE-2019-0187 (Unauthenticated RCE is possible when JMeter is used in distributed mo
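Review bot: the php-memcached hunk for CVE-2022-26635 (@@ -79405) removes the `- php-memcached (bug #1009328)` line together with its per-release tags and leaves only NOTE lines, so the entry no longer has a package status and the bug reference is lost. The convention used elsewhere in this series for disputed or no-impact issues is to keep the package line and mark it unimportant (for example `- scilab (unimportant; bug #1014391)` and the `- linux (unimportant)` entries in this very commit); `- php-memcached (unimportant; bug #1009328)` followed by the two new "Disputed issue" NOTE lines would preserve the mapping and let bug #1009328 be closed with a pointer to upstream's comment.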
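Review bot: the two kotlin hunks (CVE-2022-24329 at @@ -86209 and CVE-2020-29582 at @@ -170346) show no visible difference between the removed and added lines (`- - kotlin (bug #1007243)` versus `+ - kotlin (bug #1007243)`), so these are presumably whitespace-only changes. That is fine to land, but it is not "bookworm triage"; mentioning the whitespace cleanup in the commit message (or splitting it out) keeps `git blame` on those entries meaningful.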
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bb556c99 by Moritz Muehlenhoff at 2023-02-28T17:24:25+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38083,6 +38083,7 @@ CVE-2022-3278 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9. CVE-2022-3277 [unrestricted creation of security groups] RESERVED - neutron (bug #1027150) + [bookworm] - neutron (Minor issue) [bullseye] - neutron (Minor issue) [buster] - neutron (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2129193 @@ -47524,17 +47525,17 @@ CVE-2022-37772 (Maarch RM 2.8.3 solution contains an improper restriction of exc CVE-2022-37771 (IObit Malware Fighter v9.2 for Microsoft Windows lacks tamper protecti ...) NOT-FOR-US: IObit Malware Fighter CVE-2022-37770 (libjpeg commit 281daa9 was discovered to contain a segmentation fault ...) - - libjpeg (unimportant) + - libjpeg 0.0~git20220805.54ec643-1 (unimportant) NOTE: https://github.com/thorfdbg/libjpeg/issues/79 NOTE: https://github.com/thorfdbg/libjpeg/commit/281daa9ccee18742b83a77cd29bd2726b69b7977 NOTE: Crash in CLI tool, no security impact CVE-2022-37769 (libjpeg commit 281daa9 was discovered to contain a segmentation fault ...) - - libjpeg (bug #1025339) + - libjpeg 0.0~git20220805.54ec643-1 (bug #1025339) [bullseye] - libjpeg (Minor issue) NOTE: https://github.com/thorfdbg/libjpeg/issues/78 NOTE: https://github.com/thorfdbg/libjpeg/commit/281daa9ccee18742b83a77cd29bd2726b69b7977 CVE-2022-37768 (libjpeg commit 281daa9 was discovered to contain an infinite loop via ...) - - libjpeg (unimportant) + - libjpeg 0.0~git20220805.54ec643-1 (unimportant) NOTE: https://github.com/thorfdbg/libjpeg/issues/77 NOTE: https://github.com/thorfdbg/libjpeg/commit/281daa9ccee18742b83a77cd29bd2726b69b7977 NOTE: Hang in CLI tool, no security impact 
@@ -130427,6 +130428,7 @@ CVE-2021-33814 CVE-2021-33813 (An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to c ...) {DLA-2712-1 DLA-2696-1} - libjdom2-intellij-java (bug #990673) + [bookworm] - libjdom2-intellij-java (Minor issue) [bullseye] - libjdom2-intellij-java (Minor issue) [buster] - libjdom2-intellij-java (Minor issue) - libjdom2-java 2.0.6-2.1 (bug #990671) @@ -133003,7 +133005,7 @@ CVE-2021-32825 (bblfshd is an open source self-hosted server for source code par CVE-2021-32824 (Apache Dubbo is a java based, open source RPC framework. Versions prio ...) TODO: check CVE-2021-32823 (In the bindata RubyGem before version 2.4.10 there is a potential deni ...) - - ruby-bindata (bug #990577) + - ruby-bindata 2.4.14-1 (bug #990577) [bullseye] - ruby-bindata (Minor issue) [buster] - ruby-bindata (Minor issue) [stretch] - ruby-bindata (Minor issue) @@ -163502,7 +163504,7 @@ CVE-2021-21306 (Marked is an open-source markdown parser and compiler (npm packa NOTE: https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96 NOTE: https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple and flex ...) - - ruby-carrierwave (bug #982551) + - ruby-carrierwave 1.3.2-1 (bug #982551) [buster] - ruby-carrierwave (Minor issue) [stretch] - ruby-carrierwave (No reverse dependencies) NOTE: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 
@@ -204199,6 +204201,7 @@ CVE-2020-16156 (CPAN 2.28 allows Signature Verification Bypass. ...) NOTE: https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603 (2.33-TRIAL) CVE-2020-16155 (The CPAN::Checksums package 2.12 for Perl does not uniquely define sig ...) - libcpan-checksums-perl + [bookworm] - libcpan-checksums-perl (Minor issue) [bullseye] - libcpan-checksums-perl (Minor issue) [buster] - libcpan-checksums-perl (Minor issue) [stretch] - libcpan-checksums-perl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb556c99e0da30ced15af92856f0cae5c2d1bdab
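Review bot: in the libjpeg hunk (@@ -47524), CVE-2022-37770, CVE-2022-37769 and CVE-2022-37768 all get the snapshot fixed version `0.0~git20220805.54ec643-1`, but the only commit referenced in the NOTEs is 281daa9, which the CVE descriptions name as the commit that "was discovered to contain" the bug, not as the fix. For a git-snapshot version the entry should state which upstream commit resolves each issue (as a `Fixed by:` NOTE with the commit URL), so that the claim that snapshot 54ec643 contains the fix can be verified and the [bullseye] "Minor issue" tag on CVE-2022-37769 can be revisited with the right patch in hand.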
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 16c529b4 by Moritz Muehlenhoff at 2023-02-28T16:23:12+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9894,6 +9894,7 @@ CVE-2023-0331 (The Correos Oficial WordPress plugin through 1.2.0.2 does not hav CVE-2023-0330 RESERVED - qemu (bug #1029155) + [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151 NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html @@ -25189,6 +25190,7 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/draw NOT-FOR-US: jgraph/drawio CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of QEMU. ...) - qemu (bug #1024022) + [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue, DoS, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567 @@ -88907,7 +88909,7 @@ CVE-2022-23608 (PJSIP is a free and open source multimedia communication library NOTE: https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f CVE-2022-23607 (treq is an HTTP library inspired by requests but written on top of Twi ...) {DLA-2954-1} - - python-treq (bug #1005041) + - python-treq 22.2.0-0.1 (bug #1005041) [bullseye] - python-treq (Minor issue) [buster] - python-treq (Minor issue) NOTE: https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc 
@@ -163175,7 +163177,7 @@ CVE-2021-21417 (fluidsynth is a software synthesizer based on the SoundFont 2 sp NOTE: https://github.com/FluidSynth/fluidsynth/issues/808 NOTE: https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9 CVE-2021-21416 (django-registration is a user registration package for Django. The dja ...) - - python-django-registration (bug #987366) + - python-django-registration 3.3-1 (bug #987366) [bullseye] - python-django-registration (Minor issue) [buster] - python-django-registration (Minor issue) [stretch] - python-django-registration (Minor issue) 
@@ -397130,15 +397132,14 @@ CVE-2016-10126 (Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x befor CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a hardcoded ...) NOT-FOR-US: D-Link CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity (XXE) a ...) - - python-pysaml2 (low; bug #859135) - [bullseye] - python-pysaml2 (Minor issue) - [buster] - python-pysaml2 (Minor issue) + - python-pysaml2 4.5.0-2 (low; bug #859135) [stretch] - python-pysaml2 (Minor issue) [jessie] - python-pysaml2 (Minor issue) NOTE: https://github.com/rohe/pysaml2/issues/366 NOTE: A proper fix for this issue would be to fix the underlying issue in src:libxml2 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1411794#c12 NOTE: https://www.openwall.com/lists/oss-security/2017/01/19/5 (for the scope of the CVE) + NOTE: https://github.com/IdentityPython/pysaml2/commit/6e09a25d9 (4.4.0-1) CVE-2016-10149 (XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and earlier a ...) {DSA-3759-1} - python-pysaml2 3.0.0-5 (bug #850716) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c529b4ee6c664dd750ceef7a23eccf1e5e49de
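Review bot: in the CVE-2016-10127 hunk (@@ -397130), the fixed version on the package line (`- python-pysaml2 4.5.0-2 (low; bug #859135)`) and the version in the new NOTE (`NOTE: https://github.com/IdentityPython/pysaml2/commit/6e09a25d9 (4.4.0-1)`) do not agree: 4.4.0-1 looks like a Debian revision, and if the fixing commit was already in that upload the fixed version should be 4.4.0-1, whereas if the commit was cherry-picked into 4.5.0-2 the NOTE annotation is wrong. Please reconcile the two, and consider amending the older `NOTE: A proper fix for this issue would be to fix the underlying issue in src:libxml2`, which now sits next to an entry that claims a pysaml2-side fix.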
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a9f9a19 by Moritz Muehlenhoff at 2023-02-27T21:02:03+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7408,6 +7408,7 @@ CVE-2023-0483 CVE-2023-0482 (In RESTEasy the insecure File.createTempFile() is used in the DataSour ...) - resteasy (bug #1031728) - resteasy3.0 (bug #1031729) + [bookworm] - resteasy3.0 (Minor issue) [bullseye] - resteasy3.0 (Minor issue) [buster] - resteasy3.0 (Minor issue) NOTE: https://github.com/resteasy/resteasy/pull/3409/ @@ -82569,7 +82570,7 @@ CVE-2022-0676 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 NOTE: https://huntr.dev/bounties/5ad814a1-5dd3-43f4-869b-33b8dab78485 NOTE: https://github.com/radareorg/radare2/commit/c84b7232626badd075caf3ae29661b609164bac6 CVE-2022-0675 (In certain situations it is possible for an unmanaged rule to exist on ...) - - puppet-module-puppetlabs-firewall (bug #1006749) + - puppet-module-puppetlabs-firewall 3.4.0-1 (bug #1006749) [bullseye] - puppet-module-puppetlabs-firewall (Minor issue) [buster] - puppet-module-puppetlabs-firewall (Minor issue) NOTE: https://github.com/puppetlabs/puppetlabs-firewall/pull/1030/commits/2c0047e09be82dd9e1aa4d93c0cb103f83d2a01e (3.4.0) @@ -183489,6 +183490,7 @@ CVE-2020-25634 (A flaw was found in Red Hat 3scale’s API docs URL, where i CVE-2020-25633 (A flaw was found in RESTEasy client in all versions of RESTEasy up to ...) - resteasy (bug #970585) - resteasy3.0 (bug #1014983) + [bookworm] - resteasy3.0 (Minor issue) [bullseye] - resteasy3.0 (Minor issue) [buster] - resteasy3.0 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042 
@@ -205265,9 +205267,7 @@ CVE-2020-15710 (Potential double free in Bluez 5 module of PulseAudio could allo NOTE: https://bugs.launchpad.net/ubuntu/%2Bsource/pulseaudio/%2Bbug/1884738 CVE-2020-15709 (Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 0.96.20 ...) {DLA-2339-1} - - software-properties (bug #968850) - [bullseye] - software-properties (Minor issue) - [buster] - software-properties (Minor issue) + - software-properties (unimportant; bug #968850) NOTE: https://www.openwall.com/lists/oss-security/2020/08/03/1 NOTE: https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286 CVE-2020-15708 (Ubuntu's packaging of libvirt in 20.04 LTS created a control socket wi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a9f9a19f24d880c8c04b0cb7ddc12f7f6af04c0
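Review bot: in the CVE-2020-15709 hunk (@@ -205265), the entry is downgraded to `- software-properties (unimportant; bug #968850)` while the `{DLA-2339-1}` reference stays in place, so the same issue was judged worth an LTS security update for stretch but is now declared to have no security impact for bullseye and buster, without a NOTE explaining the change of assessment. A short NOTE with the reason (for example whether the affected add-apt-repository code path is specific to Ubuntu's PPA handling and not reachable in Debian's package) would make the downgrade defensible and tell the LTS team why the DLA should not be mirrored.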
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dd810cc0 by Moritz Muehlenhoff at 2023-02-27T17:29:00+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56924,6 +56924,7 @@ CVE-2022-34300 (In tinyexr 1.0.1, there is a heap-based buffer over-read in tiny NOTE: https://github.com/syoyo/tinyexr/pull/175 CVE-2022-34299 (There is a heap-based buffer over-read in libdwarf 0.4.0. This issue i ...) - dwarfutils (bug #1014493) + [bookworm] - dwarfutils (Minor issue) [bullseye] - dwarfutils (Minor issue) [buster] - dwarfutils (Minor issue) [stretch] - dwarfutils (Minor issue) @@ -62404,6 +62405,7 @@ CVE-2022-32201 (In libjpeg 1.63, there is a NULL pointer dereference in Componen NOTE: Crash in CLI tool, no security impact CVE-2022-32200 (libdwarf 0.4.0 has a heap-based buffer over-read in _dwarf_check_strin ...) - dwarfutils (bug #1012515) + [bookworm] - dwarfutils (Minor issue) [bullseye] - dwarfutils (Minor issue) [buster] - dwarfutils (Minor issue) [stretch] - dwarfutils (Minor issue) @@ -118405,11 +118407,12 @@ CVE-2021-38580 CVE-2021-38579 RESERVED CVE-2021-38578 (Existing CommBuffer checks in SmmEntryPoint will not catch underflow w ...) - - edk2 (bug #1014468) + - edk2 2022.11-1 (bug #1014468) [bullseye] - edk2 (Minor issue) [buster] - edk2 (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3387 (private) NOTE: https://edk2.groups.io/g/devel/message/90516 + NOTE: https://github.com/tianocore/edk2/commit/cab1f02565d3b29081dd21afb074f35fdb4e1fd6 CVE-2021-38577 REJECTED CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the Platform a ...) 
@@ -144077,6 +144080,7 @@ CVE-2021-3448 (A flaw was found in dnsmasq in versions before 2.85. When configu NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2 CVE-2021-3447 (A flaw was found in several ansible modules, where parameters containi ...) - ansible (bug #1014721) + [bookworm] - ansible (Minor issue) [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349 @@ -26,9 +244450,8 @@ CVE-2019-19380 CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users can bypass ...) NOT-FOR-US: MISP CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image ...) - - linux - [bullseye] - linux (Minor issue) - [buster] - linux (Minor issue) + - linux (unimportant) + NOTE: raid 5/6 is marked as not production ready for btrfs CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs filesystem image, ...) {DLA-2483-1} - linux 5.6.7-1 @@ -261170,6 +261173,7 @@ CVE-2019-14855 (A flaw was found in the way certificate signatures could be forg [stretch] - gnupg2 (Minor issue) [jessie] - gnupg2 (No backport to version << 2.2.x, low impact, danger of breaking things) - gnupg1 (low) + [bookworm] - gnupg1 (Minor issue) [bullseye] - gnupg1 (Minor issue) [buster] - gnupg1 (Minor issue) [stretch] - gnupg1 (Minor issue) @@ -270228,6 +270232,7 @@ CVE-2019-12215 (** DISPUTED ** A full path disclosure vulnerability was discover - matomo (bug #448532) CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of mishand ...) - freeimage (bug #947478) + [bookworm] - freeimage (Revisit when upstream fixes are available) [bullseye] - freeimage (Revisit when upstream fixes are available) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) 
@@ -270245,6 +270250,7 @@ CVE-2019-12213 (When FreeImage 3.18.0 reads a special TIFF file, the TIFFReadDir NOTE: https://sourceforge.net/p/freeimage/svn/1825/ CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the StreamCalcIFDSize ...) - freeimage (bug #947477) + [bookworm] - freeimage (Revisit when upstream fixes are available) [bullseye] - freeimage (Revisit when upstream fixes are available) [buster] - freeimage (Revisit when upstream fixes are available) [stretch] - freeimage (Revisit when upstream fixes are available) @@ -336924,12 +336930,8 @@ CVE-2018-7588 (An issue was discovered in CImg v.220. A heap-based buffer over-r NOTE: https://github.com/dtschump/CImg/issues/183 NOTE: https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4 CVE-2018-7587 (An is
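Review bot: in the edk2 hunk (CVE-2021-38578) the new commit reference is added as a bare "NOTE: https://github.com/tianocore/edk2/commit/cab1f025..." while the fixed version is bumped to 2022.11-1 in the same hunk; the tracker's "NOTE: Fixed by: <url>" form used elsewhere in this list would make it explicit that this commit is the fix backing the version bump rather than just related reading.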
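Review bot: in the "@@ -26,9 +244450,8 @@" hunk the linux entry for CVE-2019-19378 is downgraded to "(unimportant)" on the strength of "NOTE: raid 5/6 is marked as not production ready for btrfs", but the visible CVE text only mentions mounting a crafted btrfs image and nothing ties it to the raid 5/6 code path; a reference (upstream bug or commit) showing the affected code is raid 5/6 specific should accompany the downgrade so it can be verified. The old-side offset "-26" in that hunk header is also out of line with its neighbours ("-144077", "-261170"), which looks like mail-side mangling; worth checking the hunk against the repository before relying on this copy.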
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 041decee by Moritz Muehlenhoff at 2023-02-27T13:37:13+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24418,11 +24418,13 @@ CVE-2022-3966 (A vulnerability, which was classified as critical, has been found NOT-FOR-US: Ultimate Member Plugin CVE-2022-3965 (A vulnerability classified as problematic was found in ffmpeg. This vu ...) - ffmpeg + [bookworm] - ffmpeg (Wait until it lands in 5.1.x) [bullseye] - ffmpeg (Wait until it lands in 4.3.x) [buster] - ffmpeg (Wait until it lands in 4.1.x) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd CVE-2022-3964 (A vulnerability classified as problematic has been found in ffmpeg. Th ...) - ffmpeg + [bookworm] - ffmpeg (Wait until it lands in 5.1.x) [bullseye] - ffmpeg (Wait until it lands in 4.3.x) [buster] - ffmpeg (Wait until it lands in 4.1.x) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984 @@ -33264,7 +33266,7 @@ CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - pymatgen (bug #1024017) NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/ - NOTE: Doesn't seem to be reported upstream so far + NOTE: https://github.com/materialsproject/pymatgen/issues/2755 CVE-2022-3520 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0 ...) - vim 2:9.0.0813-1 (unimportant) NOTE: https://huntr.dev/bounties/c1db3b70-f4fe-481f-8a24-0b1449c94246 
@@ -133015,6 +133017,7 @@ CVE-2021-32752 (Ether Logs is a package that allows one to check one's logs in t NOT-FOR-US: Ether Logs CVE-2021-32751 (Gradle is a build tool with a focus on build automation. In versions p ...) - gradle (bug #1014778) + [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) @@ -142066,12 +142069,14 @@ CVE-2021-29430 (Sydent is a reference Matrix identity server. Sydent does not li NOT-FOR-US: Matrix Sydent CVE-2021-29429 (In Gradle before version 7.0, files created with open permissions in t ...) - gradle (bug #987284) + [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8 CVE-2021-29428 (In Gradle before version 7.0, on Unix-like systems, the system tempora ...) - gradle (bug #987284) + [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue; sticky bit on /tmp is set by default) @@ -260342,6 +260347,7 @@ CVE-2019-15053 (The "HTML Include and replace macro" plugin before 1.5.0 for Con NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence Server CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication credentials ...) - gradle (low; bug #941187) + [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) 
@@ -276806,11 +276812,9 @@ CVE-2019-9906 CVE-2019-9905 RESERVED CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in graphviz 2. ...) - - graphviz (low; bug #925284) - [bullseye] - graphviz (Minor issue) - [buster] - graphviz (Minor issue) - [stretch] - graphviz (Minor issue) - [jessie] - graphviz (Minor issue) + NOTE: Does not reproduce with the version of Graphviz in Bullseye, might be bogus + NOTE: or Windows-specific. Even if applicable to some older release, impact is + NOTE: negligible anyway NOTE: https://gitlab.com/graphviz/graphviz/issues/1512 CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles dict mark ...) {DLA-3120-1} @@ -432788,6 +432792,7 @@ CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly ap NOTE: Upstream confirmed it does not affect squid 2.7.x CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to escape to ...) - policykit-1 (low; bug #816062; bug #812512) + [bookworm] - policykit-1 (Minor issue) [bullseye] - policykit-1 (Minor issue) [buster] - policykit-1 (Minor issue) [stretch] - policykit-1 (Minor issue) View it
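Review bot: the graphviz hunk (CVE-2019-9904) removes the "- graphviz (low; bug #925284)" package line entirely and leaves the entry with NOTE lines only, so the CVE no longer has a package or state recorded and the cross-reference to bug #925284 is lost; every other entry in this batch keeps a "- package (...)" line. Since the notes themselves conclude that impact is negligible even where applicable, keeping a package line in the form used elsewhere here, e.g. "- graphviz (unimportant; bug #925284)", would preserve the bug link and keep the entry machine-readable.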
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d4d1ee1f by Moritz Muehlenhoff at 2023-02-24T14:41:20+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -96080,6 +96080,7 @@ CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function [bullseye] - svgpp (Minor issue) [buster] - svgpp (Minor issue) NOTE: https://github.com/svgpp/svgpp/issues/101 + NOTE: https://github.com/svgpp/svgpp/commit/0bc57f2cc6d9d86a0fa1ce73e508c2b5994b4b91 CVE-2021-44959 RESERVED CVE-2021-44958 @@ -119123,6 +119124,7 @@ CVE-2021-37746 (textview_uri_security_check in textview.c in Claws Mail before 3 [buster] - claws-mail (Minor issue) [stretch] - claws-mail (Minor issue) - sylpheed (bug #991723) + [bookworm] - sylpheed (Minor issue) [bullseye] - sylpheed (Minor issue) [buster] - sylpheed (Minor issue) [stretch] - sylpheed (Minor issue) @@ -178621,6 +178623,7 @@ CVE-2020-26881 RESERVED CVE-2020-26880 (Sympa through 6.2.57b.2 allows a local privilege escalation from the s ...) - sympa (bug #972114) + [bookworm] - sympa (Revisit when fixed upstream; most setups mitigated) [bullseye] - sympa (Revisit when fixed upstream; most setups mitigated) [buster] - sympa (Revisit when fixed upstream; most setups mitigated) [stretch] - sympa (Mitigated, revisit when fixed upstream) @@ -207645,6 +207648,7 @@ CVE-2020-14305 (An out-of-bounds memory write flaw was found in how the Linux ke NOTE: https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897...@virtuozzo.com/ CVE-2020-14304 (A memory disclosure flaw was found in the Linux kernel's ethernet driv ...) - linux (bug #960702) + [bookworm] - linux (Minor issue) [bullseye] - linux (Minor issue) [buster] - linux (Minor issue) CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions before ...) 
@@ -257984,6 +257988,7 @@ CVE-2019-15214 (An issue was discovered in the Linux kernel before 5.0.10. There [stretch] - linux 4.9.184-1 CVE-2019-15213 (An issue was discovered in the Linux kernel before 5.2.3. There is a u ...) - linux + [bookworm] - linux (Revisit when correctly fixed upstream) [bullseye] - linux (Revisit when correctly fixed upstream) [stretch] - linux (Vulnerable code introduced later) [jessie] - linux (Vulnerable code introduced later) @@ -320576,6 +320581,7 @@ CVE-2018-12929 (ntfs_read_locked_inode in the ntfs.ko filesystem driver in the L [jessie] - linux (ntfs is not supportable) CVE-2018-12928 (In the Linux kernel 4.15.0, a NULL pointer dereference was discovered ...) - linux (low) + [bookworm] - linux (Minor issue) [bullseye] - linux (Minor issue) [buster] - linux (Minor issue) [stretch] - linux (Minor issue) 
@@ -324109,33 +324115,21 @@ CVE-2018-11742 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Cleartext Passwo CVE-2018-11741 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable Session ID ...) NOT-FOR-US: NEC Univerge Sv9100 WebPro devices CVE-2018-11740 (An issue was discovered in libtskbase.a in The Sleuth Kit (TSK) from r ...) - - sleuthkit (low; bug #902187) - [bullseye] - sleuthkit (Minor issue) - [buster] - sleuthkit (Minor issue) - [stretch] - sleuthkit (Minor issue) - [jessie] - sleuthkit (Minor issue) + - sleuthkit (unimportant; bug #902187) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1264 + NOTE: Negligible security impact CVE-2018-11739 (An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) from re ...) - - sleuthkit (low; bug #902187) - [bullseye] - sleuthkit (Minor issue) - [buster] - sleuthkit (Minor issue) - [stretch] - sleuthkit (Minor issue) - [jessie] - sleuthkit (Minor issue) + - sleuthkit (unimportant; bug #902187) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1267 + NOTE: Negligible security impact CVE-2018-11738 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from rel ...) - - sleuthkit (low; bug #902187) - [bullseye] - sleuthkit (Minor issue) - [buster] - sleuthkit (Minor issue) - [stretch] - sleuthkit (Minor issue) - [jessie] - sleuthkit (Minor issue) + - sleuthkit (unimportant; bug #902187) NOTE: https://github.com/sleuthkit/sleuthkit/issues/1265 + NOTE: Negligible security impact CVE-2018-11737 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) from rel ...) - - sleuthkit (low; bug #902187) - [bullseye] - sleuthkit (Minor issue) -
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ce345456 by Moritz Muehlenhoff at 2023-02-23T17:52:23+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71738,6 +71738,7 @@ CVE-2022-28392 RESERVED CVE-2022-28391 (BusyBox through 1.35.0 allows remote attackers to execute arbitrary co ...) - busybox (bug #1010264) + [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) [stretch] - busybox (Minor issue) @@ -101743,15 +101744,18 @@ CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5 - lua5.4 5.4.4-1 (bug #1000228) [bullseye] - lua5.4 (Minor issue) - lua5.3 - [bullseye] - lua5.3 (Minor issue) + [bookworm] - lua5.3 (Minor issue) + [bullseye] - lua5.3 (Minor issue) [buster] - lua5.3 (Minor issue) [stretch] - lua5.3 (Minor issue) - lua5.2 - [bullseye] - lua5.2 (Minor issue) + [bookworm] - lua5.2 (Minor issue) + [bullseye] - lua5.2 (Minor issue) [buster] - lua5.2 (Minor issue) [stretch] - lua5.2 (Minor issue) - lua5.1 - [bullseye] - lua5.1 (Minor issue) + [bookworm] - lua5.1 (Minor issue) + [bullseye] - lua5.1 (Minor issue) [buster] - lua5.1 (Minor issue) [stretch] - lua5.1 (Minor issue) - lua50 (Vulnerable code not present) @@ -164207,6 +164211,7 @@ CVE-2021-20256 (A flaw was found in Red Hat Satellite. The BMC interface exposes CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was found in ...) {DLA-2623-1} - qemu (bug #984451) + [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue, waiting for sanctioned patch, fixed in stretch-lts) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html 
@@ -165060,6 +165065,7 @@ CVE-2020-35504 (A NULL pointer dereference flaw was found in the SCSI emulation NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SCSI hos ...) - qemu (bug #979678) + [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce3454562a36f2c8faac7d60e665e81bf801229e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce3454562a36f2c8faac7d60e665e81bf801229e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
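Review bot: in the lua hunk ("@@ -101743,15 +101744,18 @@") the "[bullseye] - lua5.3/5.2/5.1 (Minor issue)" lines are shown as removed and re-added with apparently identical text around the new "[bookworm]" lines, which usually means a whitespace-only difference (trailing spaces or indentation) crept in; worth checking so the diff records only the intended bookworm additions.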
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 923be14c by Moritz Muehlenhoff at 2023-02-23T13:28:34+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49912,7 +49912,7 @@ CVE-2022-36114 (Cargo is a package manager for the rust programming language. It - cargo 0.63.1-1 (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - - rust-cargo (bug #1021143) + - rust-cargo 0.66.0-1 (bug #1021143) [bullseye] - rust-cargo (Minor issue) [buster] - rust-cargo (Minor issue) NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp @@ -49921,7 +49921,7 @@ CVE-2022-36113 (Cargo is a package manager for the rust programming language. Af - cargo 0.63.1-1 (bug #1021142) [bullseye] - cargo (Minor issue) [buster] - cargo (Minor issue) - - rust-cargo (bug #1021143) + - rust-cargo 0.66.0-1 (bug #1021143) [bullseye] - rust-cargo (Minor issue) [buster] - rust-cargo (Minor issue) NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j @@ -65309,10 +65309,11 @@ CVE-2022- [RUSTSEC-2022-0019] [buster] - rust-crossbeam-channel (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html CVE-2022- [RUSTSEC-2022-0020] - - rust-crossbeam + - rust-crossbeam 0.8.1-1 [bullseye] - rust-crossbeam (Minor issue) [buster] - rust-crossbeam (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0020.html + NOTE: advisory seems wrong about fixed version, should be >= 0.8.0 CVE-2022-30600 (A flaw was found in moodle where logic used to count failed login atte ...) - moodle CVE-2022-30599 (A flaw was found in moodle where an SQL injection risk was identified ...) 
@@ -167924,7 +167925,7 @@ CVE-2020-35919 (An issue was discovered in the net2 crate before 0.2.36 for Rust NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0078.html NOTE: https://github.com/deprecrated/net2-rs/issues/105 CVE-2020-35916 (An issue was discovered in the image crate before 0.23.12 for Rust. A ...) - - rust-image (bug #976869) + - rust-image 0.23.14-1 (bug #976869) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0073.html NOTE: https://github.com/image-rs/image/issues/1357 CVE-2020-29606 @@ -276971,6 +276972,7 @@ CVE-2019-9546 (SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege NOT-FOR-US: SolarWinds Orion Platform CVE-2019-9545 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...) - poppler (low; bug #923552) + [bookworm] - poppler (Minor issue) [bullseye] - poppler (Minor issue) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) @@ -276980,6 +276982,7 @@ CVE-2019-9544 (An issue was discovered in Bento4 1.5.1-628. An out of bounds wri NOT-FOR-US: Bento4 CVE-2019-9543 (An issue was discovered in Poppler 0.74.0. A recursive function call, ...) - poppler (low; bug #923553) + [bookworm] - poppler (Minor issue) [bullseye] - poppler (Minor issue) [buster] - poppler (Minor issue) [stretch] - poppler (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/923be14c8108a68520c576efbe3d4b0b48ab3782 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/923be14c8108a68520c576efbe3d4b0b48ab3782 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
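Review bot: the rust-crossbeam hunk ("@@ -65309,10 +65309,11 @@", RUSTSEC-2022-0020) sets the fixed version to 0.8.1-1 on the basis of "NOTE: advisory seems wrong about fixed version, should be >= 0.8.0", but nothing in the entry substantiates that disagreement with the advisory. A NOTE pointing at the upstream commit or release that actually contains the fix would let a later reader confirm the >= 0.8.0 claim instead of taking it on trust.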
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 06788701 by Moritz Muehlenhoff at 2023-02-22T20:33:10+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -112553,6 +112553,7 @@ CVE-2021-3739 (A NULL pointer dereference flaw was found in the btrfs_rm_device NOTE: https://www.openwall.com/lists/oss-security/2021/08/25/3 CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of QEMU. It o ...) - qemu (bug #1014767) + [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue, waiting for patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184 @@ -137713,6 +137714,7 @@ CVE-2021-30185 (CERN Indico before 2.3.4 can use an attacker-supplied Host heade NOT-FOR-US: CERN Indico CVE-2021-30184 (GNU Chess 6.2.7 allows attackers to execute arbitrary code via crafted ...) - gnuchess (bug #986801) + [bookworm] - gnuchess (Minor issue) [bullseye] - gnuchess (Minor issue) [buster] - gnuchess (Minor issue) [stretch] - gnuchess (Minor issue in a game; can be fixed in next update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/067887010077b80f6cc9b5f6ac4914b3945e7047 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/067887010077b80f6cc9b5f6ac4914b3945e7047 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f015e682 by Moritz Muehlenhoff at 2023-02-21T22:50:29+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -128832,6 +128832,7 @@ CVE-2021-33465 (An issue was discovered in yasm version 1.3.0. There is a NULL p NOTE: Crash in CLI tool, no security impact CVE-2021-33464 (An issue was discovered in yasm version 1.3.0. There is a heap-buffer- ...) - yasm (bug #1016353) + [bookworm] - yasm (Minor issue) [bullseye] - yasm (Minor issue) [buster] - yasm (Minor issue) NOTE: https://github.com/yasm/yasm/issues/164 @@ -132999,6 +133000,7 @@ CVE-2021-31880 RESERVED CVE-2021-31879 (GNU Wget through 1.21.1 does not omit the Authorization header upon a ...) - wget (bug #988209) + [bookworm] - wget (Minor issue) [bullseye] - wget (Minor issue) [buster] - wget (Minor issue) [stretch] - wget (Minor issue; can be fixed in next update) @@ -145164,6 +145166,7 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x through 2.5.1alpha, an asse NOTE: REL_ENG 2.4.x: https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which makes it e ...) - steghide (bug #983267) + [bookworm] - steghide (Minor issue) [bullseye] - steghide (Minor issue) [buster] - steghide (Minor issue) [stretch] - steghide (Minor issue; can be fixed in next DLA) 
@@ -204945,6 +204948,7 @@ CVE-2020-14941 RESERVED CVE-2020-14940 (An issue was discovered in io/gpx/GPXDocumentReader.java in TuxGuitar ...) - tuxguitar (bug #963626) + [bookworm] - tuxguitar (Minor issue) [bullseye] - tuxguitar (Minor issue) [buster] - tuxguitar (Minor issue) [stretch] - tuxguitar (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f015e6825bcd314633c129a827cd8d66804394a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f015e6825bcd314633c129a827cd8d66804394a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f59193d by Moritz Muehlenhoff at 2023-02-21T20:37:23+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72531,6 +72531,10 @@ CVE-2022-28048 (STB v2.27 was discovered to contain an integer shift of invalid NOTE: https://github.com/nothings/stb/issues/1293 NOTE: https://github.com/nothings/stb/pull/1297 NOTE: Negligible security impact + NOTE: https://github.com/nothings/stb/commit/84b94010a7b08003cc3fb93635582849398e7ae2 + NOTE: https://github.com/nothings/stb/commit/96fe76c21308653d22672e986dd39506f6871421 + NOTE: https://github.com/nothings/stb/commit/47164e4086c1349ef3042fb04e0f7f7ceaf1fcee + NOTE: https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d CVE-2022-28047 RESERVED CVE-2022-28046 
@@ -72550,12 +72554,20 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based use-af [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1289 NOTE: https://github.com/nothings/stb/pull/1297 + NOTE: https://github.com/nothings/stb/commit/84b94010a7b08003cc3fb93635582849398e7ae2 + NOTE: https://github.com/nothings/stb/commit/96fe76c21308653d22672e986dd39506f6871421 + NOTE: https://github.com/nothings/stb/commit/47164e4086c1349ef3042fb04e0f7f7ceaf1fcee + NOTE: https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer overflow via th ...) {DLA-3305-1} - libstb (bug #1014531) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1292 NOTE: https://github.com/nothings/stb/pull/1297 + NOTE: https://github.com/nothings/stb/commit/84b94010a7b08003cc3fb93635582849398e7ae2 + NOTE: https://github.com/nothings/stb/commit/96fe76c21308653d22672e986dd39506f6871421 + NOTE: https://github.com/nothings/stb/commit/47164e4086c1349ef3042fb04e0f7f7ceaf1fcee + NOTE: https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d CVE-2022-28040 RESERVED CVE-2022-28039 @@ -241726,6 +241738,7 @@ CVE-2019-19450 RESERVED CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem image c ...) - linux + [bookworm] - linux (Minor issue, revisit once fixed upstream) [bullseye] - linux (Minor issue, revisit once fixed upstream) [buster] - linux (Minor issue, revisit once fixed upstream) [stretch] - linux (f2fs is not supportable) 
@@ -254720,6 +254733,7 @@ CVE-2019-16061 (A number of files on the NETSAS Enigma NMS server 65.0.0 and pri NOT-FOR-US: NETSAS Enigma NMS CVE-2019-16089 (An issue was discovered in the Linux kernel through 5.2.13. nbd_genl_s ...) - linux + [bookworm] - linux (Minor issue, revisit when fixed upstream) [bullseye] - linux (Minor issue, revisit when fixed upstream) [buster] - linux (Minor issue, revisit when fixed upstream) [stretch] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f59193df95c9ac4637121512c01c969d94950d9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f59193df95c9ac4637121512c01c969d94950d9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
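Review bot: the same four stb commit URLs (84b94010, 96fe76c2, 47164e40, 5cfc2a74) are appended verbatim to CVE-2022-28048, CVE-2022-28042 and CVE-2022-28041 without saying which commit addresses which issue, so the per-CVE entries carry no more information than the shared pull request #1297 already linked above them. Marking the relevant commit per CVE with the "NOTE: Fixed by: <url>" form used elsewhere in this list (as for the LibreCAD entry) would make it clear which change closes the heap use-after-free in 28042 versus the integer overflow in 28041.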
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 755f3d05 by Moritz Muehlenhoff at 2023-02-21T19:44:10+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66583,6 +66583,7 @@ CVE-2022-29979 (Simple Client Management System 1.0 is vulnerable to SQL Injecti NOT-FOR-US: Sourcecodester Simple Client Management System CVE-2022-29978 (There is a floating point exception error in sixel_encoder_do_resize, ...) - libsixel (bug #1014527) + [bookworm] - libsixel (Minor issue) [bullseye] - libsixel (Minor issue) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) @@ -66590,6 +66591,7 @@ CVE-2022-29978 (There is a floating point exception error in sixel_encoder_do_re NOTE: Previously also reported in https://github.com/saitoha/libsixel/issues/166 CVE-2022-29977 (There is an assertion failure error in stbi__jpeg_huff_decode, stb_ima ...) - libsixel (bug #1014526) + [bookworm] - libsixel (Minor issue) [bullseye] - libsixel (Minor issue) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) @@ -79987,6 +79989,7 @@ CVE-2022-0684 (The WP Home Page Menu WordPress plugin before 3.1 does not saniti NOT-FOR-US: WordPress plugin CVE-2021-46700 (In libsixel 1.8.6, sixel_encoder_output_without_macro (called from six ...) - libsixel (bug #1014469) + [bookworm] - libsixel (Minor issue) [bullseye] - libsixel (Minor issue) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) 
@@ -108120,12 +108123,14 @@ CVE-2021-41738 (ZeroShell 3.9.5 has a command injection vulnerability in /cgi-bi CVE-2021-41737 RESERVED - faust (bug #1014783) + [bookworm] - faust (Minor issue) [bullseye] - faust (Minor issue) [buster] - faust (Minor issue) [stretch] - faust (Minor issue, no patch/acknowledgment yet) NOTE: https://github.com/grame-cncm/faust/issues/653 CVE-2021-41736 (Faust v2.35.0 was discovered to contain a heap-buffer overflow in the ...) - faust (bug #1014783) + [bookworm] - faust (Minor issue) [bullseye] - faust (Minor issue) [buster] - faust (Minor issue) [stretch] - faust (Minor issue, no patch/acknowledgment yet) @@ -115981,6 +115986,7 @@ CVE-2021-38577 REJECTED CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the Platform a ...) - edk2 (bug #1014468) + [bookworm] - edk2 (Minor issue) [bullseye] - edk2 (Minor issue) [buster] - edk2 (Minor issue) NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private) 
@@ -136920,24 +136926,28 @@ CVE-2021-30473 (aom_image.c in libaom in AOMedia before 2021-04-07 frees memory NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2998 CVE-2021-30472 (A flaw was found in PoDoFo 0.9.7. A stack-based buffer overflow in Pdf ...) - libpodofo (bug #986794) + [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue; can be fixed in next update) NOTE: https://sourceforge.net/p/podofo/tickets/132/ CVE-2021-30471 (A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call in Pd ...) - libpodofo (bug #986793) + [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue; can be fixed in next update) NOTE: https://sourceforge.net/p/podofo/tickets/131/ CVE-2021-30470 (A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive call among ...) - libpodofo (bug #986792) + [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue; can be fixed in next update) NOTE: https://sourceforge.net/p/podofo/tickets/130/ CVE-2021-30469 (A flaw was found in PoDoFo 0.9.7. An use-after-free in PoDoFo::PdfVecO ...) - libpodofo (bug #986791) + [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue; can be fixed in next update) @@ -143459,6 +143469,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an NOTE: https://github.com/golang/go/issues/44913 CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper overfl ...) - newlib (bug #984446) + [bookworm] - newlib (Minor issue) [bullseye] - newlib (Minor issue) [buster]
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c102f0c6 by Moritz Muehlenhoff at 2023-02-21T19:04:11+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -82630,6 +82630,7 @@ CVE-2022-24600 (Luocms v2.0 is affected by SQL Injection through /admin/login.ph NOT-FOR-US: Luocms CVE-2022-24599 (In autofile Audio File Library 0.3.6, there exists one memory leak vul ...) - audiofile (bug #1008017) + [bookworm] - audiofile (Minor issue) [bullseye] - audiofile (Minor issue) [buster] - audiofile (Minor issue) [stretch] - audiofile (Minor issue) @@ -128644,6 +128645,7 @@ CVE-2021-33498 (Pexip Infinity before 26 allows remote denial of service because NOT-FOR-US: Pexip Infinity CVE-2021-3563 (A flaw was found in openstack-keystone. Only the first 72 characters o ...) - keystone (bug #989998) + [bookworm] - keystone (Minor issue) [bullseye] - keystone (Minor issue) [buster] - keystone (Minor issue) [stretch] - keystone (Keystone is not supported in stretch) @@ -265105,6 +265107,7 @@ CVE-2019-13148 (An issue was discovered in TRENDnet TEW-827DRU firmware before 2 NOT-FOR-US: TRENDnet TEW-827DRU firmware CVE-2019-13147 (In Audio File Library (aka audiofile) 0.3.6, there exists one NULL poi ...) - audiofile (low; bug #931343) + [bookworm] - audiofile (Minor issue) [bullseye] - audiofile (Minor issue) [buster] - audiofile (Minor issue) [stretch] - audiofile (Minor issue) @@ -268147,6 +268150,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3. NOTE: https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08 CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to ...) - qemu (low; bug #972099) + [bookworm] - qemu (Minor issue, revisit when fixed upstream) [bullseye] - qemu (Minor issue, revisit when fixed upstream) [buster] - qemu (Minor issue, waiting for sanctioned patch) - qemu-kvm 
@@ -292230,8 +292234,9 @@ CVE-2018-20544 (There is floating point exception at caca/dither.c (function cac NOTE: https://github.com/cacalabs/libcaca/issues/36 NOTE: Upstream fix: https://github.com/cacalabs/libcaca/commit/84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c CVE-2018-20543 (There is an attempted excessive memory allocation at libxsmm_sparse_cs ...) - - libxsmm (bug #917573) + - libxsmm (unimportant; bug #917573) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652634 + NOTE: Negligible security impact CVE-2018-20542 (There is a heap-based buffer-overflow at generator_spgemm_csc_reader.c ...) - libxsmm 1.17-1 (bug #917526) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652633 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c102f0c69020082f0c59095fd1dc85a128c3ee2b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c102f0c69020082f0c59095fd1dc85a128c3ee2b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
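Review bot: the severity change to "unimportant" in the CVE-2018-20543 hunk is justified only by the new line "NOTE: Negligible security impact", which restates the verdict rather than the reason. The neighbouring CVE-2018-20542 entry in the same hunk is a heap-based buffer overflow that was fixed in 1.17-1, so it would help to record what sets this "attempted excessive memory allocation" apart (for instance why the allocation failure is not reachable with untrusted input) so that the distinction survives a future triage pass without re-reading the Red Hat bug.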
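Review bot: in the CVE-2019-12067 hunk the new "[bookworm] - qemu (Minor issue, revisit when fixed upstream)" line copies the bullseye wording, while the buster line in the same hunk says "waiting for sanctioned patch"; the three suites now give two different reasons for postponing the same issue. If the upstream state is identical for all of them, align the wording, or add a NOTE pointing at the upstream discussion so the "revisit" trigger is concrete.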
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e24005dd by Moritz Muehlenhoff at 2023-02-21T10:30:07+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20278,6 +20278,7 @@ CVE-2022-45749 RESERVED CVE-2022-45748 (An issue was discovered with assimp 5.1.4, a use after free occurred i ...) - assimp (bug #1029833) + [bookworm] - assimp (Minor issue) [bullseye] - assimp (Minor issue) [buster] - assimp (Minor issue) NOTE: https://github.com/assimp/assimp/issues/4286 @@ -42679,6 +42680,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to contain a heap-buffer o NOTE: https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72 CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was discovered to co ...) - assimp (bug #1021018) + [bookworm] - assimp (Minor issue) [bullseye] - assimp (Minor issue) [buster] - assimp (Minor issue) NOTE: https://github.com/assimp/assimp/issues/4662 @@ -93759,6 +93761,7 @@ CVE-2021-45341 (A buffer overflow vulnerability in CDataMoji of the jwwlib compo NOTE: Fixed by: https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997 CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer dereference ...) - libsixel (bug #1004377) + [bookworm] - libsixel (Minor issue) [bullseye] - libsixel (Minor issue) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue) @@ -131741,6 +131744,7 @@ CVE-2021-32295 RESERVED CVE-2021-32294 (An issue was discovered in libgig through 20200507. A heap-buffer-over ...) - libgig (bug #1014777) + [bookworm] - libgig (Minor issue) [bullseye] - libgig (Minor issue) [buster] - libgig (Minor issue) [stretch] - libgig (Minor issue, revisit when/if fixed upstream) 
@@ -159072,11 +159076,13 @@ CVE-2020-36121 RESERVED CVE-2020-36120 (Buffer Overflow in the "sixel_encoder_encode_bytes" function of Libsix ...) - libsixel (bug #988159) - [bullseye] - libsixel (Minor issue) + [bookworm] - libsixel (Minor issue, fix modifies the API) + [bullseye] - libsixel (Minor issue, fix modifies the API) [buster] - libsixel (Minor issue) [stretch] - libsixel (Minor issue; can be fixed in next update) - NOTE: https://github.com/saitoha/libsixel/issues/143 + NOTE: https://github.com/saitoha/libsixel/issues/143 (old/defunct repo) NOTE: https://github.com/libsixel/libsixel/issues/46 + NOTE: https://github.com/libsixel/libsixel/pull/47 CVE-2020-36119 RESERVED CVE-2020-36118 @@ -333036,6 +333042,7 @@ CVE-2017-18227 (TitanHQ WebTitan Gateway has incorrect certificate validation fo NOT-FOR-US: TitanHQ WebTitan Gateway CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the ownership of ...) - jabberd2 (low; bug #902783) + [bookworm] - jabberd2 (Minor issue, default init system not affected) [bullseye] - jabberd2 (Minor issue, default init system not affected) [buster] - jabberd2 (Minor issue, default init system not affected) [stretch] - jabberd2 (Minor issue, default init system not affected) 
@@ -434175,11 +434182,7 @@ CVE-2016-1587 (The Snapweb interface before version 0.21.2 was exposing controls CVE-2016-1586 (A malicious webview could install long-lived unload handlers that re-u ...) NOT-FOR-US: Oxide CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened when ...) - - apparmor (low; bug #929990) - [bullseye] - apparmor (Minor overall security impact) - [buster] - apparmor (Minor overall security impact) - [stretch] - apparmor (Minor overall security impact) - [jessie] - apparmor (Minor overall security impact) + - apparmor (unimportant; bug #929990) NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017 NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=995594 NOTE: Introduced around AppArmor 2.8 upstream. @@ -434188,6 +434191,7 @@ CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally widened NOTE: by default before buster, in particular not with mount rules), 2. libvirtd NOTE: but the profile is not meant to be a strong security boundary. NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017/comments/6 + NOTE: Negligible security impact / known limitation CVE-2016-1584 (In all versions of Unity8 a running but not active application on a la ...) - unity (bug #609278) CVE-2016-1583 (The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c in the ...) View it on GitL
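Review bot: in the CVE-2020-36120 hunk the bookworm and bullseye lines now say "fix modifies the API", but the untouched stretch line still reads "Minor issue; can be fixed in next update". If the only available fix is the API-changing change in libsixel/libsixel pull 47, the stretch note looks stale and should either point at a backportable change or carry the same caveat. Also, the tracker's convention elsewhere in this file is "NOTE: Fixed by: <url>" for fix references (see the LibreCAD entry in the earlier hunk), so marking the pull/47 line that way would distinguish it from the two discussion links above it.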
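Review bot: the CVE-2016-1585 hunk replaces four per-suite "Minor overall security impact" lines with a single "unimportant" tag and adds "NOTE: Negligible security impact / known limitation"; the rationale is backed by the surrounding NOTE lines (the profile "is not meant to be a strong security boundary", launchpad comment 6), so the downgrade reads as documented. Since "bug #929990" stays referenced on the package line, check that the Debian bug's state is brought in line with the new status rather than left open as a pending security fix.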
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1310760a by Moritz Muehlenhoff at 2023-01-11T14:47:36+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -110082,6 +110082,7 @@ CVE-2021-37232 (A stack overflow vulnerability occurs in Atomicparsley 20210124. [buster] - atomicparsley (Minor issue) [stretch] - atomicparsley (Minor issue) - gtkpod (bug #993376) + [bookworm] - gtkpod (Minor issue) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) [stretch] - gtkpod (Minor issue) @@ -110093,6 +110094,7 @@ CVE-2021-37231 (A stack-buffer-overflow occurs in Atomicparsley 20210124.204813. [buster] - atomicparsley (Minor issue) [stretch] - atomicparsley (Minor issue) - gtkpod (bug #993375) + [bookworm] - gtkpod (Minor issue) [bullseye] - gtkpod (Minor issue) [buster] - gtkpod (Minor issue) [stretch] - gtkpod (Minor issue) @@ -173394,6 +173396,7 @@ CVE-2020-24828 RESERVED CVE-2020-24827 (A vulnerability in the dwarf::cursor::skip_form function of Libelfin v ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) @@ -173401,6 +173404,7 @@ CVE-2020-24827 (A vulnerability in the dwarf::cursor::skip_form function of Libe NOTE: https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-dwarfcursorskip_form-at-dwarfcursorcc181 CVE-2020-24826 (A vulnerability in the elf::section::as_strtab function of Libelfin v0 ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) 
@@ -173408,6 +173412,7 @@ CVE-2020-24826 (A vulnerability in the elf::section::as_strtab function of Libel NOTE: https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-elfsectionas_strtab-at-elfelfcc284 CVE-2020-24825 (A vulnerability in the line_table::line_table function of Libelfin v0. ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) @@ -173415,6 +173420,7 @@ CVE-2020-24825 (A vulnerability in the line_table::line_table function of Libelf NOTE: https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-line_tableline_table-at-dwarflinecc104 CVE-2020-24824 (A global buffer overflow issue in the dwarf::line_table::line_table fu ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) @@ -173422,6 +173428,7 @@ CVE-2020-24824 (A global buffer overflow issue in the dwarf::line_table::line_ta NOTE: https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#global-buffer-overflow-in-function-dwarfline_tableline_table-at-dwarflinecc107 CVE-2020-24823 (A vulnerability in the dwarf::to_string function of Libelfin v0.3 allo ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) 
@@ -173429,6 +173436,7 @@ CVE-2020-24823 (A vulnerability in the dwarf::to_string function of Libelfin v0. NOTE: https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-dwarfto_string-at-dwarfvaluecc300 CVE-2020-24822 (A vulnerability in the dwarf::cursor::uleb function of Libelfin v0.3 a ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) @@ -173436,6 +173444,7 @@ CVE-2020-24822 (A vulnerability in the dwarf::cursor::uleb function of Libelfin NOTE: https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-dwarfcursoruleb128-at-dwarfinternalhh154 CVE-2020-24821 (A vulnerability in the dwarf::cursor::skip_form function of Libelfin v ...) - libelfin (bug #1014122) + [bookworm] - libelfin (Minor issue) [bullseye] - libelfin (Minor issue) [buster] - libelfin (Minor issue) [stretch] - libelfin (Minor issue) @@ -274955,6 +274964,7 @@ CVE-2015-9281 (Logon Manager in SAS Web Infrastructure Platform before 9.4M3 all NOT-FOR-US: SAS Web Infrastructure Platform
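Review bot: all seven libelfin hunks (CVE-2020-24821 through CVE-2020-24827) add an identical "[bookworm] - libelfin (Minor issue)" marker against the same bug #1014122, and the only reference each entry carries is a README anchor in the reporter's xiaoxiongwang/function_bugs repository; no upstream issue or fix commit is recorded, so nothing in these entries will trigger a revisit when a fix appears. Consider adding a "NOTE: Fixed by:" line or an upstream issue link per CVE once one exists, or a single NOTE on one entry stating that the set is tracked together under the Debian bug.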
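Review bot: the two gtkpod hunks (under CVE-2021-37232 and CVE-2021-37231) add bookworm markers that match the existing bullseye/buster/stretch lines, which is consistent. The atomicparsley lines visible in the hunk context show only buster and stretch markers, so from this diff alone a reviewer cannot tell whether the atomicparsley entry itself has bookworm and bullseye status; worth confirming that the primary package entry is complete and not only the embedded copy tracked via gtkpod.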