[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1179caca by Moritz Muehlenhoff at 2025-01-23T12:33:06+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -271,6 +271,7 @@ CVE-2025-20156 (A vulnerability in the REST API of Cisco 
Meeting Management coul
NOT-FOR-US: Cisco
 CVE-2025-20128 (A vulnerability in the Object Linking and Embedding 2 (OLE2) 
decryptio ...)
- clamav 
+   [bookworm] - clamav  (clamav is being updated via -updates)
NOTE: 
https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
 CVE-2025-0651 (Improper Privilege Management vulnerability in Cloudflare WARP 
on Wind ...)
NOT-FOR-US: Cloudflare
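
Review bot: the bookworm line parks CVE-2025-20128 on a pending -updates upload but records no target version, so once that upload lands the tag has to be replaced by the fixed version or bookworm stays listed as unfixed. The rendered line also shows two spaces between `clamav` and the parenthesised reason where the tracker syntax expects a status token such as <no-dsa>; worth confirming the token is present in the committed file, since the same gap shows on every tagged line in this diff.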
@@ -286,6 +287,7 @@ CVE-2025-0604 (A flaw was found in Keycloak. When an Active 
Directory user reset
NOT-FOR-US: Keycloak
 CVE-2025-0395 (When the assert() function in the GNU C Library versions 2.13 
to 2.40  ...)
- glibc 2.40-6
+   [bookworm] - glibc  (Minor issue)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=32582
NOTE: https://www.openwall.com/lists/oss-security/2025/01/22/4
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c
 (2.40-branch)
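
Review bot: the only "Fixed by" reference for CVE-2025-0395 is a commit on the 2.40 branch, while the description puts the affected range at glibc 2.13 to 2.40; whatever bookworm ships is therefore in range and will need that commit backported for a later point release. Recording the matching release-branch commit, or a note that the 2.40 commit cherry-picks cleanly, next to the Minor-issue tag saves the next triager a lookup.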
@@ -873,6 +875,7 @@ CVE-2025-22262 (Improper Neutralization of Input During Web 
Page Generation ('Cr
 CVE-2025-22150 (Undici is an HTTP/1.1 client. Starting in version 4.5.0 and 
prior to v ...)
[experimental] - node-undici 7.2.3+dfsg1+~cs24.12.11-1
- node-undici 
+   [bookworm] - node-undici  (Minor issue)
NOTE: 
https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975
NOTE: Fixed by: 
https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0
 (v5.28.5)
NOTE: Fixed by: 
https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385
 (v6.21.1)
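
Review bot: the sid line for node-undici still carries no fixed version although experimental has 7.2.3+dfsg1+~cs24.12.11-1, so unstable remains listed as vulnerable; if the fix has reached sid the version belongs on that line. Two fix commits are listed, for v5.28.5 and v6.21.1, so whichever series bookworm ships, the matching commit is the backport candidate and the reason could name it.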
@@ -10095,10 +10098,12 @@ CVE-2024-37962 (Improper Neutralization of Input 
During Web Page Generation ('Cr
NOT-FOR-US: Agency Dominion Fusion
 CVE-2024-12801 (Server-Side Request Forgery (SSRF) in SaxEventRecorder by 
QOS.CH logba ...)
- logback  (bug #1091320)
+   [bookworm] - logback  (Minor issue)
NOTE: https://logback.qos.ch/news.html#1.5.13
NOTE: Fixed by: 
https://github.com/qos-ch/logback/commit/5f05041cba4c4ac0a62748c5c527a2da48999f2d
 (v_1.5.13)
 CVE-2024-12798 (ACE vulnerability in JaninoEventEvaluator  by QOS.CH 
logback-core  ...)
- logback  (bug #1091319)
+   [bookworm] - logback  (Minor issue)
NOTE: https://logback.qos.ch/news.html#1.5.13
NOTE: Fixed by: 
https://github.com/qos-ch/logback/commit/2cb6d520df7592ef1c3a198f1b5df3c10c93e183
 (v_1.5.13)
 CVE-2024-12794 (A vulnerability, which was classified as critical, was found 
in Codezi ...)
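
Review bot: CVE-2024-12798 is described as arbitrary code execution in JaninoEventEvaluator, yet the bookworm reason is just "Minor issue". State the precondition in the reason, as the mina bullseye entry does with "need specific conditions", so the call is auditable; for both logback CVEs the only fix reference is the 1.5.13 commit, so a note on whether it applies to the bookworm branch would help the eventual point update.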
@@ -10194,6 +10199,7 @@ CVE-2024-4229 (Incorrect Default Permissions 
vulnerability in Edgecross Basic So
NOT-FOR-US: Edgecross Basic Software for Windows
 CVE-2024-45338 (An attacker can craft an input to the Parse functions that 
would be pr ...)
- golang-golang-x-net  (bug #1091168)
+   [bookworm] - golang-golang-x-net  (Minor issue)
[bullseye] - golang-golang-x-net  (minor issue; DoS)
NOTE: https://go-review.googlesource.com/c/net/+/637536
NOTE: https://github.com/golang/go/issues/70906
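
Review bot: the two suite tags for golang-golang-x-net are inconsistent: bullseye says "minor issue; DoS" and records the impact, bookworm just "Minor issue". Use the same wording and impact on both lines. Since Go libraries are compiled into their reverse dependencies, a fix in this source package only reaches binaries that are rebuilt against it, which is worth noting when the bookworm update is scheduled.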


=
data/dsa-needed.txt
=
@@ -47,6 +47,8 @@ mosquitto (carnil)
 --
 nodejs
 --
+openjdk-17 (jmm)
+--
 openjpeg2
 --
 opennds
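
Review bot: openjdk-17 is added with an assignee but no status line, unlike entries such as libreswan ("Waiting on feedback from maintainer"); a sub-line naming the CVEs or the upstream update being packaged would let others see what the DSA is waiting on.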



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1179caca34b536788b47db21b132ea2b87ee3e0c

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
45945d7d by Moritz Muehlenhoff at 2025-01-21T18:08:52+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -113,7 +113,8 @@ CVE-2024-57930 [tracing: Have process_string() also allow 
arrays]
 CVE-2022-4975
NOT-FOR-US: Red Hat Advanced Cluster Security
 CVE-2025-24014 [segmentation fault in win_line()]
-   - vim 
+   - vim  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
NOTE: Fixed by: 
https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 
(v9.1.1043)
 CVE-2025-24337 (WriteFreely through 0.15.1, when MySQL is used, allows local 
users to  ...)
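
Review bot: the new NOTE justifies "unimportant" with "Crash in CLI tool, no security impact", but win_line() is part of vim's screen drawing, so the note should say whether a crafted file suffices or interactive steps are required; the linked advisory answers that and one clause here saves the lookup. Because the marking is on the package line rather than a suite tag it applies to every suite, which is presumably intended.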
@@ -154,6 +155,7 @@ CVE-2024-22347 (IBM DevOps Velocity 5.0.0 and IBM UrbanCode 
Velocity 4.0.0 throu
NOT-FOR-US: IBM
 CVE-2024-13176 (Issue summary: A timing side-channel which could potentially 
allow rec ...)
- openssl 
+   [bookworm] - openssl  (Minor issue)
NOTE: https://openssl-library.org/news/secadv/20250120.txt
NOTE: 
https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f
 (openssl-3.4.0)
NOTE: 
https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902
 (openssl-3.3.0)
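
Review bot: the two upstream commits for CVE-2024-13176 are bare NOTE lines without the "Fixed by:" prefix used elsewhere in this file, and they are tagged openssl-3.4.0 and openssl-3.3.0 only; if bookworm's branch is neither, the commit for that branch should be recorded before the point update is assembled, otherwise "Minor issue" defers the work without saying what the work is.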
@@ -1717,6 +1719,7 @@ CVE-2024-11322 (A denial-of-service vulnerability exists 
in CyberPower PowerPane
NOT-FOR-US: CyberPower PowerPanel Business
 CVE-2024-11029 (A flaw was found in the FreeIPA API audit, where it sends the 
whole Fr ...)
- freeipa  (bug #1093383)
+   [bookworm] - freeipa  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325557
NOTE: Fixed by: 
https://pagure.io/freeipa/c/3b38efe75865d0696829b4f26572575a8e74ddce 
(release-4-12-3)
NOTE: Fixed by: 
https://pagure.io/freeipa/c/7a5a10b6bf2e3eafd4b69362ffaece39791be2a8 
(release-4-12-3)
@@ -8480,6 +8483,7 @@ CVE-2024-52046 (The ObjectSerializationDecoder in Apache 
MINA uses Java\u2019s n
[bookworm] - mina  (Minor issue)
[bullseye] - mina  (Minor issue; need specific conditions)
- mina2  (bug #1091530)
+   [bookworm] - mina2  (Minor issue)
NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
 CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution 
with Unne ...)
NOT-FOR-US: Dell
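
Review bot: mina2 gets "[bookworm] - mina2 (Minor issue)" while the neighbouring mina entry's bullseye tag spells out "need specific conditions"; the same qualifier belongs here, since the flaw is in ObjectSerializationDecoder and only applications using that decoder are exposed. If mina2 is also shipped in bullseye it still lacks a tag after this change.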
@@ -9158,10 +9162,12 @@ CVE-2023-4617 (Incorrect authorization vulnerability in 
HTTP POST method in Gove
NOT-FOR-US: Govee Home application on Android and iOS
 CVE-2024-9102 (phpLDAPadmin since at least version 1.2.0 through the latest 
version 1 ...)
- phpldapadmin  (bug #1090914)
+   [bookworm] - phpldapadmin  (Minor issue, revisit when fixed 
upstream)
[bullseye] - phpldapadmin  (Minor issue, revisit when fixed 
upstream)
NOTE: 
https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/
 CVE-2024-9101 (A reflected cross-site scripting (XSS) vulnerability in the 
'Entry Cho ...)
- phpldapadmin  (bug #1090914)
+   [bookworm] - phpldapadmin  (Minor issue, revisit when fixed 
upstream)
[bullseye] - phpldapadmin  (Minor issue, revisit when fixed 
upstream)
NOTE: 
https://www.redguard.ch/blog/2024/12/19/security-advisory-phpldapadmin/
 CVE-2024-56319 (In Matter (aka connectedhomeip or Project CHIP) through 
1.4.0.0 before ...)
@@ -19241,6 +19247,7 @@ CVE-2024-36276 (Insecure inherited permissions for some 
Intel(R) CIP software be
NOT-FOR-US: Intel
 CVE-2024-36275 (NULL pointer dereference in some Intel(R) Optane(TM) PMem 
Management s ...)
- ipmctl  (bug #1087731)
+   [bookworm] - ipmctl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01189.html
NOTE: 
https://github.com/intel/ipmctl/commit/59d74ca68fcde3f1a11298a935b470fac09904aa 
(v03.00.00.0499)
NOTE: Fixed in 03.00.00.0499 and later upstream.


=
data/dsa-needed.txt
=
@@ -27,6 +27,8 @@ gh
 --
 git (carnil)
 --
+git-lfs (jmm)
+--
 jetty9
 --
 jpeg-xl
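
Review bot: git-lfs is a Go program, so the DSA will ship a rebuilt static binary and does not depend on any shared library update; a sub-line naming the CVE(s) being addressed, as other dsa-needed entries carry, would make the pending item self-describing.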
@@ -52,6 +54,8 @@ pagure
 --
 pam-u2f (carnil)
 --
+pdns-recursor (jmm)
+--
 php-laravel-framework
 --
 python-django



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45945d7d8fea43f281e0c45f87092c8946b7a710


[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a364510 by Moritz Muehlenhoff at 2025-01-19T22:52:39+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -5204,6 +5204,7 @@ CVE-2024-56828 (File Upload vulnerability in ChestnutCMS 
through 1.5.0. Based on
NOT-FOR-US: ChestnutCMS
 CVE-2024-55629 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.8-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-69wr-vhwg-84h2
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/6882bcb3e51bd3cf509fb6569cc30f48d7bb53d7
 (master)
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/779f9d8ba35c3f9b5abfa327d3a4209861bd2eb8
 (master)
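
Review bot: all Fixed-by commits for CVE-2024-55629 are tagged "(master)" or "(suricata-7.0.8)" and sid is fixed via 1:7.0.8-1, but nothing records whether those commits apply to the series bookworm ships. If bookworm is on an older branch, "Minor issue" should carry the backport status (or "revisit when fixed upstream" as used for raptor2), because for an IDS/IPS a bypass or crash reachable from traffic is a sensor-integrity problem rather than a cosmetic one.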
@@ -5211,6 +5212,7 @@ CVE-2024-55629 (Suricata is a network Intrusion Detection 
System, Intrusion Prev
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/c4d8790db85164714c92556fbc8e849e9df6355b
 (suricata-7.0.8)
 CVE-2024-55628 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.8-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-96w4-jqwf-qx2j
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/19cf0f81335d9f787d587450f7105ad95a648951
 (master)
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/37f4c52b22fcdde4adf9b479cb5700f89d00768d
 (master)
@@ -5220,6 +5222,7 @@ CVE-2024-55628 (Suricata is a network Intrusion Detection 
System, Intrusion Prev
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/71212b78bd1b7b841c9d9a907d0b3eea71a54060
 (suricata-7.0.8)
 CVE-2024-55627 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.8-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-h2mv-7gg8-8x7v
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/282509f70c4ce805098e59535af445362e3e9ebd
 (master)
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/8900041405dbb5f9584edae994af2100733fb4be
 (master)
@@ -5229,11 +5232,13 @@ CVE-2024-55627 (Suricata is a network Intrusion 
Detection System, Intrusion Prev
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/7d47fcf7f7fefacd2b0d8f482534a83b35a3c45e
 (suricata-7.0.8)
 CVE-2024-55626 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.8-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-wmg4-jqx5-4h9v
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/dd71ef0af222a566e54dfc479dd1951dd17d7ceb
 (master)
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/470795e65ba77cffba3aed850313a5f23c4b278d
 (suricata-7.0.8)
 CVE-2024-55605 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.8-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-x2hr-33vp-w289
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/f80ebd5a30b02db5915f749f0c067c7adefbbe76
 (suricata-7.0.8)
NOTE: Fixed by: 
https://github.com/OISF/suricata/commit/c3a6abf60134c2993ee3802ee52206e9fdbf55ba
 (suricata-7.0.8)
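
Review bot: CVE-2024-55626 and CVE-2024-55605 list commits tagged "(suricata-7.0.8)" directly, whereas the earlier suricata entries point at master commits first; pick one convention, since release-tag commits are the ones to cherry-pick from. Five suricata CVEs now sit on bookworm as Minor issue with one shared fix release, so a single bookworm update bundling them is the natural follow-up and could be noted in the reason.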
@@ -5313,12 +5318,15 @@ CVE-2024-12970 (Improper Neutralization of Special 
Elements used in an OS Comman
NOT-FOR-US: TUBITAK BILGEM Pardus OS My Computer
 CVE-2023-6605 (A flaw was found in FFmpeg's DASH playlist support. This 
vulnerability ...)
- ffmpeg 
+   [bookworm] - ffmpeg  (Minor issue, wait until it's fixed in 
the 5.1 branch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334336
 CVE-2023-6604 (A flaw was found in FFmpeg. This vulnerability allows 
unexpected addit ...)
- ffmpeg 
+   [bookworm] - ffmpeg  (Minor issue, wait until it's fixed in 
the 5.1 branch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2334337
 CVE-2023-6601 (A flaw was found in FFmpeg's HLS demuxer. This vulnerability 
allows by ...)
- ffmpeg 
+   [bookworm] - ffmpeg  (Minor issue, wait until it's fixed in 
the 5.1 branch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2253172
 CVE-2024-56769 (In the Linux kernel, the following vulnerability has been 
resolved:  m ...)
- linux 6.12.8-1
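
Review bot: the three ffmpeg entries are deferred with "wait until it's fixed in the 5.1 branch", but each carries only a Red Hat bugzilla link, no upstream fix commit, and the sid line is still "- ffmpeg" with no version; without a Fixed-by reference there is nothing concrete to watch for on the 5.1 branch. Add the upstream commits (the CVE-2025-0518 ffmpeg entry in this file does this) so the deferral has a trigger.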
@@ -5566,6 +5574,7 @@ CVE-2024-10932 (The Backup Migration plugin for WordPress 
is vulnerable to PHP O
NOT-FOR-US: WordPress plugin
 CVE-2025-22376 (In Net::OAuth::Client in the Net::OAuth package before 0.29 
for Perl,  ...)
- libnet-oauth-perl 0.30-1 (bug #1092056)
+   [b

[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-19 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2dc5be3 by Moritz Muehlenhoff at 2025-01-19T13:21:13+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -52,6 +52,7 @@ CVE-2025-23208 (zot is a production-ready vendor-neutral OCI 
image registry. The
NOT-FOR-US: zot
 CVE-2025-23207 (KaTeX is a fast, easy-to-use JavaScript library for TeX math 
rendering ...)
- node-katex  (bug #1093446)
+   [bookworm] - node-katex  (Minor issue)
NOTE: 
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546
NOTE: 
https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c 
(v0.16.21)
TODO: check embeded code copy
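
Review bot: the "TODO: check embeded code copy" line is still open while bookworm is already tagged Minor issue; if another source package embeds KaTeX, that copy is not tracked by this entry at all, so the TODO should be resolved (and the typo "embeded" fixed) before the triage is considered done.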
@@ -8682,6 +8683,7 @@ CVE-2024-49336 (IBM Security Guardium 11.5 is vulnerable 
to server-side request
NOT-FOR-US: IBM
 CVE-2024-47093 (Improper neutralization of input in Nagvis before version 
1.9.42 which ...)
- nagvis 1:1.9.42-1
+   [bookworm] - nagvis  (Minor issue)
NOTE: 
https://github.com/NagVis/nagvis/commit/30e71e8167d17a1828e7da71d6942f6fb36478cd
 (nagvis-1.9.42)
NOTE: 
https://github.com/NagVis/nagvis/commit/b5b1164007439de526df7d54d5c02d7732ba1c42
 (nagvis-1.9.42)
 CVE-2024-38864 (Incorrect permissions on the Checkmk Windows Agent's data 
directory in ...)
@@ -25033,6 +25035,7 @@ CVE-2024-49762 (Pterodactyl is a free, open-source game 
server management panel.
NOT-FOR-US: Pterodactyl
 CVE-2024-49760 (OpenRefine is a free, open source tool for working with messy 
data. Th ...)
- openrefine 3.8.7-1 (bug #1086041)
+   [bookworm] - openrefine  (Minor issue)
NOTE: 
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/478285afffea59c893ac472faa74898ab9e5e95a
 (3.8.3)
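
Review bot: of the two OpenRefine commits for CVE-2024-49760, only the second carries a version tag "(3.8.3)" and neither has the "Fixed by:" prefix; tag both, or say the first is a follow-up, since a bookworm backport needs the full set.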
@@ -25058,30 +25061,36 @@ CVE-2024-48208 (pure-ftpd before 1.0.52 is vulnerable 
to Buffer Overflow. There
NOTE: No security impact, basically just terminates the user's 
connection
 CVE-2024-47883 (The OpenRefine fork of the MIT Simile Butterfly server is a 
modular we ...)
- openrefine-butterfly 1.2.6-1 (bug #1086042)
+   [bookworm] - openrefine-butterfly  (Minor issue)
NOTE: 
https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8
NOTE: 
https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c
 (1.2.6)
 CVE-2024-47882 (OpenRefine is a free, open source tool for working with messy 
data. Pr ...)
- openrefine 3.8.7-1 (bug #1086041)
+   [bookworm] - openrefine  (Minor issue)
NOTE: 
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/b0d5dd0a6a40369593f4a6b593e3e0ffa213339e
 (3.8.3)
 CVE-2024-47881 (OpenRefine is a free, open source tool for working with messy 
data. St ...)
- openrefine 3.8.7-1 (bug #1086041)
+   [bookworm] - openrefine  (Minor issue)
NOTE: 
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/8a5cced755f9d4544cfc9fd1b9dc9274807b5020
 (3.8.3)
 CVE-2024-47880 (OpenRefine is a free, open source tool for working with messy 
data. Pr ...)
- openrefine 3.8.7-1 (bug #1086041)
+   [bookworm] - openrefine  (Minor issue)
NOTE: 
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/fbf94fe3f001d6e2aa02e890930cf1affb0847b0
 (3.8.3)
 CVE-2024-47879 (OpenRefine is a free, open source tool for working with messy 
data. Pr ...)
- openrefine 3.8.7-1 (bug #1086041)
+   [bookworm] - openrefine  (Minor issue)
NOTE: 
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126
NOTE: 
https://github.com/OpenRefine/OpenRefine/commit/52c882a447d9efe8d3ef73b78468887c5da39790
 (3.8.3)
 CVE-2024-47878 (OpenRefine is a free, open source tool for working with messy 
data. Pr ...)
- openrefine 3.8.7-1 (bug #1086041)
+   [bookworm] - openrefine  (Minor issue)
NOTE: 
https://github.com/OpenRefine/OpenRefine/security/advisories/
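
Review bot: seven OpenRefine and simile-butterfly CVEs, sharing bugs #1086041 and #1086042 and all fixed upstream in 3.8.3 or 1.2.6, are now individually marked Minor issue for bookworm; one bookworm point update covering the whole set is the sensible unit and the reason could say so. In each OpenRefine entry the first commit lacks the version tag the second carries, so the pairs should be tagged consistently.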

[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-18 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a3335701 by Moritz Muehlenhoff at 2025-01-18T17:16:47+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -5886,6 +5886,7 @@ CVE-2025-22214 (Landray EIS 2001 through 2006 allows 
Message/fi_message_receiver
NOT-FOR-US: WordPress pluginEIS
 CVE-2024-56830 (The Net::EasyTCP package 0.15 through 0.26 for Perl uses 
Perl's builti ...)
- libnet-easytcp-perl 
+   [bookworm] - libnet-easytcp-perl  (Scheduled for removal)
NOTE: https://github.com/briandfoy/cpan-security-advisory/issues/184
NOTE: Related to CVE-2002-20002 (direct use of rand for version before 
< 0.15)
 CVE-2024-56829 (Huang Yaoshi Pharmaceutical Management Software through 16.0 
allows ar ...)
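
Review bot: "Scheduled for removal" as the bookworm reason should carry the removal bug number, since removal from a stable release goes through a point-release RM request and is not implied by removal from testing; without the reference the entry will look stale once sid no longer ships the package. The sid line is still "- libnet-easytcp-perl" with no version, so unstable is also listed as vulnerable until the package is actually gone.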
@@ -8227,10 +8228,12 @@ CVE-2024-56362 (Navidrome is an open source web-based 
music collection server an
NOT-FOR-US: Navidrome
 CVE-2024-56326 (Jinja is an extensible templating engine. Prior to 3.1.5, An 
oversight ...)
- jinja2  (bug #1091331)
+   [bookworm] - jinja2  (Minor issue)
NOTE: 
https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h
NOTE: Fixed by: 
https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4
 (3.1.5)
 CVE-2024-56201 (Jinja is an extensible templating engine. In versions on the 
3.x branc ...)
- jinja2  (bug #1091329)
+   [bookworm] - jinja2  (Minor issue)
NOTE: 
https://github.com/pallets/jinja/security/advisories/GHSA-gmj6-6f8f-6699
NOTE: https://github.com/pallets/jinja/issues/1792
NOTE: Fixed by: 
https://github.com/pallets/jinja/commit/767b23617628419ae3709ccfb02f9602ae9fe51f
 (3.1.5)
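
Review bot: both jinja2 CVEs get "Minor issue" with no stated precondition; if the tag rests on the issues only being reachable from untrusted templates rendered in the sandbox, write that into the reason, otherwise it cannot be told apart from a generic deferral. Both fix commits are recorded with "(3.1.5)", which is the form the other entries should follow.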
@@ -8723,6 +8726,7 @@ CVE-2024-55231 (An IDOR vulnerability in the 
edit-notes.php module of PHPGurukul
NOT-FOR-US: PHPGurukul Online Notes Sharing Management System
 CVE-2024-53580 (iperf v3.17.1 was discovered to contain a segmentation 
violation via t ...)
- iperf3 3.18-1 (bug #1090931)
+   [bookworm] - iperf3  (Minor issue)
NOTE: https://github.com/esnet/iperf/pull/1810
NOTE: 
https://github.com/esnet/iperf/commit/3f66f604df7f1038a49108c48612c2f4fe71331f 
(3.18)
 CVE-2024-51532 (Dell PowerStore contains an Improper Neutralization of 
Argument Delimi ...)
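
Review bot: the description says segmentation violation, i.e. a crash; if it is reachable in iperf3 server mode that is a remotely triggerable denial of service, and the reason should say "Minor issue; DoS" (the golang-golang-x-net bullseye entry uses that form) rather than bare "Minor issue". The fix is tagged "(3.18)" and sid has 3.18-1, so the backport is a single commit.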


=
data/dsa-needed.txt
=
@@ -29,6 +29,10 @@ git (carnil)
 --
 jetty9
 --
+jpeg-xl
+--
+libreoffice (jmm)
+--
 libreswan
   Waiting on feedback from maintainer
 --
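
Review bot: jpeg-xl is added without an assignee while libreoffice gets "(jmm)"; an unassigned dsa-needed entry is fine as a call for help, but a one-line note on which CVEs it covers avoids two people starting on it.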



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a33357014c147a3ca8c375a65f8c250892dd222d



[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-17 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ec0464b by Moritz Muehlenhoff at 2025-01-17T09:21:21+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -324,6 +324,7 @@ CVE-2024-45341
- golang-1.23 1.23.5-1
- golang-1.22 1.22.11-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
NOTE: https://groups.google.com/g/golang-announce/c/sSaUhLA-2SI
NOTE: https://go.dev/issue/71156
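
Review bot: the bookworm tag is added only for golang-1.19 while the golang-1.15 line below stays untagged and unfixed; if golang-1.15 is shipped in a supported suite it needs its own tag. As these are toolchain CVEs, the fix only reaches Go binaries in bookworm once they are rebuilt with the updated compiler, which the Minor-issue reason could acknowledge.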
@@ -333,6 +334,7 @@ CVE-2024-45336
- golang-1.23 1.23.5-1
- golang-1.22 1.22.11-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
NOTE: https://groups.google.com/g/golang-announce/c/sSaUhLA-2SI
NOTE: https://go.dev/issue/70530
@@ -526,6 +528,7 @@ CVE-2025-20072 (Mattermost Mobile versions <= 2.22.0 fail 
to properly validate t
NOT-FOR-US: Mattermost Mobile
 CVE-2025-0518 (Unchecked Return Value, Out-of-bounds Read vulnerability in 
FFmpeg all ...)
- ffmpeg 
+   [bookworm] - ffmpeg  (Minor issue, wait until it's fixed in 
the 5.1 branch)
NOTE: Fixed by: 
https://github.com/FFmpeg/FFmpeg/commit/b5b6391d64807578ab872dc58fb8aa621dcfc38a
 CVE-2025-0473 (Vulnerability in the PMB platform that allows an attacker to 
persist t ...)
TODO: check
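
Review bot: the Fixed-by commit for CVE-2025-0518 is recorded without the "(version)" suffix used elsewhere, which matters because the deferral reason is "wait until it's fixed in the 5.1 branch"; note the branch status now so the tag can be updated when the commit reaches a 5.1.x release. The sid line is still "- ffmpeg" with no fixed version.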
@@ -2100,118 +2103,148 @@ CVE-2024-57811 (In Eaton X303 3.5.16 - X303 3.5.17 
Build 712, an attacker with n
NOT-FOR-US: Eaton
 CVE-2024-57664 (An issue in the sqlg_group_node component of openlink 
virtuoso-opensou ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1211
 CVE-2024-57663 (An issue in the sqlg_place_dpipes component of openlink 
virtuoso-opens ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1218
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/f43a780d70544af89e9af3c62213db81fdd80b2b
 (v7.2.12)
 CVE-2024-57662 (An issue in the sqlg_hash_source component of openlink 
virtuoso-openso ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1217
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/834b99868e4ac3cfd778f6f4ad9476764f3c09b6
 (v7.2.12)
 CVE-2024-57661 (An issue in the sqlo_df component of openlink 
virtuoso-opensource v7.2 ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1220
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/a6061c06256a46d87c9e037b9b462259960163bf
 (v7.2.12)
 CVE-2024-57660 (An issue in the sqlo_expand_jts component of openlink 
virtuoso-opensou ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1221
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/976880190ee0fcecffac03a6929d268152de3a61
 (v7.2.12)
 CVE-2024-57659 (An issue in the sqlg_parallel_ts_seq component of openlink 
virtuoso-op ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1212
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/59c5767996062a0949b5412822ec8cca1962589f
 (v7.2.12)
 CVE-2024-57658 (An issue in the sql_tree_hash_1 component of openlink 
virtuoso-opensou ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1209
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/2fdea48eba6156914c1ba4f488895166c0c00462
 (v7.2.12)
 CVE-2024-57657 (An issue in the sqlg_vec_upd component of openlink 
virtuoso-opensource ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1219
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/cdb0bc3e414e15e2153515af07056daebd3d9153
 (v7.2.12)
 CVE-2024-57656 (An issue in the sqlc_add_distinct_node component of openlink 
virtuoso- ...)
- virtuoso-opensource 7.2.12+dfsg-0.2
+   [bookworm] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1210
NOTE: 
https://github.com/openlink/virtuoso-opensource/com
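
Review bot: of the virtuoso-opensource CVEs marked Minor issue, CVE-2024-57664 is the only one with just the upstream issue link and no Fixed-by commit, although sid is fixed in 7.2.12+dfsg-0.2 like the others; either add the commit or note that the fix is part of the 7.2.12 release without an isolated commit. All of these are issues in sqlg_*/sqlo_*/sqlc_* components fixed in v7.2.12, so one bookworm update covering the set is the natural unit.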

[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
09d2782b by Moritz Muehlenhoff at 2025-01-15T10:05:54+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -958,7 +958,8 @@ CVE-2025-22613 (WeGIA is an open source web manager with a 
focus on the Portugue
 CVE-2025-22138 (@codidact/qpixel is a Q&A-based community knowledge-sharing 
software.  ...)
NOT-FOR-US: @codidact/qpixel
 CVE-2025-22134 (When switching to other buffers using the :all command and 
visual mode ...)
-   - vim 
+   - vim  (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8
NOTE: Fixed by: 
https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead 
(v9.1.1003)
 CVE-2025-0070 (SAP NetWeaver Application Server for ABAP and ABAP Platform 
allows an  ...)
@@ -1735,11 +1736,13 @@ CVE-2024-5872 (On affected platforms running Arista 
EOS, a specially crafted pac
NOT-FOR-US: Arista EOS
 CVE-2024-57823 (In Raptor RDF Syntax Library through 2.0.16, there is an 
integer under ...)
- raptor2  (bug #1067896)
+   [bookworm] - raptor2  (Minor issue, revisit when fixed 
upstream)
[bullseye] - raptor2  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md
NOTE: https://github.com/dajobe/raptor/issues/70
 CVE-2024-57822 (In Raptor RDF Syntax Library through 2.0.16, there is a 
heap-based buf ...)
- raptor2  (bug #1067896)
+   [bookworm] - raptor2  (Minor issue, revisit when fixed 
upstream)
[bullseye] - raptor2  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/pedrib/PoC/blob/master/fuzzing/raptor-fuzz.md
NOTE: https://github.com/dajobe/raptor/issues/70
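
Review bot: CVE-2024-57822 is described as a heap-based buffer overflow in an RDF parser with a public fuzzing PoC linked; "Minor issue, revisit when fixed upstream" is defensible only on exposure grounds, so the reason should name that argument. Both entries share bug #1067896 and upstream issue #70, so the revisit trigger is the same for both and could be tracked once.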



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09d2782b224f8c90f34502e33304371b0463d8ed



[Git][security-tracker-team/security-tracker][master] bookworm triage

2025-01-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff44 by Moritz Muehlenhoff at 2025-01-13T19:55:02+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1178,10 +1178,10 @@ CVE-2024-51737 (RediSearch is a Redis module that 
provides querying, secondary i
 CVE-2024-51480 (RedisTimeSeries is a time-series database (TSDB) module for 
Redis, by  ...)
NOT-FOR-US: RedisTimeSeries Redis module
 CVE-2024-51442 (Command Injection in Minidlna version v1.3.3 and before allows 
an atta ...)
-   - minidlna 
-   [bullseye] - minidlna  (Minor issue, revisit when fixed 
upstream)
+   - minidlna  (unimportant)
NOTE: https://sourceforge.net/p/minidlna/bugs/364/
NOTE: https://github.com/mselbrede/CVE-2024-51442
+   NOTE: Doesn't cross any security boundary, non issue
 CVE-2024-45345
REJECTED
 CVE-2024-45344
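
Review bot: the NOTE "Doesn't cross any security boundary, non issue" states the conclusion but not the boundary; one clause on who can already set the injected value (for example, that the input comes from a file only the daemon's own user can write) would make the unimportant rating auditable. Dropping the [bullseye] line is right since "unimportant" on the package line covers all suites; "non issue" should be hyphenated.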
@@ -5277,6 +5277,7 @@ CVE-2024-8950 (Improper Neutralization of Special 
Elements used in an SQL Comman
NOT-FOR-US: Arne Informatics Piramit Automation
 CVE-2024-56431 (oc_huff_tree_unpack in huffdec.c in libtheora in Theora 
through 1.0 71 ...)
- libtheora  (bug #1091633)
+   [bookworm] - libtheora  (Minor issue)
NOTE: https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC
NOTE: https://github.com/advisories/GHSA-8xp8-gmmj-xc8w
NOTE: https://github.com/xiph/theora/issues/18
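
Review bot: the libtheora entry has a PoC and an upstream issue but no Fixed-by commit, and the sid line is still unfixed; oc_huff_tree_unpack runs while decoding untrusted media, so bare "Minor issue" understates the exposure. "Minor issue, revisit when fixed upstream", as used for raptor2 and phpldapadmin, would at least flag that a fix is outstanding.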
@@ -5294,6 +5295,7 @@ CVE-2024-52534 (Dell ECS, version(s) prior to ECS 
3.8.1.3, contain(s) an Authent
NOT-FOR-US: Dell
 CVE-2024-52046 (The ObjectSerializationDecoder in Apache MINA uses Java\u2019s 
native  ...)
- mina 
+   [bookworm] - mina  (Minor issue)
- mina2  (bug #1091530)
NOTE: https://lists.apache.org/thread/4wxktgjpggdbto15d515wdctohb0qmv8
 CVE-2024-47978 (Dell NativeEdge, version(s) 2.1.0.0, contain(s) an Execution 
with Unne ...)
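
Review bot: only mina gets a bookworm tag here; the mina2 line directly below stays as "- mina2 (bug #1091530)" with no suite tag, so bookworm remains listed as vulnerable through mina2 until it is triaged as well.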
@@ -6932,6 +6934,7 @@ CVE-2024-11841 (The Tithe.ly Giving Button WordPress 
plugin through 1.1 does not
NOT-FOR-US: WordPress plugin
 CVE-2024-7701 (Use of Password Hash With Insufficient Computational Effort 
vulnerabil ...)
- percona-toolkit  (bug #1091435)
+   [bookworm] - percona-toolkit  (Minor issue)
NOTE: https://github.com/percona/percona-toolkit/pull/896
NOTE: Fixed by: 
https://github.com/percona/percona-toolkit/commit/78f20304859ce8d6b236bc2c9c18d74c0b273dd7
 (v3.7.0)
NOTE: Fixed by: 
https://github.com/percona/percona-toolkit/commit/3dd1f7da83f642a4e823a098cb4c97e6dc11f478
 (v3.7.0)
@@ -20507,6 +20510,7 @@ CVE-2024-7883 (When using Arm Cortex-M Security 
Extensions (CMSE), Secure stack
- llvm-toolchain-17 
- llvm-toolchain-18 
- llvm-toolchain-19 
+   [bookworm] - llvm-toolchain-19  (Minor issue, doesn't affect 
the default build flags in Debian and no backport into release branches planned)
NOTE: 
https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2322994
NOTE: https://github.com/llvm/llvm-project/pull/114433
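
Review bot: the reason "doesn't affect the default build flags in Debian and no backport into release branches planned" applies equally to the llvm-toolchain-17 and llvm-toolchain-18 lines above, yet only llvm-toolchain-19 gets the bookworm tag; whichever of those are shipped in bookworm need the same tag or the tracker keeps bookworm open. Since the flaw is in code generated for Arm CMSE, the affected artefacts are binaries built with those flags, not the compiler package itself, which the reason could state outright.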
@@ -264558,6 +264562,7 @@ CVE-2021-3857 (chaskiq is vulnerable to Improper 
Neutralization of Input During
NOT-FOR-US: chaskiq
 CVE-2021-41973 (In Apache MINA, a specifically crafted, malformed HTTP request 
may cau ...)
- mina 
+   [bookworm] - mina  (Minor issue)
- mina2 2.1.5-1
NOTE: https://lists.apache.org/thread/sq0kkqvxcp7xjt8gxdyb650nj8dv6qv0
 CVE-2021-41972 (Apache Superset up to and including 1.3.1 allowed for database 
connect ...)
@@ -285512,18 +285517,22 @@ CVE-2021-33647 (When performing the inference shape 
operation of the Tile operat
NOT-FOR-US: Mindspore deep learning
 CVE-2021-33646 (The th_read() function doesn\u2019t free a variable 
t->th_buf.gnu_long ...)
- libtar 
+   [bookworm] - libtar  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
NOTE: (not-upstream) patch from OpenEuler: 
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
 CVE-2021-33645 (The th_read() function doesn\u2019t free a variable 
t->th_buf.gnu_long ...)
- libtar 
+   [bookworm] - libtar  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121295
NOTE: (not-upstream) patch from OpenEuler: 
https://gitee.com/src-openeuler/libtar/blob/master/openEuler-CVE-2021-33645-CVE-2021-33646.patch
 CVE-2021-33644 (An attacker who submits a crafted tar file with size in header 
struct  ...)
- libtar 
+   [bookworm] - libtar  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2121292
NOTE: (not-upstream) patch from OpenEuler: 
https://gitee.com/src-openeuler/libtar/blob/mas

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c97f2d7 by Moritz Muehlenhoff at 2024-12-23T12:57:57+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2024-56378 (libpoppler.so in Poppler through 24.12.0 has an out-of-bounds 
read vul ...)
- poppler 
+   [bookworm] - poppler  (Minor issue)
NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1553
NOTE: 
https://gitlab.freedesktop.org/poppler/poppler/-/commit/ade9b5ebed44b0c15522c27669ef6cdf93eff84e
 CVE-2024-56375 (An integer underflow was discovered in Fort 1.6.3 and 1.6.4 
before 1.6 ...)
@@ -684,6 +685,7 @@ CVE-2024-53688 (Improper neutralization of special elements 
used in an OS comman
NOT-FOR-US: FXC AE1021
 CVE-2024-52792 (LDAP Account Manager (LAM) is a php webfrontend for managing 
entries ( ...)
- ldap-account-manager  (bug #1090934)
+   [bookworm] - ldap-account-manager  (Minor issue)
NOTE: 
https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-6cp9-j5r7-xhcc
 CVE-2024-51175 (An issue in H3C switch h3c-S1526 allows a remote attacker to 
obtain se ...)
NOT-FOR-US: H3C switch h3c-S1526
@@ -30879,6 +30881,7 @@ CVE-2024-45240 (The TikTok (aka 
com.zhiliaoapp.musically) application before 34.
 CVE-2024-45239 (An issue was discovered in Fort before 1.6.3. A malicious RPKI 
reposit ...)
- fort-validator 1.6.3-1
NOTE: https://nicmx.github.io/FORT-validator/CVE.html
+   NOTE: 
https://github.com/NICMx/FORT-validator/commit/942f921ba7244cdcf4574cedc4c16392a7cc594b
 (1.6.3)
 CVE-2024-45238 (An issue was discovered in Fort before 1.6.3. A malicious RPKI 
reposit ...)
- fort-validator 1.6.3-1
NOTE: https://nicmx.github.io/FORT-validator/CVE.html


=
data/dsa-needed.txt
=
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
+fastnetmon (jmm)
+--
 frr
   coordination with the maintainer ongoing
 --
@@ -52,7 +54,7 @@ trafficserver
 --
 wordpress
 --
-xen
+xen (jmm)
 --
 zabbix
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c97f2d70df6784c05d38a9987c8d78b5b0151c8

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c97f2d70df6784c05d38a9987c8d78b5b0151c8
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
77b66633 by Moritz Muehlenhoff at 2024-12-12T15:32:51+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2489,6 +2489,7 @@ CVE-2024-54134 (A publish-access account was compromised 
for `@solana/web3.js`,
NOT-FOR-US: @solana/web3.js
 CVE-2024-54132 (The GitHub CLI is GitHub\u2019s official command line tool. A 
security ...)
- gh  (bug #1089120)
+   [bookworm] - gh  (Minor issue)
NOTE: https://github.com/cli/cli/security/advisories/GHSA-2m9h-r57g-45pj
NOTE: Merge commit: 
https://github.com/cli/cli/commit/1136764c369aaf0cae4ec2ee09dc35d871076932 
(v2.63.1)
 CVE-2024-54002 (Dependency-Track is a Component Analysis platform that allows 
organiza ...)
@@ -3766,6 +3767,7 @@ CVE-2024-53859 (go-gh is a Go module for interacting with 
the `gh` utility and t
NOTE: 
https://github.com/cli/go-gh/security/advisories/GHSA-55v3-xh23-96gh
 CVE-2024-53858 (The gh cli is GitHub\u2019s official command line tool. A 
security vul ...)
- gh  (bug #1088808)
+   [bookworm] - gh  (Minor issue)
NOTE: https://github.com/cli/cli/security/advisories/GHSA-jwcm-9g39-pmcw
 CVE-2024-53260 (Autolab is a course management service that enables 
auto-graded progra ...)
NOT-FOR-US: Autolab


=
data/dsa-needed.txt
=
@@ -19,6 +19,12 @@ chromium (dilinger)
 frr
   coordination with the maintainer ongoing
 --
+gst-plugins-base1.0 (jmm)
+--
+gst-plugins-good1.0
+--
+gstreamer1.0
+--
 jetty9
 --
 libreswan



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/77b66633bd26c5e8cd5074a49723cff725c6cf5c



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-11 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
27d01493 by Moritz Muehlenhoff at 2024-12-11T11:42:11+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17757,6 +17757,7 @@ CVE-2024-7099 (netease-youdao/qanything version 1.4.1 
contains a vulnerability w
NOT-FOR-US: netease-youdao/qanything
 CVE-2024-49214 (QUIC in HAProxy 3.1.x before 3.1-dev7, 3.0.x before 3.0.5, and 
2.9.x b ...)
- haproxy 2.9.11-1
+   [bookworm] - haproxy  (Minor issue and not backported to 2.6.x 
tree)
NOTE: 
https://github.com/haproxy/haproxy/commit/f627b9272bd8ffca6f2f898bfafc6bf0b84b7d46
 (v3.1-dev7)
NOTE: 
https://git.haproxy.org/?p=haproxy-2.9.git;a=commit;h=fe5685af820ae62fe5b0d80b5ed7a2ffc41a036f
 (v2.9.11)
 CVE-2024-38863 (Exposure of CSRF tokens in query parameters on specific 
requests in Ch ...)
@@ -86831,8 +86832,9 @@ CVE-2024-24821 (Composer is a dependency Manager for 
the PHP language. In affect
NOTE: 
https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
 (2.7.0)
 CVE-2024-24820 (Icinga Director is a tool designed to make Icinga 2 
configuration hand ...)
- icingaweb2-module-director 1.11.1-1
+   [bookworm] - icingaweb2-module-director  (Minor issue)
NOTE: 
https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3
-   TODO: check details
+   NOTE: 
https://github.com/Icinga/icingaweb2-module-director/commit/f1e54348c8362b3010eb2d87d8cf380d5ba55135
 (v1.10.3)
 CVE-2024-24819 (icingaweb2-module-incubator is a working project of bleeding 
edge Icin ...)
NOT-FOR-US: icingaweb2-module-incubator
 CVE-2024-24499
@@ -262157,14 +262159,11 @@ CVE-2021-39360 (In GNOME libzapojit through 0.0.3, 
zpj-skydrive.c does not enabl
NOTE: 
https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
NOTE: https://gitlab.gnome.org/GNOME/libzapojit/-/issues/4
 CVE-2021-39359 (In GNOME libgda through 6.0.0, gda-web-provider.c does not 
enable TLS  ...)
-   - libgda5 5.2.10-5 (bug #993592)
-   [bookworm] - libgda5  (Minor issue)
-   [bullseye] - libgda5  (Minor issue)
-   [buster] - libgda5  (Minor issue)
-   [stretch] - libgda5  (Minor issue, revisit when/if fixed 
upstream)
+   - libgda5 5.2.10-5 (bug #993592; unimportant)
NOTE: 
https://blogs.gnome.org/mcatanzaro/2021/05/25/reminder-soupsessionsync-and-soupsessionasync-default-to-no-tls-certificate-verification/
NOTE: https://gitlab.gnome.org/GNOME/libgda/-/issues/249
NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libgda/-/commit/bebdffb4de586fb43fd07ac549121f4b22f6812d
 (master)
+   NOTE: Debian builds with --without-libsoup, which disabled the web 
functionality using libsoup entirely
 CVE-2021-39358 (In GNOME libgfbgraph through 0.2.4, gfbgraph-photo.c does not 
enable T ...)
- gfbgraph 0.2.5-1 (bug #993537)
[bullseye] - gfbgraph  (Minor issue)
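Review bot: the added NOTE line has a tense slip ("which disabled the web functionality") and should read "disables", and it would help to name what is compiled out: gda-web-provider.c, the file the CVE description points at, is the libsoup-based web provider that --without-libsoup leaves out of the build. With that code absent from the binaries, collapsing the per-release Minor-issue lines into a single "unimportant" on the fixed-version line is consistent; keep the Fixed-by pointer to master so the assessment can be revisited if the build flag ever changes.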



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27d014930078b3966be96502eb3138e4ec2eccee



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-11 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e92b0db by Moritz Muehlenhoff at 2024-12-11T10:32:16+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1097,6 +1097,7 @@ CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 
mishandles non-integer values.
NOTE: 
https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c 
(3.3.8)
 CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential 
_execve50 ...)
- libposix-2008-perl 0.24-1
+   [bookworm] - libposix-2008-perl  (Minor issue)
 CVE-2024-55563 (Bitcoin Core through 27.2 allows transaction-relay jamming via 
an off- ...)
- bitcoin 
 CVE-2024-55560 (MailCleaner before 28d913e has default values of 
ssh_host_dsa_key, ssh ...)
@@ -11782,6 +11783,7 @@ CVE-2024-47939 (Stack-based buffer overflow 
vulnerability exists in multiple Ric
NOT-FOR-US: Ricoh
 CVE-2024-21510 (Versions of the package sinatra from 0.0.0 are vulnerable to 
Reliance  ...)
- ruby-sinatra  (bug #1087290)
+   [bookworm] - ruby-sinatra  (Minor issue, too intrusive to 
backport)
NOTE: https://security.snyk.io/vuln/SNYK-RUBY-SINATRA-6483832
NOTE: https://github.com/sinatra/sinatra/pull/2053
NOTE: Rejected upstream fix: 
https://github.com/sinatra/sinatra/pull/2010
@@ -13411,6 +13413,7 @@ CVE-2024-49767 (Werkzeug is a Web Server Gateway 
Interface web application libra
[bookworm] - python-werkzeug  (Minor issue; can be fixed via 
point release)
[bullseye] - python-werkzeug  (Vulnerable code introduced 
later)
- quart 0.19.9-1 (bug #1086063)
+   [bookworm] - quart  (Minor issue)
NOTE: 
https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
NOTE: Introduced by: 
https://github.com/pallets/werkzeug/commit/cbb446fdcada7685fce936ded01b76c08dbd6eb5
 (2.0.0rc1)
NOTE: Fixed by: 
https://github.com/pallets/werkzeug/commit/8760275afb72bd10b57d92cb4d52abf759b2f3a7
 (3.0.6)
@@ -32003,6 +32006,7 @@ CVE-2024-42370 (Litestar is an Asynchronous Server 
Gateway Interface (ASGI) fram
NOT-FOR-US: litestar
 CVE-2024-42367 (aiohttp is an asynchronous HTTP client/server framework for 
asyncio an ...)
- python-aiohttp 3.10.3-2
+   [bookworm] - python-aiohttp  (Minor issue)
NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-jwhx-xcg6-8xhj
NOTE: https://github.com/aio-libs/aiohttp/pull/8653
NOTE: 
https://github.com/aio-libs/aiohttp/commit/ce2e9758814527589b10759a20783fb03b98339f
 (v3.10.2)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e92b0db91c5b997fff1f189af1f20a9ba119482



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-11 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0e87abc2 by Moritz Muehlenhoff at 2024-12-11T09:47:10+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -587,7 +587,8 @@ CVE-2024-47484 (Dell Avamar, version(s) 19.9, contain(s) an 
Improper Neutralizat
 CVE-2024-47117 (IBM Carbon Design System (Carbon Charts 0.4.0 through 1.13.16) 
is vuln ...)
NOT-FOR-US: IBM
 CVE-2024-46657 (Artifex Software mupdf v1.24.9 was discovered to contain a 
segmentatio ...)
-   - mupdf  (bug #1089681)
+   - mupdf  (bug #1089681; unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: Fixed by: 
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=b5c898a30f068b5342e8263a2cd5b9f0be291aac
 (1.25.0-rc1)
 CVE-2024-46442 (An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows 
attacke ...)
NOT-FOR-US: BYD Dilink Headunit System
@@ -2930,9 +2931,11 @@ CVE-2024-36611 (In Symfony v7.07, a security 
vulnerability was identified in the
[experimental] - symfony 7.1.0~beta1+dfsg-1
- symfony  (bug #1088817)
NOTE: 
https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
 (v7.1.0-BETA1)
+   NOTE: Not considered a security issue by upstream: 
https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
 CVE-2024-36610 (A deserialization vulnerability exists in the Stub class of 
the VarDum ...)
-   - symfony 6.4.4+dfsg-3
+   - symfony 6.4.4+dfsg-3 (unimportant)
NOTE: Fixed by: 
https://github.com/symfony/symfony/commit/3ffd495bb3cc4d2e24e35b2d83c5b909cab7e259
 (v6.4.4)
+   NOTE: Not considered a security issue by upstream: 
https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
 CVE-2024-35371 (Ant-Media-Serverv2.8.2 is affected by Improper Output 
Neutralization f ...)
NOT-FOR-US: Ant-Media-Server
 CVE-2024-35369 (In FFmpeg version n6.1.1, specifically within the 
avcodec/speexdec.c m ...)
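Review bot: CVE-2024-36610 is downgraded to "unimportant" on the strength of the upstream comment, but CVE-2024-36611 a few lines above receives the same "Not considered a security issue by upstream" NOTE with the same issue link and keeps a plain unfixed entry, `- symfony  (bug #1088817)`; if upstream's position covers both reports, mark 36611 unimportant as well, otherwise add a sentence to its NOTE saying why it is rated differently.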
@@ -4393,8 +4396,9 @@ CVE-2024-11630 (A vulnerability has been found in E-Lins 
H685, H685f, H700, H720
 CVE-2024-11619 (A vulnerability, which was classified as problematic, has been 
found i ...)
NOT-FOR-US: macrozheng mall
 CVE-2024-11612 (7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. 
This vu ...)
-   - 7zip 24.08+dfsg-1
-   - p7zip 16.02+transitional.1
+   - 7zip 24.08+dfsg-1 (unimportant)
+   - p7zip 16.02+transitional.1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1606/
NOTE: 
https://bushido-sec.com/index.php/2024/11/22/2ourc3-vulnerabiltiy-7zip-fuzzing/
NOTE: Since p7zip/16.02+transitional.1 src:p7zip is only a empty source 
package
@@ -50797,6 +50801,7 @@ CVE-2024-2451 (Improper fingerprint validation in the 
TeamViewer Client (Full &
NOT-FOR-US: TeamViewer
 CVE-2024-2199 (A denial of service vulnerability was found in 389-ds-base ldap 
server ...)
- 389-ds-base 3.1.1+dfsg1-1 (bug #1072531)
+   [bookworm] - 389-ds-base  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2267976
NOTE: 
https://github.com/389ds/389-ds-base/commit/36a2f1d5e4e2265140320087104c6799a97c28d9
 (389-ds-base-3.1.1)
NOTE: 
https://github.com/389ds/389-ds-base/commit/63946b8e63328efc9b36a01f99d5ba71e243fcfa
 (389-ds-base-2.4.6)


=
data/dsa-needed.txt
=
@@ -33,6 +33,8 @@ openafs
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
+php-laravel-framework
+--
 python-aiohttp (jmm)
 --
 python-django



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e87abc282e32e7e18a87795d273a48d937e2bfe



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3fbb311 by Moritz Muehlenhoff at 2024-12-10T20:09:42+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -441,6 +441,7 @@ CVE-2024-55566 (ColPack 1.0.10 through 9a7293a has a 
predictable temporary file
NOTE: Negligible security impact with fs.protected_symlinks=1 being the 
standard in Debian
 CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer 
values. 3.3.8 ...)
- node-postcss 
+   [bookworm] - node-postcss  (Minor issue)
NOTE: node-postcss bundles nanoid
 CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential 
_execve50 ...)
- libposix-2008-perl 0.24-1
@@ -1681,6 +1682,7 @@ CVE-2024-53984 (Nanopb is a small code-size Protocol 
Buffers implementation.  Wh
NOTE: Fixed by: 
https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378
 CVE-2024-53981 (python-multipart is a streaming multipart parser for Python. 
When pars ...)
- python-multipart  (bug #1088991)
+   [bookworm] - python-multipart  (Minor issue)
NOTE: 
https://github.com/Kludex/python-multipart/security/advisories/GHSA-59g5-xgcq-4qw3
NOTE: Fixed by: 
https://github.com/Kludex/python-multipart/commit/9205a0ec8c646b9f705430a6bfb52bd957b76c19
 (0.0.18)
NOTE: Fixed by: 
https://github.com/Kludex/python-multipart/commit/c4fe4d3cebc08c660e57dd709af1ffa7059b3177
 (0.0.19)
@@ -21631,6 +21633,7 @@ CVE-2024-45752 (logiops through 0.3.4, in its default 
configuration, allows any
 CVE-2024-45614 (Puma is a Ruby/Rack web server built for parallelism. In 
affected vers ...)
{DLA-3947-1}
- puma 6.4.3-1 (bug #1082379)
+   [bookworm] - puma  (Minor issue)
NOTE: 
https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
NOTE: Fixed by: 
https://github.com/puma/puma/commit/cac3fd18cf29ed43719ff5d52d9cfec215f0a043 
(v6.4.3)
 CVE-2024-43496 (Microsoft Edge (Chromium-based) Remote Code Execution 
Vulnerability)


=
data/dsa-needed.txt
=
@@ -44,7 +44,7 @@ python-tornado
 --
 ring
 --
-smarty4
+smarty4 (jmm)
 --
 sogo
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3fbb311e94e865420604d225bb74329b577b4f0



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba8e02f3 by Moritz Muehlenhoff at 2024-12-10T17:34:18+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -210,6 +210,7 @@ CVE-2024-48956 (Serviceware Processes 6.0 through 7.3 
allows attackers without v
NOT-FOR-US: Serviceware Processes
 CVE-2024-46901 (Insufficient validation of filenames against control 
characters in Apa ...)
- subversion 1.14.5-1
+   [bookworm] - subversion  (Minor issue)
NOTE: https://subversion.apache.org/security/CVE-2024-46901-advisory.txt
 CVE-2024-46547 (A vulnerability was found in Romain Bourdon Wampserver all 
versions (d ...)
NOT-FOR-US: Romain Bourdon Wampserver
@@ -421,6 +422,7 @@ CVE-2023-32094 (Missing Authorization vulnerability in 
Felix Welberg Extended Po
NOT-FOR-US: WordPress plugin
 CVE-2024-12224 [RUSTSEC-2024-0421]
- rust-idna 
+   [bookworm] - rust-idna  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0421.html
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
 CVE-2024-9651 (The Fluent Forms  WordPress plugin before 5.2.1 does not 
sanitise and  ...)
@@ -434,8 +436,9 @@ CVE-2024-55579 (An issue was discovered in Qlik Sense 
Enterprise for Windows bef
 CVE-2024-55578 (Zammad before 6.4.1 places sensitive data (such as 
auth_microsoft_offi ...)
- zammad  (bug #841355)
 CVE-2024-55566 (ColPack 1.0.10 through 9a7293a has a predictable temporary 
file (locat ...)
-   - colpack 
+   - colpack  (unimportant)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1225617
+   NOTE: Negligible security impact with fs.protected_symlinks=1 being the 
standard in Debian
 CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer 
values. 3.3.8 ...)
- node-postcss 
NOTE: node-postcss bundles nanoid
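Review bot: fs.protected_symlinks=1 only blocks the symlink-following variant of a predictable temporary file name (symlinks in sticky world-writable directories owned by another user); the name can still be squatted with a pre-created regular file, which protected_symlinks does not address, so the NOTE justifying "unimportant" should say that the symlink case is what was assessed (or that the code opens the file with O_EXCL), rather than reading as if the sysctl covers every variant.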



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8e02f3509a9886548f91c2ad5d0bd5ac9a1c22



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2b74b4f by Moritz Muehlenhoff at 2024-12-06T16:40:06+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -5274,7 +5274,7 @@ CVE-2024-52511 (Nextcloud Tables allows users to to 
create tables with individua
NOT-FOR-US: Nextcloud Tables
 CVE-2024-52510 (The Nextcloud Desktop Client is a tool to synchronize files 
from Nextc ...)
- nextcloud-desktop 3.15.0-1 (bug #1087885)
-   [bookworm] - nextcloud-desktop  (Minor issue)
+   [bookworm] - nextcloud-desktop  (Minor issue, too intrusive to 
backport)
[bullseye] - nextcloud-desktop  (Minor issue)
NOTE: 
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v
NOTE: https://github.com/nextcloud/desktop/pull/7333
@@ -12638,6 +12638,7 @@ CVE-2024-9987 (A post-authentication SQL Injection 
vulnerability within the filt
NOT-FOR-US: Pandora FMS
 CVE-2024-53899 (virtualenv before 20.26.6 allows command injection through the 
activat ...)
- python-virtualenv 20.26.6+ds-1
+   [bookworm] - python-virtualenv  (Minor issue)
[bullseye] - python-virtualenv  (Minor issue)
NOTE: https://github.com/pypa/virtualenv/issues/2768
NOTE: https://github.com/pypa/virtualenv/pull/2771


=
data/dsa-needed.txt
=
@@ -32,6 +32,8 @@ linux (carnil)
 --
 mosquitto
 --
+openafs
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2b74b4f470e123d3b08c12dc25f7dff6e5ec7e6



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bba6a790 by Moritz Muehlenhoff at 2024-12-06T14:21:13+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -13,6 +13,7 @@ CVE-2024-6219 (Mark Laing discovered in LXD's PKI mode, until 
version 5.21.1, th
NOTE: incus: 
https://github.com/lxc/incus/commit/d2bb0d86031cb0c1319914f1fb3842c058edb776 
(v0.3.0)
 CVE-2024-6156 (Mark Laing discovered that LXD's PKI mode, until version 
5.21.2, could ...)
- lxd 
+   [bookworm] - lxd  (Minor issue)
- incus 
NOTE: 
https://github.com/canonical/lxd/security/advisories/GHSA-4c49-9fpc-hc3v
 CVE-2024-54140 (sigstore-java is a sigstore java client for interacting with 
sigstore  ...)
@@ -20,7 +21,7 @@ CVE-2024-54140 (sigstore-java is a sigstore java client for 
interacting with sig
 CVE-2024-53589 (GNU objdump 2.43 is vulnerable to Buffer Overflow in the BFD 
(Binary F ...)
- binutils  (unimportant)
NOTE: 
https://bushido-sec.com/index.php/2024/12/05/binutils-objdump-tekhex-buffer-overflow/
-   NOTE: NOTE: binutils not covered by security support
+   NOTE: binutils not covered by security support
 CVE-2024-53523 (JSFinder commit d70ab9bc5221e016c08cffaf0d9ac79646c90645 is 
vulnerable ...)
NOT-FOR-US: JSFinder
 CVE-2024-53457 (A stored cross-site scripting (XSS) vulnerability in the 
Device Settin ...)
@@ -101938,7 +101939,7 @@ CVE-2023-47117 (Label Studio is an open source data 
labeling tool. In all curren
 CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control 
the rem ...)
{DLA-3899-1}
- python-asyncssh 2.15.0-1 (bug #1055999)
-   [bookworm] - python-asyncssh  (Minor issue)
+   [bookworm] - python-asyncssh  (Minor issue)
[buster] - python-asyncssh  (Minor issue)
NOTE: 
https://github.com/ronf/asyncssh/security/advisories/GHSA-c35q-ffpf-5qpm
NOTE: 
https://github.com/ronf/asyncssh/commit/83e43f5ea3470a8617fc388c72b062c7136efd7e
 (v2.14.1)
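Review bot: the -/+ pair for the [bookworm] python-asyncssh line is identical in visible content, so this is a whitespace-only change (indentation normalisation), not a triage decision; harmless, but it deserves a word in the commit message, since "bookworm triage" suggests the bookworm state changed when it did not.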


=
data/dsa-needed.txt
=
@@ -35,8 +35,13 @@ mosquitto
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
+proftpd-dfsg
+--
 python-aiohttp (jmm)
 --
+python-django
+  Chris is working on it
+--
 python-tornado
 --
 ring



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bba6a7907bb64b88c192142f5061998171ac445d



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4762c0c by Moritz Muehlenhoff at 2024-12-05T11:11:29+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -527,6 +527,7 @@ CVE-2024-53990 (The AsyncHttpClient (AHC) library allows 
Java applications to ea
NOTE: 
https://github.com/AsyncHttpClient/async-http-client/commit/d5a83362f7aed81b93ebca559746ac9be0f95425
 (async-http-client-project-3.0.1)
 CVE-2024-53984 (Nanopb is a small code-size Protocol Buffers implementation.  
When the ...)
- nanopb 0.4.9.1-1 (bug #1088994)
+   [bookworm] - nanopb  (Minor issue)
NOTE: 
https://github.com/nanopb/nanopb/security/advisories/GHSA-xwqq-qxmw-hj5r
NOTE: Fixed by: 
https://github.com/nanopb/nanopb/commit/2b86c255aa52250438d5aba124d0e86db495b378
 CVE-2024-53981 (python-multipart is a streaming multipart parser for Python. 
When pars ...)
@@ -7887,6 +7888,7 @@ CVE-2024-48010 (Dell PowerProtect DD, versions prior to 
8.1.0.0, 7.13.1.10, 7.10
NOT-FOR-US: Dell
 CVE-2024-47072 (XStream is a simple library to serialize objects to XML and 
back again ...)
- libxstream-java 1.4.21-1 (bug #1087274)
+   [bookworm] - libxstream-java  (Minor issue)
NOTE: 
https://github.com/x-stream/xstream/security/advisories/GHSA-hfq9-hggm-c56q
NOTE: https://x-stream.github.io/CVE-2024-47072.html
 CVE-2024-46961 (The Inshot com.downloader.privatebrowser (aka Video Downloader 
- XDown ...)
@@ -12392,6 +12394,7 @@ CVE-2024-9287 (A vulnerability has been found in the 
CPython `venv` module and C
- python3.9 
- python2.7  (Vulnerable code not present)
- pypy3 
+   [bookworm] - pypy3  (Minor issue)
NOTE: 
https://mail.python.org/archives/list/security-annou...@python.org/thread/RSPJ2B5JL22FG3TKUJ7D7DQ4N5JRRBZL/
NOTE: https://github.com/python/cpython/issues/124651
NOTE: https://github.com/python/cpython/pull/124712


=
data/dsa-needed.txt
=
@@ -21,6 +21,8 @@ chromium (dilinger)
 frr
   coordination with the maintainer ongoing
 --
+jetty9
+--
 libreswan
   Waiting on feedback from maintainer
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4762c0cc5a596df636a6bfd38db52e4c4b2a61f



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
008559c0 by Moritz Muehlenhoff at 2024-12-04T10:07:26+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -423,6 +423,7 @@ CVE-2024-53364 (A SQL injection vulnerability was found in 
PHPGURUKUL Vehicle Pa
NOT-FOR-US: PHPGURUKUL Vehicle Parking Management System
 CVE-2024-53259 (quic-go is an implementation of the QUIC protocol in Go. An 
off-path a ...)
- golang-github-lucas-clemente-quic-go 
+   [bookworm] - golang-github-lucas-clemente-quic-go  (Minor issue)
NOTE: 
https://github.com/quic-go/quic-go/security/advisories/GHSA-px8v-pp82-rcvr
NOTE: https://github.com/quic-go/quic-go/pull/4729
NOTE: 
https://github.com/quic-go/quic-go/commit/ca31dd355cbe5fc6c5807992d9d1149c66c96a50
 (master)
@@ -874,18 +875,24 @@ CVE-2024-36620 (moby v25.0.0 - v26.0.2 is vulnerable to 
NULL Pointer Dereference
NOTE: Introduced in 
https://github.com/moby/moby/commit/2a6ff3c24fd790e5d42d2eabaf6acf06edfe6975 
(v25.0.0-beta.1)
 CVE-2024-36619 (FFmpeg n6.1.1 has a vulnerability in the WAVARC decoder of the 
libavco ...)
- ffmpeg 7:7.1-3
+   [bookworm] - ffmpeg  (Vulnerable decoder added in 6.0)
+   [bullseye] - ffmpeg  (Vulnerable decoder added in 6.0)
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/28c7094b25b689185155a6833caf2747b94774a4
 (n7.1)
 CVE-2024-36618 (FFmpeg n6.1.1 has a vulnerability in the AVI demuxer of the 
libavforma ...)
- ffmpeg 7:7.0.1-3
+   [bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/7a089ed8e049e3bfcb22de1250b86f2106060857
 (n7.0)
 CVE-2024-36617 (FFmpeg n6.1.1 has an integer overflow vulnerability in the 
FFmpeg CAF  ...)
- ffmpeg 7:7.0.1-3
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/d973fcbcc2f944752ff10e6a76b0b2d9329937a7
 (n7.0)
+   NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/f0e780370cc1c437d64f10d326b1d656ef490b5f
 (n5.1.5)
 CVE-2024-36616 (An integer overflow in the component 
/libavformat/westwood_vqa.c of FF ...)
- ffmpeg 7:7.0.1-3
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/86f73277bf014e2ce36dd2594f1e0fb8b3bd6661
 (n7.0)
+   NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/a8beef67993aa267de87599007143d9f0ba67c23
 (n5.1.5)
 CVE-2024-36615 (FFmpeg n7.0 has a race condition vulnerability in the VP9 
decoder. Thi ...)
- ffmpeg 7:7.1-3
+   [bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0ba058579f332b3060d8470a04ddd3fbf305be61
 (n7.1)
 CVE-2024-36612 (Zulip from 8.0 to 8.3 contains a memory leak vulnerability in 
the hand ...)
NOT-FOR-US: Zulip
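Review bot: the bookworm annotations in this hunk mix two different kinds of statement and the reason text has to carry the distinction, because the tag between the package name and the reason is not rendered in this mail. "Vulnerable decoder added in 6.0" for CVE-2024-36619 (bookworm and bullseye) is a not-affected statement about 5.1.x and 4.3.x rather than a severity judgement, while "Pick up when fixed in 5.1.x" for CVE-2024-36618 and CVE-2024-36615 is a deferral. The n5.1.5 NOTE lines added for CVE-2024-36617 and CVE-2024-36616 are the useful pattern: once the 5.1 branch carries backports of 7a089ed8e049e3bfcb22de1250b86f2106060857 and 0ba058579f332b3060d8470a04ddd3fbf305be61, record the n5.1.x commits the same way so the deferred entries can be closed with the next 5.1.x update.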
@@ -900,16 +907,20 @@ CVE-2024-35371 (Ant-Media-Serverv2.8.2 is affected by 
Improper Output Neutraliza
NOT-FOR-US: Ant-Media-Server
 CVE-2024-35369 (In FFmpeg version n6.1.1, specifically within the 
avcodec/speexdec.c m ...)
- ffmpeg 7:7.0.1-3
+   [bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0895ef0d6d6406ee6cd158fc4d47d80f201b8e9c
 (n7.0)
 CVE-2024-35368 (FFmpeg n7.0 is affected by a Double Free via the 
rkmpp_retrieve_frame  ...)
- ffmpeg 7:7.1-3
+   [bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/4513300989502090c4fd6560544dce399a8cd53c
 (n7.1)
 CVE-2024-35367 (FFmpeg n6.1.1 has an Out-of-bounds Read via 
libavcodec/ppc/vp8dsp_alti ...)
- ffmpeg 7:7.0.1-3
+   [bookworm] - ffmpeg  (Pick up when fixed in 5.1.x)
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/09e6840cf7a3ee07a73c3ae88a020bf27ca1a667
 (n7.0)
 CVE-2024-35366 (FFmpeg n6.1.1 is Integer Overflow. The vulnerability exists in 
the par ...)
- ffmpeg 7:7.0.1-3
NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/0bed22d597b78999151e3bde0768b7fe763fc2a6
 (n7.0)
+   NOTE: 
https://github.com/ffmpeg/ffmpeg/commit/4db0eb4653efad967ddcf71f564fd2f1169bafcb
 (n5.1.5)
 CVE-2024-11992 (Absolute path traversal vulnerability in Quick.CMS, version 
6.7, the e ...)
NOT-FOR-US: Quick.CMS
 CVE-2024-11990 (A Cross-Site Scripting (XSS) vulnerability in SurgeMail v78c2 
could al ...)
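Review bot: CVE-2024-35368 is a double free in rkmpp_retrieve_frame, code that is only compiled when ffmpeg is built with the Rockchip MPP hwaccel, so before deferring bookworm with "Pick up when fixed in 5.1.x" check the bookworm build configuration; if rkmpp is not enabled there, the entry belongs in the not-affected category with that reason instead of waiting on a 5.1.x backport. A similar scoping note would help for CVE-2024-35367, whose affected file is libavcodec/ppc/vp8dsp_altivec and therefore only reachable in the PowerPC builds; recording that in the reason makes the "Minor issue" assessment verifiable.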


=
data/DSA/list
=
@@ -362,7 +362,7 @@
[bullseye] - libndp 1.6-1+deb11u1
[bookworm] - libndp 1.8-1+deb12u1
 [15 Jun 2024] DSA-5712-1 ffmpeg - security update
-   {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 
CVE-2023-51798 CVE-2024-31585 CVE-2024-32230}
+   {CVE-2023-50010 CVE-2023-51793 CVE-2023-51794 CVE-2023-51795 
CVE-2023-51798 CVE-2024-31585 CVE-2024-32230 CVE-2024-36617 CVE-2024-36616 
CVE-2024-35366}
[bookworm] - ffmpe
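Review bot: CVE-2024-36617, CVE-2024-36616 and CVE-2024-35366 are being added retroactively to DSA-5712-1 of 15 Jun 2024, which is only correct if the ffmpeg version shipped by that DSA already contained the n5.1.5 commits now referenced in data/CVE/list (f0e780370cc1c437d64f10d326b1d656ef490b5f, a8beef67993aa267de87599007143d9f0ba67c23, 4db0eb4653efad967ddcf71f564fd2f1169bafcb); the bookworm version line of the DSA entry is cut off in this excerpt, so that correspondence cannot be confirmed here and should be checked against the changelog. Also the three ids are appended out of numerical order (36617 before 36616) while the rest of the list is ascending; "CVE-2024-35366 CVE-2024-36616 CVE-2024-36617" would match the existing convention.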

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-12-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
493f0ae9 by Moritz Muehlenhoff at 2024-12-04T09:23:33+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -4780,6 +4780,7 @@ CVE-2024-52511 (Nextcloud Tables allows users to to 
create tables with individua
NOT-FOR-US: Nextcloud Tables
 CVE-2024-52510 (The Nextcloud Desktop Client is a tool to synchronize files 
from Nextc ...)
- nextcloud-desktop  (bug #1087885)
+   [bookworm] - nextcloud-desktop  (Minor issue)
NOTE: 
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r4qc-m9mj-452v
NOTE: https://github.com/nextcloud/desktop/pull/7333
NOTE: 
https://github.com/nextcloud/desktop/commit/8cce183ba4ce46ddef58751fe5358efdea8d0114


=
data/dsa-needed.txt
=
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
+ceph
+--
 frr
   coordination with the maintainer ongoing
 --
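Review bot: ceph is added to dsa-needed.txt without a claimant and without a note of which CVEs the update is meant to cover, unlike the neighbouring frr entry that records coordination status; the same applies to the mosquitto and tcpdf additions further down in this file. Since an entry here is the queue for a DSA, a one-line note naming the CVE ids (or "all open issues") and whether the maintainer has been contacted lets the next triager pick it up without re-deriving the scope.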
@@ -24,6 +26,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+mosquitto
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
@@ -40,6 +44,8 @@ smarty4
 --
 sogo
 --
+tcpdf
+--
 trafficserver
 --
 wordpress



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/493f0ae988cbf0944b2bd69e3dace55f4e1ace3d





[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-11-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9494fe83 by Moritz Muehlenhoff at 2024-11-29T17:18:48+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -251,6 +251,7 @@ CVE-2024-11738
NOTE: https://github.com/rustls/rustls/issues/2227
 CVE-2024-53920 (In elisp-mode.el in GNU Emacs through 30.0.92, a user who 
chooses to i ...)
- emacs 
+   [bookworm] - emacs  (Minor issue, revisit when fixed 
upstream)
NOTE: 
https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html
NOTE: 
https://yhetil.org/emacs/CAFXAjY5f4YfHAtZur1RAqH34UbYU56_t6t2Er0YEh1Sb7-W=hg%40mail.gmail.com/
 CVE-2024-53855 (Centurion ERP (Enterprise Rescource Planning) is a simple 
application  ...)
@@ -794,6 +795,7 @@ CVE-2024-53930 (WikiDocs before 1.0.65 allows stored XSS by 
authenticated users
NOT-FOR-US: WikiDocs
 CVE-2024-53916 (In OpenStack Neutron through 25.0.0, 
neutron/extensions/tagging.py can ...)
- neutron 
+   [bookworm] - neutron  (Minor issue, revisit when fixed 
upstream)
NOTE: https://review.opendev.org/c/openstack/neutron/+/935883
 CVE-2024-53915 (An issue was discovered in the server in Veritas Enterprise 
Vault befo ...)
NOT-FOR-US: Veritas Enterprise Vault
@@ -891,6 +893,7 @@ CVE-2024-11646 (A vulnerability classified as critical was 
found in 1000 Project
NOT-FOR-US: 1000 Projects Beauty Parlour Management System
 CVE-2024-11498 (There exists a stack buffer overflow in libjxl.A 
specifically-crafted  ...)
- jpeg-xl 
+   [bookworm] - jpeg-xl  (Minor issue)
NOTE: https://github.com/libjxl/libjxl/pull/3943
NOTE: 
https://github.com/libjxl/libjxl/commit/bf4781a2eed2eef664790170977d1d3d8347efb9
 CVE-2024-11403 (There exists an out of bounds read/write in LibJXL versions 
prior to c ...)
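Review bot: "Minor issue" for a stack buffer overflow in libjxl reached through a specifically crafted file deserves a short justification in the reason, because libjxl is an image decoder library loaded by viewers and thumbnailers that process untrusted input; stating which precondition (non-default build option, specific API, or a version range bookworm does not ship) makes it minor would let the deferral be checked later. The fix is also referenced only as PR #3943 and commit bf4781a2eed2eef664790170977d1d3d8347efb9 with no release tag; add the tagged libjxl release once cut so the unstable entry can carry a fixed version.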
@@ -4597,6 +4600,7 @@ CVE-2024-23919 (Improper buffer restrictions in some 
Intel(R) Graphics software
NOT-FOR-US: Intel
 CVE-2024-23918 (Improper conditions check in some Intel(R) Xeon(R) processor 
memory co ...)
- intel-microcode 3.20241112.1 (bug #1087532)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
 CVE-2024-23312 (Uncontrolled search path for some Intel(R) Binary 
Configuration Tool s ...)
@@ -4616,12 +4620,14 @@ CVE-2024-22185 (Time-of-check Time-of-use Race 
Condition in some Intel(R) proces
NOT-FOR-US: Intel
 CVE-2024-21853 (Improper finite state machines (FSMs) in the hardware logic in 
some 4t ...)
- intel-microcode 3.20241112.1 (bug #1087532)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01101.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
 CVE-2024-21850 (Sensitive information in resource not removed before reuse in 
some Int ...)
NOT-FOR-US: Intel
 CVE-2024-21820 (Incorrect default permissions in some Intel(R) Xeon(R) 
processor memor ...)
- intel-microcode 3.20241112.1 (bug #1087532)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01079.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20241112
 CVE-2024-21808 (Improper buffer restrictions in some Intel(R) VPL software 
before vers ...)
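Review bot: CVE-2024-21853 and CVE-2024-21820 in this hunk, together with CVE-2024-23918 in the hunk above, all resolve to the same microcode-20241112 release and the same sid upload 3.20241112.1 (bug #1087532), so the three bookworm deferrals should carry one consistent reason. "Minor issue" is a severity statement; the actual disposition for microcode in stable is either a DSA or a point-release update of the non-free package, and recording which of the two is intended would keep these three from being re-triaged separately when the bookworm upload is prepared.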
@@ -128445,6 +128451,7 @@ CVE-2023-2143 (The Enable SVG, WebP & ICO Upload 
WordPress plugin through 1.0.3
NOT-FOR-US: WordPress plugin
 CVE-2023-2142 (In Nunjucks versions prior to version 3.2.4, it was  possible 
to bypas ...)
- node-nunjucks  (bug #1088331)
+   [bookworm] - node-nunjucks  (Minor issue)
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1825980
NOTE: 
https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
 CVE-2023-2141 (An unsafe .NET object deserialization in DELMIA Apriso Release 
2017 th ...)
@@ -135258,6 +135265,7 @@ CVE-2023-1522 (SQL Injection in the Hardware 
Inventory report of Security Center
NOT-FOR-US: Security Center
 CVE-2023-1521 (On Linux the sccache client can execute arbitrary code with the 
privil ...)
- sccache 0.5.3-1
+   [bookworm] - sccache  (Minor issue)
NOTE: https://securitylab.github.com/advisories/GHSL-2023-046_ScCache/
NOTE: https://github.com/advisories/GHSA-x7fr-pg8f-93f5
NOTE: ttps://github.com/mozilla/sccache/pull/1663
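Review bot: the last NOTE line has a broken URL, "ttps://github.com/mozilla/sccache/pull/1663" is missing the leading "h" and will not resolve as a link in the tracker; it should be https://github.com/mozilla/sccache/pull/1663. Separately, the description is that the sccache client can execute arbitrary code with the privileges described in the advisory, so the bookworm "Minor issue" reason would be clearer if it stated the precondition (which client/server deployment exposes the boundary) that makes this minor on a default Debian install.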


=
data/dsa-needed.txt

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-11-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e17e5e2a by Moritz Muehlenhoff at 2024-11-25T10:52:49+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2024-53901 (The Imager package before 1.025 for Perl has a heap-based 
buffer overf ...)
- libimager-perl 1.025+dfsg-1
+   [bookworm] - libimager-perl  (Minor issue)
NOTE: https://github.com/tonycoz/imager/issues/534
NOTE: 
https://github.com/tonycoz/imager/commit/7851737838aa86113b276aea02729cc1f6e9eed0
 (v1.025)
NOTE: https://github.com/briandfoy/cpan-security-advisory/issues/167
@@ -1076,9 +1077,11 @@ CVE-2024-52765 (H3C GR-1800AX MiniGRW1B0V100R007 is 
vulnerable to remote code ex
NOT-FOR-US: H3C GR-1800AX MiniGRW1B0V100R007
 CVE-2024-52763 (A cross-site scripting (XSS) vulnerability in the component 
/graph_all ...)
- ganglia-web 
+   [bookworm] - ganglia-web  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/ganglia/ganglia-web/issues/382
 CVE-2024-52762 (A cross-site scripting (XSS) vulnerability in the component 
/master/he ...)
- ganglia-web 
+   [bookworm] - ganglia-web  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/ganglia/ganglia-web/issues/382
 CVE-2024-52757 (D-LINK DI-8003 v16.07.16A1 was discovered to contain a buffer 
overflow ...)
NOT-FOR-US: D-LINK


=
data/dsa-needed.txt
=
@@ -27,13 +27,15 @@ linux (carnil)
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
-php8.2
+php8.2 (jmm)
 --
 python-aiohttp (jmm)
 --
+python-tornado
+--
 ring
 --
-smarty3
+smarty3 (jmm)
   Tobias Frost posted a debdiff for review addressing CVE-2023-28447 and 
CVE-2024-35226
 --
 smarty4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e17e5e2abbab32e25994ab5be3f247f30029830c





[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-11-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8126cd6c by Moritz Muehlenhoff at 2024-11-23T20:34:11+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -834,6 +834,7 @@ CVE-2024-53426 (A heap-buffer-overflow vulnerability has 
been identified in ntop
NOTE: https://github.com/ntop/ntopng/issues/8793
 CVE-2024-53425 (A heap-buffer-overflow vulnerability was discovered in the 
SkipSpacesA ...)
- assimp 
+   [bookworm] - assimp  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/assimp/assimp/issues/5860
 CVE-2024-53335 (TOTOLINK A810R V4.1.2cu.5182_B20201026 is vulnerable to Buffer 
Overflo ...)
NOT-FOR-US: TOTOLINK
@@ -963,10 +964,12 @@ CVE-2024-52067 (Apache NiFi 1.16.0 through 1.28.0 and 
2.0.0-M1 through 2.0.0-M4
NOT-FOR-US: Apache NiFi
 CVE-2024-11596 (ECMP dissector crash in Wireshark 4.4.0 to 4.4.1 and 4.2.0 to 
4.2.8 al ...)
- wireshark 4.4.2-1
+   [bookworm] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-15.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20214
 CVE-2024-11595 (FiveCo RAP dissector infinite loop in Wireshark 4.4.0 to 4.4.1 
and 4.2 ...)
- wireshark 4.4.2-1
+   [bookworm] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-14.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/20176
 CVE-2024-53095 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
@@ -2311,6 +2314,7 @@ CVE-2023-52921 (In the Linux kernel, the following 
vulnerability has been resolv
NOTE: 
https://git.kernel.org/linus/90e065677e0362a777b9db97ea21d43a39211399 (6.5-rc6)
 CVE-2024-10524 (Applications that use Wget to access a remote resource using 
shorthand ...)
- wget  (bug #1088023)
+   [bookworm] - wget  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/11/18/6
NOTE: https://jfrog.com/blog/cve-2024-10524-wget-zero-day-vulnerability/
NOTE: Fixed by: 
https://git.savannah.gnu.org/cgit/wget.git/commit/?id=c419542d956a2607bbce5df64b9d378a8588d778
 (v1.25.0)
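Review bot: the fix recorded for CVE-2024-10524 is a v1.25.0 commit, and 1.25.0 is a feature release; if commit c419542d956a2607bbce5df64b9d378a8588d778 removes the shorthand URL syntax rather than fixing its parsing, a bookworm update would be a behaviour change for scripts that rely on that syntax, which is a stronger argument for the no-dsa deferral than "Minor issue" and worth recording in the reason. If it is a parsing fix only, the reason stands, but the commit should be checked for whether it applies cleanly to bookworm's wget before the entry is considered settled.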
@@ -2501,9 +2505,11 @@ CVE-2024-5030 (The CM Table Of Contents  WordPress 
plugin before 1.2.3 does not
NOT-FOR-US: WordPress plugin
 CVE-2024-52947 (A cross-site scripting (XSS) vulnerability in LemonLDAP::NG 
before 2.2 ...)
- lemonldap-ng 2.20.1+ds-1
+   [bookworm] - lemonldap-ng  (Minor issue, will be fixed via spu)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257
 CVE-2024-52946 (An issue was discovered in LemonLDAP::NG before 2.20.1. An 
Improper Ch ...)
- lemonldap-ng 2.20.1+ds-1
+   [bookworm] - lemonldap-ng  (Minor issue, will be fixed via spu)
NOTE: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3255
 CVE-2024-52945 (An issue was discovered in Veritas NetBackup before 10.5. This 
only ap ...)
NOT-FOR-US: Veritas NetBackup
@@ -2778,6 +2784,7 @@ CVE-2024-52523 (Nextcloud Server is a self hosted 
personal cloud system. After s
- nextcloud-server  (bug #941708)
 CVE-2024-52522 (Rclone is a command-line program to sync files and directories 
to and  ...)
- rclone  (bug #1088107)
+   [bookworm] - rclone  (Minor issue)
NOTE: 
https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv
NOTE: 
https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0
 (master)
NOTE: 
https://github.com/rclone/rclone/commit/669b2f2669cacd634faa2bcecb589b76e1402533
 (v1.68.2)
@@ -5930,6 +5937,7 @@ CVE-2024-10964 (A vulnerability classified as critical 
has been found in emqx ne
NOT-FOR-US: emqx neuron
 CVE-2024-10963 (A flaw was found in pam_access, where certain rules in its 
configurati ...)
- pam  (bug #1087019)
+   [bookworm] - pam  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2324291
NOTE: https://github.com/linux-pam/linux-pam/issues/834
 CVE-2024-10668 (There exists an auth bypass in Google Quickshare where an 
attacker can ...)
@@ -6900,6 +6908,7 @@ CVE-2023-34443 (Combodo iTop is a simple, web based IT 
Service Management tool.
NOT-FOR-US: Combodo iTop
 CVE-2024-51744 (golang-jwt is a Go implementation of JSON Web Tokens. Unclear 
document ...)
- golang-github-golang-jwt-jwt  (bug #1086792)
+   [bookworm] - golang-github-golang-jwt-jwt  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2323735
NOTE: 
https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
 (v4.5.1)
 CVE-2024-9147 (Improper Neutralization of Script-Related HTML Tags in a Web 
Page (Bas ...)


=
data/d

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-11-12 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
525ce4c4 by Moritz Muehlenhoff at 2024-11-12T14:22:10+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -16,19 +16,25 @@ CVE-2024-52533 (gio/gsocks4aproxy.c in GNOME GLib before 
2.82.1 has an off-by-on
TODO: check if has impact on embedded copy in src:gobject-introspection
 CVE-2024-52532 (GNOME libsoup before 3.6.1 has an infinite loop, and memory 
consumptio ...)
- libsoup3 
+   [bookworm] - libsoup3  (Minor issue)
- libsoup2.4 
+   [bookworm] - libsoup2.4  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/391
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/410
NOTE: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/29b96fab2512666d7241e46c98cc45b60b795c0c
 CVE-2024-52531 (GNOME libsoup before 3.6.1 allows a buffer overflow in 
applications th ...)
- libsoup3 
+   [bookworm] - libsoup3  (Minor issue)
- libsoup2.4 
+   [bookworm] - libsoup2.4  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/merge_requests/407
NOTE: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/3c54033634ae537b52582900a7ba432c52ae8174
NOTE: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/a35222dd0bfab2ac97c10e86b95f762456628283
 CVE-2024-52530 (GNOME libsoup before 3.6.0 allows HTTP request smuggling in 
some confi ...)
- libsoup3 3.5.2-1
+   [bookworm] - libsoup3  (Minor issue)
- libsoup2.4 
+   [bookworm] - libsoup2.4  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/libsoup/-/issues/377
NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libsoup/-/commit/04df03bc092ac20607f3e150936624d4f536e68b
 (3.5.2)
 CVE-2024-52288 (libosdp is an implementation of IEC 60839-11-5 OSDP (Open 
Supervised D ...)
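Review bot: CVE-2024-52530 is HTTP request smuggling and is tagged "Minor issue" for both libsoup3 and libsoup2.4, while the NOTE shows a fix only in 3.5.2 and the libsoup2.4 unstable entry has no fixed version at all; a backport of 04df03bc092ac20607f3e150936624d4f536e68b is the realistic route for libsoup2.4 in both unstable and bookworm, and the reason should say whether that is planned or whether the smuggling configuration does not apply to the 2.4 series. For CVE-2024-52532 and CVE-2024-52531 the referenced commits carry no release tag in the NOTE; add the containing release (the description says before 3.6.1) so the unstable entries can be given a fixed version.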
@@ -229,18 +235,25 @@ CVE-2024-10179 (The Slickstream: Engagement and 
Conversions plugin for WordPress
TODO: check
 CVE-2024-49395 (In mutt and neomutt, PGP encryption does not use the 
--hidden-recipien ...)
- mutt 
+   [bookworm] - mutt  (Minor issue)
- neomutt 
+   [bookworm] - neomutt  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325332
 CVE-2024-49394 (In mutt and neomutt the In-Reply-To email header field is not 
protecte ...)
- mutt 
+   [bookworm] - mutt  (Minor issue)
- neomutt 
+   [bookworm] - neomutt  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325330
 CVE-2024-49393 (In neomutt and mutt, the To and Cc email headers are not 
validated by  ...)
- mutt 
+   [bookworm] - mutt  (Minor issue)
- neomutt 
+   [bookworm] - neomutt  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325317
 CVE-2024-11079 (A flaw was found in Ansible-Core. This vulnerability allows 
attackers  ...)
- ansible-core 
+   [bookworm] - ansible-core  (Minor issue)
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in 
experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2325171
@@ -1542,6 +1555,7 @@ CVE-2024-10027 (The WP Booking Calendar WordPress plugin 
before 10.6.3 does not
NOT-FOR-US: WordPress plugin
 CVE-2024-9902 (A flaw was found in Ansible. The ansible-core `user` module can 
allow  ...)
- ansible-core 2.18.0-1 (bug #1086883)
+   [bookworm] - ansible-core  (Minor issue)
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in 
experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2318271
@@ -1563,11 +1577,13 @@ CVE-2024-51757 (happy-dom is a JavaScript 
implementation of a web browser withou
NOT-FOR-US: happy-dom
 CVE-2024-51755 (Twig is a template language for PHP. In a sandbox, an attacker 
can acc ...)
- php-twig 3.14.2-1 (bug #1086884)
+   [bookworm] - php-twig  (Minor issue)
- twig 
NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-jjxq-ff2g-95vh
NOTE: Fixed by: 
https://github.com/twigphp/Twig/commit/831c148e786178e5f2fde9db67266be3bf241c21 
(v3.14.1)
 CVE-2024-51754 (Twig is a template language for PHP. In a sandbox, an attacker 
can cal ...)
- php-twig 3.14.2-1 (bug #1086884)
+   [bookworm] - php-twig  (Minor issue)
- twig 
NOTE: 
https://github.com/twigphp/Twig/security/advisories/GHSA-6377-hfv9-hqf6
NOTE: Fixed by: 
https://github.com/twigphp/Twig/commit/2bb8c2460a2c519c498df9b643d5277117155a73 
(v3.14.1)
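Review bot: both entries in this hunk add a bookworm "Minor issue" line for php-twig but leave the second source, twig, with only an unstable line and no bookworm annotation; if src:twig is also in bookworm it needs the same annotation (or a not-affected reason if its Twig major version lacks the sandbox code path the advisories describe), and if it exists only in unstable a NOTE saying so would stop the next triage pass from re-checking it.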
@@ -4432,6 +4448,7 @@ CVE-2024-10214 (Mattermost versions 9.11.X <= 9.11.1, 
9.5.x <= 9.5.9 icorrectly
- mattermost-server  (bug #823556)
 CVE-2024-45802 (Squid is an open

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-11-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6bf6ebf2 by Moritz Muehlenhoff at 2024-11-05T17:31:24+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -406,6 +406,7 @@ CVE-2024-10310 (The Element Pack Elementor Addons (Header 
Footer, Template Libra
NOT-FOR-US: WordPress plugin
 CVE-2024-51774 (qBittorrent before 5.0.1 proceeds with use of https URLs even 
after ce ...)
- qbittorrent 5.0.1-1
+   [bookworm] - qbittorrent  (Minor issue)
NOTE: https://sharpsec.run/rce-vulnerability-in-qbittorrent/
 CVE-2024-7456 (A SQL injection vulnerability exists in the 
`/api/v1/external-users` r ...)
NOT-FOR-US: lunary-ai/lunary
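Review bot: the only reference for CVE-2024-51774 is a write-up whose URL names it an RCE in qBittorrent, and the description is that https URLs keep being used after certificate validation errors; "Minor issue" for bookworm needs a reason that says why the bookworm build is not exposed to the vector in that write-up (or that the remaining exposure is limited to downloads over an unverified TLS connection), otherwise the tag reads as contradicting its own reference. The sid fixed version 5.0.1-1 also has no corresponding upstream commit NOTE; adding it would make a bookworm backport assessable.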
@@ -903,8 +904,11 @@ CVE-2024-8185 (Vault Community and Vault Enterprise 
(\u201cVault\u201d) clusters
NOT-FOR-US: HashiCorp Vault
 CVE-2024-7883 (When using Arm Cortex-M Security Extensions (CMSE), Secure 
stack  cont ...)
- llvm-toolchain-14 
+   [bookworm] - llvm-toolchain-14  (Minor issue)
- llvm-toolchain-15 
+   [bookworm] - llvm-toolchain-15  (Minor issue)
- llvm-toolchain-16 
+   [bookworm] - llvm-toolchain-16  (Minor issue)
- llvm-toolchain-17 
- llvm-toolchain-18 
NOTE: 
https://developer.arm.com/Arm%20Security%20Center/Cortex-M%20Security%20Extensions%20Vulnerability
@@ -1564,6 +1568,7 @@ CVE-2024-22066 (There is a privilege escalation 
vulnerability in ZTE ZXR10 ZSR V
NOT-FOR-US: ZTE
 CVE-2024-10491 (A vulnerability has been identified in the Express 
response.linksfunct ...)
- node-express 
+   [bookworm] - node-express  (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-10491
NOTE: check details, affects only <=3.21.4, so possibly fixed in 
4.1.1~dfsg-1 onwards
 CVE-2024-10474 (Focus was incorrectly allowing internal links to utilize the 
app schem ...)
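Review bot: the bookworm "Minor issue" tag for CVE-2024-10491 is added directly above a NOTE that still says "check details, affects only <=3.21.4, so possibly fixed in 4.1.1~dfsg-1 onwards"; the two statements conflict, because if only Express <= 3.21.4 is affected the right resolution is a fixed version on the unstable line (and not-affected for bookworm if it ships 4.x), not a no-dsa deferral. Resolve the check first, then either drop the bookworm line or change its reason to state the affected version range.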
@@ -2297,6 +2302,7 @@ CVE-2024-10413 (A vulnerability, which was classified as 
critical, has been foun
NOT-FOR-US: SourceCodester
 CVE-2024-50602 (An issue was discovered in libexpat before 2.6.4. There is a 
crash wit ...)
- expat 2.6.3-2 (bug #1086134)
+   [bookworm] - expat  (Minor issue)
NOTE: https://github.com/libexpat/libexpat/pull/915
 CVE-2024-10412 (A vulnerability was found in Poco-z Guns-Medical 1.0. It has 
been decl ...)
NOT-FOR-US: Poco-z Guns-Medical
@@ -6787,6 +6793,7 @@ CVE-2024-49193 (Zendesk before 2024-07-02 allows remote 
attackers to read ticket
NOT-FOR-US: Zendesk
 CVE-2024-6519 (A use-after-free vulnerability was found in the QEMU LSI53C895A 
SCSI H ...)
- qemu  (bug #1085299)
+   [bookworm] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2292089
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1382/
 CVE-2024-9860 (The Bridge Core plugin for WordPress is vulnerable to 
unauthorized mod ...)
@@ -94492,10 +94499,8 @@ CVE-2023-46478 (An issue in minCal v.1.0.0 allows a 
remote attacker to execute a
 CVE-2023-46451 (Best Courier Management System v1.0 is vulnerable to Cross 
Site Script ...)
NOT-FOR-US: Best Courier Management System
 CVE-2023-46361 (Artifex Software jbig2dec v0.20 was discovered to contain a 
SEGV vulne ...)
-   - jbig2dec  (bug #1055387)
-   [bookworm] - jbig2dec  (Minor issue)
-   [bullseye] - jbig2dec  (Minor issue)
-   [buster] - jbig2dec  (Minor issue)
+   - jbig2dec  (bug #1055387; unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/jbig2dec-SEGV/jbig2dec-SEGV.md
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=707308
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=705041
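Review bot: "Crash in CLI tool, no security impact" is the right reason only if the SEGV is in the jbig2dec command-line front end rather than in the decoding code shipped in the library package; the referenced report title (jbig2dec-SEGV) and the two ghostscript bugs do not settle that, and the library is what ghostscript uses to decode JBIG2 streams inside PDFs, where the same input is attacker-controlled. Name the crashing function in the NOTE so the downgrade to unimportant is checkable. The same question applies to the ippsample/PDFio change in the next hunk, where PDFio is a library embedded in ippsample rather than a standalone tool.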
@@ -127929,8 +127934,8 @@ CVE-2023-28430 (OneSignal is an email, sms, push 
notification, and in-app messag
 CVE-2023-28429 (Pimcore is an open source data and experience management 
platform. Ver ...)
NOT-FOR-US: Pimcore
 CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In 
versions 1. ...)
-   - ippsample  (bug #1034155)
-   [bookworm] - ippsample  (Minor issue)
+   - ippsample  (bug #1034155; unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: 
https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31
 (v1.1.1)
NOTE: 
https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf
 CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK 
for Jav ...)
@@ -322400,6 +322405,7 @@ CVE-2020-23885
 CVE-2020-23884 (A buffer overflow in Nomacs v3.15.0 allows attackers to cause 
a denial ...)
- qt6-base  (Fixed before initial upload to the archive)
- qtimageformats-opensourc

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-10-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3fee93e6 by Moritz Muehlenhoff at 2024-10-29T12:21:49+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -491,6 +491,7 @@ CVE-2024-9162 (The All-in-One WP Migration and Backup 
plugin for WordPress is vu
 CVE-2024-50624 (ispdbservice.cpp in KDE Kmail before 6.2.0 allows 
man-in-the-middle at ...)
[experimental] - kmail-account-wizard 4:24.08.0-1
- kmail-account-wizard  (bug #1086198)
+   [bookworm] - kmail-account-wizard  (Minor issue)
NOTE: https://bugs.kde.org/show_bug.cgi?id=487882
NOTE: 
https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41c3aff435d4a88afb25585180a62ee4
 (v24.07.80)
 CVE-2024-50623 (In Cleo Harmony before 5.8.0.20, VLTrader before 5.8.0.20, and 
LexiCom ...)
@@ -499,20 +500,25 @@ CVE-2024-50616 (Ironman PowerShell Universal 5.x before 
5.0.12 allows an authent
NOT-FOR-US: Ironman PowerShell Universal
 CVE-2024-50615 (TinyXML2 through 10.0.0 has a reachable assertion for 
UINT_MAX/digit,  ...)
- tinyxml2 
+   [bookworm] - tinyxml2  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/leethomason/tinyxml2/issues/997
 CVE-2024-50614 (TinyXML2 through 10.0.0 has a reachable assertion for 
UINT_MAX/16, tha ...)
- tinyxml2 
+   [bookworm] - tinyxml2  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/leethomason/tinyxml2/issues/996
 CVE-2024-50613 (libsndfile through 1.2.2 has a reachable assertion, that may 
lead to a ...)
- libsndfile 
+   [bookworm] - libsndfile  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/libsndfile/libsndfile/issues/1034
 CVE-2024-50612 (libsndfile through 1.2.2 has an ogg_vorbis.c 
vorbis_analysis_wrote out ...)
- libsndfile 
+   [bookworm] - libsndfile  (Minor issue, revisit when fixed 
upstream)
NOTE: https://github.com/libsndfile/libsndfile/issues/1035
 CVE-2024-50611 (CycloneDX cdxgen through 10.10.7, when run against an 
untrusted codeba ...)
NOT-FOR-US: CycloneDX cdxgen
 CVE-2024-50610 (GSL (GNU Scientific Library) through 2.8 has an integer 
signedness err ...)
- gsl 2.8+dfsg-4 (bug #1086206)
+   [bookworm] - gsl  (Minor issue)
NOTE: https://lists.gnu.org/archive/html/bug-gsl/2024-09/msg0.html
 CVE-2024-50307 (Use of potentially dangerous function issue exists in Chatwork 
Desktop ...)
NOT-FOR-US: Chatwork Desktop Application
@@ -1181,9 +1187,11 @@ CVE-2024-0126 (NVIDIA GPU Display Driver for Windows and 
Linux contains a vulner
[bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
NOTE: 460.106.00-3 turned the package into a metapackage to aid 
switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-470  (bug #1085974)
+   [bookworm] - nvidia-graphics-drivers-tesla-470  (Non-free not 
supported)
- nvidia-graphics-drivers-tesla 525.147.05-6 (bug #1085975)
NOTE: 525.147.05-6 turned the package into a metapackage to aid 
switching to nvidia-graphics-drivers
- nvidia-open-gpu-kernel-modules  (bug #1085976)
+   [bookworm] - nvidia-open-gpu-kernel-modules  (Contrib not 
supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5586
 CVE-2024-48936 (SchedMD Slurm before 24.05.4 has Incorrect Authorization. A 
mistake in ...)
- slurm-wlm  (bug #1086003)
@@ -1408,6 +1416,7 @@ CVE-2024-10250 (The Nioland theme for WordPress is 
vulnerable to Reflected Cross
NOT-FOR-US: WordPress theme
 CVE-2024-10041 (A vulnerability was found in PAM. The secret information is 
stored in  ...)
- pam  (bug #1086038)
+   [bookworm] - pam  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2319212
NOTE: https://github.com/linux-pam/linux-pam/issues/846
NOTE: https://github.com/linux-pam/linux-pam/pull/686
@@ -4330,13 +4339,10 @@ CVE-2024-9925 (SQL injection vulnerability in TAI Smart 
Factory's QPLANT SF vers
 CVE-2024-9895 (The Smart Online Order for Clover plugin for WordPress is 
vulnerable t ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A 
symlink tra ...)
-   - cri-o  (bug #979702)
- golang-github-containers-buildah 
[bookworm] - golang-github-containers-buildah  (Minor issue)
- golang-github-containers-storage 1.55.1+ds1-1
[bookworm] - golang-github-containers-storage  (Minor issue)
-   - libpod 
-   - podman 
NOTE: https://github.com/advisories/GHSA-wq2p-5pc6-wpgf
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317467
NOTE: https://github.com/containers/buildah/pull/5786
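Review bot: the entries for cri-o, libpod and podman are dropped from CVE-2024-9676 with no NOTE saying why, even though the description names Podman and CRI-O as affected alongside Buildah. If the reasoning is that the symlink traversal lives in containers/storage (tracked here as golang-github-containers-storage) and the binaries only inherit it from that library, say so in a NOTE, because otherwise a later triager will re-add them; and whichever way podman in bookworm obtains containers/storage (packaged library or vendored copy), the fix reaches the podman binary only through a rebuild, so the bookworm "Minor issue" on the library entries does not by itself cover the podman package.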


==

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-10-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0334f2bf by Moritz Muehlenhoff at 2024-10-23T18:02:03+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2955,6 +2955,7 @@ CVE-2024-47876 (Sakai is a Collaboration and Learning 
Environment. Starting in v
NOT-FOR-US: Sakai
 CVE-2024-47874 (Starlette is an Asynchronous Server Gateway Interface (ASGI) 
framework ...)
- starlette 0.41.0-1 (bug #1085295)
+   [bookworm] - starlette  (Minor issue)
NOTE: 
https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
NOTE: 
https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733
 (0.40.0)
 CVE-2024-47824 (matrix-react-sdk is react-based software development kit for 
inserting ...)
@@ -5704,6 +5705,7 @@ CVE-2023-37822 (The Eufy Homebase 2 before firmware 
version 3.3.4.1h creates a d
NOT-FOR-US: Eufy HomeBase 2 model T8010X
 CVE-2024-8508 (NLnet Labs Unbound up to and including version 1.21.0 contains 
a vulne ...)
- unbound 1.21.1-1 (bug #1083282)
+   [bookworm] - unbound  (Minor issue)
NOTE: Advisory: https://nlnetlabs.nl/downloads/unbound/CVE-2024-8508.txt
NOTE: Patch: 
https://nlnetlabs.nl/downloads/unbound/patch_CVE-2024-8508.diff
NOTE: Fixed by: 
https://github.com/NLnetLabs/unbound/commit/b7c61d7cc256d6a174e6179622c7fa968272c259
 (release-1.21.1)
@@ -7592,6 +7594,7 @@ CVE-2024-46639 (A cross-site scripting (XSS) 
vulnerability in HelpDeskZ v2.0.2 a
 CVE-2024-46544 (Incorrect Default Permissions vulnerability in Apache Tomcat 
Connector ...)
{DLA-3919-1}
- libapache-mod-jk  (bug #1082713)
+   [bookworm] - libapache-mod-jk  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/09/23/1
NOTE: Fixed by: 
https://github.com/apache/tomcat-connectors/commit/d55706e92b65018c2e4c7ab14014a996b0174966
 (JK_1_2_50)
 CVE-2024-46241 (PHPGurukul Dairy Farm Shop Management System v1.1 is 
vulnerable to Cro ...)
@@ -7808,6 +7811,7 @@ CVE-2024-8612 (A flaw was found in QEMU, in the 
virtio-scsi, virtio-blk, and vir
NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c
 CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This 
flaw all ...)
- pcp 6.3.1-1
+   [bookworm] - pcp  (Minor issue)
[bullseye] - pcp  (The vulnerable code was introduced 
later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310452
NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
@@ -7815,6 +7819,7 @@ CVE-2024-45769 (A vulnerability was found in Performance 
Co-Pilot (PCP). This fl
NOTE: Fixed by: 
https://github.com/performancecopilot/pcp/commit/eadb79aab46175d7a58d0fa88028408743e2a93f
 (6.3.1)
 CVE-2024-45770 (A vulnerability was found in Performance Co-Pilot (PCP). This 
flaw can ...)
- pcp 6.3.1-1
+   [bookworm] - pcp  (Minor issue)
[bullseye] - pcp  (Minor issue, requires root access)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310451
NOTE: https://www.openwall.com/lists/oss-security/2024/09/20/1
@@ -24597,6 +24602,7 @@ CVE-2024-6643
REJECTED
 CVE-2024-6531 (A vulnerability has been identified in Bootstrap that exposes 
users to ...)
- twitter-bootstrap4  (bug #1084059)
+   [bookworm] - twitter-bootstrap4  (Minor issue)
- twitter-bootstrap3  (Only affects 4.x)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6531
 CVE-2024-6528 (CWE-79: Improper Neutralization of Input During Web Page 
Generation (' ...)
@@ -24604,10 +24610,12 @@ CVE-2024-6528 (CWE-79: Improper Neutralization of 
Input During Web Page Generati
 CVE-2024-6485 (A security vulnerability has been discovered in bootstrap that 
could e ...)
- twitter-bootstrap4  (Only affects 3.x)
- twitter-bootstrap3  (bug #1084060)
+   [bookworm] - twitter-bootstrap3  (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6485
 CVE-2024-6484 (A vulnerability has been identified in Bootstrap that exposes 
users to ...)
- twitter-bootstrap4  (Only affects 3.x)
- twitter-bootstrap3  (bug #1084060)
+   [bookworm] - twitter-bootstrap3  (Minor issue)
NOTE: https://www.herodevs.com/vulnerability-directory/cve-2024-6484
 CVE-2024-6407 (CWE-200: Information Exposure vulnerability exists that could 
cause di ...)
NOT-FOR-US: Schneider Electric


=
data/dsa-needed.txt
=
@@ -23,7 +23,7 @@ chromium (dilinger)
 frr
   coordination with the maintainer ongoing
 --
-libheif
+libheif (jmm)
 --
 libreswan
   Waiting on feedback from maintainer
@@ -32,6 +32,8 @@ linux (carnil)
   Wait

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-10-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5816881c by Moritz Muehlenhoff at 2024-10-23T11:01:45+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1783,6 +1783,7 @@ CVE-2024-10195 (A vulnerability was found in Tecno 4G 
Portable WiFi TR118 V008-2
NOT-FOR-US: Tecno 4G Portable WiFi TR118
 CVE-2024- [XSS Vulnerability in matrix.pl]
- dbeacon 0.4.0-3 (bug #1031542)
+   [bookworm] - dbeacon  (Minor issue)
 CVE-2024-49631 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-49630 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
@@ -2489,16 +2490,19 @@ CVE-2024-47637 (: Relative Path Traversal vulnerability 
in LiteSpeed Technologie
NOT-FOR-US: WordPress plugin
 CVE-2024-47522 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.7-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-w5xv-6586-jpm7
NOTE: https://redmine.openinfosecfoundation.org/issues/7267
 CVE-2024-47351 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-47188 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.7-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-qq5v-qcjx-f872
NOTE: https://redmine.openinfosecfoundation.org/issues/7289
 CVE-2024-47187 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.7-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-64ww-4f6x-863p
NOTE: https://redmine.openinfosecfoundation.org/issues/7209
 CVE-2024-47139 (A stored cross-site scripting (XSS) vulnerability exists in an 
undiscl ...)
@@ -2511,14 +2515,17 @@ CVE-2024-45844 (BIG-IP monitor functionality may allow 
an attacker to bypass acc
NOT-FOR-US: BIG-IP
 CVE-2024-45797 (LibHTP is a security-aware parser for the HTTP protocol and 
the relate ...)
- libhtp 1:0.5.49-1
+   [bookworm] - libhtp  (Minor issue)
NOTE: 
https://github.com/OISF/libhtp/security/advisories/GHSA-rqqp-24ch-248f
NOTE: https://redmine.openinfosecfoundation.org/issues/7191
 CVE-2024-45796 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.7-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-mf6r-3xp2-v7xg
NOTE: https://redmine.openinfosecfoundation.org/issues/7067
 CVE-2024-45795 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.7-1
+   [bookworm] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-6r8w-fpw6-cp9g
NOTE: https://redmine.openinfosecfoundation.org/issues/7195
 CVE-2024-45072 (IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to 
an XML E ...)
@@ -2885,7 +2892,9 @@ CVE-2024-9895 (The Smart Online Order for Clover plugin 
for WordPress is vulnera
 CVE-2024-9676 (A vulnerability was found in Podman, Buildah, and CRI-O. A 
symlink tra ...)
- cri-o  (bug #979702)
- golang-github-containers-buildah 
+   [bookworm] - golang-github-containers-buildah  (Minor issue)
- golang-github-containers-storage 1.55.1+ds1-1
+   [bookworm] - golang-github-containers-storage  (Minor issue)
- libpod 
- podman 
NOTE: https://github.com/advisories/GHSA-wq2p-5pc6-wpgf
@@ -2913,6 +2922,7 @@ CVE-2024-49195 (Mbed TLS 3.5.x through 3.6.x before 3.6.2 
has a buffer underrun
NOTE: 
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-10-1/
 CVE-2024-48948 (The Elliptic package 6.5.7 for Node.js, in its for ECDSA 
implementatio ...)
- node-elliptic  (bug #1085298)
+   [bookworm] - node-elliptic  (Minor issue)
NOTE: https://github.com/indutny/elliptic/issues/321
NOTE: https://github.com/indutny/elliptic/pull/322
 CVE-2024-48915 (Agent Dart is an agent library built for Internet Computer for 
Dart an ...)
@@ -2971,6 +2981,7 @@ CVE-2024-45271 (An unauthenticated local attacker can 
gain admin privileges by d
NOT-FOR-US: MB connect line GmbH
 CVE-2024-44337 (The package `github.com/gomarkdown/markdown` is a Go library 
for parsi ...)
- golang-github-gomarkdown-markdown  (bug #1085377)
+   [bookworm] - golang-github-gomarkdown-markdown  (Minor issue)
NOTE: https://github.com/Brinmon/CVE-2024-4433
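Review bot: the NOTE reference kept under CVE-2024-44337 points at https://github.com/Brinmon/CVE-2024-4433, whose name does not match the entry's own identifier (CVE-2024-44337), so the link looks either truncated or attached to the wrong entry; worth confirming it resolves to a report for this CVE before the bookworm annotation above it lands, since a mismatched NOTE URL sends later triagers to the wrong material.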

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-10-17 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63f3ffef by Moritz Mühlenhoff at 2024-10-16T18:21:09+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2029,6 +2029,7 @@ CVE-2024-27457 (Improper check for unusual or exceptional 
conditions in Intel(R)
NOT-FOR-US: Intel
 CVE-2024-25885 (An issue in the getcolor function in utils.py of xhtml2pdf 
v0.2.13 all ...)
- xhtml2pdf  (bug #1084986)
+   [bookworm] - xhtml2pdf  (Minor issue)
NOTE: 
https://gist.github.com/salvatore-abello/c88dd0027496774023ef36c7b576d206
 CVE-2024-25825 (FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS 
for You 1 ...)
NOT-FOR-US: FydeOS
@@ -2050,6 +2051,7 @@ CVE-2023-52952 (A vulnerability has been identified in 
HiMed Cockpit 12 pro (J31
NOT-FOR-US: Siemens
 CVE-2024-28168 (Improper Restriction of XML External Entity Reference ('XXE') 
vulnerab ...)
- fop  (bug #1084985)
+   [bookworm] - fop  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/10/09/1
NOTE: https://issues.apache.org/jira/browse/FOP-3168
NOTE: 
https://github.com/apache/xmlgraphics-fop/commit/d96ba9a11710d02716b6f4f6107ebfa9ccec7134
 (2_10)
@@ -9185,6 +9187,7 @@ CVE-2024-20439 (A vulnerability in Cisco Smart Licensing 
Utility could allow an
NOT-FOR-US: Cisco
 CVE-2024-44082 (In OpenStack Ironic before 26.0.1 and ironic-python-agent 
before 9.13. ...)
- ironic 1:26.1.0-1
+   [bookworm] - ironic  (Minor issue)
- ironic-python-agent 9.14.0-1
NOTE: https://www.openwall.com/lists/oss-security/2024/09/04/4
NOTE: https://bugs.launchpad.net/ironic/+bug/2071740


=
data/dsa-needed.txt
=
@@ -26,6 +26,8 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more 6.1.y versions
 --
+openjdk-17 (jmm)
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63f3ffef71bf21f95979bb533e4c945d90f92e88

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-10-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
090b27e7 by Moritz Muehlenhoff at 2024-10-13T20:36:48+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -204,6 +204,7 @@ CVE-2024-46088 (An arbitrary file upload vulnerability in 
the ProductAction.entp
NOT-FOR-US: Zhejiang University Entersoft Customer Resource Management 
System
 CVE-2024-45403 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and 
HTTP/3. Wh ...)
- h2o  (bug #1084984)
+   [bookworm] - h2o  (Minor issue)
NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-4xp5-3jhc-3m92
NOTE: 
https://github.com/h2o/h2o/commit/16b13eee8ad7895b4fe3fcbcabee53bd52782562
NOTE: 
https://github.com/h2o/h2o/commit/1ed32b23f999acf0c5029f09c8525f93eb1d354c
@@ -211,6 +212,7 @@ CVE-2024-45402 (Picotls is a TLS protocol library that 
allows users select diffe
- picotls  (bug #925405)
 CVE-2024-45397 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and 
HTTP/3. Wh ...)
- h2o  (bug #1084984)
+   [bookworm] - h2o  (Minor issue)
NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-jf2c-xjcp-wg4c
NOTE: 
https://github.com/h2o/h2o/commit/15ed15a2efb83a77bb4baaa5a119e639c2f6898a
 CVE-2024-45396 (Quicly is an IETF QUIC protocol implementation. Quicly up to 
commtit d ...)
@@ -257,6 +259,7 @@ CVE-2024-33578 (A DLL hijack vulnerability was reported in 
Lenovo Leyun that cou
NOT-FOR-US: Lenovo
 CVE-2024-25622 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and 
HTTP/3. Th ...)
- h2o  (bug #1084984)
+   [bookworm] - h2o  (Minor issue)
NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-5m7v-cj65-h6pj
NOTE: https://github.com/h2o/h2o/issues/3332
NOTE: 
https://github.com/h2o/h2o/commit/123f5e2b65dcdba8f7ef659a00d24bd1249141be
@@ -670,6 +673,7 @@ CVE-2024-48957 (execute_filter_audio in 
archive_read_support_format_rar.c in lib
NOTE: 
https://github.com/libarchive/libarchive/commit/3006bc5d02ad3ae3c4f9274f60c1f9d2d834734b
 (v3.7.5)
 CVE-2024-48949 (The verify function in lib/elliptic/eddsa/index.js in the 
Elliptic pac ...)
- node-elliptic 6.5.7+dfsg-1
+   [bookworm] - node-elliptic  (Minor issue)
NOTE: 
https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281
 (v6.5.6)
 CVE-2024-48942 (The Syracom Secure Login (2FA) plugin for Jira, Confluence, 
and Bitbuc ...)
NOT-FOR-US: Jira plugin
@@ -686,6 +690,7 @@ CVE-2024-9680 (An attacker was able to achieve code 
execution in the content pro
NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/
 CVE-2024-9675 (A vulnerability was found in Buildah. Cache mounts do not 
properly val ...)
- golang-github-containers-buildah  (bug #1084980)
+   [bookworm] - golang-github-containers-buildah  (Minor issue)
[bullseye] - golang-github-containers-buildah  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2317458
 CVE-2024-9671 (A vulnerability was found in 3Scale. There is no auth mechanism 
to see ...)
@@ -892,6 +897,7 @@ CVE-2024-46307 (A loop hole in the payment logic of 
Sparkshop v1.16 allows attac
NOT-FOR-US: Sparkshop
 CVE-2024-46304 (A NULL pointer dereference in libcoap v4.3.5-rc2 and below 
allows a re ...)
- libcoap3  (bug #1084981)
+   [bookworm] - libcoap3  (Minor issue)
- libcoap2 
- libcoap 
NOTE: https://github.com/obgm/libcoap/issues/1509
@@ -1978,6 +1984,7 @@ CVE-2024-47765 (Minecraft MOTD Parser is a PHP library to 
parse minecraft server
NOT-FOR-US: Minecraft MOTD Parser
 CVE-2024-47764 (cookie is a basic HTTP cookie parser and serializer for HTTP 
servers.  ...)
- node-cookie 0.7.1+~0.6.0-1
+   [bookworm] - node-cookie  (Minor issue)
NOTE: 
https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x
NOTE: https://github.com/jshttp/cookie/pull/167
NOTE: 
https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c
 (v0.7.0)
@@ -1997,6 +2004,7 @@ CVE-2024-47651 (This vulnerability exists in Shilpi 
Client Dashboard due to impr
NOT-FOR-US: Shilpi Client Dashboard
 CVE-2024-47211 (In OpenStack Ironic before 21.4.4, 22.x and 23.x before 
23.0.3, 23.x a ...)
- ironic 1:26.1.0-1
+   [bookworm] - ironic  (Minor issue)
NOTE: https://security.openstack.org/ossa/OSSA-2024-004.html
 CVE-2024-47183 (Parse Server is an open source backend that can be deployed to 
any inf ...)
NOT-FOR-US: Parse Server
@@ -2411,6 +2419,7 @@ CVE-2024-20365 (A vulnerability in the Redfish API of 
Cisco UCS B-Series, Cisco
NOT-FOR-US: Cisco
 CVE-2024-9407 (A vulnerability exists in the bind-propagation option of the 
Dockerfil ...)

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-10-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff23c741 by Moritz Muehlenhoff at 2024-10-09T12:35:22+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -33,6 +33,7 @@ CVE-2024-47817 (Lara-zeus Dynamic Dashboard simple way to 
manage widgets for you
NOT-FOR-US: Lara-zeus Dynamic Dashboard
 CVE-2024-47814 (Vim is an open source, command line text editor. A 
use-after-free was  ...)
- vim  (bug #1084806)
+   [bookworm] - vim  (Minor issue)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg
NOTE: https://github.com/vim/vim/commit/51b62387be93c65fa56bbabe1c3 
(v9.1.0764)
 CVE-2024-47782 (WikiDiscover is an extension designed for use with a 
CreateWiki manage ...)
@@ -1511,6 +1512,7 @@ CVE-2024-46280 (PIX-LINK LV-WR22 RE3002-P1-01_V117.0 is 
vulnerable to Improper A
NOT-FOR-US: PIX-LINK
 CVE-2024-45993 (Giflib Project v5.2.2 is vulnerable to a heap buffer overflow 
via gif2 ...)
- giflib  (bug #1084058)
+   [bookworm] - giflib  (Minor issue)
NOTE: https://gitlab.com/mthandazo/project-pov
 CVE-2024-45920 (A Stored Cross-Site Scripting (XSS) vulnerability in Solvait 
24.4.2 al ...)
NOT-FOR-US: Solvait
@@ -1647,6 +1649,7 @@ CVE-2024-46453 (A cross-site scripting (XSS) 
vulnerability in the component /tes
NOT-FOR-US: iq3xcite
 CVE-2024-38796 (EDK2 contains a vulnerability in the 
PeCoffLoaderRelocateImage(). An A ...)
- edk2  (bug #1084055)
+   [bookworm] - edk2  (Minor issue)
NOTE: 
https://github.com/tianocore/edk2/security/advisories/GHSA-xpcr-7hjq-m6qm
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=1993
NOTE: https://github.com/tianocore/edk2/pull/6249
@@ -2235,6 +2238,7 @@ CVE-2024-47003 (Mattermost versions 9.11.x <= 9.11.0 and 
9.5.x <= 9.5.8 fail to
- mattermost-server  (bug #823556)
 CVE-2024-46632 (Assimp v5.4.3 is vulnerable to Buffer Overflow via the 
MD5Importer::Lo ...)
- assimp  (bug #1082857)
+   [bookworm] - assimp  (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/5771
 CVE-2024-46627 (Incorrect access control in BECN DATAGERRY v2.2 allows 
attackers to ex ...)
NOT-FOR-US: BECN DATAGERRY
@@ -5534,6 +5538,7 @@ CVE-2024-45591 (XWiki Platform is a generic wiki 
platform. The REST API exposes
NOT-FOR-US: XWiki
 CVE-2024-45590 (body-parser is Node.js body parsing middleware. body-parser 
<1.20.3 is ...)
- node-body-parser 1.20.3+~1.19.5-1 (bug #1081657)
+   [bookworm] - node-body-parser  (Minor issue)
NOTE: 
https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7
NOTE: 
https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce
 (1.20.3)
 CVE-2024-45412 (Yeti bridges the gap between CTI and DFIR practitioners by 
providing a ...)
@@ -136282,7 +136287,9 @@ CVE-2023-22925
RESERVED
 CVE-2023-22656 (Out-of-bounds read in Intel(R) Media SDK and some Intel(R) 
oneVPL soft ...)
- intel-mediasdk  (bug #1082866)
+   [bookworm] - intel-mediasdk  (Minor issue)
- onevpl  (bug #1082867)
+   [bookworm] - onevpl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
 CVE-2023-22433
RESERVED


=
data/DSA/list
=
@@ -19,7 +19,7 @@
{CVE-2024-7025 CVE-2024-9369 CVE-2024-9370}
[bookworm] - chromium 129.0.6668.89-1~deb12u1
 [02 Oct 2024] DSA-5780-1 php8.2 - security update
-   {CVE-2024-8925 CVE-2024-8926 CVE-2024-8927}
+   {CVE-2024-8925 CVE-2024-8926 CVE-2024-8927 CVE-2024-9026}
[bookworm] - php8.2 8.2.24-1~deb12u1
 [29 Sep 2024] DSA-5779-1 cups - security update
{CVE-2024-47175}
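Review bot: extending the CVE set of the already-published DSA-5780-1 record with CVE-2024-9026 changes what the tracker reports as fixed by that advisory; check that the CVE-2024-9026 entry in data/CVE/list records php8.2 8.2.24-1~deb12u1 as the bookworm fixed version (the `[bookworm] - php8.2 8.2.24-1~deb12u1` line here is unchanged), otherwise the DSA view and the CVE view of the tracker disagree for this package.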



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff23c741d367a2f3d0c745b5bdc28e964e75b19f



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca874b5c by Moritz Muehlenhoff at 2024-09-27T13:42:49+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -4,6 +4,7 @@ CVE-2024-9049 (The Beaver Builder \u2013 WordPress Page Builder 
plugin for WordP
NOT-FOR-US: WordPress plugin
 CVE-2024-9029 (A flaw was found in freeimage library. Processing a crafted 
image can  ...)
- freeimage 
+   [bookworm] - freeimage  (Minor issue)
NOTE: https://sourceforge.net/p/freeimage/bugs/351/
 CVE-2024-8991 (The OSM \u2013 OpenStreetMap plugin for WordPress is vulnerable 
to Sto ...)
NOT-FOR-US: WordPress plugin
@@ -290,6 +291,7 @@ CVE-2022-49037 (Insertion of sensitive information into log 
file vulnerability i
NOT-FOR-US: Synology
 CVE-2024-8805 [BlueZ HID over GATT Profile Improper Access Control Remote Code 
Execution Vulnerability]
- bluez 
+   [bookworm] - bluez  (Minor issue)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-24-1229/
NOTE: 
https://patchwork.kernel.org/project/bluetooth/patch/20240912204458.3037144-1-luiz.de...@gmail.com/
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=41f943630d9a03c40e95057b2ac3d96470b9c71e
@@ -914,6 +916,7 @@ CVE-2023-47480 (An issue in Pure Data 0.54-0 and fixed in 
0.54-1 allows a local
NOTE: 
https://github.com/pure-data/pure-data/commit/0b5e467b8728b3ed56e1a8ee5b367ce78e7e6e5d
 (0.54-1test1)
 CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and 
virtio-c ...)
- qemu  (bug #1082406)
+   [bookworm] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2313760
NOTE: 
https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c
 CVE-2024-45769 (A vulnerability was found in Performance Co-Pilot (PCP). This 
flaw all ...)
@@ -35139,7 +35142,9 @@ CVE-2023-45315 (Improper initialization in some 
Intel(R) Power Gadget software f
NOT-FOR-US: Intel
 CVE-2023-45221 (Improper buffer restrictions in Intel(R) Media SDK all 
versions may al ...)
- intel-mediasdk 
+   [bookworm] - intel-mediasdk  (Minor issue)
- onevpl 
+   [bookworm] - onevpl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
 CVE-2023-45217 (Improper access control in Intel(R) Power Gadget software for 
Windows  ...)
NOT-FOR-US: Intel


=
data/dsa-needed.txt
=
@@ -34,6 +34,8 @@ node-dompurify
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
+php8.2 (jmm)
+--
 python-aiohttp
 --
 python-reportlab



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca874b5c73ffe4673ab37243ec02bdd27ae13745



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35d88ae3 by Moritz Muehlenhoff at 2024-09-25T22:48:29+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -34707,17 +34707,23 @@ CVE-2023-49614 (Out of bounds write in firmware for 
some Intel(R) FPGA products
NOT-FOR-US: Intel
 CVE-2023-48727 (NULL pointer dereference in some Intel(R) oneVPL software 
before versi ...)
- intel-mediasdk 
+   [bookworm] - intel-mediasdk  (Minor issue)
- onevpl 
+   [bookworm] - onevpl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
 CVE-2023-48368 (Improper input validation in Intel(R) Media SDK software all 
versions  ...)
- intel-mediasdk 
+   [bookworm] - intel-mediasdk  (Minor issue)
- onevpl 
+   [bookworm] - onevpl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
 CVE-2023-47859 (Improper access control for some Intel(R) Wireless Bluetooth 
products  ...)
NOT-FOR-US: Intel
 CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and 
some Intel( ...)
- intel-mediasdk 
+   [bookworm] - intel-mediasdk  (Minor issue)
- onevpl 
+   [bookworm] - onevpl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
 CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless 
WiFi softw ...)
- firmware-nonfree 20240610-1
@@ -34726,7 +34732,9 @@ CVE-2023-47210 (Improper input validation for some 
Intel(R) PROSet/Wireless WiFi
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
 CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software 
all versio ...)
- intel-mediasdk 
+   [bookworm] - intel-mediasdk  (Minor issue)
- onevpl 
+   [bookworm] - onevpl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00935.html
 CVE-2023-47165 (Improper conditions check in the Intel(R) Data Center GPU Max 
Series 1 ...)
NOT-FOR-US: Intel


=
data/dsa-needed.txt
=
@@ -14,7 +14,7 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 activemq
 --
-booth
+booth (jmm)
   Adrian Bunk proposed an debdiff for review, cf. #1082674
 --
 chromium (dilinger)
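Review bot: style point in the context line directly under the new `booth (jmm)` claim: "Adrian Bunk proposed an debdiff for review" should read "proposed a debdiff"; since this entry is being touched anyway, it is a cheap fix to fold in.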
@@ -22,8 +22,6 @@ chromium (dilinger)
 frr
   coordination with the maintainer ongoing
 --
-libreoffice (jmm)
---
 libreswan
   Waiting on feedback from maintainer
 --
@@ -44,8 +42,6 @@ python-reportlab
 --
 ring
 --
-setuptools
---
 smarty3
 --
 smarty4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35d88ae3fb989bcb4342280a55605eef8bfc6509



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-25 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2ef6c0b by Moritz Muehlenhoff at 2024-09-25T09:21:46+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -173,6 +173,7 @@ CVE-2024-47069 (Oveleon Cookie Bar is a cookie bar is for 
the Contao Open Source
NOT-FOR-US: Contao CMS
 CVE-2024-47068 (Rollup is a module bundler for JavaScript. Versions prior to 
3.29.5 an ...)
- node-rollup  (bug #1082712)
+   [bookworm] - node-rollup  (Minor issue)
NOTE: 
https://github.com/rollup/rollup/security/advisories/GHSA-gcx4-mw62-g8wm
NOTE: 
https://github.com/rollup/rollup/commit/2ef77c00ec2635d42697cff2c0567ccc8db34fb4
 (v3.29.5)
NOTE: 
https://github.com/rollup/rollup/commit/e2552c9e955e0a61f70f508200ee9f752f85a541
 (v4.22.4)
@@ -390,6 +391,7 @@ CVE-2024-37879 (Improper input validation in 
/admin/config/save in User-friendly
NOT-FOR-US: User-friendly SVN (USVN)
 CVE-2023-47480 (An issue in Pure Data 0.54-0 and fixed in 0.54-1 allows a 
local attack ...)
- puredata 0.54.1+ds-1
+   [bookworm] - puredata  (Minor issue)
NOTE: https://github.com/pure-data/pure-data/issues/2063
NOTE: 
https://github.com/pure-data/pure-data/commit/0b5e467b8728b3ed56e1a8ee5b367ce78e7e6e5d
 (0.54-1test1)
 CVE-2024-8612 (A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and 
virtio-c ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2ef6c0b0cc38a06e751eb352d7db2e42f9cd290



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8af8242 by Moritz Muehlenhoff at 2024-09-20T17:18:06+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -39,6 +39,7 @@ CVE-2024-8375 (There exists a use after free vulnerability in 
Reverb.Reverb supp
NOT-FOR-US: Google Reverb
 CVE-2024-8354 (A flaw was found in QEMU. An assertion failure was present in 
the usb_ ...)
- qemu  (bug #1082377)
+   [bookworm] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2313497
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2548
 CVE-2024-7785 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
@@ -83,6 +84,7 @@ CVE-2024-45806 (Envoy is a cloud-native high-performance 
edge/middle/service pro
- envoyproxy  (bug #987544)
 CVE-2024-45752 (logiops through 0.3.4, in its default configuration, allows 
any unpriv ...)
- logiops  (bug #1082378)
+   [bookworm] - logiops  (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1226598
 CVE-2024-45614 (Puma is a Ruby/Rack web server built for parallelism. In 
affected vers ...)
- puma  (bug #1082379)
@@ -104,6 +106,7 @@ CVE-2024-33109 (Directory Traversal in the web interface of 
the Tiptel IP 286 wi
NOT-FOR-US: Tiptel
 CVE-2024-31570 (libfreeimage in FreeImage 3.4.0 through 3.18.0 has a 
stack-based buffe ...)
- freeimage  (bug #1082380)
+   [bookworm] - freeimage  (Minor issue#)
NOTE: https://sourceforge.net/p/freeimage/bugs/355/
NOTE: https://www.openwall.com/lists/oss-security/2024/04/11/10
 CVE-2024-25673 (Couchbase Server 7.6.x before 7.6.2, 7.2.x before 7.2.6, and 
all earli ...)
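Review bot: the added bookworm annotation for freeimage under CVE-2024-31570 carries a stray `#` in `(Minor issue#)`; it should read `(Minor issue)` like every other `[bookworm]` line in this commit, otherwise the free-text reason shows up with the typo in the tracker's package view.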
@@ -124,6 +127,7 @@ CVE-2024-8364 (The WP Custom Fields Search plugin for 
WordPress is vulnerable to
NOT-FOR-US: WordPress plugin
 CVE-2024-7254 (Any project that parses untrusted Protocol Buffers 
datacontaining an a ...)
- protobuf  (bug #1082381)
+   [bookworm] - protobuf  (Minor issue)
NOTE: 
https://github.com/protocolbuffers/protobuf/commit/cc8b3483a5584b3301e3d43d17eb59704857ffaa
 CVE-2024-47089 (This vulnerability exists in the Apex Softcell LD Geo due to 
improper  ...)
NOT-FOR-US: Apex Softcell LD Geo
@@ -291,6 +295,7 @@ CVE-2024-45813 (find-my-way is a fast, open source HTTP 
router, internally using
NOT-FOR-US: find-my-way
 CVE-2024-45679 (Heap-based buffer overflow vulnerability in Assimp versions 
prior to 5 ...)
- assimp 5.4.0+ds-1
+   [bookworm] - assimp  (Minor issue)
NOTE: https://github.com/assimp/assimp/pull/5310
NOTE: 
https://github.com/assimp/assimp/commit/e4e2c63e0c2c449cd69fb9a3269e865eb83c241d
 (v5.4.0)
 CVE-2024-45601 (Mesop is a Python-based UI framework designed for rapid web 
apps devel ...)
@@ -400,8 +405,10 @@ CVE-2024-36981 (An out-of-bounds read vulnerability exists 
in the OpenPLC Runtim
 CVE-2024-36980 (An out-of-bounds read vulnerability exists in the OpenPLC 
Runtime Ethe ...)
NOT-FOR-US: OpenPLC
 CVE-2024-35515 (Insecure deserialization in sqlitedict up to v2.1.0 allows 
attackers t ...)
-   - sqlitedict 
+   - sqlitedict  (unimportant)
NOTE: https://wha13.github.io/2024/06/13/mfcve/
+   NOTE: https://github.com/piskvorky/sqlitedict/issues/174
+   NOTE: Not considered a security issue by upstream
 CVE-2024-34399 (**UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC 
Remedy Mi ...)
NOT-FOR-US: BMC Remedy Mid Tier
 CVE-2024-34057 (Triangle Microworks TMW IEC 61850 Client source code libraries 
before  ...)
@@ -4558,6 +4565,7 @@ CVE-2024-34577 (Cross-site scripting vulnerability exists 
in WRC-X3000GS2-B, WRC
NOT-FOR-US: WRC-X3000GS2-B, WRC-X3000GS2-W, and WRC-X3000GS2A-B
 CVE-2024-2881 (Fault Injection vulnerability inwc_ed25519_sign_msg function in 
wolfss ...)
- wolfssl 5.7.0-0.3
+   [bookworm] - wolfssl  (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable
 CVE-2024-2694 (The Betheme theme for WordPress is vulnerable to PHP Object 
Injection  ...)
NOT-FOR-US: WordPress theme
@@ -5114,6 +5122,7 @@ CVE-2024-36068 (An incorrect access control vulnerability 
in Rubrik CDM versions
NOT-FOR-US: Rubrik CDM
 CVE-2024-1544 (Generating the ECDSA nonce k samples a random number r and then 
 trunc ...)
- wolfssl  (bug #1081789)
+   [bookworm] - wolfssl  (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7020
 CVE-2024-8046 (The Logo Showcase Ultimate \u2013 Logo Carousel, Logo Slider & 
Logo Gr ...)


=
data/dsa-needed.txt
=
@@ -50,6 +50,8 @@ smarty3

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-18 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a08776e7 by Moritz Muehlenhoff at 2024-09-18T10:46:52+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -438,6 +438,7 @@ CVE-2024-8421
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309710#c7
 CVE-2024- [RUSTSEC-2023-0086]
- rust-lexical-core  (bug #1082053)
+   [bookworm] - rust-lexical-core  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0086.html
NOTE: https://github.com/Alexhuszagh/rust-lexical/issues/102
NOTE: https://github.com/Alexhuszagh/rust-lexical/issues/101
@@ -1922,6 +1923,7 @@ CVE-2024-43800 (serve-static serves static files. 
serve-static passes untrusted
NOTE: 
https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa
 (2.1.0)
 CVE-2024-43799 (Send is a library for streaming files from the file system as 
a http r ...)
- node-send  (bug #1081483)
+   [bookworm] - node-send  (Minor issue)
NOTE: 
https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
NOTE: 
https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35
 (0.19.0)
 CVE-2024-43796 (Express.js minimalist web framework for node. In express < 
4.20.0, pas ...)
@@ -76072,19 +76074,18 @@ CVE-2023-49465 (Libde265 v1.0.14 was discovered to 
contain a heap-buffer-overflo
NOTE: Fixed by: 
https://github.com/strukturag/libde265/commit/1475c7d2f0a6dc35c27e18abc4db9679bfd32568
 (v1.0.15)
 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
- libheif 1.17.6-1 (bug #1059151)
-   [bookworm] - libheif  (Minor issue)
-   [bullseye] - libheif  (Minor issue)
+   [bookworm] - libheif  (Vulnerable code not present)
+   [bullseye] - libheif  (Vulnerable code not present)
[buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1044
NOTE: https://github.com/strukturag/libheif/pull/1049
NOTE: 
https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287
 (v1.17.6)
 CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
-   - libheif 1.17.6-1 (bug #1059151)
-   [bookworm] - libheif  (Minor issue)
-   [bullseye] - libheif  (Minor issue)
+   - libheif 1.17.6-1 (bug #1059151; unimportant)
[buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1042
NOTE: 
https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf
 (v1.17.6)
+   NOTE: Crash in CLI tool, no security impact (only affects example tool 
shipped in libheif-examples)
 CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
- libheif 1.17.6-1 (bug #1059151)
[bookworm] - libheif  (Minor issue)
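Review bot: the rationales in this hunk diverge without a NOTE to tie them together. CVE-2023-49464 (and CVE-2023-49460 in the following hunk) switch bookworm and bullseye from "Minor issue" to "Vulnerable code not present", while CVE-2023-49463 is instead tagged "unimportant" on the unstable line with the NOTE "Crash in CLI tool, no security impact (only affects example tool shipped in libheif-examples)". Only 49463 explains itself; a one-line NOTE on 49464 stating why the vulnerable code is absent in bookworm/bullseye would let the next triager verify the change without re-reading upstream issue #1044. Minor: once 49463 is unimportant for all suites, the surviving "[buster] - libheif  (Vulnerable code not present)" line is redundant but harmless.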
@@ -76094,8 +76095,8 @@ CVE-2023-49462 (libheif v1.17.5 was discovered to 
contain a segmentation violati
NOTE: 
https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969
 (v1.17.6)
 CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation 
violation via ...)
- libheif 1.17.6-1 (bug #1059151)
-   [bookworm] - libheif  (Minor issue)
-   [bullseye] - libheif  (Minor issue)
+   [bookworm] - libheif  (Vulnerable code not present)
+   [bullseye] - libheif  (Vulnerable code not present)
[buster] - libheif  (Vulnerable code not present)
NOTE: https://github.com/strukturag/libheif/issues/1046
NOTE: 
https://github.com/strukturag/libheif/commit/fd5b02aca3e29088bf0a1fc400bd661be4a6ed76
 (v1.17.6)


=
data/dsa-needed.txt
=
@@ -33,6 +33,8 @@ linux (carnil)
 --
 nodejs (aron)
 --
+node-dompurify
+--
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a08776e77cff56224fc28f5a9f12bdc4d7fa1abe

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3213b35b by Moritz Muehlenhoff at 2024-09-15T12:21:29+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -40,6 +40,7 @@ CVE-2024-8797 (The WP Booking System \u2013 Booking Calendar 
plugin for WordPres
NOT-FOR-US: WordPress plugin
 CVE-2024-8775 (A flaw was found in Ansible, where sensitive information stored 
in Ans ...)
- ansible-core 
+   [bookworm] - ansible-core  (Minor issue)
- ansible 5.4.0-1
NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in 
experimental/5.4.0-1 in sid
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2312119
@@ -1468,9 +1469,11 @@ CVE-2024-8601 (This vulnerability exists in TechExcel 
Back Office Software versi
NOT-FOR-US: TechExcel Back Office Software
 CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in 

+   [bookworm] - angular.js  (Minor issue)
NOTE: 
https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b
 CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute 
in Angu ...)
- angular.js 
+   [bookworm] - angular.js  (Minor issue)
NOTE: 
https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017
 CVE-2024-8042 (Rapid7 Insight Platform versions between November 2019 and 
August 14,  ...)
NOT-FOR-US: Rapid7 Insight Platform
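Review bot: in the CVE-2024-8373 part of this hunk the unstable source line is missing: "[bookworm] - angular.js  (Minor issue)" is added directly after the truncated CVE description with only a blank line in between, whereas the sibling entry CVE-2024-8372 shows "- angular.js " before its new [bookworm] line. If the committed file really lacks the "- angular.js " line for CVE-2024-8373, the entry is malformed (a release tag without a preceding source package line); if only the mail rendering dropped it, nothing to do.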
@@ -3702,11 +3705,13 @@ CVE-2024-5991 (In function MatchDomainName(), input 
param str is treated as a NU
NOTE: https://github.com/wolfSSL/wolfssl/pull/7604
 CVE-2024-5814 (A malicious TLS1.2 server can force a TLS1.3 client with 
downgrade cap ...)
- wolfssl  (bug #1081791)
+   [bookworm] - wolfssl  (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7619
NOTE: https://tches.iacr.org/index.php/TCHES/article/view/11259
 CVE-2024-5288 (An issue was discovered in wolfSSL before 5.7.0. A safe-error 
attack v ...)
- wolfssl  (bug #1081790)
+   [bookworm] - wolfssl  (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7416
 CVE-2024-4872 (The product does not validate any query towards persistent 
data, resul ...)
@@ -14259,6 +14264,7 @@ CVE-2024-6540 (Improper filtering of fields when using 
the export function in th
 CVE-2024-6345 (A vulnerability in the package_index module of pypa/setuptools 
version ...)
{DLA-3876-1}
- setuptools 70.3.0-2
+   [bookworm] - setuptools  (Minor issue)
NOTE: https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
NOTE: Fixed by merge: 
https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0
 (v70.0.0)
 CVE-2024-6289 (The WPS Hide Login WordPress plugin before 1.9.16.4 does not 
prevent r ...)


=
data/dsa-needed.txt
=
@@ -35,7 +35,7 @@ nodejs (aron)
 opennds
   pinged maintainer, but no reply yet. should most probably be bumped to 10.x
 --
-php-twig
+php-twig (jmm)
   Maintainer prepared an update and is acked for upload
 --
 python-aiohttp
@@ -44,6 +44,8 @@ python-reportlab
 --
 ring
 --
+ruby-saml
+--
 setuptools
 --
 smarty3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3213b35b1caf88cc040af84acd3d3ed8b1194572



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c2b7b239 by Moritz Muehlenhoff at 2024-09-13T21:41:43+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -851,6 +851,7 @@ CVE-2024-44087 (A vulnerability has been identified in 
Automation License Manage
NOT-FOR-US: Siemens
 CVE-2024-43800 (serve-static serves static files. serve-static passes 
untrusted user i ...)
- node-serve-static  (bug #1081482)
+   [bookworm] - node-serve-static  (Minor issue)
NOTE: 
https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p
NOTE: 
https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b
 (1.16.0)
NOTE: 
https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa
 (2.1.0)
@@ -860,6 +861,7 @@ CVE-2024-43799 (Send is a library for streaming files from 
the file system as a
NOTE: 
https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35
 (0.19.0)
 CVE-2024-43796 (Express.js minimalist web framework for node. In express < 
4.20.0, pas ...)
- node-express  (bug #1081481)
+   [bookworm] - node-express  (Minor issue)
NOTE: 
https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
NOTE: 
https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
 (4.20.0)
 CVE-2024-43781 (A vulnerability has been identified in SINUMERIK 828D V4 (All 
versions ...)
@@ -1265,6 +1267,7 @@ CVE-2024-45406 (Craft is a content management system 
(CMS). Craft CMS 5 stored X
NOT-FOR-US: Craft CMS
 CVE-2024-45296 (path-to-regexp turns path strings into a regular expressions. 
In certa ...)
- node-path-to-regexp  (bug #1081656)
+   [bookworm] - node-path-to-regexp  (Minor issue)
NOTE: 
https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
NOTE: 
https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
 (v8.0.0)
 CVE-2024-45041 (External Secrets Operator is a Kubernetes operator that 
integrates ext ...)
@@ -2480,6 +2483,7 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability 
affecting CPython.
- python3.13 3.13.0~rc2-1
- python3.12 3.12.6-1
- python3.11 
+   [bookworm] - python3.11  (Minor issue)
- python3.9 
- python2.7 
[bullseye] - python2.7  (Unsupported in Bullseye, only 
included to build a few applications)
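Review bot: python3.11 has been on data/dsa-needed.txt since commit 2adf6964 (2024-08-26, claimed by jmm; see further down this page). If that DSA is still being prepared, tagging CVE-2024-6232 "Minor issue" for bookworm means it is deliberately left out of that update; that may well be the intent, but a NOTE saying so (or folding the fix into the pending update) would save the next triager from re-evaluating the entry.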
@@ -3450,6 +3454,7 @@ CVE-2024-6632 (A vulnerability exists in FileCatalyst 
Workflow whereby a field a
NOT-FOR-US: FileCatalyst Workflow
 CVE-2024-5991 (In function MatchDomainName(), input param str is treated as a 
NULL te ...)
- wolfssl 
+   [bookworm] - wolfssl  (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable
NOTE: https://github.com/wolfSSL/wolfssl/pull/7604
 CVE-2024-5814 (A malicious TLS1.2 server can force a TLS1.3 client with 
downgrade cap ...)
@@ -48076,7 +48081,8 @@ CVE-2024-3221 (A vulnerability classified as critical 
was found in SourceCodeste
 CVE-2024-3218 (A vulnerability classified as critical has been found in 
Shibang Commu ...)
NOT-FOR-US: Shibang Communications IP Network Intercom Broadcasting 
System
 CVE-2024-3209 (A vulnerability was found in UPX up to 4.2.2. It has been rated 
as cri ...)
-   - upx-ucl 4.2.4-1
+   - upx-ucl 4.2.4-1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://github.com/upx/upx/issues/841
 CVE-2024-3207 (A vulnerability was found in ermig1979 Simd up to 6.0.134. It 
has been ...)
NOT-FOR-US: ermig1979 Simd


=
data/dsa-needed.txt
=
@@ -49,5 +49,7 @@ smarty4
 --
 twisted (jmm)
 --
+xen
+--
 zabbix
 --
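Review bot: xen is re-added here without a status line, two days after commit 52b60e84 (2024-09-11, further down this page) removed it together with its comment "Might not be needed as maintainer did aim to have the version included in the upcoming point release". A one-line status under the entry stating why it is back on the list would keep dsa-needed.txt self-explanatory, as the opennds and php-twig entries in the neighbouring hunks do.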



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2b7b23945a0aa1e9b9f134831e3c0c33eb5878e



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-11 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52b60e84 by Moritz Muehlenhoff at 2024-09-11T09:22:10+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -919,6 +919,7 @@ CVE-2024-6792 (The WP ULike  WordPress plugin before 
4.7.2.1 does not properly s
NOT-FOR-US: WordPress plugin
 CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to 
achieve ent ...)
- tgt  (bug #1081158)
+   [bookworm] - tgt  (Minor issue)
NOTE: https://github.com/fujita/tgt/pull/67
NOTE: 
https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd 
(v1.0.93)
NOTE: https://www.openwall.com/lists/oss-security/2024/09/07/2
@@ -1017,6 +1018,7 @@ CVE-2024-45158 (An issue was discovered in Mbed TLS 3.6 
before 3.6.1. A stack bu
NOTE: 
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-2/
 CVE-2024-45157 (An issue was discovered in Mbed TLS before 2.28.9 and 3.x 
before 3.6.1 ...)
- mbedtls 
+   [bookworm] - mbedtls  (Minor issue)
NOTE: 
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/
 CVE-2024-45107 (Acrobat Reader versions 20.005.30636, 24.002.20964, 
24.001.30123, 24.0 ...)
NOT-FOR-US: Adobe


=
data/dsa-needed.txt
=
@@ -11,13 +11,15 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+activemq
 --
 chromium (dilinger)
 --
 dnsmasq
   Lee Garrett showed interest to prepare an update for review
 --
-expat
+expat (jmm)
   Maintainer proposed debdiffs for review
 --
 frr
@@ -51,10 +53,7 @@ smarty3
 --
 smarty4
 --
-twisted
---
-xen
-  Might not be needed as maintainer did aim to have the version included in 
the upcoming point release
+twisted (jmm)
 --
 zabbix
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52b60e84e7ef13f7193fde87b7842d770e03bec6



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
34dc22b8 by Moritz Muehlenhoff at 2024-09-06T13:44:32+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,6 +3,7 @@ CVE-2024-34158
- golang-1.22 
- golang-1.21 
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc
NOTE: https://go.dev/issue/69141
@@ -11,6 +12,7 @@ CVE-2024-34156
- golang-1.22 
- golang-1.21 
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc
NOTE: https://go.dev/issue/69139
@@ -19,6 +21,7 @@ CVE-2024-34155
- golang-1.22 
- golang-1.21 
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc
NOTE: https://go.dev/issue/69138
@@ -212,6 +215,7 @@ CVE-2024-20505 (A vulnerability in the PDF parsing module 
of Clam AntiVirus (Cla
NOTE: 
https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
 CVE-2024-8418 (A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. 
They cont ...)
- aardvark-dns 1.12.2-1 (bug #1080964)
+   [bookworm] - aardvark-dns  (Minor issue)
NOTE: https://github.com/containers/aardvark-dns/issues/500
NOTE: https://github.com/containers/aardvark-dns/pull/503
NOTE: 
https://github.com/containers/aardvark-dns/commit/6d76c50978755b8162d176ec7eea0e09f8d57a42
@@ -833,10 +837,12 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability 
affecting CPython.
NOTE: 
https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
 (3.10-branch)
 CVE-2024-45231
- python-django 3:4.2.16-1
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/sep/03/security-releases/
NOTE: 
https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199
 (4.2.16)
 CVE-2024-45230
- python-django 3:4.2.16-1
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/sep/03/security-releases/
NOTE: 
https://github.com/django/django/commit/d147a8ebbdf28c17cafbbe2884f0bc57e2bf82e2
 (4.2.16)
 CVE-2024-45506 (HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x 
through 3.1 ...)
@@ -1028,6 +1034,7 @@ CVE-2024-45509 (In MISP through 2.4.196, 
app/Controller/BookmarksController.php
NOT-FOR-US: MISP
 CVE-2024-45508 (HTMLDOC before 1.9.19 has an out-of-bounds write in 
parse_paragraph in ...)
- htmldoc 
+   [bookworm] - htmldoc  (Minor issue)
NOTE: https://github.com/michaelrsweet/htmldoc/issues/528
NOTE: 
https://github.com/michaelrsweet/htmldoc/commit/2d5b2ab9ddbf2aee2209010cebc11efdd1cab6e2
 CVE-2024-45270 (WordPress plugin "Carousel Slider" provided by Sayful Islam 
contains a ...)
@@ -1289,9 +1296,11 @@ CVE-2024-2502 (An application can be configured to block 
boot attempts after con
NOT-FOR-US: Silabs
 CVE-2024-1545 (Fault Injection vulnerability in RsaPrivateDecryption function 
in wolf ...)
- wolfssl 5.7.0-0.3
+   [bookworm] - wolfssl  (Minor issue)
NOTE: https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable
 CVE-2024-1543 (The side-channel protected T-Table implementation in wolfSSL up 
to ver ...)
- wolfssl 5.6.6-1.2
+   [bookworm] - wolfssl  (Minor issue)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-566-dec-19-2023
NOTE: https://github.com/wolfSSL/wolfssl/pull/6854
 CVE-2024-8285 (A flaw was found in Kroxylicious. When establishing the 
connection wit ...)
@@ -1841,6 +1850,7 @@ CVE-2024-6688 (The Oxygen Builder plugin for WordPress is 
vulnerable to unauthor
NOT-FOR-US: WordPress plugin
 CVE-2024-45321 (The App::cpanminus package through 1.7047 for Perl downloads 
code via  ...)
- cpanminus 
+   [bookworm] - cpanminus  (Minor issue)
NOTE: 
https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html
NOTE: https://github.com/miyagawa/cpanminus/issues/611
NOTE: https://github.com/miyagawa/cpanminus/pull/674
@@ -2080,6 +2090,7 @@ CVE-2024-28077 (A denial-of-service issue was discovered 
on certain GL-iNet devi
NOT-FOR-US: GL-iNet devices
 CVE-2023-49582 (Lax permissions set by the Apache Portable Runtime library on 
Unix pla ...)
- apr  (bug #1080375)
+   [bookworm] - apr  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/08/26/1
NOTE: https://lists.apache.org/thread/h5f1c2dqm8b

[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9fa9faca by Moritz Muehlenhoff at 2024-09-03T17:15:53+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24,24 +24,31 @@ CVE-2024-37136 (Dell Path to PowerProtect, versions 1.1, 
1.2, contains an Exposu
NOT-FOR-US: Dell
 CVE-2024-45620
- opensc 
+   [bookworm] - opensc  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309289
 CVE-2024-45619
- opensc 
+   [bookworm] - opensc  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309288
 CVE-2024-45618
- opensc 
+   [bookworm] - opensc  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309287
 CVE-2024-45617
- opensc 
+   [bookworm] - opensc  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309286
 CVE-2024-45616
- opensc 
+   [bookworm] - opensc  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309290
 CVE-2024-45615
- opensc 
+   [bookworm] - opensc  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2309285
 CVE-2024-45310
- runc 
+   [bookworm] - runc  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/09/03/1
NOTE: 
https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv
 CVE-2024-8004 (A stored Cross-site Scripting (XSS) vulnerability affecting 
ENOVIA Col ...)
@@ -437,6 +444,7 @@ CVE-2024-8285 (A flaw was found in Kroxylicious. When 
establishing the connectio
NOT-FOR-US: kroxylicious
 CVE-2024-42934
- openipmi 
+   [bookworm] - openipmi  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2308375
 CVE-2024-8304 (A vulnerability has been found in jpress up to 5.1.1 and 
classified as ...)
NOT-FOR-US: jpress
@@ -1155,6 +1163,7 @@ CVE-2024-43966 (Improper Neutralization of Special 
Elements used in an SQL Comma
NOT-FOR-US: WordPress plugin
 CVE-2024-43806 (Rustix is a set of safe Rust bindings to POSIX-ish APIs. When 
using `r ...)
- rust-rustix 0.38.21-1
+   [bookworm] - rust-rustix  (Minor issue)
NOTE: 
https://github.com/bytecodealliance/rustix/security/advisories/GHSA-c827-hfw6-qwvm
 CVE-2024-43802 (Vim is an improved version of the unix vi text editor. When 
flushing t ...)
- vim 2:9.1.0698-1
@@ -1572,6 +1581,7 @@ CVE-2024-42364 (Homepage is a highly customizable 
homepage with Docker and servi
NOT-FOR-US: gethomepage/homepage
 CVE-2024-42040 (Buffer Overflow vulnerability in the net/bootp.c in DENEX 
U-Boot from  ...)
- u-boot 
+   [bookworm] - u-boot  (Minor issue)
NOTE: https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt
 CVE-2024-41878 (Adobe Experience Manager versions 6.5.19 and earlier are 
affected by a ...)
NOT-FOR-US: Adobe
@@ -20950,6 +20960,7 @@ CVE-2024-37569 (An issue was discovered on Mitel 6869i 
through 4.5.0.41 and 5.x
NOT-FOR-US: Mitel
 CVE-2024-37568 (lepture Authlib before 1.3.1 has algorithm confusion with 
asymmetric p ...)
- python-authlib 1.3.1-1
+   [bookworm] - python-authlib  (Minor issue)
NOTE: https://github.com/lepture/authlib/issues/654
NOTE: 
https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1
 (v1.3.1)
 CVE-2024-35748 (Missing Authorization vulnerability in OPMC WooCommerce 
Dropshipping.T ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fa9facaec71df343fc0d154683386f4df814fcb



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-09-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
acc83b25 by Moritz Muehlenhoff at 2024-09-01T17:53:56+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10,12 +10,15 @@ CVE-2024-7717 (The WP Events Manager plugin for WordPress 
is vulnerable to time-
NOT-FOR-US: WordPress plugin
 CVE-2024-0111 (NVIDIA CUDA Toolkit contains a vulnerability in command 
'cuobjdump' wh ...)
- nvidia-cuda-toolkit 
+   [bookworm] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564
 CVE-2024-0110 (NVIDIA CUDA Toolkit contains a vulnerability in command 
`cuobjdump` wh ...)
- nvidia-cuda-toolkit 
+   [bookworm] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564
 CVE-2024-0109 (NVIDIA CUDA Toolkit contains a vulnerability in command 
`cuobjdump` wh ...)
- nvidia-cuda-toolkit 
+   [bookworm] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5564
 CVE-2024-44946 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
- linux 6.10.7-1
@@ -432,6 +435,7 @@ CVE-2021-4442 (In the Linux kernel, the following 
vulnerability has been resolve
NOTE: 
https://git.kernel.org/linus/8811f4a9836e31c14ecdf79d9f3cb7c5d463265d (5.12-rc3)
 CVE-2024-8250 (NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 
to 4.0.1 ...)
- wireshark 
+   [bookworm] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-11.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19943
 CVE-2024-8198 (Heap buffer overflow in Skia in Google Chrome prior to 
128.0.6613.113  ...)
@@ -716,6 +720,7 @@ CVE-2024-44340 (D-Link DIR-846W A1 FW100A43 was discovered 
to contain a remote c
 CVE-2024-43788 (Webpack is a module bundler. Its main purpose is to bundle 
JavaScript  ...)
[experimental] - node-webpack 5.94.0+dfsg1+~cs11.18.26-1
- node-webpack 
+   [bookworm] - node-webpack  (Minor issue)
NOTE: 
https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
NOTE: Fixed by: 
https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61
 (v5.94.0)
 CVE-2024-43783 (The Apollo Router Core is a configurable, high-performance 
graph route ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acc83b2568010adc0ec7b83d99f7190f693711db



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e8480ffa by Moritz Muehlenhoff at 2024-08-27T08:52:19+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -104,6 +104,7 @@ CVE-2024-43806 (Rustix is a set of safe Rust bindings to 
POSIX-ish APIs. When us
TODO: check
 CVE-2024-43802 (Vim is an improved version of the unix vi text editor. When 
flushing t ...)
- vim 
+   [bookworm] - vim  (Minor issue)
NOTE: https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh
NOTE: 
https://github.com/vim/vim/commit/322ba9108612bead5eb7731ccb66763dec69ef1b 
(v9.1.0697)
 CVE-2024-43444 (Passwords of agents and customers are displayed in plain text 
in the O ...)
@@ -13344,7 +13345,7 @@ CVE-2024-29506 (Artifex Ghostscript before 10.03.0 has 
a stack-based buffer over
 CVE-2023-52169 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 
7zz) conta ...)
- 7zip 24.05+dfsg-1 (unimportant)
NOTE: Crash in CLI tool, no security impact
-   - p7zip 16.02+transitional.1
+   - p7zip 16.02+transitional.1 (unimportant)
NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/
NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/10
@@ -13354,6 +13355,7 @@ CVE-2023-52168 (The NtfsHandler.cpp NTFS handler in 
7-Zip before 24.01 (for 7zz)
- 7zip 24.05+dfsg-1
[bookworm] - 7zip  (Minor issue)
- p7zip 16.02+transitional.1
+   [bookworm] - p7zip  (Minor issue)
NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/
NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
NOTE: https://www.openwall.com/lists/oss-security/2024/07/03/10



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8480ffaf10e92e82094f61d9dc0836ab4e85ab2



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-26 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2adf6964 by Moritz Muehlenhoff at 2024-08-26T10:11:32+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -168,6 +168,7 @@ CVE-2024-42852 (Cross Site Scripting vulnerability in 
AcuToWeb server v.10.5.0.7
NOT-FOR-US: AcuToWeb server
 CVE-2024-42845 (An eval Injection vulnerability in the component 
invesalius/reader/dic ...)
- invesalius 
+   [bookworm] - invesalius  (Minor issue)
NOTE: 
https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845
 CVE-2024-42766 (Kashipara Bus Ticket Reservation System v1.0 0 is vulnerable 
to Incorr ...)
NOT-FOR-US: Kashipara Bus Ticket Reservation System
@@ -780,6 +781,7 @@ CVE-2024-43410 (Russh is a Rust SSH client & server 
library. Allocating an untru
NOT-FOR-US: Russh
 CVE-2024-43407 (CKEditor4 is an open source what-you-see-is-what-you-get HTML 
editor.  ...)
- ckeditor 
+   [bookworm] - ckeditor  (Minor issue)
[bullseye] - ckeditor  (Minor issue)
NOTE: 
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7r32-vfj5-c2jv
NOTE: Fixed by removing the plugins/codesnippetgeshi/dev directory 
completely.
@@ -32112,6 +32114,7 @@ CVE-2024-34467 (ThinkPHP 8.0.3 allows remote attackers 
to exploit XSS due to ina
NOT-FOR-US: ThinkPHP
 CVE-2024-34462 (Alinto SOGo through 5.10.0 allows XSS during attachment 
preview.)
- sogo 5.11.0-1 (bug #1071163)
+   [bookworm] - sogo  (Minor issue)
[buster] - sogo  (Minor issue)
NOTE: 
https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920 
(SOGo-5.11.0)
 CVE-2023-52729 (TCPServer.cpp in SimpleNetwork through 29bc615 has an 
off-by-one error ...)
@@ -63352,6 +63355,7 @@ CVE-2023-49106 (Missing Password Field Masking 
vulnerability in Hitachi Device M
NOT-FOR-US: Hitachi
 CVE-2023-48104 (Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.)
- sogo 5.9.1-1 (bug #1060925)
+   [bookworm] - sogo  (Minor issue)
[buster] - sogo  (Minor issue)
NOTE: Fixed by: 
https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 
(SOGo-5.9.1)
 CVE-2023-47460 (SQL injection vulnerability in Knovos Discovery v.22.67.0 
allows a rem ...)


=
data/dsa-needed.txt
=
@@ -38,6 +38,8 @@ opennds
 --
 pymatgen
 --
+python3.11 (jmm)
+--
 python-aiohttp
 --
 python-reportlab
@@ -54,5 +56,7 @@ twisted
 --
 webkit2gtk (berto)
 --
+xen
+--
 zabbix
 --
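Review bot: xen is added without a uid behind it, unlike python3.11 (jmm) in the preceding hunk of the same commit; under this file's convention ("To pick an issue, simply add your uid behind it") a bare entry means nobody has picked it yet, so if someone is already preparing the xen update, add their uid here so the work is not duplicated.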



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2adf69643e1290bbfb67556425fe8ad4d3ab583e



[Git][security-tracker-team/security-tracker][master] Bookworm triage for python-django issues

2024-08-23 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
07196966 by Salvatore Bonaccorso at 2024-08-23T21:34:02+02:00
Bookworm triage for python-django issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4630,18 +4630,22 @@ CVE-2024-7518 (Select options could obscure the 
fullscreen notification dialog.
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-33/#CVE-2024-7518
 CVE-2024-42005 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 
before 4.2. ...)
- python-django 3:4.2.15-1 (bug #1078074)
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
NOTE: 
https://github.com/django/django/commit/f4af67b9b41e0f4c117a8741da3abbd1c869ab28/
 (4.2.15)
 CVE-2024-41991 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 
before 4.2. ...)
- python-django 3:4.2.15-1 (bug #1078074)
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
NOTE: 
https://github.com/django/django/commit/efea1ef7e2190e3f77ca0651b5458297bc0f6a9f/
 (4.2.15)
 CVE-2024-41990 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 
before 4.2. ...)
- python-django 3:4.2.15-1 (bug #1078074)
+   [bookworm] - python-django  (Minor issue; intrusive to backport)
NOTE: 
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
NOTE: 
https://github.com/django/django/commit/d0a82e26a74940bf0c78204933c3bdd6a283eb88/
 (4.2.15)
 CVE-2024-41989 (An issue was discovered in Django 5.0 before 5.0.8 and 4.2 
before 4.2. ...)
- python-django 3:4.2.15-1 (bug #1078074)
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/aug/06/security-releases/
NOTE: 
https://github.com/django/django/commit/fc76660f589ac07e45e9cd34ccb8087aeb11904b/
 (4.2.15)
 CVE-2024-42062 (CloudStack account-users by default use username and password 
based au ...)
@@ -11031,14 +11035,17 @@ CVE-2024-39880 (Delta Electronics CNCSoft-G2 lacks 
proper validation of the leng
NOT-FOR-US: Delta Electronics
 CVE-2024-39614 (An issue was discovered in Django 5.0 before 5.0.7 and 4.2 
before 4.2. ...)
- python-django 3:4.2.14-1 (bug #1076069)
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
NOTE: 
https://github.com/django/django/commit/17358fb35fb7217423d4c4877ccb6d1a3a40b1c3
 (4.2.14)
 CVE-2024-39330 (An issue was discovered in Django 5.0 before 5.0.7 and 4.2 
before 4.2. ...)
- python-django 3:4.2.14-1 (bug #1076069)
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
NOTE: 
https://github.com/django/django/commit/2b00edc0151a660d1eb86da4059904a0fc4e095e
 (4.2.14)
 CVE-2024-39329 (An issue was discovered in Django 5.0 before 5.0.7 and 4.2 
before 4.2. ...)
- python-django 3:4.2.14-1 (bug #1076069)
+   [bookworm] - python-django  (Minor issue)
NOTE: 
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
NOTE: 
https://github.com/django/django/commit/156d3186c96e3ec2ca73b8b25dc2ef366e38df14
 (4.2.14)
 CVE-2024-39181 (Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v3.2 was 
discovered ...)
@@ -11057,6 +11064,7 @@ CVE-2024-38959 (Cross Site Scripting vulnerability in 
Creativeitem Academy LMS L
NOT-FOR-US: Creativeitem Academy LMS Learning Management System
 CVE-2024-38875 (An issue was discovered in Django 4.2 before 4.2.14 and 5.0 
before 5.0 ...)
- python-django 3:4.2.14-1 (bug #1076069)
+   [bookworm] - python-django  (Minor issue; intrusive to backport)
NOTE: 
https://www.djangoproject.com/weblog/2024/jul/09/security-releases/
NOTE: 
https://github.com/django/django/commit/79f368764295df109a37192f6182fb6f361d85b5
 (4.2.14)
 CVE-2024-38301 (Dell Alienware Command Center, version 5.7.3.0 and prior, 
contains an  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07196966b7c78e3f182827360a42e2a419f8f7fd



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f23c31fd by Moritz Muehlenhoff at 2024-08-22T11:30:56+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -676,6 +676,7 @@ CVE-2024-8007 (A flaw was found in the Red Hat OpenStack 
Platform (RHOSP) direct
NOT-FOR-US: RHOSP Director / Red Hat OpenStack Platform
 CVE-2024-22034
- osc 1.9.0-1
+   [bookworm] - osc  (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1225911
 CVE-2024-43882 (In the Linux kernel, the following vulnerability has been 
resolved:  e ...)
- linux 6.10.6-1
@@ -1097,6 +1098,7 @@ CVE-2024-43399 (Mobile Security Framework (MobSF) is a 
pen-testing, malware anal
NOT-FOR-US: Mobile Security Framework (MobSF)
 CVE-2024-43380 (fugit contains time tools for flor and the floraison group. 
The fugit  ...)
- ruby-fugit 
+   [bookworm] - ruby-fugit  (Minor issue)
NOTE: 
https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g
NOTE: https://github.com/floraison/fugit/issues/104
NOTE: 
https://github.com/floraison/fugit/commit/6a7527497c0bb9196efe503e3d9b5271128a8ee1
 (v1.11.1)
@@ -4900,6 +4902,7 @@ CVE-2024-37286 (APM server logs contain document body 
from a partially failed bu
NOT-FOR-US: APM server
 CVE-2024-7319 (An incomplete fix for CVE-2023-1625 was found in 
openstack-heat. Sensi ...)
- heat 
+   [bookworm] - heat  (Minor issue)
[bullseye] - heat  (Incomplete fix for CVE-2023-1625 not 
applied)
NOTE: https://storyboard.openstack.org/#!/story/2011007
 CVE-2024-7291 (The JetFormBuilder plugin for WordPress is vulnerable to 
privilege esc ...)
@@ -12542,7 +12545,8 @@ CVE-2024-29506 (Artifex Ghostscript before 10.03.0 has 
a stack-based buffer over
NOTE: Introduced with: 
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=316c3a08269212f1005709da64efcb383f8f5ce0
 (ghostpdl-9.55.0rc1)
NOTE: Fixed by: 
https://cgit.ghostscript.com/cgi-bin/cgit.cgi/ghostpdl.git/commit/?id=77dc7f699beba606937b7ea23b50cf5974fa64b1
 (ghostpdl-10.03.0)
 CVE-2023-52169 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 
7zz) conta ...)
-   - 7zip 24.05+dfsg-1
+   - 7zip 24.05+dfsg-1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
- p7zip 16.02+transitional.1
NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/
NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
@@ -12551,6 +12555,7 @@ CVE-2023-52169 (The NtfsHandler.cpp NTFS handler in 
7-Zip before 24.01 (for 7zz)
NOTE: depending on 7zip. Mark this version as fixed version.
 CVE-2023-52168 (The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 
7zz) conta ...)
- 7zip 24.05+dfsg-1
+   [bookworm] - 7zip  (Minor issue)
- p7zip 16.02+transitional.1
NOTE: https://sourceforge.net/p/sevenzip/bugs/2402/
NOTE: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/
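Review bot: CVE-2023-52168 gets [bookworm] - 7zip (Minor issue) while its sibling CVE-2023-52169 in the preceding hunk, which cites the same sourceforge bug 2402 and the same dfir.ru write-up, is downgraded to unimportant with the NOTE "Crash in CLI tool, no security impact". A one-line NOTE on why this one is treated as a real (if minor) issue rather than as the same kind of CLI crash would save the next triager from re-deriving the distinction.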



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f23c31fd39ba2a768e7912de8274c2be0a039a6f



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
78549882 by Moritz Muehlenhoff at 2024-08-20T15:04:20+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -939,6 +939,7 @@ CVE-2024-43378 (calamares-nixos-extensions provides 
Calamares branding and modul
TODO: check
 CVE-2024-43370 (gettext.js is a GNU gettext port for node and the browser. 
There is a  ...)
- gettext.js 0.7.0-4 (bug #1078880)
+   [bookworm] - gettext.js  (Minor issue)
NOTE: 
https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
NOTE: Fixed by: 
https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c
 (2.0.3)
 CVE-2024-43369 (Ibexa RichText Field Type is a Field Type for supporting rich 
formatte ...)
@@ -1198,6 +1199,7 @@ CVE-2024-43275 (Cross-Site Request Forgery (CSRF) 
vulnerability in Xyzscripts In
NOT-FOR-US: Xyzscripts Insert PHP Code Snippet
 CVE-2024-42353 (WebOb provides objects for HTTP requests and responses. When 
WebOb nor ...)
- python-webob  (bug #1078879)
+   [bookworm] - python-webob  (Minor issue)
NOTE: 
https://github.com/Pylons/webob/security/advisories/GHSA-mg3v-6m49-jhp3
NOTE: Fixed by: 
https://github.com/Pylons/webob/commit/f689bcf4f0a1f64f1735b1d5069aef5be6974b5b 
(1.8.8)
 CVE-2024-25024 (IBM QRadar Suite Software 1.10.12.0 through 1.10.23.0 and IBM 
Cloud Pa ...)
@@ -2299,6 +2301,7 @@ CVE-2024-7680 (A vulnerability was found in itsourcecode 
Tailoring Management Sy
NOT-FOR-US: itsourcecode Tailoring Management System
 CVE-2024-5651 (A flaw was found in fence agents that rely on SSH/Telnet. This 
vulnera ...)
- fence-agents  (bug #1078970)
+   [bookworm] - fence-agents  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2290540
 CVE-2024-5527 (Zohocorp ManageEngine ADAudit Plus versions below8110 are 
vulnerable t ...)
NOT-FOR-US: Zohocorp ManageEngine ADAudit Plus



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78549882b2fbbfbdce6959c09e09c0be748df7b7



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-20 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0ac38f5 by Moritz Muehlenhoff at 2024-08-20T14:19:43+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -98,6 +98,7 @@ CVE-2024-7592 (There is a LOW severity vulnerability 
affecting CPython, specific
- python3.13 
- python3.12 
- python3.11 
+   [bookworm] - python3.11  (Minor issue)
- python3.9 
NOTE: https://github.com/python/cpython/pull/123075
NOTE: https://github.com/python/cpython/issues/123067
@@ -292,6 +293,7 @@ CVE-2024-7904 (A vulnerability was found in DedeBIZ 6.3.0. 
It has been rated as
NOT-FOR-US: DedeBIZ
 CVE-2024-6221 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows 
the `Ac ...)
- python-flask-cors 
+   [bookworm] - python-flask-cors  (Minor issue)
NOTE: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d
 CVE-2024-43353 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
NOT-FOR-US: WordPress plugin
@@ -1565,6 +1567,7 @@ CVE-2023-43489 (Improper access control for some Intel(R) 
CIP software before ve
NOT-FOR-US: Intel
 CVE-2023-42667 (Improper isolation in the Intel(R) Core(TM) Ultra Processor 
stream cac ...)
- intel-microcode 3.20240813.1 (bug #1078742)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01038.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
 CVE-2023-40067 (Unchecked return value in firmware for some Intel(R) CSME may 
allow an ...)
@@ -362328,6 +362331,7 @@ CVE-2019-18861
RESERVED
 CVE-2023-49288 (Squid is a caching proxy for the Web supporting HTTP, HTTPS, 
FTP, and  ...)
- squid 6.1-1
+   [bookworm] - squid  (Vulnerable feature got removed upstream, 
workaround exists)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
NOTE: https://megamansec.github.io/Squid-Security-Audit/trace-uaf.html
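Review bot: the bookworm annotation says "workaround exists" but neither NOTE line says what it is; the only references are the GHSA advisory and the audit page. Record the workaround itself (or which of the two references describes it) so users of the tracker can apply it without re-reading the audit.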


=
data/dsa-needed.txt
=
@@ -26,7 +26,7 @@ cinder
 dnsmasq
   Lee Garrett showed interest to prepare an update for review
 --
-dovecot
+dovecot (jmm)
   Noah Meyerhans is preparing updates
 --
 frr
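Review bot: the uid jmm is added to dovecot while the note directly below still says Noah Meyerhans is preparing updates; if jmm is reviewing or sponsoring rather than preparing, the note should say so, otherwise two people may end up working on the same update.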



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ac38f563938bf3ab77ab0bd66890625ea00b3e



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-18 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f19f99b by Moritz Muehlenhoff at 2024-08-18T13:51:52+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -,6 +,7 @@ CVE-2024-26022 (Improper access control in some Intel(R) 
UEFI Integrator Tools o
NOT-FOR-US: Intel
 CVE-2024-25939 (Mirrored regions with different values in 3rd Generation 
Intel(R) Xeon ...)
- intel-microcode 3.20240813.1 (bug #1078742)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01118.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
 CVE-2024-25576 (improper access control in firmware for some Intel(R) FPGA 
products be ...)
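Review bot: the hunk header @@ -,6 +,7 @@ has lost both start line numbers, so this hunk as rendered in the mail cannot be applied with patch or git apply; this is a rendering artifact of the notification rather than of commit 4f19f99b, which should be consulted for the real header. The same rendering also dropped the angle-bracketed status keyword between the package name and the parenthesised reason, which is why lines such as "[bookworm] - intel-microcode  (Minor issue)" show a double space.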
@@ -1127,6 +1128,7 @@ CVE-2024-24983 (Protection mechanism failure in firmware 
for some Intel(R) Ether
NOT-FOR-US: Intel
 CVE-2024-24980 (Protection mechanism failure in some 3rd, 4th, and 5th 
Generation Inte ...)
- intel-microcode 3.20240813.1 (bug #1078742)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01100.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
 CVE-2024-24977 (Uncontrolled search path for some Intel(R) License Manager for 
FLEXlm  ...)
@@ -1135,6 +1137,7 @@ CVE-2024-24973 (Improper input validation for some 
Intel(R) Distribution for GDB
NOT-FOR-US: Intel
 CVE-2024-24853 (Incorrect behavior order in transition between executive 
monitor and S ...)
- intel-microcode 3.20240813.1 (bug #1078742)
+   [bookworm] - intel-microcode  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01083.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
 CVE-2024-24580 (Improper conditions check in some Intel(R) Data Center GPU Max 
Series  ...)
@@ -1589,6 +1592,7 @@ CVE-2023-31366 (Improper input validation in AMD 
\u03bcProf could allow an attac
NOT-FOR-US: AMD
 CVE-2023-31356 (Incomplete system memory cleanup in SEV firmware could allow a 
privile ...)
- amd64-microcode 
+   [bookworm] - amd64-microcode  (Minor issue)
NOTE: 
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-3003.html
TODO: check, potentially already addressed in 3.20230823.1 as this 
updates AMD-SEV firmware to version 1.55 build 21 for Family 19h models 10h-1fh 
(asked maintainer)
 CVE-2023-31349 (Incorrect default permissions in the AMD \u03bcProf 
installation direc ...)
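Review bot: the new [bookworm] - amd64-microcode (Minor issue) tag sits above a TODO that still says the issue may already be addressed in 3.20230823.1 and that the maintainer has been asked; if that is confirmed, the unstable entry wants that fixed version and the bookworm tag becomes moot, so resolve the TODO or revisit the tag once the maintainer answers rather than leaving both in place.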
@@ -9692,6 +9696,7 @@ CVE-2024-39697 (phonenumber is a library for parsing, 
formatting and validating
NOT-FOR-US: Rust crate phonenumber
 CVE-2024-39684 (Tencent RapidJSON is vulnerable to privilege escalation due to 
an inte ...)
- rapidjson 
+   [bookworm] - rapidjson  (Minor issue)
NOTE: https://github.com/Tencent/rapidjson/issues/2289
 CVE-2024-39675 (A vulnerability has been identified in RUGGEDCOM RMC30 (All 
versions < ...)
NOT-FOR-US: Siemens
@@ -9721,6 +9726,7 @@ CVE-2024-38867 (A vulnerability has been identified in 
SIPROTEC 5 6MD84 (CP300)
NOT-FOR-US: Siemens
 CVE-2024-38517 (Tencent RapidJSON is vulnerable to privilege escalation due to 
an inte ...)
- rapidjson 
+   [bookworm] - rapidjson  (Minor issue)
NOTE: https://github.com/Tencent/rapidjson/pull/1261
 CVE-2024-38363 (Airbyte is a data integration platform for ELT pipelines. 
Airbyte conn ...)
NOT-FOR-US: Airbyte


=
data/dsa-needed.txt
=
@@ -26,6 +26,8 @@ cinder
 dnsmasq
   Lee Garrett showed interest to prepare an update for review
 --
+dovecot
+--
 frr
   coordination with the maintainer ongoing
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f19f99bd6191a4e9db1ad585477231ade52ca0c



[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-16 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c2220e4c by Moritz Muehlenhoff at 2024-08-16T15:33:58+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -8965,6 +8965,7 @@ CVE-2024-6391 (The oik plugin for WordPress is vulnerable 
to Stored Cross-Site S
NOT-FOR-US: WordPress plugin
 CVE-2024-6237 (A flaw was found in the 389 Directory Server. This flaw allows 
an unau ...)
- 389-ds-base 2.4.5+dfsg1-1
+   [bookworm] - 389-ds-base  (Minor issue)
NOTE: https://github.com/389ds/389-ds-base/issues/5989
NOTE: 
https://github.com/389ds/389-ds-base/commit/e8dd583685e6143f2027f97569de4cc45ba46e14
 (389-ds-base-2.4.5)
 CVE-2024-6222 (In Docker Desktop before v4.29.0, an attacker who has gained 
access to ...)
@@ -53416,22 +53417,27 @@ CVE-2024-24474 (QEMU before 8.2.0 has an integer 
underflow, and resultant buffer
NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/77668e4b9bca03a856c27ba899a2513ddf52bb52
 (v8.2.0-rc0)
 CVE-2024-23809 (A double-free vulnerability exists in the BrainVision ASCII 
Header Par ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1919
NOTE: 
https://sourceforge.net/p/biosig/code/ci/3848d1ca0e1b2a60df395ddc76a191e835a1e4de/
 CVE-2024-23606 (An out-of-bounds write vulnerability exists in the 
sopen_FAMOS_read fu ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1925
NOTE: 
https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/
 CVE-2024-23313 (An integer underflow vulnerability exists in the 
sopen_FAMOS_read func ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1922
NOTE: 
https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/
 CVE-2024-23310 (A use-after-free vulnerability exists in the sopen_FAMOS_read 
function ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1923
NOTE: 
https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/
 CVE-2024-23305 (An out-of-bounds write vulnerability exists in the 
BrainVisionMarker P ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1918
NOTE: 
https://sourceforge.net/p/biosig/code/ci/76c1369de1a9a24feed558ab8834b4410310b07b/
 CVE-2024-22824 (An issue in Timo v.2.0.3 allows a remote attacker to execute 
arbitrary ...)
@@ -53442,16 +53448,19 @@ CVE-2024-22245 (Arbitrary Authentication Relay and 
Session Hijack vulnerabilitie
NOT-FOR-US: VMware
 CVE-2024-22097 (A double-free vulnerability exists in the BrainVision Header 
Parsing f ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1917
NOTE: 
https://sourceforge.net/p/biosig/code/ci/3848d1ca0e1b2a60df395ddc76a191e835a1e4de/
 CVE-2024-22054 (A malformed discovery packet sent by a malicious actor with 
preexistin ...)
NOT-FOR-US: UniFi
 CVE-2024-21812 (An integer overflow vulnerability exists in the 
sopen_FAMOS_read funct ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1921
NOTE: 
https://sourceforge.net/p/biosig/code/ci/e20e81564f0709323f7b99486a0a2b4594ab05f2/
 CVE-2024-21795 (A heap-based buffer overflow vulnerability exists in the .egi 
parsing  ...)
- biosig 2.6.0-1
+   [bookworm] - biosig  (Minor issue)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1920
NOTE: 
https://sourceforge.net/p/biosig/code/ci/71057b016be545974565fdc0f903871c345da412/
 CVE-2024-21726 (Inadequate content filtering leads to XSS vulnerabilities in 
various c ...)


=
data/dsa-needed.txt
=
@@ -57,7 +57,7 @@ pymatgen
 --
 python-aiohttp
 --
-python-asyncssh
+python-asyncssh (jmm)
 --
 python-reportlab
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2220e4c36ace12896d2f9d8d72220ebb088841b


[Git][security-tracker-team/security-tracker][master] bookworm triage

2024-08-16 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
195e5fce by Moritz Muehlenhoff at 2024-08-16T14:05:18+02:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -731,6 +731,7 @@ CVE-2024-20082 (In Modem, there is a possible memory 
corruption due to a missing
NOT-FOR-US: Mediatek
 CVE-2024-7730
- qemu 
+   [bookworm] - qemu  (Minor issue)
NOTE: 
https://lore.kernel.org/qemu-devel/virtio-snd-fuzz-2427-fix-v1-manos.pitsidiana...@linaro.org/
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2427
NOTE: Fixed by: 
https://gitlab.com/qemu-project/qemu/-/commit/98e77e3dd8dd6e7aa9a7dffa60f49c8c8a49d4e3
 (v9.1.0-rc0)
@@ -2168,6 +2169,7 @@ CVE-2024-7317 (The Folders \u2013 Unlimited Folders to 
Organize Media Library Fo
NOT-FOR-US: WordPress plugin
 CVE-2024-7246 (It's possible for a gRPC client communicating with a HTTP/2 
proxy to p ...)
- grpc 
+   [bookworm] - grpc  (Minor issue)
NOTE: https://github.com/grpc/grpc/issues/36245
NOTE: Fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 
1.65.4.
 CVE-2024-6720 (The Light Poll WordPress plugin through 1.0.0 does not have 
CSRF check ...)
@@ -12030,7 +12032,7 @@ CVE-2024-34142 (Adobe Experience Manager versions 
6.5.20 and earlier are affecte
 CVE-2024-34141 (Adobe Experience Manager versions 6.5.20 and earlier are 
affected by a ...)
NOT-FOR-US: Adobe
 CVE-2024-32111 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
-   - wordpress 6.5.5+dfsg1-1 (bug #1074486)
+   - wordpress  (Only affects Windows systems)
NOTE: https://wordpress.org/news/2024/06/wordpress-6-5-5/
 CVE-2024-3 (Improper Neutralization of Input During Web Page Generation 
(XSS or 'C ...)
- wordpress 6.5.5+dfsg1-1 (bug #1074486)
@@ -67518,6 +67520,7 @@ CVE-2023-43364 (main.py in Searchor before 2.4.2 uses 
eval on CLI input, which m
NOT-FOR-US: Searchor
 CVE-2023-41337 (h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and 
HTTP/3. In ...)
- h2o  (bug #1059413)
+   [bookworm] - h2o  (Minor issue)
NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-5v5r-rghf-rm6q
NOTE: Fixed by: 
https://github.com/h2o/h2o/commit/35760540337a47e5150da0f4a66a609fad2ef0ab
 CVE-2023-38694 (Umbraco is an ASP.NET content management system (CMS). 
Starting in ver ...)
@@ -78693,6 +78696,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of 
service (server resource
[bullseye] - grpc  (Minor issue)
[buster] - grpc  (Minor issue)
- h2o 2.2.5+dfsg2-8 (bug #1054232)
+   [bookworm] - h2o  (Minor issue)
- haproxy 1.8.13-1
- nginx 1.24.0-2 (unimportant; bug #1053770)
- nghttp2 1.57.0-1 (bug #1053769)


=
data/dsa-needed.txt
=
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+aom (jmm)
 --
 cacti
   Bastien Roucariès is proposing to work on a update and agreed on it with 
maintainer
@@ -25,8 +27,7 @@ dnsmasq
   Lee Garrett showed interest to prepare an update for review
 --
 frr
-  Tobias Frost (tobi) proposed to work on preparing an update, but discussion
-  with Debian maintainer for status on bullseye + updates
+  coordination with the maintainer ongoing
 --
 ghostscript (carnil)
 --
@@ -37,10 +38,8 @@ git
 glance
   Maintainer prepared updates for review
 --
-h2o (jmm)
---
 libreswan
-  Waiting on feedback from maintainer, proposal to EOL Bullseye
+  Waiting on feedback from maintainer
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/195e5fce977fdbd73a6e3bf716abf90f21144645



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-31 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8298ccb2 by Moritz Muehlenhoff at 2023-05-31T13:22:52+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3625,11 +3625,13 @@ CVE-2023-30848 (Pimcore is an open source data and 
experience management platfor
NOT-FOR-US: Pimcore
 CVE-2023-30847 (H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when 
the rev ...)
- h2o 
+   [bookworm] - h2o  (Minor issue)
+   [bullseye] - h2o  (Minor issue)
NOTE: Fixed by: 
https://github.com/h2o/h2o/commit/a70af675328dda438ecd9d8a1673c1715fd93cc7
NOTE: Fixed by: 
https://github.com/h2o/h2o/commit/5f57d505514e937d13787b1f408837cb9197e2b2
NOTE: https://github.com/h2o/h2o/pull/3229
NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx
-   TODO: check, 
https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has 
done a major refactoring, but issue possibly present before
+   NOTE: 
https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has 
done a major refactoring, but issue possibly present before
 CVE-2023-30846 (typed-rest-client is a library for Node Rest and Http Clients 
with typ ...)
NOT-FOR-US: typed-rest-client
 CVE-2023-30845 (ESPv2 is a service proxy that provides API management 
capabilities usi ...)
@@ -24258,10 +24260,12 @@ CVE-2023-0407
 CVE-2023-23920 (An untrusted search path vulnerability exists in Node.js. 
<19.6.1, <18 ...)
{DSA-5395-1 DLA-3344-1}
- nodejs  (bug #1031834)
+   [bookworm] - nodejs  (Can be fixed along with next update)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920
NOTE: 
https://github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1
 CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, 
<18.14.1, <16 ...)
- nodejs  (bug #1031834)
+   [bookworm] - nodejs  (Can be fixed along with next update)
[bullseye] - nodejs  (X509Certificate API introduced in 
v15.6.0)
[buster] - nodejs  (X509Certificate API introduced in 
v15.6.0)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919
@@ -24269,6 +24273,7 @@ CVE-2023-23919 (A cryptographic vulnerability exists in 
Node.js <19.2.0, <18.14.
NOTE: 
https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029
 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js 
<19.6.1, <18.14 ...)
- nodejs  (bug #1031834)
+   [bookworm] - nodejs  (Can be fixed along with next update)
[bullseye] - nodejs  (Permissions policy introduced in 
v16.x)
[buster] - nodejs  (v10.x doesn't support policy 
manifests)
NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918
@@ -60260,8 +60265,10 @@ CVE-2022-3013 (A vulnerability classified as critical 
has been found in SourceCo
 CVE-2022-3012 (A vulnerability was found in oretnom23 Fast Food Ordering 
System. It h ...)
NOT-FOR-US: oretnom23 Fast Food Ordering System
 CVE-2022-38065 (A privilege escalation vulnerability exists in the 
oslo.privsep functi ...)
-   - python-oslo.privsep  (bug #1033114)
+   - python-oslo.privsep  (unimportant; bug #1033114)
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1599
+   NOTE: Deemed as additional hardening, but not a security issue by 
upstream:
+   NOTE: https://bugs.launchpad.net/oslo.privsep/+bug/1989008
 CVE-2022-3011
RESERVED
 CVE-2022-38785



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8298ccb2dda0991737330b48bb3912c52d4b5952



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-30 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0c8307b7 by Moritz Muehlenhoff at 2023-05-30T15:52:13+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4212,6 +4212,7 @@ CVE-2023-30609 (matrix-react-sdk is a react-based SDK for 
inserting a Matrix cha
 CVE-2023-30608 (sqlparse is a non-validating SQL parser module for Python. In 
affected ...)
{DLA-3425-1}
- sqlparse  (bug #1034615)
+   [bookworm] - sqlparse  (Minor issue)
[bullseye] - sqlparse  (Minor issue)
NOTE: 
https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-rrm6-wvj7-cwh2
NOTE: Introduced by: 
https://github.com/andialbrecht/sqlparse/commit/e75e35869473832a1eb67772b1adfee2db11b85a
 (0.1.15)
@@ -7426,6 +7427,7 @@ CVE-2023-29400 (Templates containing actions in unquoted 
HTML attributes (e.g. "
- golang-1.20 1.20.4-1
[experimental] - golang-1.19 1.19.9-1
- golang-1.19 
+   [bullseye] - golang-1.19  (Minor issue)
- golang-1.15 
- golang-1.11 
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
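Review bot: no [bookworm] state is recorded for golang-1.19 here although the commit is bookworm triage and golang-1.19 is unfixed in unstable with 1.19.9-1 only in experimental; the hunk adds just `+   [bullseye] - golang-1.19  (Minor issue)`. Record whether the experimental upload is to be unblocked into bookworm or whether the issue is no-dsa there, as the other packages in this commit got explicit bookworm lines.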
@@ -9184,6 +9186,7 @@ CVE-2023-28883 (In Cerebrate 1.13, a blind SQL injection 
exists in the searchAll
NOT-FOR-US: Cerebrate
 CVE-2023-28882 (Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows 
a denial ...)
- modsecurity 3.0.9-1 (bug #1035083)
+   [bookworm] - modsecurity  (Minor issue)
[bullseye] - modsecurity  (Vulnerable code not present)
[buster] - modsecurity  (Vulnerable code not present)
NOTE: 
https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/
@@ -11041,6 +11044,7 @@ CVE-2023-28372
RESERVED
 CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that 
are typic ...)
- stellarium  (bug #1034183)
+   [bookworm] - stellarium  (Minor issue)
[bullseye] - stellarium  (Minor issue)
[buster] - stellarium  (Minor issue)
NOTE: 
https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7
@@ -11805,6 +11809,7 @@ CVE-2023-28155 (The Request package through 2.88.1 for 
Node.js allows a bypass o
NOTE: https://github.com/request/request/issues/3442
 CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object 
access. Impo ...)
- node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904)
+   [bookworm] - node-webpack  (Minor issue)
[bullseye] - node-webpack 4.43.0-6+deb11u1
[buster] - node-webpack  (Minor issue)
NOTE: https://github.com/webpack/webpack/pull/16500
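Review bot: bookworm is marked `(Minor issue)` while the bullseye line directly below records an actual fix, `4.43.0-6+deb11u1`, so the incoming stable release would carry a lower fix status than oldstable for the same CVE. Since 5.76.1+dfsg1+~cs17.16.16-1 in unstable already contains the fix, either note that it is to be unblocked into bookworm or state why bookworm does not need the point-release fix bullseye received.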
@@ -22328,6 +22333,7 @@ CVE-2023-24540 (Not all valid JavaScript whitespace 
characters are considered to
- golang-1.20 1.20.4-1
[experimental] - golang-1.19 1.19.9-1
- golang-1.19 
+   [bullseye] - golang-1.19  (Minor issue)
- golang-1.15 
- golang-1.11 
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
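Review bot: same gap as in the CVE-2023-29400 hunk of this commit: golang-1.19 gains a [bullseye] line but no [bookworm] state, while the fixed 1.19.9-1 is only in experimental and the unstable entry is still unfixed.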
@@ -22338,6 +22344,7 @@ CVE-2023-24539 (Angle brackets (<>) are not considered 
dangerous characters when
- golang-1.20 1.20.4-1
[experimental] - golang-1.19 1.19.9-1
- golang-1.19 
+   [bullseye] - golang-1.19  (Minor issue)
- golang-1.15 
- golang-1.11 
NOTE: https://groups.google.com/g/golang-announce/c/MEb0UyuSMsU
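Review bot: same gap as in the CVE-2023-29400 hunk of this commit: golang-1.19 gains a [bullseye] line but no [bookworm] state, while the fixed 1.19.9-1 is only in experimental and the unstable entry is still unfixed.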



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c8307b7263b8114a9c9f4b6b0e02106fcbcf3fc





[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
88e0c08f by Moritz Mühlenhoff at 2023-05-28T17:03:04+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -10066,6 +10066,7 @@ CVE-2023-2491 (A flaw was found in the Emacs text 
editor. Processing a specially
 CVE-2023-28617 (org-babel-execute:latex in ob-latex.el in Org Mode through 
9.6.1 for G ...)
{DLA-3416-1}
- org-mode  (bug #1033341)
+   [bookworm] - org-mode  (Minor issue)
[bullseye] - org-mode  (Minor issue)
[buster] - org-mode  (Minor issue)
- emacs 1:28.2+1-14 (bug #1033342)
@@ -10664,6 +10665,8 @@ CVE-2023-28440 (Discourse is an open source platform 
for community discussion. I
NOT-FOR-US: Discourse
 CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML 
editor.  ...)
- ckeditor  (bug #1034481)
+   [bookworm] - ckeditor  (Minor issue)
+   [bullseye] - ckeditor  (Minor issue)
- ckeditor3 
[bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
@@ -12435,6 +12438,7 @@ CVE-2023-27985 (emacsclient-mail.desktop in Emacs 28.1 
through 28.2 is vulnerabl
NOTE: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60204
 CVE-2023- [RUSTSEC-2023-0018]
- rust-remove-dir-all 
+   [bookworm] - rust-remove-dir-all  (Minor issue)
[bullseye] - rust-remove-dir-all  (Minor issue)
[buster] - rust-remove-dir-all  (Minor issue, no in-place 
fix: old API deprecated + new API introduced)
NOTE: https://github.com/advisories/GHSA-mc8h-8q98-g5hr
@@ -48642,6 +48646,7 @@ CVE-2022-3561 (Cross-site Scripting (XSS) - Generic in 
GitHub repository librenm
NOT-FOR-US: LibreNMS
 CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a 
systemd serv ...)
- pesign  (bug #1030168)
+   [bookworm] - pesign  (Minor issue)
[bullseye] - pesign  (Minor issue)
[buster] - pesign  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/01/31/6
@@ -229445,6 +229450,7 @@ CVE-2020-12755 (fishProtocol::establishConnection in 
fish/fish.cpp in KDE kio-ex
NOTE: 
https://github.com/KDE/kio-extras/commit/d813cef3cecdec9af1532a40d677a203ff979145
 CVE-2019-20794 (An issue was discovered in the Linux kernel 4.18 through 
5.6.11 when u ...)
- linux 
+   [bookworm] - linux  (Minor issue, revisit when fixed 
upstream)
[bullseye] - linux  (Minor issue, revisit when fixed 
upstream)
[buster] - linux  (Minor issue, revisit when fixed upstream)
NOTE: https://sourceforge.net/p/fuse/mailman/message/36598753/
@@ -459947,6 +459953,7 @@ CVE-2015-7812 (The hypercall_create_continuation 
function in arch/arm/domain.c i
NOTE: http://xenbits.xen.org/xsa/advisory-145.html
 CVE-2013-7445 (The Direct Rendering Manager (DRM) subsystem in the Linux 
kernel throu ...)
- linux  (bug #1000886)
+   [bookworm] - linux  (Minor issue, requires invasive changes)
[bullseye] - linux  (Minor issue, requires invasive changes)
[buster] - linux  (Minor issue, requires invasive changes)
[stretch] - linux  (Minor issue, requires invasive changes)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88e0c08f4b3eb0867e41894f12bd3d1fbaf3e866





[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c672b3cb by Moritz Mühlenhoff at 2023-05-28T10:54:51+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -336,6 +336,7 @@ CVE-2023-32697 (SQLite JDBC is a library for accessing and 
creating SQLite datab
NOTE: 
https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2
 CVE-2023-32685 [Clipboard based cross-site scripting (blocked with default 
CSP)]
- kanboard 
+   [bookworm] - kanboard  (Minor issue)
NOTE: 
https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv
 CVE-2023-32681 (Requests is a HTTP library. Since Requests 2.3.0, Requests has 
been le ...)
- requests  (bug #1036693)
@@ -951,148 +952,173 @@ CVE-2023-31842 (Sourcecodester Faculty Evaluation 
System v1.0 is vulnerable to S
NOT-FOR-US: Sourcecodester Faculty Evaluation System
 CVE-2023-31631 (An issue in the sqlo_preds_contradiction component of openlink 
virtuos ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1137
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/c77cd981a82a7f6385b174eb818057b2f19d8c09
 CVE-2023-31630 (An issue in the sqlo_query_spec component of openlink 
virtuoso-opensou ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1138
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/f9244141ce68dc4a3314fd4a0cd5bb3bdd6ab830
 CVE-2023-31629 (An issue in the sqlo_union_scope component of openlink 
virtuoso-openso ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1139
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/9553f94992f0a33f7eb7e87e74f0f78998ba5bec
 CVE-2023-31628 (An issue in the stricmp component of openlink 
virtuoso-opensource v7.2 ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1141
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/2ed10333e6e973c2b3e1e60ba854ef0dd12afe07
 CVE-2023-31627 (An issue in the strhash component of openlink 
virtuoso-opensource v7.2 ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1140
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/ce61d6f568568b771d7e857408e3246d31135494
 CVE-2023-31626 (An issue in the gpf_notice component of openlink 
virtuoso-opensource v ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1129
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/4ad97c5a81067e3bdabe849f42f089edc9880131
 CVE-2023-31625 (An issue in the psiginfo component of openlink 
virtuoso-opensource v7. ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1132
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/2ed10333e6e973c2b3e1e60ba854ef0dd12afe07
 CVE-2023-31624 (An issue in the sinv_check_exp component of openlink 
virtuoso-opensour ...)
- virtuoso-opensource  (bug #1036467)
+   [bookworm] - virtuoso-opensource  (Minor issue)
[bullseye] - virtuoso-opensource  (Minor issue)
[buster] - virtuoso-opensource  (Minor issue)
NOTE: https://github.com/openlink/virtuoso-opensource/issues/1134
NOTE: 
https://github.com/openlink/virtuoso-opensource/commit/311097fb1f23d0a1dd7dcdd2afecf6fe14665526
 CVE-2023-3162
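Review bot: the same upstream commit 2ed10333e6e973c2b3e1e60ba854ef0dd12afe07 is cited as the fix for both CVE-2023-31628 (stricmp, issue #1141) and CVE-2023-31625 (psiginfo, issue #1132) in this hunk, while each of the other six virtuoso CVEs gets its own commit. Confirm that one commit really addresses both issues, otherwise one of the two NOTE lines points at the wrong fix. The hunk header also announces 25 added lines but only eight [bookworm] lines are visible; the mail is cut off after CVE-2023-3162.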

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a4ad4547 by Moritz Mühlenhoff at 2023-05-24T17:22:06+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3071,6 +3071,8 @@ CVE-2023-2158 (Code Dx versions prior to 2023.4.2 are 
vulnerable to user imperso
 CVE-2023-2157
RESERVED
- imagemagick  (bug #1036476)
+   [bookworm] - imagemagick  (Minor issue)
+   [bullseye] - imagemagick  (Minor issue)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick/commit/9a9896fce95d09e5e47b86baccbe1ce1a2fca76b
 (7.1.1-7)
NOTE: Fixed by: 
https://github.com/ImageMagick/ImageMagick6/commit/7e4c992f148afc5b28111e540921d5b6e4e38673
 (6.9.12-85)
 CVE-2023-2156 (A flaw was found in the networking subsystem of the Linux 
kernel withi ...)
@@ -7709,6 +7711,7 @@ CVE-2023-1787 (An issue has been discovered in GitLab 
affecting all versions sta
- gitlab 
 CVE-2023-1786 (Sensitive data could be exposed in logs of cloud-init before 
version 2 ...)
- cloud-init  (bug #1035023)
+   [bookworm] - cloud-init  (Minor issue)
[bullseye] - cloud-init  (Minor issue)
[buster] - cloud-init  (Minor issue)
NOTE: https://bugs.launchpad.net/cloud-init/+bug/2013967
@@ -11195,6 +11198,7 @@ CVE-2023-1371 (The W4 Post List WordPress plugin before 
2.4.6 does not ensure th
 CVE-2023-1370 ([Json-smart](https://netplex.github.io/json-smart/) is a 
performance f ...)
{DLA-3373-1}
- json-smart  (bug #1033474)
+   [bookworm] - json-smart  (Minor issue)
[bullseye] - json-smart  (Minor issue)
NOTE: 
https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/
NOTE: 
https://github.com/netplex/json-smart-v2/commit/5b3205d051952d3100aa0db1535f6ba6226bd87a
 (2.4.9)
@@ -20268,6 +20272,7 @@ CVE-2023-0646 (A vulnerability classified as critical 
was found in dst-admin 1.5
NOT-FOR-US: dst-admin
 CVE-2023-0645 (An out of bounds read exists in libjxl. An attacker using a 
specifical ...)
- jpeg-xl  (bug #1034722)
+   [bookworm] - jpeg-xl  (Minor issue)
NOTE: 
https://github.com/libjxl/libjxl/commit/a7c8428b61299f3b055cbbdbba3fbcd8cb38d084
NOTE: https://github.com/libjxl/libjxl/issues/2100
NOTE: https://github.com/libjxl/libjxl/pull/2101
@@ -55894,6 +55899,7 @@ CVE-2022-40153
REJECTED
 CVE-2022-40152 (Those using Woodstox to parse XML data may be vulnerable to 
Denial of  ...)
- libwoodstox-java  (bug #1032089)
+   [bookworm] - libwoodstox-java  (Minor issue)
[bullseye] - libwoodstox-java  (Minor issue)
[buster] - libwoodstox-java  (Minor issue)
NOTE: https://github.com/x-stream/xstream/issues/304



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4ad4547817109b99be975fea0f8b5e58ca10c7e





[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5d541685 by Moritz Mühlenhoff at 2023-05-24T10:01:38+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11265,6 +11265,7 @@ CVE-2023-28145
RESERVED
 CVE-2023-28144 (KDAB Hotspot 1.3.x and 1.4.x through 1.4.1, in a non-default 
configura ...)
- hotspot  (bug #1033848)
+   [bookworm] - hotspot  (Minor issue)
[bullseye] - hotspot  (Minor issue)
[buster] - hotspot  (Vulnerable code not present, 
introduced in 1.3.0)
NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/8
@@ -16873,12 +16874,18 @@ CVE-2023-26119 (Versions of the package 
net.sourceforge.htmlunit:htmlunit from 0
NOT-FOR-US: net.sourceforge.htmlunit:htmlunit
 CVE-2023-26118 (Versions of the package angular from 1.4.9 are vulnerable to 
Regular E ...)
- angular.js 
+   [bookworm] - angular.js  (Minor issue)
+   [bullseye] - angular.js  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
 CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to 
Regular E ...)
- angular.js 
+   [bookworm] - angular.js  (Minor issue)
+   [bullseye] - angular.js  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045
 CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to 
Regular  ...)
- angular.js 
+   [bookworm] - angular.js  (Minor issue)
+   [bullseye] - angular.js  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044
 CVE-2023-26115
RESERVED
@@ -96085,6 +96092,7 @@ CVE-2022-25871 (All versions of package querymen are 
vulnerable to Prototype Pol
NOT-FOR-US: Node querymen
 CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site 
Scripting ...)
- angular.js 
+   [bookworm] - angular.js  (Minor issue)
[bullseye] - angular.js  (Minor issue)
[buster] - angular.js  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-2949781
@@ -96143,6 +96151,7 @@ CVE-2022-25845 (The package com.alibaba:fastjson before 
1.2.83 are vulnerable to
NOT-FOR-US: com.alibaba:fastjson
 CVE-2022-25844 (The package angular after 1.7.0 are vulnerable to Regular 
Expression D ...)
- angular.js  (bug #1014779)
+   [bookworm] - angular.js  (Minor issue)
[bullseye] - angular.js  (Minor issue)
[buster] - angular.js  (Minor issue, probably even not-affected)
[stretch] - angular.js  (Nodejs in stretch not covered by 
security support)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d541685df2f3b1eef3eba14b974ba6ba57225b0





[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
54f50b7a by Moritz Mühlenhoff at 2023-05-23T22:16:30+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1425,6 +1425,7 @@ CVE-2023-2426 (Use of Out-of-range Pointer Offset in 
GitHub repository vim/vim p
NOTE: 
https://github.com/vim/vim/commit/caf642c25de526229264cab9425e7c9979f3509b 
(v9.0.1499)
 CVE-2023-31485 (GitLab::API::v4 through 0.26 does not verify TLS certificates 
when con ...)
- libgitlab-api-v4-perl  (bug #954051)
+   [bookworm] - libgitlab-api-v4-perl  (Minor issue)
[bullseye] - libgitlab-api-v4-perl  (Minor issue)
[buster] - libgitlab-api-v4-perl  (Minor issue)
NOTE: https://github.com/bluefeet/GitLab-API-v4/pull/57
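Review bot: the description says the module does not verify TLS certificates at all, which is a man-in-the-middle class issue rather than a cosmetic one, yet bookworm, bullseye and buster are all marked `(Minor issue)` with no justification in the parenthesis or a NOTE. A short reason (limited exposure, upstream PR 57 pending, and so on) would make the no-dsa decision reviewable, particularly as the entry has no fixed version in unstable and only bug #954051 as a reference.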
@@ -19749,6 +19750,7 @@ CVE-2015-10073 (A vulnerability, which was classified 
as problematic, was found
NOT-FOR-US: WikiSEO
 CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows 
attackers to ...)
- harfbuzz  (bug #1030612)
+   [bookworm] - harfbuzz  (Minor issue)
[bullseye] - harfbuzz  (Minor issue)
[buster] - harfbuzz  (Minor issue)
NOTE: Original fix: 
https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc
@@ -88860,6 +88862,7 @@ CVE-2022-28368 (Dompdf 1.2.1 allows remote code 
execution via a .php file in the
NOTE: 
https://github.com/dompdf/dompdf/commit/0e0261b7bce372b3a05b712a023f6f742a22d57e
 (v0.8.0)
 CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling 
on STYLE ...)
- libowasp-antisamy-java  (bug #1010154)
+   [bookworm] - libowasp-antisamy-java  (Minor issue)
[bullseye] - libowasp-antisamy-java  (Minor issue)
[buster] - libowasp-antisamy-java  (Minor issue)
[stretch] - libowasp-antisamy-java  (Minor issue)
@@ -88868,6 +88871,7 @@ CVE-2022-28367 (OWASP AntiSamy before 1.6.6 allows XSS 
via HTML tag smuggling on
NOTE: 
https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0
 (v1.6.7)
 CVE-2022-28366 (Certain Neko-related HTML parsers allow a denial of service 
via crafte ...)
- libowasp-antisamy-java  (bug #1010154)
+   [bookworm] - libowasp-antisamy-java  (Minor issue)
[bullseye] - libowasp-antisamy-java  (Minor issue)
[buster] - libowasp-antisamy-java  (Minor issue)
[stretch] - libowasp-antisamy-java  (Minor issue)
@@ -148133,6 +148137,7 @@ CVE-2021-32851 (Mind-elixir is a free, open source 
mind map core. Prior to versi
NOT-FOR-US: Mind-elixir
 CVE-2021-32850 (jQuery MiniColors is a color picker built on jQuery. Prior to 
version  ...)
- jquery-minicolors  (bug #1031791)
+   [bookworm] - jquery-minicolors  (Minor issue)
[bullseye] - jquery-minicolors  (Minor issue)
[buster] - jquery-minicolors  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
@@ -151122,6 +151127,7 @@ CVE-2021-31812 (In Apache PDFBox, a carefully crafted 
PDF file can trigger an in
[bullseye] - libpdfbox2-java  (Minor issue)
[buster] - libpdfbox2-java  (Minor issue)
- libpdfbox-java  (bug #991527)
+   [bookworm] - libpdfbox-java  (Minor issue)
[bullseye] - libpdfbox-java  (Minor issue)
[buster] - libpdfbox-java  (Minor issue)
[stretch] - libpdfbox-java  (Minor issue)
@@ -151132,6 +151138,7 @@ CVE-2021-31811 (In Apache PDFBox, a carefully crafted 
PDF file can trigger an Ou
[bullseye] - libpdfbox2-java  (Minor issue)
[buster] - libpdfbox2-java  (Minor issue)
- libpdfbox-java  (bug #991527)
+   [bookworm] - libpdfbox-java  (Minor issue)
[bullseye] - libpdfbox-java  (Minor issue)
[buster] - libpdfbox-java  (Minor issue)
[stretch] - libpdfbox-java  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54f50b7af0ec660fcb46d813e438a63f3b27add8





[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0fd31e5c by Moritz Mühlenhoff at 2023-05-23T21:11:20+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -916,6 +916,7 @@ CVE-2023-2641 (A vulnerability was found in SourceCodester 
Online Internship Man
NOT-FOR-US: SourceCodester Online Internship Management System
 CVE-2023-32076 (in-toto is a framework to protect supply chain integrity. The 
in-toto  ...)
- in-toto  (bug #1035934)
+   [bookworm] - in-toto  (Minor issue)
[bullseye] - in-toto  (Minor issue)
NOTE: 
https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf
NOTE: 
https://github.com/in-toto/in-toto/commit/f88138c90861953c77a1384ea2fcc58126e6fe59
 (v2.0.0)
@@ -5983,6 +5984,7 @@ CVE-2023-29660
RESERVED
 CVE-2023-29659 (A Segmentation fault caused by a floating point exception 
exists in li ...)
- libheif  (bug #1035607)
+   [bookworm] - libheif  (Minor issue)
[bullseye] - libheif  (Minor issue)
[buster] - libheif  (Minor issue)
NOTE: https://github.com/strukturag/libheif/issues/794
@@ -9968,6 +9970,7 @@ CVE-2023-1437
RESERVED
 CVE-2023-1436 (An infinite recursion is triggered in Jettison when 
constructing a JSO ...)
- libjettison-java  (bug #1033846)
+   [bookworm] - libjettison-java  (Minor issue)
[bullseye] - libjettison-java  (Minor issue)
[buster] - libjettison-java  (Minor issue, DoS)
NOTE: 
https://research.jfrog.com/vulnerabilities/jettison-json-array-dos-xray-427911/
@@ -10180,6 +10183,7 @@ CVE-2023-28429 (Pimcore is an open source data and 
experience management platfor
NOT-FOR-US: Pimcore
 CVE-2023-28428 (PDFio is a C library for reading and writing PDF files. In 
versions 1. ...)
- ippsample  (bug #1034155)
+   [bookworm] - ippsample  (Minor issue)
NOTE: 
https://github.com/michaelrsweet/pdfio/commit/97d4955666779dc5b0665e15dd951a5c12426a31
 (v1.1.1)
NOTE: 
https://github.com/michaelrsweet/pdfio/security/advisories/GHSA-68x8-9phf-j7jf
 CVE-2023-28427 (matrix-js-sdk is a Matrix messaging protocol Client-Server SDK 
for Jav ...)
@@ -14347,12 +14351,14 @@ CVE-2023-27104
RESERVED
 CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer 
overflow via  ...)
- libde265  (bug #1033257)
+   [bookworm] - libde265  (Minor issue)
[bullseye] - libde265  (Minor issue)
[buster] - libde265  (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/394
NOTE: 
https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995
 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation 
violation vi ...)
- libde265  (bug #1033257)
+   [bookworm] - libde265  (Minor issue)
[bullseye] - libde265  (Minor issue)
[buster] - libde265  (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/393
@@ -16806,6 +16812,8 @@ CVE-2023-26126 (All versions of the package m.static 
are vulnerable to Directory
NOT-FOR-US: m.static
 CVE-2023-26125 (Versions of the package github.com/gin-gonic/gin before 1.9.0 
are vuln ...)
- golang-github-gin-gonic-gin  (bug #1035498)
+   [bookworm] - golang-github-gin-gonic-gin  (Minor issue)
+   [bullseye] - golang-github-gin-gonic-gin  (Minor issue)
NOTE: https://github.com/gin-gonic/gin/pull/3500
NOTE: https://github.com/gin-gonic/gin/pull/3503
NOTE: 
https://github.com/gin-gonic/gin/commit/81ac7d55a09e34013225db0aeac6e70c1ae68928
 (v1.9.0)
@@ -21921,6 +21929,8 @@ CVE-2023-0476 (A LDAP injection vulnerability exists in 
Tenable.sc due to improp
NOT-FOR-US: Tenable
 CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to 
decompressi ...)
- golang-github-hashicorp-go-getter  (bug #1032100)
+   [bookworm] - golang-github-hashicorp-go-getter  (Minor issue)
+   [bullseye] - golang-github-hashicorp-go-getter  (Minor issue)
[buster] - golang-github-hashicorp-go-getter  (Limited 
support, minor issue, follow bullseye DSAs/point-releases)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125
 CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 
109.0.5414.119 a ...)
@@ -26294,10 +26304,9 @@ CVE-2023-0198 (NVIDIA GPU Display Driver for Linux 
contains a vulnerability in t
 CVE-2023-0197 (NVIDIA vGPU software contains a vulnerability in the Virtual 
GPU Manag ...)
NOT-FOR-US: NVIDIA vGPU software
 CVE-2023-0196 (NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a 
local use ...)
-   - nvidia-cuda-toolkit  (bug #1032668)
-   [bullseye] - nvidia-cuda-toolkit  (Non-f

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4e7e8196 by Moritz Mühlenhoff at 2023-05-23T15:37:10+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,7 @@ CVE-2023-31708 (A Cross-Site Request Forgery (CSRF) in 
EyouCMS v1.6.2 allows att
 CVE-2023-31670 (An issue in wasm2c 1.0.32, wasm2wat 1.0.32, wasm-decompile 
1.0.32, and ...)
- wabt  (unimportant)
NOTE: https://github.com/WebAssembly/wabt/issues/2199
-   NOTE: Crash in CLI, no security impact
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-31664 (A reflected cross-site scripting (XSS) vulnerability in 
/authenticatio ...)
NOT-FOR-US: WSO2
 CVE-2023-2845 (Improper Access Control in GitHub repository 
cloudexplorer-dev/cloudex ...)
@@ -652,7 +652,6 @@ CVE-2023-32758 (giturlparse (aka git-url-parse) through 
1.2.2, as used in Semgre
 CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw 
ouccers due t ...)
[experimental] - libvirt 9.3.0-1
- libvirt  (bug #1036297)
-   [bookworm] - libvirt  (Minor issue)
[bullseye] - libvirt  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653
NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585
 (v9.3.0)
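Review bot: the `[bookworm] - libvirt  (Minor issue)` line that commit 37c9243b added earlier the same day (the last hunk in this thread) is removed here without a NOTE explaining the reversal, while the fixed version 9.3.0-1 remains in experimental only and unstable is still unfixed. If the intent is that libvirt 9.3.0 reaches bookworm through an unblock, record that, otherwise CVE-2023-2700 is simply left without a bookworm state again.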
@@ -10144,6 +10143,8 @@ CVE-2023-28440 (Discourse is an open source platform 
for community discussion. I
 CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML 
editor.  ...)
- ckeditor  (bug #1034481)
- ckeditor3 
+   [bookworm] - ckeditor3  (Minor issue)
+   [bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
NOTE: 
https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
NOTE: 
https://github.com/ckeditor/ckeditor4/commit/b85af23f020a61397c6c0024aef73f2c7f62bfef
 (4.21.0)
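Review bot: within the same CVE-2023-28439 entry only ckeditor3 receives [bookworm] and [bullseye] lines; `- ckeditor  (bug #1034481)` is left without a bookworm state although it is equally unfixed in unstable and bug #1034481 is still open. The follow-up commit 88e0c08f of 2023-05-28 in this thread adds the missing ckeditor lines, so the gap is closed, but both packages of one entry should be triaged together.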
@@ -96220,6 +96221,8 @@ CVE-2022-24066 (The package simple-git before 3.5.0 are 
vulnerable to Command In
NOT-FOR-US: simple-git
 CVE-2022-24065 (The package cookiecutter before 2.1.1 are vulnerable to 
Command Inject ...)
- cookiecutter  (bug #1013279)
+   [bookworm] - cookiecutter  (Minor issue)
+   [bullseye] - cookiecutter  (Minor issue)
[buster] - cookiecutter  (Minor issue)
[stretch] - cookiecutter  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281
@@ -99674,6 +99677,7 @@ CVE-2022-24729 (CKEditor4 is an open source 
what-you-see-is-what-you-get HTML ed
[bullseye] - ckeditor  (Minor issue)
[buster] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
+   [bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
[stretch] - ckeditor3  (EOL'd for stretch)
@@ -99683,6 +99687,7 @@ CVE-2022-24728 (CKEditor4 is an open source 
what-you-see-is-what-you-get HTML ed
[bullseye] - ckeditor  (Minor issue)
[buster] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
+   [bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
[stretch] - ckeditor3  (EOL'd for stretch)
@@ -127231,6 +127236,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG 
HTML editor. In affected ver
[buster] - ckeditor  (Minor issue)
[stretch] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
+   [bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
[stretch] - ckeditor3  (EOL'd for stretch)
@@ -136268,6 +136274,7 @@ CVE-2021-37695 (ckeditor is an open source WYSIWYG 
HTML editor with rich content
[bullseye] - ckeditor  (Minor issue)
[buster] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
+   [bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
[stretch] - ckeditor3  (EOL'd for stretch)
@@ -145501,6 +145508,7 @@ CVE-2021-33829 (A cross-site scripting (XSS) 
vulnerability in the HTML Data Proc
- ckeditor 4.16.0+dfsg-2
[buster] - ckeditor  (Minor issue)
- ckeditor3  (bug #1015217)
+   [bookworm] - ckeditor3  (Minor issue)
[bullseye] - ckeditor3  (Minor issue)
[buster] - ckeditor3  (No longer supported in LTS)
[stretch] - ckeditor3  (EOL'd for stretch)
@@ -165322,6 +165330,7 @@ CVE-2021-26271 (It was possible to execute a 
ReDoS-type attack inside CKEditor 4
[buster] - ckeditor  (Minor issue)
[stretch] - ckeditor  (Fix along next DLA)
- ckeditor3  (bug 

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-05-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37c9243b by Moritz Mühlenhoff at 2023-05-23T12:30:03+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -652,6 +652,7 @@ CVE-2023-32758 (giturlparse (aka git-url-parse) through 
1.2.2, as used in Semgre
 CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw 
ouccers due t ...)
[experimental] - libvirt 9.3.0-1
- libvirt  (bug #1036297)
+   [bookworm] - libvirt  (Minor issue)
[bullseye] - libvirt  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653
NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585
 (v9.3.0)
@@ -1393,6 +1394,7 @@ CVE-2023-31485 (GitLab::API::v4 through 0.26 does not 
verify TLS certificates wh
NOTE: https://github.com/bluefeet/GitLab-API-v4/pull/57
 CVE-2023-31484 (CPAN.pm before 2.35 does not verify TLS certificates when 
downloading  ...)
- perl  (bug #1035109)
+   [bookworm] - perl  (Minor issue)
[bullseye] - perl  (Minor issue)
[buster] - perl  (Minor issue)
NOTE: https://github.com/andk/cpanpm/pull/175
@@ -3530,6 +3532,7 @@ CVE-2023-30631
RESERVED
 CVE-2023-30630 (Dmidecode before 3.5 allows -dump-bin to overwrite a local 
file. This  ...)
- dmidecode  (bug #1034483)
+   [bookworm] - dmidecode  (Minor issue)
[bullseye] - dmidecode  (Minor issue)
[buster] - dmidecode  (Minor issue)
NOTE: https://github.com/adamreiser/dmiwrite
@@ -8638,6 +8641,7 @@ CVE-2023-28859 (redis-py before 4.4.4 and 4.5.x before 
4.5.4 leaves a connection
NOTE: https://github.com/redis/redis-py/pull/2641
 CVE-2023-28858 (redis-py before 4.5.3 leaves a connection open after canceling 
an asyn ...)
- python-redis  (bug #1033754)
+   [bookworm] - python-redis  (Minor issue)
[bullseye] - python-redis  (Vulnerable code not present)
[buster] - python-redis  (Vulnerable code introduced 
later)
NOTE: https://github.com/redis/redis-py/issues/2624
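Review bot: the bullseye and buster annotations in the unchanged context just below the new [bookworm] line describe what is presumably the same fact in two different ways ("Vulnerable code not present" vs. "Vulnerable code introduced later"); since this commit already touches the entry, pick one wording for both so the reason those two releases are unaffected reads consistently.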
@@ -9772,6 +9776,7 @@ CVE-2023-28532
RESERVED
 CVE-2023-28531 (ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent 
without ...)
- openssh  (bug #1033166)
+   [bookworm] - openssh  (Minor issue)
[bullseye] - openssh  (Vulnerable code introduced later; 
per-hop desination constraints support added in OpenSSH 8.9)
[buster] - openssh  (Vulnerable code introduced later; 
per-hop desination constraints support added in OpenSSH 8.9)
 CVE-2023-28530
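Review bot: the two unchanged context lines directly under the new [bookworm] entry both misspell "destination" as "desination" ("per-hop desination constraints"); since this commit edits the same entry, fix the spelling in the same change. The added bookworm line could also carry a short rationale the way the bullseye/buster lines do, so a reader sees why an ssh-agent smartcard-key issue is no-dsa rather than having to infer it from the neighbouring annotations.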
@@ -12771,6 +12776,7 @@ CVE-2022-48364 (The undo_mark_statuses_as_sensitive 
method in app/services/appro
- mastodon  (bug #859741)
 CVE-2023-27635 (debmany in debian-goodies 0.88.1 allows attackers to execute 
arbitrary ...)
- debian-goodies  (bug #1031267)
+   [bookworm] - debian-goodies  (Minor issue; user prompted before 
execution)
[bullseye] - debian-goodies  (Minor issue; user prompted before 
execution)
[buster] - debian-goodies  (Minor issue; user prompted before 
execution)
 CVE-2023-1181 (Cross-site Scripting (XSS) - Stored in GitHub repository 
icret/easyima ...)
@@ -18912,25 +18918,30 @@ CVE-2023-25516
 CVE-2023-25515
RESERVED
 CVE-2023-25514 (NVIDIA CUDA toolkit for Linux and Windows contains a 
vulnerability in  ...)
-   - nvidia-cuda-toolkit  (bug #1034793; bug #1034799)
+   - nvidia-cuda-toolkit  (unimportant; bug #1034793; bug 
#1034799)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-25513 (NVIDIA CUDA toolkit for Linux and Windows contains a 
vulnerability in  ...)
-   - nvidia-cuda-toolkit  (bug #1034799)
+   - nvidia-cuda-toolkit  (unimportant; bug #1034799)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-25512 (NVIDIA CUDA toolkit for Linux and Windows contains a 
vulnerability in  ...)
-   - nvidia-cuda-toolkit  (bug #1034799)
+   - nvidia-cuda-toolkit  (unimportant; bug #1034799)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-25511 (NVIDIA CUDA Toolkit for Linux and Windows contains a 
vulnerability in  ...)
-   - nvidia-cuda-toolkit  (bug #1034793; bug #1034799)
+   - nvidia-cuda-toolkit  (unimportant; bug #1034793; bug 
#1034799)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5456
+ 

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-04-29 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20fade1e by Moritz Muehlenhoff at 2023-04-29T12:55:45+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7670,6 +7670,7 @@ CVE-2023-1545 (SQL Injection in GitHub repository 
nilsteampassnet/teampass prior
- teampass  (bug #730180)
 CVE-2023-1544 (A flaw was found in the QEMU implementation of VMWare's 
paravirtual RD ...)
- qemu  (bug #1034179)
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
[buster] - qemu  (Minor issue)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-03/msg00206.html
@@ -15172,6 +15173,8 @@ CVE-2023-26113 (Versions of the package collection.js 
before 6.8.1 are vulnerabl
NOT-FOR-US: collection.js
 CVE-2023-26112 (All versions of the package configobj are vulnerable to 
Regular Expres ...)
- configobj  (bug #1034152)
+   [bookworm] - configobj  (Minor issue)
+   [bullseye] - configobj  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-CONFIGOBJ-3252494
NOTE: https://github.com/DiffSK/configobj/issues/232
 CVE-2023-26111 (All versions of the package @nubosoftware/node-static; all 
versions of ...)
@@ -289388,6 +289391,7 @@ CVE-2019-10181 (It was found that in icedtea-web up 
to and including 1.7.2 and 1
NOTE: 
https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e
 (1.8)
 CVE-2019-10180 (A vulnerability was found in all pki-core 10.x.x version, 
where the To ...)
- dogtag-pki  (bug #1014855)
+   [bookworm] - dogtag-pki  (Minor issue)
[bullseye] - dogtag-pki  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721137
 CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, 
where the K ...)
@@ -289397,6 +289401,7 @@ CVE-2019-10179 (A vulnerability was found in all 
pki-core 10.x.x versions, where
NOTE: 
https://github.com/dogtagpki/pki/commit/a93a65be0b1bcf94e004ba59c6a0c8a2c086936f
 (v10.9.0)
 CVE-2019-10178 (It was found that the Token Processing Service (TPS) did not 
properly  ...)
- dogtag-pki  (bug #1014856)
+   [bookworm] - dogtag-pki  (Minor issue)
[bullseye] - dogtag-pki  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1719042
 CVE-2019-10177 (A stored cross-site scripting (XSS) vulnerability was found in 
the PDF ...)
@@ -391342,6 +391347,7 @@ CVE-2017-148 (the web framework using ljharb's qs 
module older than v6.3.2,
NOT-FOR-US: ljharb
 CVE-2017-147 (rbenv (all current versions) is vulnerable to Directory 
Traversal in t ...)
- rbenv  (bug #869702)
+   [bookworm] - rbenv  (Minor issue)
[bullseye] - rbenv  (Minor issue)
[buster] - rbenv  (Minor issue)
[stretch] - rbenv  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20fade1e6f5d2c99111cf4c45dce171cfe9ea197

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20fade1e6f5d2c99111cf4c45dce171cfe9ea197
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-04-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7c04442c by Moritz Muehlenhoff at 2023-04-10T19:53:01+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5852,6 +5852,7 @@ CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is 
available, allows privil
- doas 
[bullseye] - doas  (Minor issue)
- opendoas  (bug #1034185)
+   [bookworm] - opendoas  (Minor issue, will be addressed via 
kernel change which isn't in 6.1 yet)
NOTE: https://github.com/Duncaen/OpenDoas/issues/106
NOTE: https://www.openwall.com/lists/oss-security/2023/03/14/4
NOTE: Restricting ioctl on the kernel side seems the better approach, 
patches have been
@@ -66389,7 +66390,6 @@ CVE-2022-2211 (A vulnerability was found in libguestfs. 
This issue occurs while
[bullseye] - libguestfs  (Minor issue)
[buster] - libguestfs  (Minor issue)
- guestfs-tools 1.48.3-4 (bug #1014764)
-   [bookworm] - guestfs-tools  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
NOTE: In 1:1.46.2-1 of src:libguestfs the tools were split out to 
src:guestfs-tools, marking that as fixed version
NOTE: 
https://listman.redhat.com/archives/libguestfs/2022-June/029274.html
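Review bot: the unchanged NOTE "In 1:1.46.2-1 of src:libguestfs the tools were split out to src:guestfs-tools, marking that as fixed version" now sits under a guestfs-tools line that carries its own fixed version 1.48.3-4, which the NOTE does not mention; with the [bookworm] no-dsa line removed, a reader can no longer tell which version "that" refers to. Reword the NOTE so both fixed versions (libguestfs 1:1.46.2-1 for the split, guestfs-tools 1.48.3-4 for the actual fix) are stated explicitly.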



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c04442cf2acead3b42fca985065690d3cafac99



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-04-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b7f29b3f by Moritz Muehlenhoff at 2023-04-10T18:16:57+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11040,9 +11040,17 @@ CVE-2023-26486 (Vega is a visualization grammar, a 
declarative format for creati
NOT-FOR-US: Vega
 CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and 
renderin ...)
- cmark-gfm 
+   [bookworm] - cmark-gfm  (Minor issue)
+   [bullseye] - cmark-gfm  (Minor issue)
- python-cmarkgfm 
+   [bookworm] - python-cmarkgfm  (Minor issue)
+   [bullseye] - python-cmarkgfm  (Minor issue)
- r-cran-commonmark 
+   [bookworm] - r-cran-commonmark  (Minor issue)
+   [bullseye] - r-cran-commonmark  (Minor issue)
- ruby-commonmarker 
+   [bookworm] - ruby-commonmarker  (Minor issue)
+   [bullseye] - ruby-commonmarker  (Minor issue)
NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5
NOTE: 
https://github.com/github/cmark-gfm/commit/07a66c9bc341f902878e37d7da8647d6ef150987
 CVE-2023-26484 (KubeVirt is a virtual machine management add-on for 
Kubernetes. In ver ...)
@@ -15894,9 +15902,17 @@ CVE-2023-24825
RESERVED
 CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and 
renderin ...)
- cmark-gfm 
+   [bookworm] - cmark-gfm  (Minor issue)
+   [bullseye] - cmark-gfm  (Minor issue)
- python-cmarkgfm 
+   [bookworm] - python-cmarkgfm  (Minor issue)
+   [bullseye] - python-cmarkgfm  (Minor issue)
- r-cran-commonmark 
+   [bookworm] - r-cran-commonmark  (Minor issue)
+   [bullseye] - r-cran-commonmark  (Minor issue)
- ruby-commonmarker 
+   [bookworm] - ruby-commonmarker  (Minor issue)
+   [bullseye] - ruby-commonmarker  (Minor issue)
NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh
NOTE: 
https://github.com/github/cmark-gfm/commit/2300c1bd2c8226108885bf019655c4159cf26b59
 CVE-2023-24823
@@ -15935,6 +15951,7 @@ CVE-2023-24810 (Misskey is an open source, 
decentralized social media platform.
NOT-FOR-US: Misskey
 CVE-2023-24809 (NetHack is a single player dungeon exploration game. Starting 
with ver ...)
- nethack  (bug #1031869)
+   [bookworm] - nethack  (Minor issue)
[bullseye] - nethack  (Minor issue)
[buster] - nethack  (Minor issue)
NOTE: 
https://github.com/NetHack/NetHack/security/advisories/GHSA-2cqv-5w4v-mgch
@@ -23436,28 +23453,60 @@ CVE-2023-22487 (Flarum is a forum software for 
building communities. Using the m
NOT-FOR-US: Flarum
 CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and 
renderin ...)
- cmark-gfm  (bug #1033110)
+   [bookworm] - cmark-gfm  (Minor issue)
+   [bullseye] - cmark-gfm  (Minor issue)
- python-cmarkgfm  (bug #1033111)
+   [bookworm] - python-cmarkgfm  (Minor issue)
+   [bullseye] - python-cmarkgfm  (Minor issue)
- r-cran-commonmark  (bug #1033112)
+   [bookworm] - r-cran-commonmark  (Minor issue)
+   [bullseye] - r-cran-commonmark  (Minor issue)
- ruby-commonmarker  (bug #1033113)
+   [bookworm] - ruby-commonmarker  (Minor issue)
+   [bullseye] - ruby-commonmarker  (Minor issue)
NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p
NOTE: 
https://github.com/github/cmark-gfm/commit/ece074cc3378f7a8dec0395f00123e9fa6981f7b
 (0.29.0.gfm.7)
 CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and 
renderin ...)
- cmark-gfm  (bug #1033110)
+   [bookworm] - cmark-gfm  (Minor issue)
+   [bullseye] - cmark-gfm  (Minor issue)
- python-cmarkgfm  (bug #1033111)
+   [bookworm] - python-cmarkgfm  (Minor issue)
+   [bullseye] - python-cmarkgfm  (Minor issue)
- r-cran-commonmark  (bug #1033112)
+   [bookworm] - r-cran-commonmark  (Minor issue)
+   [bullseye] - r-cran-commonmark  (Minor issue)
- ruby-commonmarker  (bug #1033113)
+   [bookworm] - ruby-commonmarker  (Minor issue)
+   [bullseye] - ruby-commonmarker  (Minor issue)
NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr
 CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and 
renderin ...)
- cmark-gfm  (bug #1033110)
+   [bookworm] - cmark-gfm  (Minor issue)
+   [bullseye] - cmark-gfm  (Minor issue)
- python-cmarkgfm  (bug #1033111)
+   [bookworm] - python-cmarkgfm  (Minor issue)
+   [bullseye] - python-cmarkgfm  (Minor issue)
- r-cran-commonmark  (bug #1033112)
+   [bookworm] - r-cran-commonmark  (Minor issue)
+   [bullseye] - r-cran-commonmark  (Minor

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-04-10 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
10a900d6 by Moritz Muehlenhoff at 2023-04-10T17:21:32+02:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3098,6 +3098,8 @@ CVE-2023-29142
RESERVED
 CVE-2023-29141 (An issue was discovered in MediaWiki before 1.35.10, 1.36.x 
through 1. ...)
- mediawiki 
+   [bookworm] - mediawiki  (Minor issue)
+   [bullseye] - mediawiki  (Minor issue)
NOTE: 
https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/core/+/REL1_39/RELEASE-NOTES-1.39
NOTE: https://phabricator.wikimedia.org/T285159
 CVE-2023-29140 (An issue was discovered in the GrowthExperiments extension for 
MediaWi ...)
@@ -17063,6 +17065,7 @@ CVE-2023-0467 (The WP Dark Mode WordPress plugin before 
4.0.8 does not properly
NOT-FOR-US: WordPress plugin
 CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to 
implicit ...)
- openssl 
+   [bookworm] - openssl  (Minor issue)
[bullseye] - openssl  (Minor issue)
[buster] - openssl  (Minor issue)
NOTE: https://www.openssl.org/news/secadv/20230328.txt
@@ -17070,6 +17073,7 @@ CVE-2023-0466 (The function 
X509_VERIFY_PARAM_add0_policy() is documented to imp
NOTE: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a
 (OpenSSL_1_1_1-stable)
 CVE-2023-0465 (Applications that use a non-default option when verifying 
certificates ...)
- openssl 
+   [bookworm] - openssl  (Minor issue)
[bullseye] - openssl  (Minor issue)
[buster] - openssl  (Minor issue)
NOTE: https://www.openssl.org/news/secadv/20230328.txt
@@ -17077,6 +17081,7 @@ CVE-2023-0465 (Applications that use a non-default 
option when verifying certifi
NOTE: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95
 (OpenSSL_1_1_1-stable)
 CVE-2023-0464 (A security vulnerability has been identified in all supported 
versions ...)
- openssl 
+   [bookworm] - openssl  (Minor issue)
[bullseye] - openssl  (Minor issue)
[buster] - openssl  (Minor issue)
NOTE: https://www.openssl.org/news/secadv/20230322.txt
@@ -84938,6 +84943,7 @@ CVE-2022-28043
 CVE-2022-28042 (stb_image.h v2.27 was discovered to contain an heap-based 
use-after-fr ...)
{DLA-3305-1}
- libstb  (bug #1014531)
+   [bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1289
NOTE: https://github.com/nothings/stb/pull/1297
@@ -84948,6 +84954,7 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to 
contain an heap-based use-af
 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer 
overflow via th ...)
{DLA-3305-1}
- libstb  (bug #1014531)
+   [bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1292
NOTE: https://github.com/nothings/stb/pull/1297
@@ -116734,6 +116741,7 @@ CVE-2021-42717 (ModSecurity 3.x through 3.0.5 
mishandles excessively nested JSON
NOTE: Fixed by: 
https://github.com/SpiderLabs/ModSecurity/commit/ac79c1c29b7e6323e26cc984ad4f76ef62c731cd
 (v3.0.6)
 CVE-2021-42716 (An issue was discovered in stb stb_image.h 2.27. The PNM 
loader incorr ...)
- libstb  (bug #1014532)
+   [bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Vulnerable code introduced later)
[buster] - libstb  (Vulnerable code introduced later)
NOTE: https://github.com/nothings/stb/issues/1166
@@ -116744,6 +116752,7 @@ CVE-2021-42716 (An issue was discovered in stb 
stb_image.h 2.27. The PNM loader
 CVE-2021-42715 (An issue was discovered in stb stb_image.h 1.33 through 2.27. 
The HDR  ...)
{DLA-3305-1}
- libstb  (bug #1014532)
+   [bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1224
NOTE: https://github.com/nothings/stb/pull/1223
@@ -133848,6 +133857,7 @@ CVE-2021-36490
RESERVED
 CVE-2021-36489 (Buffer Overflow vulnerability in Allegro through 5.2.6 allows 
attacker ...)
- allegro4.4  (bug #1032670)
+   [bookworm] - allegro4.4  (Minor issue)
[bullseye] - allegro4.4  (Minor issue)
[buster] - allegro4.4  (Minor issue)
- allegro5 2:5.2.8.0-1
@@ -161495,6 +161505,7 @@ CVE-2021-25744
RESERVED
 CVE-2021-25743 (kubectl does not neutralize escape, meta or control sequences 
containe ...)
- kubernetes  (bug #1016441)
+   [bookworm] - kubernetes  (Minor issue)
[bullseye] - kubernetes  (Minor issue)
NOTE: https://github.com/kubernetes/kubernetes/issues/101695
 CVE-2021-25742 (A

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-17 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
73660236 by Moritz Muehlenhoff at 2023-03-17T14:47:56+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -107719,7 +107719,7 @@ CVE-2021-43519 (Stack overflow in lua_resume of ldo.c 
in Lua Interpreter 5.1.0~5
NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00015.html
NOTE: Fixed by: 
https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
 CVE-2021-43518 (Teeworlds up to and including 0.7.5 is vulnerable to Buffer 
Overflow.  ...)
-   - teeworlds  (bug #1009070)
+   - teeworlds 0.7.5-2 (bug #1009070)
[bullseye] - teeworlds  (Minor issue)
[buster] - teeworlds  (Minor issue)
NOTE: https://github.com/teeworlds/teeworlds/issues/2981
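Review bot: the package line is changed to the fixed version "0.7.5-2" but no NOTE records what in that upload fixes the buffer overflow, unlike the CVE-2021-43519 entry at the top of this hunk, which carries a "NOTE: Fixed by: <commit>" line; add a "NOTE: Fixed by:" pointer to the upstream fix (or to the changelog entry of 0.7.5-2) so the fixed version can be verified later. The bullseye and buster "Minor issue" lines below are left unchanged, which is fine provided 0.7.5-2 is the first upload carrying the fix.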
@@ -130466,6 +130466,7 @@ CVE-2021-3618 (ALPACA is an application layer 
protocol content confusion attack,
[bullseye] - nginx 1.18.0-6.1+deb11u2
[stretch] - nginx  (Minor issue)
- vsftpd  (bug #991329)
+   [bookworm] - vsftpd  (Minor issue)
[bullseye] - vsftpd  (Minor issue)
[buster] - vsftpd  (Minor issue)
[stretch] - vsftpd  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73660236b6341532d5411e2a26de9285f457e9cb



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-17 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fd95911a by Moritz Muehlenhoff at 2023-03-17T11:26:51+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44832,8 +44832,8 @@ CVE-2022-38457 (A use-after-free(UAF) vulnerability was 
found in function 'vmw_c
[buster] - linux  (Vulnerable code not present)
NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2074
 CVE-2022-38096 (A NULL pointer dereference vulnerability was found in vmwgfx 
driver in ...)
-   - linux 
-   NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073
+   NOTE: PoC has been removed, original reporter is unresponsive and not 
reproducible
+   NOTE: It's unclear whether this was a really issue in the first place
 CVE-2022-36402 (An integer overflow vulnerability was found in vmwgfx driver 
in driver ...)
- linux 
NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2072
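Review bot: after this change CVE-2022-38096 has no package or status line at all: "- linux" is removed and nothing (NOT-FOR-US, a "- linux <not-affected>" entry, or similar) replaces it, leaving only two NOTE lines, so the entry no longer states a disposition. The bugzilla.openanolis.cn reference is also dropped even though the new NOTE ("PoC has been removed, original reporter is unresponsive") is reasoning about exactly that report; keep the URL so the decision can be re-checked. Minor wording: "whether this was a really issue" should read "whether this was really an issue".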
@@ -217650,6 +217650,7 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP 
specification before 2020-
[buster] - gupnp 1.0.5-0+deb10u1
- minidlna 1.2.1+dfsg-3 (bug #976594)
- pupnp-1.8  (bug #983206)
+   [bookworm] - pupnp-1.8  (Minor issue)
[bullseye] - pupnp-1.8  (Minor issue)
[buster] - pupnp-1.8  (Minor issue)
- libupnp 
@@ -229842,6 +229843,7 @@ CVE-2020-8555 (The Kubernetes kube-controller-manager 
in versions v1.0-1.14, ver
NOTE: https://github.com/kubernetes/kubernetes/issues/91542
 CVE-2020-8554 (Kubernetes API server in all versions allow an attacker who is 
able to ...)
- kubernetes  (bug #990793)
+   [bookworm] - kubernetes  (Kubernetes in Bullseye only 
ships the client)
[bullseye] - kubernetes  (Kubernetes in Bullseye only 
ships the client)
NOTE: https://www.openwall.com/lists/oss-security/2020/12/07/5
NOTE: https://github.com/kubernetes/kubernetes/issues/97076
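Review bot: the new [bookworm] annotation says "Kubernetes in Bullseye only ships the client", i.e. it was copied from the bullseye line directly below with the release name left unchanged; make it say Bookworm (assuming the bookworm package likewise ships only the client) so the rationale matches the release it annotates.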



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd95911a49076f04baa4c3156d90fdbcebe2bab3



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-17 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c72e0539 by Moritz Muehlenhoff at 2023-03-17T09:23:29+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25692,6 +25692,7 @@ CVE-2022-4171 (The demon image annotation plugin for 
WordPress is vulnerable to
NOT-FOR-US: demon image annotation plugin for WordPress
 CVE-2022-4170 (The rxvt-unicode package is vulnerable to a remote code 
execution, in  ...)
- rxvt-unicode  (bug #1025489)
+   [bookworm] - rxvt-unicode  (Minor issue)
[bullseye] - rxvt-unicode  (Vulnerable code introduced 
later)
[buster] - rxvt-unicode  (Vulnerable code introduced 
later)
NOTE: https://www.openwall.com/lists/oss-security/2022/12/05/1
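Review bot: the new [bookworm] line says only "Minor issue" for an entry whose CVE text opens with "vulnerable to a remote code execution", with no hint of why it is no-dsa; add a short justification to the parenthetical (the conditions under which the issue is reachable, or a reference to the oss-security post in the NOTE below) so the no-dsa decision can be reviewed without re-reading the advisory. Note also that bullseye and buster are marked "Vulnerable code introduced later", so bookworm is currently the only release on this page with the vulnerable code and no fix recorded.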
@@ -178130,6 +178131,7 @@ CVE-2020-28492
REJECTED
 CVE-2020-28491 (This affects the package 
com.fasterxml.jackson.dataformat:jackson-data ...)
- jackson-dataformat-cbor  (bug #983664)
+   [bookworm] - jackson-dataformat-cbor  (Minor issue)
[bullseye] - jackson-dataformat-cbor  (Minor issue)
[buster] - jackson-dataformat-cbor  (Minor issue)
[stretch] - jackson-dataformat-cbor  (Minor issue; 
https://people.debian.org/~abhijith/CVE-2020-28491.txt)
@@ -185158,7 +185160,8 @@ CVE-2020-26556 (Mesh Provisioning in the Bluetooth 
Mesh profile 1.0 and 1.0.1 ma
NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960012
 CVE-2020-26555 (Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core 
Specificati ...)
-   - linux 
+   NOT-FOR-US: Bluetooth
+   NOTE: There's no indication that any Bluetooth software in Debian is 
affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-pin-pairing/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1918601
@@ -209120,9 +209123,7 @@ CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 
4.0.22rc1, 4.1.x through 4.4
[buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-18057
 CVE-2020-15802 (Devices supporting Bluetooth before 5.1 may allow 
man-in-the-middle at ...)
-   - linux 
-   [bullseye] - linux  (Minor issue, revisit when/if fixed 
upstream)
-   [buster] - linux  (Minor issue, revisit when/if fixed 
upstream)
+   NOTE: Bluetooth protocol issue
NOTE: https://www.kb.cert.org/vuls/id/589825/
 CVE-2020-15801 (In Python 3.8.4, sys.path restrictions specified in a 
python38._pth fi ...)
- python3.9  (Windows-specific)
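Review bot: CVE-2020-15802 is left with only "NOTE: Bluetooth protocol issue" and no status line once the "- linux" entry and the bullseye/buster no-dsa lines are removed, whereas the CVE-2020-26555 hunk in this same commit handles the same kind of specification-level issue with "NOT-FOR-US: Bluetooth" plus an explanatory NOTE; add the same NOT-FOR-US line here (or a "- linux <not-affected>" entry if the kernel is considered unaffected) so the entry has an explicit disposition. The removed "revisit when/if fixed upstream" intent is also lost with the release lines; if it still applies, carry it over into the NOTE.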



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72e05398d71b26af09299b3f90b540b44af3bb8



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-16 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8fc63cfb by Moritz Muehlenhoff at 2023-03-16T09:21:09+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -60384,6 +60384,7 @@ CVE-2022-2211 (A vulnerability was found in libguestfs. 
This issue occurs while
[bullseye] - libguestfs  (Minor issue)
[buster] - libguestfs  (Minor issue)
- guestfs-tools  (bug #1014764)
+   [bookworm] - guestfs-tools  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100862
NOTE: In 1:1.46.2-1 of src:libguestfs the tools were split out to 
src:guestfs-tools, marking that as fixed version
NOTE: 
https://listman.redhat.com/archives/libguestfs/2022-June/029274.html
@@ -515082,6 +515083,7 @@ CVE-2013-0343 (The ipv6_create_tempaddr function in 
net/ipv6/addrconf.c in the L
- linux-2.6  (low)
 CVE-2013-0342 (The CreateID function in packet.py in pyrad before 2.1 uses 
sequential ...)
- pyrad  (low; bug #701151)
+   [bookworm] - pyrad  (Minor issue)
[bullseye] - pyrad  (Minor issue)
[buster] - pyrad  (Minor issue)
[stretch] - pyrad  (Minor issue)
@@ -515104,6 +515106,7 @@ CVE-2013-0338 (libxml2 2.9.0 and earlier allows 
context-dependent attackers to c
- libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260)
 CVE-2013-0337 (The default configuration of nginx, possibly 1.3.13 and 
earlier, uses  ...)
- nginx  (low; bug #701112)
+   [bookworm] - nginx  (Minor issue)
[bullseye] - nginx  (Minor issue)
[buster] - nginx  (Minor issue)
[stretch] - nginx  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc63cfb150c92b67c266a87e73679c73982f0a8



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4096b90c by Moritz Muehlenhoff at 2023-03-15T19:46:07+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41582,6 +41582,7 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 
allows prototype poisonin
NOTE: Fixed by: 
https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90 
(v9.0.3)
 CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module 
prior to  ...)
- puppet-module-puppetlabs-mysql  (bug #1027154)
+   [bookworm] - puppet-module-puppetlabs-mysql  (Minor issue)
[bullseye] - puppet-module-puppetlabs-mysql  (Minor issue)
NOTE: https://puppet.com/security/cve/CVE-2022-3276
NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d
 (v13.0.0)
@@ -152268,6 +152269,7 @@ CVE-2021-26827 (Buffer Overflow in TP-Link WR2041 v1 
firmware for the TL-WR2041+
NOT-FOR-US: TP-Link
 CVE-2021-26826 (A stack overflow issue exists in Godot Engine up to v3.2 and 
is caused ...)
- godot 3.5.1-stable-1 (bug #982593)
+   [bookworm] - godot  (Minor issue)
[bullseye] - godot  (Minor issue)
[buster] - godot  (Minor issue)
NOTE: https://github.com/godotengine/godot/pull/45701
@@ -152275,6 +152277,7 @@ CVE-2021-26826 (A stack overflow issue exists in 
Godot Engine up to v3.2 and is
NOTE: 
https://github.com/godotengine/godot/commit/113b5ab1c45c01b8e6d54d13ac8876d091f883a8
 (3.3-stable)
 CVE-2021-26825 (An integer overflow issue exists in Godot Engine up to v3.2 
that can b ...)
- godot 3.5.1-stable-1 (bug #982593)
+   [bookworm] - godot  (Minor issue)
[bullseye] - godot  (Minor issue)
[buster] - godot  (Minor issue)
NOTE: https://github.com/godotengine/godot/pull/45701



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4096b90c9b4ba07209e8baaf703036d3e6d67d3d

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4096b90c9b4ba07209e8baaf703036d3e6d67d3d
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-15 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a85187f8 by Moritz Muehlenhoff at 2023-03-15T19:07:14+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -123601,6 +123601,7 @@ CVE-2021-38085 (The Canon TR150 print driver through 
3.71.2.10 is vulnerable to
NOT-FOR-US: Canon
 CVE-2021-38084 (An issue was discovered in the POP3 component of Courier Mail 
Server b ...)
- courier  (bug #989375)
+   [bookworm] - courier  (Minor issue)
[bullseye] - courier  (Minor issue)
[buster] - courier  (Minor issue)
[stretch] - courier  (Minor issue, include in next update)
@@ -230813,9 +230814,10 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow 
XSS via the index.asp Devic
 CVE-2020-8032 (A Insecure Temporary File vulnerability in the packaging of 
cyrus-sasl ...)
- cyrus-sasl2  (openSUSE specific packaging issue)
 CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation 
('Cross- ...)
-   - open-build-service  (bug #983576)
+   - open-build-service 2.9.4-4 (bug #983576)
[stretch] - open-build-service  (Minor issue, XSS in web app)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880
+   NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, 
marking as fixed version
 CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS 
Platform ...)
NOT-FOR-US: SuSE CaaS
 CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource 
vulnerability  ...)
@@ -230836,14 +230838,16 @@ CVE-2020-8022 (A Incorrect Default Permissions 
vulnerability in the packaging of
NOT-FOR-US: SAP
 CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build 
Service allow ...)
{DLA-2545-1}
-   - open-build-service  (bug #983576)
+   - open-build-service 2.9.4-4 (bug #983576)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171649
NOTE: 
https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
+   NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, 
marking as fixed version
 CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation 
vulnerab ...)
{DLA-2545-1}
-   - open-build-service  (bug #983576)
+   - open-build-service 2.9.4-4 (bug #983576)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171439
NOTE: 
https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
+   NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, 
marking as fixed version
 CVE-2020-8019 (A UNIX Symbolic Link (Symlink) Following vulnerability in the 
packagin ...)
NOT-FOR-US: SAP
 CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the 
SLES15-SP1-CHOST- ...)
@@ -293499,6 +293503,7 @@ CVE-2019-5428
REJECTED
 CVE-2019-5427 (c3p0 version < 0.9.5.4 may be exploited by a billion laughs 
attack  ...)
- c3p0  (low; bug #927936)
+   [bookworm] - c3p0  (Minor issue)
[bullseye] - c3p0  (Minor issue)
[buster] - c3p0  (Minor issue)
[stretch] - c3p0  (Minor issue)
@@ -327340,11 +327345,12 @@ CVE-2018-12467 (Authorized users of the 
openbuildservice before 2.9.4 could dele
NOTE: Fixed by: 
https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
NOTE: Introduced by: 
https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
 CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated 
users to  ...)
-   - open-build-service  (bug #911797)
+   - open-build-service 2.9.4-4 (bug #911797)
[stretch] - open-build-service  (Minor issue)
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934
NOTE: Fixed by: 
https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063
NOTE: Introduced by: 
https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b
+   NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, 
marking as fixed version
 CVE-2018-12465 (An OS command injection vulnerability in the web 
administration compon ...)
NOT-FOR-US: Micro Focus
 CVE-2018-12464 (A SQL injection vulnerability in the web administration and 
quarantine ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85187f840c5f028834e9be400833199da643682


[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-08 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6979bc79 by Moritz Muehlenhoff at 2023-03-08T10:58:37+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -425778,14 +425778,11 @@ CVE-2016-5417 (Memory leak in the __res_vinit 
function in the IPv6 name server m
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5e7fdabd7df1fc6c56d104e61390bf5a6b526c38
 (glibc-2.24)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=19257
 CVE-2016-5416 (389 Directory Server in Red Hat Enterprise Linux Desktop 6 
through 7,  ...)
-   - 389-ds-base  (bug #834233)
-   [bullseye] - 389-ds-base  (Minor issue)
-   [buster] - 389-ds-base  (Minor issue)
-   [stretch] - 389-ds-base  (Minor issue)
-   [jessie] - 389-ds-base  (Minor issue)
+   - 389-ds-base  (unimportant; bug #834233)
NOTE: https://fedorahosted.org/389/ticket/48852
NOTE: https://github.com/389ds/389-ds-base/issues/1912
NOTE: Potentially related: https://fedorahosted.org/389/ticket/48354
+   NOTE: Marginal impact, upstream not planning to change
 CVE-2016-5415
REJECTED
 CVE-2016-5414 (FreeIPA 4.4.0 allows remote attackers to request an arbitrary 
SAN name ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6979bc791a2ed46300966cbdacac836b13ad0c64



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-07 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
76e65624 by Moritz Muehlenhoff at 2023-03-07T15:55:29+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44948,7 +44948,7 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a 
CommonMark parsing and re
- ghostwriter 2.1.6+ds-1 (unimportant)
- ruby-commonmarker 
[buster] - ruby-commonmarker  (Minor issue)
-   - r-cran-commonmark 
+   - r-cran-commonmark 1.8.1-1
[bullseye] - r-cran-commonmark  (Minor issue)
NOTE: 
https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
NOTE: 
https://github.com/github/cmark-gfm/commit/cfcaa0068bf319974fdec283416fcee5035c2d70
 (0.29.0.gfm.6)
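Review bot: the new fixed version r-cran-commonmark 1.8.1-1 is not tied to the upstream fix the NOTE lines record (cmark-gfm commit cfcaa0068bf3..., released as 0.29.0.gfm.6); a NOTE stating which cmark-gfm release the embedded copy in 1.8.1 carries would let the next triager confirm the version bump actually contains the fix instead of trusting the bare Debian version, which matters here because the fixed version is asserted for an embedded code copy rather than for the package's own code.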
@@ -47417,9 +47417,9 @@ CVE-2021-46834 (A permission bypass vulnerability in 
Huawei cross device task ma
NOT-FOR-US: Huawei
 CVE-2020-36599 (lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and 
before  ...)
[experimental] - ruby-omniauth 2.0.4-1~exp1
-   - ruby-omniauth 
+   - ruby-omniauth 2.0.4-2
[buster] - ruby-omniauth  (Minor issue)
-   NOTE: 
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2
 (v2.0.0-rc1)
+   NOTE: 
https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00
 (v2.0.0-rc1)
 CVE-2020-36598
RESERVED
 CVE-2020-36597
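Review bot: recording ruby-omniauth 2.0.4-2 as the unstable fixed version without a [bullseye] line leaves bullseye flagged as vulnerable with no triage decision, while [buster] keeps its Minor issue marker; since the CVE text says versions before 1.9.2 (and before 2.0.0) are affected, either add a [bullseye] line with the same no-dsa marker as buster or add a NOTE explaining why bullseye's version is not affected. The second change in this hunk, dropping the #diff-... fragment from the omniauth commit URL, is fine on its own but is unrelated to the triage and would be easier to review as a separate cleanup.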
@@ -69104,11 +69104,11 @@ CVE-2022- [RUSTSEC-2022-0022]
- rust-hyper 0.14.19-1
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0022.html
 CVE-2022- [RUSTSEC-2022-0021]
-   - rust-crossbeam-queue 
+   - rust-crossbeam-queue 0.3.5-1
[bullseye] - rust-crossbeam-queue  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0021.html
 CVE-2022- [RUSTSEC-2022-0019]
-   - rust-crossbeam-channel 
+   - rust-crossbeam-channel 0.4.4-1
[bullseye] - rust-crossbeam-channel  (Minor issue)
[buster] - rust-crossbeam-channel  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html
@@ -137393,9 +137393,10 @@ CVE-2020-36327 (Bundler 1.16.0 through 2.2.9 and 
2.2.11 through 2.2.16 sometimes
- bundler 
[buster] - bundler  (Minor issue)
[stretch] - bundler  (Invasive change, hard to backport; 
chances of regression)
-   - rubygems 
-   [bullseye] - rubygems  (Minor issue)
+   - rubygems 3.3.5-1
+   [bullseye] - rubygems  (Minor issue, too intrusive to backport)
NOTE: https://github.com/rubygems/rubygems/issues/3982
+   NOTE: https://github.com/rubygems/rubygems/pull/4609
 CVE-2021-3521 (There is a flaw in RPM's signature functionality. OpenPGP 
subkeys are  ...)
- rpm 4.18.0+dfsg-1 (bug #1014723)
[bullseye] - rpm  (Minor issue)
@@ -164120,7 +164121,8 @@ CVE-2019-25011 (NetBox through 2.6.2 allows an 
Authenticated User to conduct an
NOT-FOR-US: NetBox
 CVE-2019-25010 (An issue was discovered in the failure crate through 
2019-11-13 for Ru ...)
- rust-failure  (bug #969839)
-   [bullseye] - rust-failure  (Minor issue, 
unmaintained/deprecated upstream)
+   [bookworm] - rust-failure  (Minor issue, 
unmaintained/deprecated upstream)
+   [bullseye] - rust-failure  (Minor issue, 
unmaintained/deprecated upstream)
[buster] - rust-failure  (Minor issue, unmaintained/deprecated 
upstream)
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html
 CVE-2019-25009 (An issue was discovered in the http crate before 0.1.20 for 
Rust. The  ...)
@@ -186439,11 +186441,10 @@ CVE-2020-25574 (An issue was discovered in the http 
crate before 0.1.20 for Rust
NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0033.html
NOTE: https://github.com/hyperium/http/issues/352
 CVE-2020-25575 (** UNSUPPORTED WHEN ASSIGNED ** An issue was discovered in the 
failure ...)
-   - rust-failure  (bug #969839; low)
-   [bullseye] - rust-failure  (Minor issue; unmaintained upstream)
-   [buster] - rust-failure  (Minor issue; unmaintained upstream)
+   - rust-failure  (unimportant; bug #969839)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0036.html
NOTE: https://github.com/rust-lang-nursery/failure/issues/336
+   NOTE: This CVE ID is merely for the fact that the crate is unmaintained
 CVE-2020-25202
RESERVED
 CVE-2020-25201 (HashiCorp Consul Enterprise version 1.7.0 up to 1.8.4 includes 
a names ...)
@@ -227007,6 +227008,7 @@ CVE-2018-21034 (In Argo versions prior to v1.5.0-rc1, 
it was possible for authen
NOT-FOR-US: Argo
 CVE-2017-18641 (In LXC 2.0, many template scripts download code over cleartext 
HTTP, a ...)
- lxc-templates  (bug #988730)
+   [bookworm] - lxc-templates  

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e27f195 by Moritz Muehlenhoff at 2023-03-03T20:18:19+01:00
bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/embedded-code-copies


Changes:

=
data/CVE/list
=
@@ -29488,9 +29488,10 @@ CVE-2022-44036 (** DISPUTED ** In b2evolution 7.2.5, 
if configured with admins_c
 CVE-2022-44035
RESERVED
 CVE-2022-44034 (An issue was discovered in the Linux kernel through 6.0.6. 
drivers/cha ...)
-   - linux 
+   - linux  (unimportant)
NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/
NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/
+   NOTE: Negligible security impact, would need physical access to 
"exploit"
 CVE-2022-44033 (An issue was discovered in the Linux kernel through 6.0.6. 
drivers/cha ...)
- linux  (unimportant)
NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
@@ -56854,7 +56855,7 @@ CVE-2022-34668 (NVFLARE, versions prior to 2.1.4, 
contains a vulnerability that
NOT-FOR-US: NVFLARE
 CVE-2022-34667 (NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow 
vulnera ...)
[experimental] - nvidia-cuda-toolkit 11.8.0-1
-   - nvidia-cuda-toolkit  (bug #1021625)
+   - nvidia-cuda-toolkit 11.8.0-2 (bug #1021625)
[bullseye] - nvidia-cuda-toolkit  (Non-free not supported)
[buster] - nvidia-cuda-toolkit  (Minor issue)
NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5373
@@ -69827,9 +69828,7 @@ CVE-2022-30046
RESERVED
 CVE-2022-30045 (An issue was discovered in libezxml.a in ezXML 0.8.6. The 
function ezx ...)
- mapcache  (unimportant; bug #1014389)
-   - scilab  (bug #1014391)
-   [bullseye] - scilab  (Minor issue)
-   [buster] - scilab  (Minor issue)
+   - scilab  (unimportant; bug #1014391)
- netcdf 1:4.9.0-1
[bullseye] - netcdf  (Minor issue)
[buster] - netcdf  (Minor issue)
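Review bot: the scilab entry is downgraded to unimportant and its bullseye and buster Minor issue lines are dropped, but no NOTE records the rationale, whereas netcdf keeps a real fixed version (1:4.9.0-1) for the same ezXML issue and mapcache on the line above carries the same unimportant rating without explanation either; add a NOTE stating why scilab's embedded ezXML copy has no security impact (the 389-ds-base and linux triage commits in this thread do this), so the identical CVE-2021-31598, CVE-2021-31348, CVE-2021-31347, CVE-2021-31229 and CVE-2021-30485 hunks below can point to the same reasoning.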
@@ -137211,9 +137210,7 @@ CVE-2021-31598 (An issue was discovered in libezxml.a 
in ezXML 0.8.6. The functi
{DLA-2705-1}
- mapcache  (unimportant; bug #989363)
[stretch] - mapcache  (Minor issue)
-   - scilab  (bug #989364)
-   [bullseye] - scilab  (Minor issue)
-   [buster] - scilab  (Minor issue)
+   - scilab  (unimportant; bug #989364)
- netcdf 1:4.9.0-1 (bug #989360)
[bullseye] - netcdf  (Minor issue)
[buster] - netcdf  (Minor issue)
@@ -137856,9 +137853,7 @@ CVE-2021-31349 (The usage of an internal HTTP header 
created an authentication b
 CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The 
function ezx ...)
{DLA-2705-1}
- mapcache  (unimportant; bug #989363)
-   - scilab  (bug #989364)
-   [bullseye] - scilab  (Minor issue)
-   [buster] - scilab  (Minor issue)
+   - scilab  (unimportant; bug #989364)
- netcdf 1:4.9.0-1 (bug #989360)
[bullseye] - netcdf  (Minor issue)
[buster] - netcdf  (Minor issue)
@@ -137871,9 +137866,7 @@ CVE-2021-31348 (An issue was discovered in libezxml.a 
in ezXML 0.8.6. The functi
 CVE-2021-31347 (An issue was discovered in libezxml.a in ezXML 0.8.6. The 
function ezx ...)
{DLA-2705-1}
- mapcache  (unimportant; bug #989363)
-   - scilab  (bug #989364)
-   [bullseye] - scilab  (Minor issue)
-   [buster] - scilab  (Minor issue)
+   - scilab  (unimportant; bug #989364)
- netcdf 1:4.9.0-1 (bug #989360)
[bullseye] - netcdf  (Minor issue)
[buster] - netcdf  (Minor issue)
@@ -138172,9 +138165,7 @@ CVE-2021-31230
 CVE-2021-31229 (An issue was discovered in libezxml.a in ezXML 0.8.6. The 
function ezx ...)
{DLA-2705-1}
- mapcache  (unimportant; bug #989363)
-   - scilab  (bug #989364)
-   [bullseye] - scilab  (Minor issue)
-   [buster] - scilab  (Minor issue)
+   - scilab  (unimportant; bug #989364)
- netcdf 1:4.9.0-1 (bug #989360)
[bullseye] - netcdf  (Minor issue)
[buster] - netcdf  (Minor issue)
@@ -140292,9 +140283,7 @@ CVE-2021-30486 (SysAid 20.3.64 b14 is affected by 
Blind and Stacker SQL injectio
 CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The 
function ezx ...)
{DLA-2705-1}
- mapcache  (unimportant; bug #989363)
-   - scilab  (bug #989364)
-   [bullseye] - scilab  (Minor issue)
-   [buster] - scilab  (Minor issue)
+   - scilab  (unimportant; bug #989364)
- netcdf 1:4.9.0-1 (bug #989360)
[bullseye] - netcdf  (Minor issue)
[buster] - netcdf  (Minor issue)
@@ -151056,10 +151045,7 @@ CVE-2021-26223 (SQL injection vulnerability in 
SourceCodester CASAP Automated En
NOT-FOR-US: SourceCodester CASAP Automated Enrollment System
 CVE-2021-26222 (The ezxml_new function in

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-02 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5601a142 by Moritz Muehlenhoff at 2023-03-02T22:50:41+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18171,6 +18171,8 @@ CVE-2022-4544 (The MashShare WordPress plugin before 
3.8.7 does not validate and
NOT-FOR-US: WordPress plugin
 CVE-2022-4543 (A flaw named "EntryBleed" was found in the Linux Kernel Page 
Table Iso ...)
- linux 
+   [bookworm] - linux  (Minor issue, revisit when/if fixed 
upstream)
+   [bullseye] - linux  (Minor issue, revisit when/if fixed 
upstream)
NOTE: https://www.openwall.com/lists/oss-security/2022/12/16/3
NOTE: https://www.willsroot.io/2022/12/entrybleed.html
 CVE-2023-0016 (SAP BPC MS 10.0 - version 810, allows an unauthorized attacker 
to exec ...)
@@ -172448,31 +172450,31 @@ CVE-2020-26235 (In Rust time crate from version 
0.2.7 and before version 0.2.23,
NOTE: Introduced by: 
https://github.com/time-rs/time/commit/5f1c4927124fefbd8d2886f83a574beb381411e9 
(v0.2.7)
NOTE: Deprecated in: 
https://github.com/time-rs/time/commit/f153a1ca5fdfec979f16c49619e6034cc67e186d 
(v0.2.23)
 CVE-2020-35914 (An issue was discovered in the lock_api crate before 0.4.2 for 
Rust. A ...)
-   - rust-lock-api  (bug #975319)
+   - rust-lock-api 0.4.5-1 (bug #975319)
[bullseye] - rust-lock-api  (Minor issue)
[buster] - rust-lock-api  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35913 (An issue was discovered in the lock_api crate before 0.4.2 for 
Rust. A ...)
-   - rust-lock-api  (bug #975319)
+   - rust-lock-api 0.4.5-1 (bug #975319)
[bullseye] - rust-lock-api  (Minor issue)
[buster] - rust-lock-api  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35912 (An issue was discovered in the lock_api crate before 0.4.2 for 
Rust. A ...)
-   - rust-lock-api  (bug #975319)
+   - rust-lock-api 0.4.5-1 (bug #975319)
[bullseye] - rust-lock-api  (Minor issue)
[buster] - rust-lock-api  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35911 (An issue was discovered in the lock_api crate before 0.4.2 for 
Rust. A ...)
-   - rust-lock-api  (bug #975319)
+   - rust-lock-api 0.4.5-1 (bug #975319)
[bullseye] - rust-lock-api  (Minor issue)
[buster] - rust-lock-api  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html
NOTE: https://github.com/Amanieu/parking_lot/pull/262
 CVE-2020-35910 (An issue was discovered in the lock_api crate before 0.4.2 for 
Rust. A ...)
-   - rust-lock-api  (bug #975319)
+   - rust-lock-api 0.4.5-1 (bug #975319)
[bullseye] - rust-lock-api  (Minor issue)
[buster] - rust-lock-api  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0070.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5601a14217efce3be87dd9761165abfc1bd9a039



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-02 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ec9c2e6e by Moritz Muehlenhoff at 2023-03-02T21:11:57+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -90052,6 +90052,7 @@ CVE-2022-23438 (An improper neutralization of input 
during web page generation (
NOT-FOR-US: Fortinet
 CVE-2022-23437 (There's a vulnerability within the Apache Xerces Java 
(XercesJ) XML pa ...)
- libxerces2-java  (bug #1016975)
+   [bookworm] - libxerces2-java  (revisit when/if fix is 
complete)
[bullseye] - libxerces2-java  (revisit when/if fix is 
complete)
[buster] - libxerces2-java  (revisit when/if fix is complete)
[stretch] - libxerces2-java  (revisit when/if fix is 
complete)
@@ -117782,8 +117783,9 @@ CVE-2021-3715 (A flaw was found in the "Routing 
decision" classifier in the Linu
NOTE: https://www.openwall.com/lists/oss-security/2021/09/07/1
NOTE: 
https://git.kernel.org/linus/ef299cc3fa1a9e1288665a9fdc8bff55629fd359 (5.6)
 CVE-2021-3714 (A flaw was found in the Linux kernels memory deduplication 
mechanism.  ...)
-   - linux 
+   - linux  (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1931327
+   NOTE: Inherent design limitation, can be avoided by not using KSM
 CVE-2021-39245 (Hardcoded .htaccess Credentials for getlogs.cgi exist on Altus 
Nexto,  ...)
NOT-FOR-US: Altus
 CVE-2021-39244 (Authenticated Semi-Blind Command Injection (via Parameter 
Injection) e ...)
@@ -131810,6 +131812,7 @@ CVE-2021-33565
RESERVED
 CVE-2016-20011 (libgrss through 0.7.0 fails to perform TLS certificate 
verification wh ...)
- libgrss  (bug #989149)
+   [bookworm] - libgrss  (Minor issue)
[bullseye] - libgrss  (Minor issue)
[buster] - libgrss  (Minor issue)
[stretch] - libgrss  (Minor issue)
@@ -181932,18 +181935,14 @@ CVE-2020-26562
 CVE-2020-26561 (** UNSUPPORTED WHEN ASSIGNED ** Belkin LINKSYS WRT160NL 
1.0.04.002_US_ ...)
NOT-FOR-US: Belkin
 CVE-2020-26560 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 
and 1.0. ...)
-   - bluez  (bug #1006406)
-   [bullseye] - bluez  (Minor issue)
-   [buster] - bluez  (Minor issue)
-   [stretch] - bluez  (Mesh support introduced later)
+   NOT-FOR-US: Bluetooth
+   NOTE: There's no indication that any Bluetooth software in Debian is 
affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-mesh/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1959994
 CVE-2020-26559 (Bluetooth Mesh Provisioning in the Bluetooth Mesh profile 1.0 
and 1.0. ...)
-   - bluez  (bug #1006406)
-   [bullseye] - bluez  (Minor issue)
-   [buster] - bluez  (Minor issue)
-   [stretch] - bluez  (Mesh support introduced later)
+   NOT-FOR-US: Bluetooth
+   NOTE: There's no indication that any Bluetooth software in Debian is 
affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/authvalue-leak/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960011
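Review bot: switching CVE-2020-26560 and CVE-2020-26559 to NOT-FOR-US: Bluetooth removes the "- bluez (bug #1006406)" line and with it the only reference to the Debian bug, and the new NOTE says only that there is no indication any Bluetooth software in Debian is affected without saying how bluez, which the removed lines named, was ruled out; record that reasoning and the fate of bug #1006406 in the NOTE so the decision is traceable, and consider keeping the dropped "Mesh support introduced later" remark for stretch, since it is useful history if these entries are ever re-triaged.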
@@ -181959,10 +181958,8 @@ CVE-2020-26558 (Bluetooth LE and BR/EDR secure 
pairing in Bluetooth Core Specifi
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00517.html
NOTE: 
https://git.kernel.org/pub/scm/bluetooth/bluez.git/commit/?id=00da0fb4972cf59e1c075f313da81ea549cb8738
 CVE-2020-26557 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 
may perm ...)
-   - bluez  (bug #1006406)
-   [bullseye] - bluez  (Minor issue)
-   [buster] - bluez  (Minor issue)
-   [stretch] - bluez  (Mesh support introduced later)
+   NOT-FOR-US: Bluetooth
+   NOTE: There's no indication that any Bluetooth software in Debian is 
affected
NOTE: https://kb.cert.org/vuls/id/799380
NOTE: 
https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/predicatable-authvalue/
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960009
@@ -435368,6 +435365,7 @@ CVE-2016-2142 (Red Hat OpenShift Enterprise 3.1 uses 
world-readable permissions
NOT-FOR-US: OpenShift
 CVE-2016-2141 (JGroups before 4.0 does not require the proper headers for the 
ENCRYPT ...)
- libjgroups-java  (low; bug #867493)
+   [bookworm] - libjgroups-java  (Minor issue, only used as build 
dep)
[bullseye] - libjgroups-java  (Minor issue, only used as build 
dep)
[buster] - libjgroups-java  (Minor issue, only used as build 
dep)
[stretch] - libjgroups-java  (Minor issue, only used as build 
dep)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c12b7e8c by Moritz Muehlenhoff at 2023-03-01T20:23:33+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28980,13 +28980,15 @@ CVE-2022-44034 (An issue was discovered in the Linux 
kernel through 6.0.6. drive
NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/
NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/
 CVE-2022-44033 (An issue was discovered in the Linux kernel through 6.0.6. 
drivers/cha ...)
-   - linux 
+   - linux  (unimportant)
NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
NOTE: https://lore.kernel.org/lkml/20220919040457.GA302681@ubuntu/
+   NOTE: Negligible security impact, would need physical access to 
"exploit"
 CVE-2022-44032 (An issue was discovered in the Linux kernel through 6.0.6. 
drivers/cha ...)
-   - linux 
+   - linux  (unimportant)
NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/
NOTE: https://lore.kernel.org/lkml/20220919040701.GA302806@ubuntu/
+   NOTE: Negligible security impact, would need physical access to 
"exploit"
 CVE-2022-44031 (Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent 
XSS in i ...)
- redmine 5.0.4-1 (bug #1026048)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
@@ -99851,6 +99853,7 @@ CVE-2021-44505 (An issue was discovered in FIS GT.M 
through V7.0-000 (related to
NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
 CVE-2021-44504 (An issue was discovered in FIS GT.M through V7.0-000 (related 
to the Y ...)
- fis-gtm 
+   [bookworm] - fis-gtm  (Minor issue)
[bullseye] - fis-gtm  (Minor issue)
[buster] - fis-gtm  (Minor issue)
[stretch] - fis-gtm  (Minor issue)
@@ -99907,6 +99910,7 @@ CVE-2021-44497 (An issue was discovered in FIS GT.M 
through V7.0-000 (related to
NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828
 CVE-2021-44496 (An issue was discovered in FIS GT.M through V7.0-000 (related 
to the Y ...)
- fis-gtm 
+   [bookworm] - fis-gtm  (Minor issue)
[bullseye] - fis-gtm  (Minor issue)
[buster] - fis-gtm  (Minor issue)
[stretch] - fis-gtm  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c12b7e8c5ea0005deb66cd1e7659400e11e3da7c



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7bf7f45d by Moritz Muehlenhoff at 2023-03-01T17:41:58+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13589,6 +13589,8 @@ CVE-2010-10003 (A vulnerability classified as critical 
was found in gesellix tit
NOT-FOR-US: gesellix titlelink
 CVE-2023-22602 (When using Apache Shiro before 1.11.0 together with Spring 
Boot 2.6+,  ...)
- shiro  (bug #1029039)
+   [bookworm] - shiro  (Minor issue)
+   [bullseye] - shiro  (Minor issue)
NOTE: https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl
 CVE-2023-22601 (InHand Networks InRouter 302, prior to version IR302 V3.5.56, 
and InRo ...)
NOT-FOR-US: InHand Networks InRouter
@@ -19254,8 +19256,11 @@ CVE-2022-47017
 CVE-2022-47016
REJECTED
 CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to 
Denial of S ...)
+   - mariadb
+   [bookworm] - mariadb  (Minor issue, wait for next point 
release)
- mariadb-10.6 
- mariadb-10.5 
+   [bullseye] - mariadb-10.5  (Minor issue)
- mariadb-10.3 
NOTE: https://jira.mariadb.org/browse/MDEV-29644
 CVE-2022-47014
@@ -39937,6 +39942,8 @@ CVE-2022-40665
REJECTED
 CVE-2022-40664 (Apache Shiro before 1.10.0, Authentication Bypass 
Vulnerability in Shi ...)
- shiro  (bug #1021671)
+   [bookworm] - shiro  (Minor issue)
+   [bullseye] - shiro  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/10/12/1
 CVE-2022-40663 (This vulnerability allows remote attackers to execute 
arbitrary code o ...)
NOT-FOR-US: NIKON
@@ -40965,6 +40972,7 @@ CVE-2022-3168
NOTE: https://www.openwall.com/lists/oss-security/2022/10/25/5
 CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x 
through 2.1 ...)
- openvswitch  (bug #1021740)
+   [bookworm] - openvswitch  (Minor issue)
[bullseye] - openvswitch  (Minor issue)
[buster] - openvswitch  (Minor issue)
NOTE: https://arxiv.org/abs/2011.09107
@@ -48826,7 +48834,7 @@ CVE-2022-37396 (In JetBrains Rider before 2022.2 Trust 
and Open Project dialog c
 CVE-2022-37395 (A Huawei device has an input verification vulnerability. 
Successful ex ...)
NOT-FOR-US: Huawei
 CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x 
before 2 ...)
-   - nova  (bug #1016980)
+   - nova 2:26.0.0-1 (bug #1016980)
[bullseye] - nova  (Minor issue)
[buster] - nova  (Minor issue)
NOTE: https://bugs.launchpad.net/ossa/+bug/1981813
@@ -61792,6 +61800,7 @@ CVE-2022-32533 (** UNSUPPORTED WHEN ASSIGNED ** Apache 
Jetspeed-2 does not suffi
NOT-FOR-US: Apache Portals Jetspeed
 CVE-2022-32532 (Apache Shiro before 1.9.1, A RegexRequestMatcher can be 
misconfigured  ...)
- shiro  (bug #1014820)
+   [bookworm] - shiro  (Minor issue)
[bullseye] - shiro  (Minor issue)
[buster] - shiro  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2022/06/28/2
@@ -88497,7 +88506,7 @@ CVE-2022-23838
RESERVED
 CVE-2022-23837 (In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no 
limit on the ...)
{DLA-2943-1}
-   - ruby-sidekiq  (bug #1004193)
+   - ruby-sidekiq 6.4.1+dfsg-1 (bug #1004193)
[bullseye] - ruby-sidekiq  (Minor issue)
NOTE: 
https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
 (v6.4.0)
 CVE-2022-23836
@@ -112052,6 +112061,7 @@ CVE-2021-3805 (object-path is vulnerable to 
Improperly Controlled Modification o
NOTE: 
https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884
 (v0.11.8)
 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring 
Boot, a ...)
- shiro  (bug #1014819)
+   [bookworm] - shiro  (Minor issue)
[bullseye] - shiro  (Minor issue)
[buster] - shiro  (Minor issue)
[stretch] - shiro  (Minor issue)
@@ -129211,6 +129221,7 @@ CVE-2021-34435 (In Eclipse Theia 0.3.9 to 1.8.1, the 
"mini-browser" extension al
NOT-FOR-US: Eclipse Theia
 CVE-2021-34434 (In Eclipse Mosquitto versions 2.0 to 2.0.11, when using the 
dynamic se ...)
- mosquitto  (bug #993400)
+   [bookworm] - mosquitto  (Minor issue)
[bullseye] - mosquitto  (Minor issue)
[buster] - mosquitto  (Vulnerable code introduced later)
[stretch] - mosquitto  (Vulnerable code introduced later)
@@ -130716,6 +130727,7 @@ CVE-2021-3576 (Execution with Unnecessary Privileges 
vulnerability in Bitdefende
NOT-FOR-US: Bitdefender
 CVE-2021-3575 (A heap-based buffer overflow was found in openjpeg in 
color.c:379:42 i ...)
- openjpeg2  (bug #989775)
+   [bookworm] - openjpeg2  (Minor iss

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-03-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
527ea393 by Moritz Muehlenhoff at 2023-03-01T17:02:38+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22749,14 +22749,17 @@ CVE-2022-45887 (An issue was discovered in the Linux 
kernel through 6.0.9. drive
- linux 
NOTE: 
https://lore.kernel.org/linux-media/20221115131822.6640-5-imv4...@gmail.com/
 CVE-2022-45886 (An issue was discovered in the Linux kernel through 6.0.9. 
drivers/med ...)
-   - linux 
+   - linux  (unimportant)
NOTE: 
https://lore.kernel.org/linux-media/20221115131822.6640-3-imv4...@gmail.com/
+   NOTE: Negligible security impact, would need physical access to 
"exploit"
 CVE-2022-45885 (An issue was discovered in the Linux kernel through 6.0.9. 
drivers/med ...)
-   - linux 
+   - linux  (unimportant)
NOTE: 
https://lore.kernel.org/linux-media/20221115131822.6640-2-imv4...@gmail.com/
+   NOTE: Negligible security impact, would need physical access to 
"exploit"
 CVE-2022-45884 (An issue was discovered in the Linux kernel through 6.0.9. 
drivers/med ...)
-   - linux 
+   - linux  (unimportant)
NOTE: 
https://lore.kernel.org/linux-media/20221115131822.6640-4-imv4...@gmail.com/
+   NOTE: Negligible security impact, would need physical access to 
"exploit"
 CVE-2022-45883
REJECTED
 CVE-2022-45877 (OpenHarmony-v3.1.4 and prior versions had an vulnerability. 
PIN code i ...)
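Review bot: CVE-2022-45887 at the top of the hunk comes from the same lore patch series as the three entries below it (message 6640-5 of the thread whose 6640-2, -3 and -4 patches are linked for the siblings) but keeps a bare "- linux" line with neither the (unimportant) marker nor the "Negligible security impact" NOTE; if it is rated differently a NOTE should say why, otherwise it should get the same treatment so the four entries stay consistent.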
@@ -79405,10 +79408,8 @@ CVE-2022-26637
 CVE-2022-26636
RESERVED
 CVE-2022-26635 (PHP-Memcached v2.2.0 and below contains an improper NULL 
termination w ...)
-   - php-memcached  (bug #1009328)
-   [bullseye] - php-memcached  (Minor issue)
-   [buster] - php-memcached  (Minor issue)
-   [stretch] - php-memcached  (Minor issue)
+   NOTE: Disputed issue, not considered a security issue by upstream:
+   NOTE: 
https://github.com/php-memcached-dev/php-memcached/issues/519#issuecomment-1259303434
NOTE: https://xhzeem.me/posts/Php5-memcached-Injection-Bypass/read/
NOTE: https://github.com/php-memcached-dev/php-memcached/issues/519
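Review bot: dropping the "- php-memcached (bug #1009328)" line together with the three release lines removes the only reference to Debian bug #1009328 and leaves the CVE with no package line at all, so it no longer shows up against src:php-memcached in the tracker; if the conclusion is "disputed, not a security issue", keeping a php-memcached line with the reason in parentheses, as the (unimportant; bug #...) entries elsewhere in this series do, preserves both the package association and the bug number for whoever closes the report.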
 CVE-2022-26634 (HMA VPN v5.3.5913.0 contains an unquoted service path which 
allows att ...)
@@ -86209,7 +86210,7 @@ CVE-2022-24331 (In JetBrains TeamCity before 2021.1.4, 
GitLab authentication imp
 CVE-2022-24330 (In JetBrains TeamCity before 2021.2.1, a redirection to an 
external si ...)
NOT-FOR-US: JetBrains TeamCity
 CVE-2022-24329 (In JetBrains Kotlin before 1.6.0, it was not possible to lock 
dependen ...)
-   - kotlin  (bug #1007243)
+   - kotlin  (bug #1007243)
NOTE: 
https://blog.jetbrains.com/blog/2022/02/08/jetbrains-security-bulletin-q4-2021/
NOTE: https://youtrack.jetbrains.com/issue/KT-49449 (not public)
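Review bot: the removed and added kotlin lines read identically in this mail ("- kotlin  (bug #1007243)"), so the only thing that changed is presumably the angle-bracketed status keyword that sits between the package name and the parenthesis and that the mail rendering stripped (hence the double space); as shown, the hunk cannot be reviewed, and since the commit message "bookworm triage" does not say which status the entry moved to, a word in the message or a NOTE would help.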
 CVE-2022-24328 (In JetBrains Hub before 2021.1.13956, an unprivileged user 
could perfo ...)
@@ -113736,10 +113737,12 @@ CVE-2021-40649 (In Connx Version 6.2.0.1269 
(20210623), a cookie can be issued b
NOT-FOR-US: Connx
 CVE-2021-40648 (In man2html 1.6g, a filename can be created to overwrite the 
previous  ...)
- man2html  (bug #1021738)
+   [bookworm] - man2html  (Minor issue)
[bullseye] - man2html  (Minor issue)
NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
 CVE-2021-40647 (In man2html 1.6g, a specific string being read in from a file 
will ove ...)
- man2html  (bug #1021738)
+   [bookworm] - man2html  (Minor issue)
[bullseye] - man2html  (Minor issue)
NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933
 CVE-2021-40646
@@ -127791,6 +127794,7 @@ CVE-2021-35044
RESERVED
 CVE-2021-35043 (OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes 
when using  ...)
- libowasp-antisamy-java  (bug #1014981)
+   [bookworm] - libowasp-antisamy-java  (Minor issue)
[bullseye] - libowasp-antisamy-java  (Minor issue)
[buster] - libowasp-antisamy-java  (Minor issue)
[stretch] - libowasp-antisamy-java  (Minor issue)
@@ -170346,7 +170350,7 @@ CVE-2020-29584
 CVE-2020-29583 (Firmware version 4.60 of Zyxel USG devices contains an 
undocumented ac ...)
NOT-FOR-US: Zyxel
 CVE-2020-29582 (In JetBrains Kotlin before 1.4.21, a vulnerable Java API was 
used for  ...)
-   - kotlin  (bug #1001037)
+   - kotlin  (bug #1001037)
NOTE: https://youtrack.jetbrains.com/issue/KT-42181 (not public)
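Review bot: same situation as the CVE-2022-24329 kotlin hunk earlier in this commit: the - and + lines are identical as rendered, so the change lives entirely in the status keyword this mail does not show, and with the YouTrack reference marked "(not public)" there is nothing here to check the new status against.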
 CVE-2020-29581 (The official spiped docker images before 1.5-alpine contain a 
blank pa ...)
NOT-FOR-US: spiped Docker images
@@ -305982,11 +305986,14 @@ CVE-2019-0188 (Apache Camel prior to 2.24.0 
contains an XML external entity inje
NOT-FOR-US: Apache Camel
 CVE-2019-0187 (Unauthenticated RCE is possible when JMeter is used in 
distributed mo

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb556c99 by Moritz Muehlenhoff at 2023-02-28T17:24:25+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -38083,6 +38083,7 @@ CVE-2022-3278 (NULL Pointer Dereference in GitHub 
repository vim/vim prior to 9.
 CVE-2022-3277 [unrestricted creation of security groups]
RESERVED
- neutron  (bug #1027150)
+   [bookworm] - neutron  (Minor issue)
[bullseye] - neutron  (Minor issue)
[buster] - neutron  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2129193
@@ -47524,17 +47525,17 @@ CVE-2022-37772 (Maarch RM 2.8.3 solution contains an 
improper restriction of exc
 CVE-2022-37771 (IObit Malware Fighter v9.2 for Microsoft Windows lacks tamper 
protecti ...)
NOT-FOR-US: IObit Malware Fighter
 CVE-2022-37770 (libjpeg commit 281daa9 was discovered to contain a 
segmentation fault  ...)
-   - libjpeg  (unimportant)
+   - libjpeg 0.0~git20220805.54ec643-1 (unimportant)
NOTE: https://github.com/thorfdbg/libjpeg/issues/79
NOTE: 
https://github.com/thorfdbg/libjpeg/commit/281daa9ccee18742b83a77cd29bd2726b69b7977
NOTE: Crash in CLI tool, no security impact
 CVE-2022-37769 (libjpeg commit 281daa9 was discovered to contain a 
segmentation fault  ...)
-   - libjpeg  (bug #1025339)
+   - libjpeg 0.0~git20220805.54ec643-1 (bug #1025339)
[bullseye] - libjpeg  (Minor issue)
NOTE: https://github.com/thorfdbg/libjpeg/issues/78
NOTE: 
https://github.com/thorfdbg/libjpeg/commit/281daa9ccee18742b83a77cd29bd2726b69b7977
 CVE-2022-37768 (libjpeg commit 281daa9 was discovered to contain an infinite 
loop via  ...)
-   - libjpeg  (unimportant)
+   - libjpeg 0.0~git20220805.54ec643-1 (unimportant)
NOTE: https://github.com/thorfdbg/libjpeg/issues/77
NOTE: 
https://github.com/thorfdbg/libjpeg/commit/281daa9ccee18742b83a77cd29bd2726b69b7977
NOTE: Hang in CLI tool, no security impact
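Review bot: for all three libjpeg entries the NOTE links commit 281daa9ccee18742b83a77cd29bd2726b69b7977, yet each description says "libjpeg commit 281daa9 was discovered to contain" the bug, i.e. the same hash names the affected snapshot, and the fixing version now recorded is a later snapshot (0.0~git20220805.54ec643-1); if 281daa9 is the fix it should be labelled "Fixed by:" as other entries in this file are, and if it is the affected commit the actual fixing commit is missing. The split itself is consistent: the two CLI-only crashes stay (unimportant) while CVE-2022-37769 keeps bug #1025339 and its bullseye deferral.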
@@ -130427,6 +130428,7 @@ CVE-2021-33814
 CVE-2021-33813 (An XXE issue in SAXBuilder in JDOM through 2.0.6 allows 
attackers to c ...)
{DLA-2712-1 DLA-2696-1}
- libjdom2-intellij-java  (bug #990673)
+   [bookworm] - libjdom2-intellij-java  (Minor issue)
[bullseye] - libjdom2-intellij-java  (Minor issue)
[buster] - libjdom2-intellij-java  (Minor issue)
- libjdom2-java 2.0.6-2.1 (bug #990671)
@@ -133003,7 +133005,7 @@ CVE-2021-32825 (bblfshd is an open source self-hosted 
server for source code par
 CVE-2021-32824 (Apache Dubbo is a java based, open source RPC framework. 
Versions prio ...)
TODO: check
 CVE-2021-32823 (In the bindata RubyGem before version 2.4.10 there is a 
potential deni ...)
-   - ruby-bindata  (bug #990577)
+   - ruby-bindata 2.4.14-1 (bug #990577)
[bullseye] - ruby-bindata  (Minor issue)
[buster] - ruby-bindata  (Minor issue)
[stretch] - ruby-bindata  (Minor issue)
@@ -163502,7 +163504,7 @@ CVE-2021-21306 (Marked is an open-source markdown 
parser and compiler (npm packa
NOTE: 
https://github.com/markedjs/marked/security/advisories/GHSA-4r62-v4vq-hr96
NOTE: 
https://github.com/markedjs/marked/commit/7293251c438e3ee968970f7609f1a27f9007bccd
 CVE-2021-21305 (CarrierWave is an open-source RubyGem which provides a simple 
and flex ...)
-   - ruby-carrierwave  (bug #982551)
+   - ruby-carrierwave 1.3.2-1 (bug #982551)
[buster] - ruby-carrierwave  (Minor issue)
[stretch] - ruby-carrierwave  (No reverse dependencies)
NOTE: 
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
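Review bot: with 1.3.2-1 now recorded as the fixing version, the hunk keeps deferrals for buster and stretch but has no [bullseye] line; if bullseye ships a version below 1.3.2-1 the tracker will report it as open and it needs either a deferral or a fixed-version line, and if it already ships 1.3.2-1 or later a short NOTE saying so spares the next triage pass the same question.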
@@ -204199,6 +204201,7 @@ CVE-2020-16156 (CPAN 2.28 allows Signature 
Verification Bypass. ...)
NOTE: 
https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603 
(2.33-TRIAL)
 CVE-2020-16155 (The CPAN::Checksums package 2.12 for Perl does not uniquely 
define sig ...)
- libcpan-checksums-perl 
+   [bookworm] - libcpan-checksums-perl  (Minor issue)
[bullseye] - libcpan-checksums-perl  (Minor issue)
[buster] - libcpan-checksums-perl  (Minor issue)
[stretch] - libcpan-checksums-perl  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb556c99e0da30ced15af92856f0cae5c2d1bdab

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb556c99e0da30ced15af92856f0cae5c2d1bdab
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commit

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16c529b4 by Moritz Muehlenhoff at 2023-02-28T16:23:12+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9894,6 +9894,7 @@ CVE-2023-0331 (The Correos Oficial WordPress plugin 
through 1.2.0.2 does not hav
 CVE-2023-0330
RESERVED
- qemu  (bug #1029155)
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151
NOTE: Proposed patch: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html
@@ -25189,6 +25190,7 @@ CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in 
GitHub repository jgraph/draw
NOT-FOR-US: jgraph/drawio
 CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of 
QEMU.  ...)
- qemu  (bug #1024022)
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
[buster] - qemu  (Minor issue, DoS, waiting for sanctioned 
patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567
@@ -88907,7 +88909,7 @@ CVE-2022-23608 (PJSIP is a free and open source 
multimedia communication library
NOTE: 
https://github.com/pjsip/pjproject/commit/db3235953baa56d2fb0e276ca510fefca751643f
 CVE-2022-23607 (treq is an HTTP library inspired by requests but written on 
top of Twi ...)
{DLA-2954-1}
-   - python-treq  (bug #1005041)
+   - python-treq 22.2.0-0.1 (bug #1005041)
[bullseye] - python-treq  (Minor issue)
[buster] - python-treq  (Minor issue)
NOTE: 
https://github.com/twisted/treq/security/advisories/GHSA-fhpf-pp6p-55qc
@@ -163175,7 +163177,7 @@ CVE-2021-21417 (fluidsynth is a software synthesizer 
based on the SoundFont 2 sp
NOTE: https://github.com/FluidSynth/fluidsynth/issues/808
NOTE: 
https://github.com/FluidSynth/fluidsynth/security/advisories/GHSA-6fcq-pxhc-jxc9
 CVE-2021-21416 (django-registration is a user registration package for Django. 
The dja ...)
-   - python-django-registration  (bug #987366)
+   - python-django-registration 3.3-1 (bug #987366)
[bullseye] - python-django-registration  (Minor issue)
[buster] - python-django-registration  (Minor issue)
[stretch] - python-django-registration  (Minor issue)
@@ -397130,15 +397132,14 @@ CVE-2016-10126 (Splunk Web in Splunk Enterprise 
5.0.x before 5.0.17, 6.0.x befor
 CVE-2016-10125 (D-Link DGS-1100 devices with Rev.B firmware 1.01.018 have a 
hardcoded  ...)
NOT-FOR-US: D-Link
 CVE-2016-10127 (PySAML2 allows remote attackers to conduct XML external entity 
(XXE) a ...)
-   - python-pysaml2  (low; bug #859135)
-   [bullseye] - python-pysaml2  (Minor issue)
-   [buster] - python-pysaml2  (Minor issue)
+   - python-pysaml2 4.5.0-2 (low; bug #859135)
[stretch] - python-pysaml2  (Minor issue)
[jessie] - python-pysaml2  (Minor issue)
NOTE: https://github.com/rohe/pysaml2/issues/366
NOTE: A proper fix for this issue would be to fix the underlying issue 
in src:libxml2
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1411794#c12
NOTE: https://www.openwall.com/lists/oss-security/2017/01/19/5 (for the 
scope of the CVE)
+   NOTE: https://github.com/IdentityPython/pysaml2/commit/6e09a25d9 
(4.4.0-1)
 CVE-2016-10149 (XML External Entity (XXE) vulnerability in PySAML2 4.4.0 and 
earlier a ...)
{DSA-3759-1}
- python-pysaml2 3.0.0-5 (bug #850716)
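Review bot: the new NOTE annotates commit 6e09a25d9 with "(4.4.0-1)", which reads like a Debian revision, while the entry now records 4.5.0-2 as the fixing version; if the commit was already in 4.4.0-1 the fixing version should be the lower one, and if 4.4.0-1 is meant as an upstream tag it should follow the "(v6.4.0)" and "(2.33-TRIAL)" style used for the other commit references in this series. Removing the bullseye and buster deferrals is correct only if both releases ship at least the fixing version, which the hunk does not state.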



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c529b4ee6c664dd750ceef7a23eccf1e5e49de



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9a9f9a19 by Moritz Muehlenhoff at 2023-02-27T21:02:03+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7408,6 +7408,7 @@ CVE-2023-0483
 CVE-2023-0482 (In RESTEasy the insecure File.createTempFile() is used in the 
DataSour ...)
- resteasy  (bug #1031728)
- resteasy3.0  (bug #1031729)
+   [bookworm] - resteasy3.0  (Minor issue)
[bullseye] - resteasy3.0  (Minor issue)
[buster] - resteasy3.0  (Minor issue)
NOTE: https://github.com/resteasy/resteasy/pull/3409/
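Review bot: only resteasy3.0 gets the new [bookworm] deferral; the resteasy line just above it (bug #1031728) has no release-specific entry, so it will still be reported as open for bookworm. If both packages are meant to be handled the same way, add the matching line for resteasy; otherwise a NOTE recording why resteasy is treated differently would help the next pass.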
@@ -82569,7 +82570,7 @@ CVE-2022-0676 (Heap-based Buffer Overflow in GitHub 
repository radareorg/radare2
NOTE: https://huntr.dev/bounties/5ad814a1-5dd3-43f4-869b-33b8dab78485
NOTE: 
https://github.com/radareorg/radare2/commit/c84b7232626badd075caf3ae29661b609164bac6
 CVE-2022-0675 (In certain situations it is possible for an unmanaged rule to 
exist on ...)
-   - puppet-module-puppetlabs-firewall  (bug #1006749)
+   - puppet-module-puppetlabs-firewall 3.4.0-1 (bug #1006749)
[bullseye] - puppet-module-puppetlabs-firewall  (Minor issue)
[buster] - puppet-module-puppetlabs-firewall  (Minor issue)
NOTE: 
https://github.com/puppetlabs/puppetlabs-firewall/pull/1030/commits/2c0047e09be82dd9e1aa4d93c0cb103f83d2a01e
 (3.4.0)
@@ -183489,6 +183490,7 @@ CVE-2020-25634 (A flaw was found in Red Hat 
3scale’s API docs URL, where i
 CVE-2020-25633 (A flaw was found in RESTEasy client in all versions of 
RESTEasy up to  ...)
- resteasy  (bug #970585)
- resteasy3.0  (bug #1014983)
+   [bookworm] - resteasy3.0  (Minor issue)
[bullseye] - resteasy3.0  (Minor issue)
[buster] - resteasy3.0  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1879042
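Review bot: as with CVE-2023-0482 in this commit, the [bookworm] marker is added for resteasy3.0 only and resteasy (bug #970585) is left without one; either the two packages should be deferred together or the difference should be written down in a NOTE.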
@@ -205265,9 +205267,7 @@ CVE-2020-15710 (Potential double free in Bluez 5 
module of PulseAudio could allo
NOTE: 
https://bugs.launchpad.net/ubuntu/%2Bsource/pulseaudio/%2Bbug/1884738
 CVE-2020-15709 (Versions of add-apt-repository before 0.98.9.2, 0.96.24.32.14, 
0.96.20 ...)
{DLA-2339-1}
-   - software-properties  (bug #968850)
-   [bullseye] - software-properties  (Minor issue)
-   [buster] - software-properties  (Minor issue)
+   - software-properties  (unimportant; bug #968850)
NOTE: https://www.openwall.com/lists/oss-security/2020/08/03/1
NOTE: 
https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/1890286
 CVE-2020-15708 (Ubuntu's packaging of libvirt in 20.04 LTS created a control 
socket wi ...)
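Review bot: the downgrade of software-properties to (unimportant), which also drops the bullseye and buster lines, carries no NOTE giving the reason; the other downgrades in this series do ("Negligible security impact", "raid 5/6 is marked as not production ready for btrfs"), and the two existing links alone do not say why an add-apt-repository issue that warranted DLA-2339-1 is now considered to have no security impact for later releases, so a one-line justification belongs here.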



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a9f9a19f24d880c8c04b0cb7ddc12f7f6af04c0



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd810cc0 by Moritz Muehlenhoff at 2023-02-27T17:29:00+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -56924,6 +56924,7 @@ CVE-2022-34300 (In tinyexr 1.0.1, there is a heap-based 
buffer over-read in tiny
NOTE: https://github.com/syoyo/tinyexr/pull/175
 CVE-2022-34299 (There is a heap-based buffer over-read in libdwarf 0.4.0. This 
issue i ...)
- dwarfutils  (bug #1014493)
+   [bookworm] - dwarfutils  (Minor issue)
[bullseye] - dwarfutils  (Minor issue)
[buster] - dwarfutils  (Minor issue)
[stretch] - dwarfutils  (Minor issue)
@@ -62404,6 +62405,7 @@ CVE-2022-32201 (In libjpeg 1.63, there is a NULL 
pointer dereference in Componen
NOTE: Crash in CLI tool, no security impact
 CVE-2022-32200 (libdwarf 0.4.0 has a heap-based buffer over-read in 
_dwarf_check_strin ...)
- dwarfutils  (bug #1012515)
+   [bookworm] - dwarfutils  (Minor issue)
[bullseye] - dwarfutils  (Minor issue)
[buster] - dwarfutils  (Minor issue)
[stretch] - dwarfutils  (Minor issue)
@@ -118405,11 +118407,12 @@ CVE-2021-38580
 CVE-2021-38579
RESERVED
 CVE-2021-38578 (Existing CommBuffer checks in SmmEntryPoint will not catch 
underflow w ...)
-   - edk2  (bug #1014468)
+   - edk2 2022.11-1 (bug #1014468)
[bullseye] - edk2  (Minor issue)
[buster] - edk2  (Minor issue)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3387 (private)
NOTE: https://edk2.groups.io/g/devel/message/90516
+   NOTE: 
https://github.com/tianocore/edk2/commit/cab1f02565d3b29081dd21afb074f35fdb4e1fd6
 CVE-2021-38577
REJECTED
 CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the 
Platform a ...)
@@ -144077,6 +144080,7 @@ CVE-2021-3448 (A flaw was found in dnsmasq in 
versions before 2.85. When configu
NOTE: 
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
 CVE-2021-3447 (A flaw was found in several ansible modules, where parameters 
containi ...)
- ansible  (bug #1014721)
+   [bookworm] - ansible  (Minor issue)
[bullseye] - ansible  (Minor issue)
[buster] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
@@ -26,9 +244450,8 @@ CVE-2019-19380
 CVE-2019-19379 (In app/Controller/TagsController.php in MISP 2.4.118, users 
can bypass ...)
NOT-FOR-US: MISP
 CVE-2019-19378 (In the Linux kernel 5.0.21, mounting a crafted btrfs 
filesystem image  ...)
-   - linux 
-   [bullseye] - linux  (Minor issue)
-   [buster] - linux  (Minor issue)
+   - linux  (unimportant)
+   NOTE: raid 5/6 is marked as not production ready for btrfs
 CVE-2019-19377 (In the Linux kernel 5.0.21, mounting a crafted btrfs 
filesystem image, ...)
{DLA-2483-1}
- linux 5.6.7-1
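Review bot: the hunk header "@@ -26,9 +244450,8 @@" cannot be right: an old-file start of line 26 does not pair with a new-file start of 244450, and the surrounding hunks sit at 144080 and 261173; this looks like mangling in the mail rendering rather than in the commit, but it is worth confirming the pushed diff applies cleanly. The content change itself is the right pattern: the entry gets (unimportant) together with a NOTE stating the reason (btrfs raid 5/6 is not production ready), which is what the other downgrades in this series should also carry.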
@@ -261170,6 +261173,7 @@ CVE-2019-14855 (A flaw was found in the way 
certificate signatures could be forg
[stretch] - gnupg2  (Minor issue)
[jessie] - gnupg2  (No backport to version << 2.2.x, low 
impact, danger of breaking things)
- gnupg1  (low)
+   [bookworm] - gnupg1  (Minor issue)
[bullseye] - gnupg1  (Minor issue)
[buster] - gnupg1  (Minor issue)
[stretch] - gnupg1  (Minor issue)
@@ -270228,6 +270232,7 @@ CVE-2019-12215 (** DISPUTED ** A full path disclosure 
vulnerability was discover
- matomo  (bug #448532)
 CVE-2019-12214 (In FreeImage 3.18.0, an out-of-bounds access occurs because of 
mishand ...)
- freeimage  (bug #947478)
+   [bookworm] - freeimage  (Revisit when upstream fixes are 
available)
[bullseye] - freeimage  (Revisit when upstream fixes are 
available)
[buster] - freeimage  (Revisit when upstream fixes are 
available)
[stretch] - freeimage  (Revisit when upstream fixes are 
available)
@@ -270245,6 +270250,7 @@ CVE-2019-12213 (When FreeImage 3.18.0 reads a special 
TIFF file, the TIFFReadDir
NOTE: https://sourceforge.net/p/freeimage/svn/1825/
 CVE-2019-12212 (When FreeImage 3.18.0 reads a special JXR file, the 
StreamCalcIFDSize  ...)
- freeimage  (bug #947477)
+   [bookworm] - freeimage  (Revisit when upstream fixes are 
available)
[bullseye] - freeimage  (Revisit when upstream fixes are 
available)
[buster] - freeimage  (Revisit when upstream fixes are 
available)
[stretch] - freeimage  (Revisit when upstream fixes are 
available)
@@ -336924,12 +336930,8 @@ CVE-2018-7588 (An issue was discovered in CImg 
v.220. A heap-based buffer over-r
NOTE: https://github.com/dtschump/CImg/issues/183
NOTE: 
https://github.com/dtschump/CImg/commit/8447076ef22322a14a0ce130837e44c5ba8095f4
 CVE-2018-7587 (An is

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
041decee by Moritz Muehlenhoff at 2023-02-27T13:37:13+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24418,11 +24418,13 @@ CVE-2022-3966 (A vulnerability, which was classified 
as critical, has been found
NOT-FOR-US: Ultimate Member Plugin
 CVE-2022-3965 (A vulnerability classified as problematic was found in ffmpeg. 
This vu ...)
- ffmpeg 
+   [bookworm] - ffmpeg  (Wait until it lands in 5.1.x)
[bullseye] - ffmpeg  (Wait until it lands in 4.3.x)
[buster] - ffmpeg  (Wait until it lands in 4.1.x)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/13c13109759090b7f7182480d075e13b36ed8edd
 CVE-2022-3964 (A vulnerability classified as problematic has been found in 
ffmpeg. Th ...)
- ffmpeg 
+   [bookworm] - ffmpeg  (Wait until it lands in 5.1.x)
[bullseye] - ffmpeg  (Wait until it lands in 4.3.x)
[buster] - ffmpeg  (Wait until it lands in 4.1.x)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/92f9b28ed84a77138105475beba16c146bdaf984
@@ -33264,7 +33266,7 @@ CVE-2022-42965 (An exponential ReDoS (Regular 
Expression Denial of Service) can
 CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) 
can be tri ...)
- pymatgen  (bug #1024017)
NOTE: 
https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/
-   NOTE: Doesn't seem to be reported upstream so far
+   NOTE: https://github.com/materialsproject/pymatgen/issues/2755
 CVE-2022-3520 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.0 ...)
- vim 2:9.0.0813-1 (unimportant)
NOTE: https://huntr.dev/bounties/c1db3b70-f4fe-481f-8a24-0b1449c94246
@@ -133015,6 +133017,7 @@ CVE-2021-32752 (Ether Logs is a package that allows 
one to check one's logs in t
NOT-FOR-US: Ether Logs
 CVE-2021-32751 (Gradle is a build tool with a focus on build automation. In 
versions p ...)
- gradle  (bug #1014778)
+   [bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
[buster] - gradle  (Minor issue)
[stretch] - gradle  (Minor issue)
@@ -142066,12 +142069,14 @@ CVE-2021-29430 (Sydent is a reference Matrix 
identity server. Sydent does not li
NOT-FOR-US: Matrix Sydent
 CVE-2021-29429 (In Gradle before version 7.0, files created with open 
permissions in t ...)
- gradle  (bug #987284)
+   [bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
[buster] - gradle  (Minor issue)
[stretch] - gradle  (Minor issue)
NOTE: 
https://github.com/gradle/gradle/security/advisories/GHSA-fp8h-qmr5-j4c8
 CVE-2021-29428 (In Gradle before version 7.0, on Unix-like systems, the system 
tempora ...)
- gradle  (bug #987284)
+   [bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
[buster] - gradle  (Minor issue)
[stretch] - gradle  (Minor issue; sticky bit on /tmp is set by 
default)
@@ -260342,6 +260347,7 @@ CVE-2019-15053 (The "HTML Include and replace macro" 
plugin before 1.5.0 for Con
NOT-FOR-US: "HTML Include and replace macro" plugin for Confluence 
Server
 CVE-2019-15052 (The HTTP client in Gradle before 5.6 sends authentication 
credentials  ...)
- gradle  (low; bug #941187)
+   [bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
[buster] - gradle  (Minor issue)
[stretch] - gradle  (Minor issue)
@@ -276806,11 +276812,9 @@ CVE-2019-9906
 CVE-2019-9905
RESERVED
 CVE-2019-9904 (An issue was discovered in lib\cdt\dttree.c in libcdt.a in 
graphviz 2. ...)
-   - graphviz  (low; bug #925284)
-   [bullseye] - graphviz  (Minor issue)
-   [buster] - graphviz  (Minor issue)
-   [stretch] - graphviz  (Minor issue)
-   [jessie] - graphviz  (Minor issue)
+   NOTE: Does not reproduce with the version of Graphviz in Bullseye, 
might be bogus
+   NOTE: or Windows-specific. Even if applicable to some older release, 
impact is
+   NOTE: negligible anyway
NOTE: https://gitlab.com/graphviz/graphviz/issues/1512
 CVE-2019-9903 (PDFDoc::markObject in PDFDoc.cc in Poppler 0.74.0 mishandles 
dict mark ...)
{DLA-3120-1}
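Review bot: all five graphviz package lines are removed and replaced by NOTEs, so CVE-2019-9904 now has no package association in the tracker and the reference to bug #925284 is gone; if the conclusion is "does not reproduce, possibly bogus or Windows-specific", keeping a graphviz line with the reason in parentheses, as the (unimportant; bug #...) entries elsewhere in this series do, preserves the association and the bug number so the report can be closed or referenced later. "Might be bogus" is also a hedge; if upstream issue 1512 has been resolved as not a bug, the NOTE should say so.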
@@ -432788,6 +432792,7 @@ CVE-2016-2569 (Squid 3.x before 3.5.15 and 4.x before 
4.0.7 does not properly ap
NOTE: Upstream confirmed it does not affect squid 2.7.x
 CVE-2016-2568 (pkexec, when used with --user nonpriv, allows local users to 
escape to ...)
- policykit-1  (low; bug #816062; bug #812512)
+   [bookworm] - policykit-1  (Minor issue)
[bullseye] - policykit-1  (Minor issue)
[buster] - policykit-1  (Minor issue)
[stretch] - policykit-1  (Minor issue)



View it

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4d1ee1f by Moritz Muehlenhoff at 2023-02-24T14:41:20+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -96080,6 +96080,7 @@ CVE-2021-44960 (In SVGPP SVG++ library 1.3.0, the 
XMLDocument::getRoot function
[bullseye] - svgpp  (Minor issue)
[buster] - svgpp  (Minor issue)
NOTE: https://github.com/svgpp/svgpp/issues/101
+   NOTE: 
https://github.com/svgpp/svgpp/commit/0bc57f2cc6d9d86a0fa1ce73e508c2b5994b4b91
 CVE-2021-44959
RESERVED
 CVE-2021-44958
@@ -119123,6 +119124,7 @@ CVE-2021-37746 (textview_uri_security_check in 
textview.c in Claws Mail before 3
[buster] - claws-mail  (Minor issue)
[stretch] - claws-mail  (Minor issue)
- sylpheed  (bug #991723)
+   [bookworm] - sylpheed  (Minor issue)
[bullseye] - sylpheed  (Minor issue)
[buster] - sylpheed  (Minor issue)
[stretch] - sylpheed  (Minor issue)
@@ -178621,6 +178623,7 @@ CVE-2020-26881
RESERVED
 CVE-2020-26880 (Sympa through 6.2.57b.2 allows a local privilege escalation 
from the s ...)
- sympa  (bug #972114)
+   [bookworm] - sympa  (Revisit when fixed upstream; most 
setups mitigated)
[bullseye] - sympa  (Revisit when fixed upstream; most 
setups mitigated)
[buster] - sympa  (Revisit when fixed upstream; most setups 
mitigated)
[stretch] - sympa  (Mitigated, revisit when fixed upstream)
@@ -207645,6 +207648,7 @@ CVE-2020-14305 (An out-of-bounds memory write flaw 
was found in how the Linux ke
NOTE: 
https://patchwork.ozlabs.org/project/netfilter-devel/patch/c2385b5c-309c-cc64-2e10-a0ef62897...@virtuozzo.com/
 CVE-2020-14304 (A memory disclosure flaw was found in the Linux kernel's 
ethernet driv ...)
- linux  (bug #960702)
+   [bookworm] - linux  (Minor issue)
[bullseye] - linux  (Minor issue)
[buster] - linux  (Minor issue)
 CVE-2020-14303 (A flaw was found in the AD DC NBT server in all Samba versions 
before  ...)
@@ -257984,6 +257988,7 @@ CVE-2019-15214 (An issue was discovered in the Linux 
kernel before 5.0.10. There
[stretch] - linux 4.9.184-1
 CVE-2019-15213 (An issue was discovered in the Linux kernel before 5.2.3. 
There is a u ...)
- linux 
+   [bookworm] - linux  (Revisit when correctly fixed upstream)
[bullseye] - linux  (Revisit when correctly fixed upstream)
[stretch] - linux  (Vulnerable code introduced later)
[jessie] - linux  (Vulnerable code introduced later)
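Review bot: the new [bookworm] line and the existing [bullseye] line defer this until it is correctly fixed upstream, and stretch and jessie are marked as never having had the vulnerable code, but there is no [buster] line at all; since the description says "before 5.2.3" and the vulnerable code arrived after stretch's kernel, buster may well be affected and needs either a deferral or a "Vulnerable code introduced later" line so it does not stay unexamined.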
@@ -320576,6 +320581,7 @@ CVE-2018-12929 (ntfs_read_locked_inode in the ntfs.ko 
filesystem driver in the L
[jessie] - linux  (ntfs is not supportable)
 CVE-2018-12928 (In the Linux kernel 4.15.0, a NULL pointer dereference was 
discovered  ...)
- linux  (low)
+   [bookworm] - linux  (Minor issue)
[bullseye] - linux  (Minor issue)
[buster] - linux  (Minor issue)
[stretch] - linux  (Minor issue)
@@ -324109,33 +324115,21 @@ CVE-2018-11742 (NEC Univerge Sv9100 WebPro 6.00.00 
devices have Cleartext Passwo
 CVE-2018-11741 (NEC Univerge Sv9100 WebPro 6.00.00 devices have Predictable 
Session ID ...)
NOT-FOR-US: NEC Univerge Sv9100 WebPro devices
 CVE-2018-11740 (An issue was discovered in libtskbase.a in The Sleuth Kit 
(TSK) from r ...)
-   - sleuthkit  (low; bug #902187)
-   [bullseye] - sleuthkit  (Minor issue)
-   [buster] - sleuthkit  (Minor issue)
-   [stretch] - sleuthkit  (Minor issue)
-   [jessie] - sleuthkit  (Minor issue)
+   - sleuthkit  (unimportant; bug #902187)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1264
+   NOTE: Negligible security impact
 CVE-2018-11739 (An issue was discovered in libtskimg.a in The Sleuth Kit (TSK) 
from re ...)
-   - sleuthkit  (low; bug #902187)
-   [bullseye] - sleuthkit  (Minor issue)
-   [buster] - sleuthkit  (Minor issue)
-   [stretch] - sleuthkit  (Minor issue)
-   [jessie] - sleuthkit  (Minor issue)
+   - sleuthkit  (unimportant; bug #902187)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1267
+   NOTE: Negligible security impact
 CVE-2018-11738 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) 
from rel ...)
-   - sleuthkit  (low; bug #902187)
-   [bullseye] - sleuthkit  (Minor issue)
-   [buster] - sleuthkit  (Minor issue)
-   [stretch] - sleuthkit  (Minor issue)
-   [jessie] - sleuthkit  (Minor issue)
+   - sleuthkit  (unimportant; bug #902187)
NOTE: https://github.com/sleuthkit/sleuthkit/issues/1265
+   NOTE: Negligible security impact
 CVE-2018-11737 (An issue was discovered in libtskfs.a in The Sleuth Kit (TSK) 
from rel ...)
-   - sleuthkit  (low; bug #902187)
-   [bullseye] - sleuthkit  (Minor issue)
-   

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce345456 by Moritz Muehlenhoff at 2023-02-23T17:52:23+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71738,6 +71738,7 @@ CVE-2022-28392
RESERVED
 CVE-2022-28391 (BusyBox through 1.35.0 allows remote attackers to execute 
arbitrary co ...)
- busybox  (bug #1010264)
+   [bookworm] - busybox  (Minor issue)
[bullseye] - busybox  (Minor issue)
[buster] - busybox  (Minor issue)
[stretch] - busybox  (Minor issue)
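Review bot: the [bookworm] "Minor issue" deferral joins identical ones for bullseye, buster and stretch on an entry whose description says "allows remote attackers to execute arbitrary co...", with only bug #1010264 as context; a deferral on a remote-code-execution description needs a NOTE explaining why the impact is minor in Debian's build or configuration (or a link to the upstream discussion), otherwise the next triage pass has to rediscover the reasoning.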
@@ -101743,15 +101744,18 @@ CVE-2021-43519 (Stack overflow in lua_resume of 
ldo.c in Lua Interpreter 5.1.0~5
- lua5.4 5.4.4-1 (bug #1000228)
[bullseye] - lua5.4  (Minor issue)
- lua5.3 
-   [bullseye] - lua5.3  (Minor issue)
+   [bookworm] - lua5.3  (Minor issue)
+   [bullseye] - lua5.3  (Minor issue)
[buster] - lua5.3  (Minor issue)
[stretch] - lua5.3  (Minor issue)
- lua5.2 
-   [bullseye] - lua5.2  (Minor issue)
+   [bookworm] - lua5.2  (Minor issue)
+   [bullseye] - lua5.2  (Minor issue)
[buster] - lua5.2  (Minor issue)
[stretch] - lua5.2  (Minor issue)
- lua5.1 
-   [bullseye] - lua5.1  (Minor issue)
+   [bookworm] - lua5.1  (Minor issue)
+   [bullseye] - lua5.1  (Minor issue)
[buster] - lua5.1  (Minor issue)
[stretch] - lua5.1  (Minor issue)
- lua50  (Vulnerable code not present)
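Review bot: the three '[bullseye] - lua5.x (Minor issue)' lines are deleted and re-added with no visible difference; if a whitespace fix is intended it is harmless, otherwise it is noise that hides that the only real change is the three new bookworm lines. Separately, lua5.4 is recorded as fixed in 5.4.4-1 while lua5.1/5.2/5.3 show no fixed version on any line; a 'NOTE: Fixed by:' pointing at the lua5.4 change would make the pending backport for the older branches traceable.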
@@ -164207,6 +164211,7 @@ CVE-2021-20256 (A flaw was found in Red Hat 
Satellite. The BMC interface exposes
 CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was 
found in  ...)
{DLA-2623-1}
- qemu  (bug #984451)
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
[buster] - qemu  (Minor issue, waiting for sanctioned patch, 
fixed in stretch-lts)
NOTE: 
https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
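Review bot: the buster line says 'waiting for sanctioned patch, fixed in stretch-lts' and DLA-2623-1 is listed, so a fix has already shipped in one release, yet the new bookworm line only says 'Minor issue'. If the upstream patch is still not final, carry the same 'waiting for sanctioned patch' (or 'revisit when fixed upstream') qualifier on the bookworm line; if the qemu-devel patch linked in the NOTE is the accepted one, say so, so the two annotations stop contradicting each other.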
@@ -165060,6 +165065,7 @@ CVE-2020-35504 (A NULL pointer dereference flaw was 
found in the SCSI emulation
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=607206948cacda4a80be5b976dba
 CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 
SCSI hos ...)
- qemu  (bug #979678)
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
[buster] - qemu  (Minor issue, waiting for sanctioned patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce3454562a36f2c8faac7d60e665e81bf801229e

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce3454562a36f2c8faac7d60e665e81bf801229e
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-23 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
923be14c by Moritz Muehlenhoff at 2023-02-23T13:28:34+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49912,7 +49912,7 @@ CVE-2022-36114 (Cargo is a package manager for the rust 
programming language. It
- cargo 0.63.1-1 (bug #1021142)
[bullseye] - cargo  (Minor issue)
[buster] - cargo  (Minor issue)
-   - rust-cargo  (bug #1021143)
+   - rust-cargo 0.66.0-1 (bug #1021143)
[bullseye] - rust-cargo  (Minor issue)
[buster] - rust-cargo  (Minor issue)
NOTE: 
https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
@@ -49921,7 +49921,7 @@ CVE-2022-36113 (Cargo is a package manager for the rust 
programming language. Af
- cargo 0.63.1-1 (bug #1021142)
[bullseye] - cargo  (Minor issue)
[buster] - cargo  (Minor issue)
-   - rust-cargo  (bug #1021143)
+   - rust-cargo 0.66.0-1 (bug #1021143)
[bullseye] - rust-cargo  (Minor issue)
[buster] - rust-cargo  (Minor issue)
NOTE: 
https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
@@ -65309,10 +65309,11 @@ CVE-2022- [RUSTSEC-2022-0019]
[buster] - rust-crossbeam-channel  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0019.html
 CVE-2022- [RUSTSEC-2022-0020]
-   - rust-crossbeam 
+   - rust-crossbeam 0.8.1-1
[bullseye] - rust-crossbeam  (Minor issue)
[buster] - rust-crossbeam  (Minor issue)
NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0020.html
+   NOTE: advisory seems wrong about fixed version, should be >= 0.8.0
 CVE-2022-30600 (A flaw was found in moodle where logic used to count failed 
login atte ...)
- moodle 
 CVE-2022-30599 (A flaw was found in moodle where an SQL injection risk was 
identified  ...)
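Review bot: the new NOTE 'advisory seems wrong about fixed version, should be >= 0.8.0' is the basis for recording rust-crossbeam 0.8.1-1 as fixed, but it cites nothing. Link the upstream commit or issue showing the fix landed in 0.8.0 (the RUSTSEC-2022-0020 page is exactly what the note disputes), otherwise a later triager cannot tell whether 0.8.1-1 is verified fixed or merely assumed to be.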
@@ -167924,7 +167925,7 @@ CVE-2020-35919 (An issue was discovered in the net2 
crate before 0.2.36 for Rust
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0078.html
NOTE: https://github.com/deprecrated/net2-rs/issues/105
 CVE-2020-35916 (An issue was discovered in the image crate before 0.23.12 for 
Rust. A  ...)
-   - rust-image  (bug #976869)
+   - rust-image 0.23.14-1 (bug #976869)
NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0073.html
NOTE: https://github.com/image-rs/image/issues/1357
 CVE-2020-29606
@@ -276971,6 +276972,7 @@ CVE-2019-9546 (SolarWinds Orion Platform before 
2018.4 Hotfix 2 allows privilege
NOT-FOR-US: SolarWinds Orion Platform
 CVE-2019-9545 (An issue was discovered in Poppler 0.74.0. A recursive function 
call,  ...)
- poppler  (low; bug #923552)
+   [bookworm] - poppler  (Minor issue)
[bullseye] - poppler  (Minor issue)
[buster] - poppler  (Minor issue)
[stretch] - poppler  (Minor issue)
@@ -276980,6 +276982,7 @@ CVE-2019-9544 (An issue was discovered in Bento4 
1.5.1-628. An out of bounds wri
NOT-FOR-US: Bento4
 CVE-2019-9543 (An issue was discovered in Poppler 0.74.0. A recursive function 
call,  ...)
- poppler  (low; bug #923553)
+   [bookworm] - poppler  (Minor issue)
[bullseye] - poppler  (Minor issue)
[buster] - poppler  (Minor issue)
[stretch] - poppler  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/923be14c8108a68520c576efbe3d4b0b48ab3782



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
06788701 by Moritz Muehlenhoff at 2023-02-22T20:33:10+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -112553,6 +112553,7 @@ CVE-2021-3739 (A NULL pointer dereference flaw was 
found in the btrfs_rm_device
NOTE: https://www.openwall.com/lists/oss-security/2021/08/25/3
 CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of 
QEMU. It o ...)
- qemu  (bug #1014767)
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
[buster] - qemu  (Minor issue, waiting for patch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184
@@ -137713,6 +137714,7 @@ CVE-2021-30185 (CERN Indico before 2.3.4 can use an 
attacker-supplied Host heade
NOT-FOR-US: CERN Indico
 CVE-2021-30184 (GNU Chess 6.2.7 allows attackers to execute arbitrary code via 
crafted ...)
- gnuchess  (bug #986801)
+   [bookworm] - gnuchess  (Minor issue)
[bullseye] - gnuchess  (Minor issue)
[buster] - gnuchess  (Minor issue)
[stretch] - gnuchess  (Minor issue in a game; can be fixed 
in next update)
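Review bot: the rationale for rating CVE-2021-30184 ('allows attackers to execute arbitrary code via crafted ...') as minor lives only in the stretch annotation 'Minor issue in a game; can be fixed in next update'; the new bookworm line repeats 'Minor issue' without it. Put the rationale in a NOTE line under the entry so it survives when the stretch line is eventually dropped.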



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/067887010077b80f6cc9b5f6ac4914b3945e7047



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f015e682 by Moritz Muehlenhoff at 2023-02-21T22:50:29+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -128832,6 +128832,7 @@ CVE-2021-33465 (An issue was discovered in yasm 
version 1.3.0. There is a NULL p
NOTE: Crash in CLI tool, no security impact
 CVE-2021-33464 (An issue was discovered in yasm version 1.3.0. There is a 
heap-buffer- ...)
- yasm  (bug #1016353)
+   [bookworm] - yasm  (Minor issue)
[bullseye] - yasm  (Minor issue)
[buster] - yasm  (Minor issue)
NOTE: https://github.com/yasm/yasm/issues/164
@@ -132999,6 +133000,7 @@ CVE-2021-31880
RESERVED
 CVE-2021-31879 (GNU Wget through 1.21.1 does not omit the Authorization header 
upon a  ...)
- wget  (bug #988209)
+   [bookworm] - wget  (Minor issue)
[bullseye] - wget  (Minor issue)
[buster] - wget  (Minor issue)
[stretch] - wget  (Minor issue; can be fixed in next update)
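Review bot: CVE-2021-31879 is about wget not omitting the Authorization header 'upon a ...', a credential-disclosure issue rather than a crash, and the '- wget (bug #988209)' line shows no fixed version. The bookworm 'Minor issue' tag is consistent with the other releases, but a NOTE recording the upstream status (patch accepted or not) would explain why unstable is still unfixed and what the stretch 'can be fixed in next update' is waiting for.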
@@ -145164,6 +145166,7 @@ CVE-2021-27212 (In OpenLDAP through 2.4.57 and 2.5.x 
through 2.5.1alpha, an asse
NOTE: REL_ENG 2.4.x: 
https://git.openldap.org/openldap/openldap/-/commit/9badb73425a67768c09bcaed1a9c26c684af6c30
 CVE-2021-27211 (steghide 0.5.1 relies on a certain 32-bit seed value, which 
makes it e ...)
- steghide  (bug #983267)
+   [bookworm] - steghide  (Minor issue)
[bullseye] - steghide  (Minor issue)
[buster] - steghide  (Minor issue)
[stretch] - steghide  (Minor issue; can be fixed in next DLA)
@@ -204945,6 +204948,7 @@ CVE-2020-14941
RESERVED
 CVE-2020-14940 (An issue was discovered in io/gpx/GPXDocumentReader.java in 
TuxGuitar  ...)
- tuxguitar  (bug #963626)
+   [bookworm] - tuxguitar  (Minor issue)
[bullseye] - tuxguitar  (Minor issue)
[buster] - tuxguitar  (Minor issue)
[stretch] - tuxguitar  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f015e6825bcd314633c129a827cd8d66804394a6



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2f59193d by Moritz Muehlenhoff at 2023-02-21T20:37:23+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -72531,6 +72531,10 @@ CVE-2022-28048 (STB v2.27 was discovered to contain an 
integer shift of invalid
NOTE: https://github.com/nothings/stb/issues/1293
NOTE: https://github.com/nothings/stb/pull/1297
NOTE: Negligible security impact
+   NOTE: 
https://github.com/nothings/stb/commit/84b94010a7b08003cc3fb93635582849398e7ae2
+   NOTE: 
https://github.com/nothings/stb/commit/96fe76c21308653d22672e986dd39506f6871421
+   NOTE: 
https://github.com/nothings/stb/commit/47164e4086c1349ef3042fb04e0f7f7ceaf1fcee
+   NOTE: 
https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d
 CVE-2022-28047
RESERVED
 CVE-2022-28046
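Review bot: the same four nothings/stb commit URLs are appended as bare NOTE lines to CVE-2022-28048 here and again to the two entries that follow, without saying which commit addresses which CVE. Use the 'NOTE: Fixed by: <url>' form used elsewhere in this file and, where known, name the issue each commit closes; bare URLs directly under 'Negligible security impact' also leave it unclear whether these commits are fixes or just related hardening.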
@@ -72550,12 +72554,20 @@ CVE-2022-28042 (stb_image.h v2.27 was discovered to 
contain an heap-based use-af
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1289
NOTE: https://github.com/nothings/stb/pull/1297
+   NOTE: 
https://github.com/nothings/stb/commit/84b94010a7b08003cc3fb93635582849398e7ae2
+   NOTE: 
https://github.com/nothings/stb/commit/96fe76c21308653d22672e986dd39506f6871421
+   NOTE: 
https://github.com/nothings/stb/commit/47164e4086c1349ef3042fb04e0f7f7ceaf1fcee
+   NOTE: 
https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d
 CVE-2022-28041 (stb_image.h v2.27 was discovered to contain an integer 
overflow via th ...)
{DLA-3305-1}
- libstb  (bug #1014531)
[bullseye] - libstb  (Minor issue)
NOTE: https://github.com/nothings/stb/issues/1292
NOTE: https://github.com/nothings/stb/pull/1297
+   NOTE: 
https://github.com/nothings/stb/commit/84b94010a7b08003cc3fb93635582849398e7ae2
+   NOTE: 
https://github.com/nothings/stb/commit/96fe76c21308653d22672e986dd39506f6871421
+   NOTE: 
https://github.com/nothings/stb/commit/47164e4086c1349ef3042fb04e0f7f7ceaf1fcee
+   NOTE: 
https://github.com/nothings/stb/commit/5cfc2a744ad7047cda2396cc67772f313a46093d
 CVE-2022-28040
RESERVED
 CVE-2022-28039
@@ -241726,6 +241738,7 @@ CVE-2019-19450
RESERVED
 CVE-2019-19449 (In the Linux kernel 5.0.21, mounting a crafted f2fs filesystem 
image c ...)
- linux 
+   [bookworm] - linux  (Minor issue, revisit once fixed 
upstream)
[bullseye] - linux  (Minor issue, revisit once fixed 
upstream)
[buster] - linux  (Minor issue, revisit once fixed upstream)
[stretch] - linux  (f2fs is not supportable)
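Review bot: '[bookworm] - linux (Minor issue, revisit once fixed upstream)' repeats the bullseye/buster wording, but the entry carries no NOTE with an upstream reference to revisit (no mailing-list thread, bugzilla or commit), so 'revisit once fixed upstream' has nothing to trigger on. Add the upstream report for the crafted-f2fs-image crash under the entry so the next triage pass can check its status.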
@@ -254720,6 +254733,7 @@ CVE-2019-16061 (A number of files on the NETSAS 
Enigma NMS server 65.0.0 and pri
NOT-FOR-US: NETSAS Enigma NMS
 CVE-2019-16089 (An issue was discovered in the Linux kernel through 5.2.13. 
nbd_genl_s ...)
- linux 
+   [bookworm] - linux  (Minor issue, revisit when fixed 
upstream)
[bullseye] - linux  (Minor issue, revisit when fixed 
upstream)
[buster] - linux  (Minor issue, revisit when fixed upstream)
[stretch] - linux  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f59193df95c9ac4637121512c01c969d94950d9



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
755f3d05 by Moritz Muehlenhoff at 2023-02-21T19:44:10+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -66583,6 +66583,7 @@ CVE-2022-29979 (Simple Client Management System 1.0 is 
vulnerable to SQL Injecti
NOT-FOR-US: Sourcecodester Simple Client Management System
 CVE-2022-29978 (There is a floating point exception error in 
sixel_encoder_do_resize,  ...)
- libsixel  (bug #1014527)
+   [bookworm] - libsixel  (Minor issue)
[bullseye] - libsixel  (Minor issue)
[buster] - libsixel  (Minor issue)
[stretch] - libsixel  (Minor issue)
@@ -66590,6 +66591,7 @@ CVE-2022-29978 (There is a floating point exception 
error in sixel_encoder_do_re
NOTE: Previously also reported in 
https://github.com/saitoha/libsixel/issues/166
 CVE-2022-29977 (There is an assertion failure error in stbi__jpeg_huff_decode, 
stb_ima ...)
- libsixel  (bug #1014526)
+   [bookworm] - libsixel  (Minor issue)
[bullseye] - libsixel  (Minor issue)
[buster] - libsixel  (Minor issue)
[stretch] - libsixel  (Minor issue)
@@ -79987,6 +79989,7 @@ CVE-2022-0684 (The WP Home Page Menu WordPress plugin 
before 3.1 does not saniti
NOT-FOR-US: WordPress plugin
 CVE-2021-46700 (In libsixel 1.8.6, sixel_encoder_output_without_macro (called 
from six ...)
- libsixel  (bug #1014469)
+   [bookworm] - libsixel  (Minor issue)
[bullseye] - libsixel  (Minor issue)
[buster] - libsixel  (Minor issue)
[stretch] - libsixel  (Minor issue)
@@ -108120,12 +108123,14 @@ CVE-2021-41738 (ZeroShell 3.9.5 has a command 
injection vulnerability in /cgi-bi
 CVE-2021-41737
RESERVED
- faust  (bug #1014783)
+   [bookworm] - faust  (Minor issue)
[bullseye] - faust  (Minor issue)
[buster] - faust  (Minor issue)
[stretch] - faust  (Minor issue, no patch/acknowledgment yet)
NOTE: https://github.com/grame-cncm/faust/issues/653
 CVE-2021-41736 (Faust v2.35.0 was discovered to contain a heap-buffer overflow 
in the  ...)
- faust  (bug #1014783)
+   [bookworm] - faust  (Minor issue)
[bullseye] - faust  (Minor issue)
[buster] - faust  (Minor issue)
[stretch] - faust  (Minor issue, no patch/acknowledgment yet)
@@ -115981,6 +115986,7 @@ CVE-2021-38577
REJECTED
 CVE-2021-38576 (A BIOS bug in firmware for a particular PC model leaves the 
Platform a ...)
- edk2  (bug #1014468)
+   [bookworm] - edk2  (Minor issue)
[bullseye] - edk2  (Minor issue)
[buster] - edk2  (Minor issue)
NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private)
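Review bot: the only reference for CVE-2021-38576 is 'https://bugzilla.tianocore.org/show_bug.cgi?id=3499 (private)', so nobody outside the tianocore security team can verify the 'Minor issue' rating for bookworm from this entry. Add a public reference (the edk2 advisory or fixing commit) or, if none exists, say so in a NOTE; the CVE text ties the bug to 'a particular PC model', and that scope statement is the kind of justification that belongs in the NOTE.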
@@ -136920,24 +136926,28 @@ CVE-2021-30473 (aom_image.c in libaom in AOMedia 
before 2021-04-07 frees memory
NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=2998
 CVE-2021-30472 (A flaw was found in PoDoFo 0.9.7. A stack-based buffer 
overflow in Pdf ...)
- libpodofo  (bug #986794)
+   [bookworm] - libpodofo  (Minor issue)
[bullseye] - libpodofo  (Minor issue)
[buster] - libpodofo  (Minor issue)
[stretch] - libpodofo  (Minor issue; can be fixed in next 
update)
NOTE: https://sourceforge.net/p/podofo/tickets/132/
 CVE-2021-30471 (A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive 
call in Pd ...)
- libpodofo  (bug #986793)
+   [bookworm] - libpodofo  (Minor issue)
[bullseye] - libpodofo  (Minor issue)
[buster] - libpodofo  (Minor issue)
[stretch] - libpodofo  (Minor issue; can be fixed in next 
update)
NOTE: https://sourceforge.net/p/podofo/tickets/131/
 CVE-2021-30470 (A flaw was found in PoDoFo 0.9.7. An uncontrolled recursive 
call among ...)
- libpodofo  (bug #986792)
+   [bookworm] - libpodofo  (Minor issue)
[bullseye] - libpodofo  (Minor issue)
[buster] - libpodofo  (Minor issue)
[stretch] - libpodofo  (Minor issue; can be fixed in next 
update)
NOTE: https://sourceforge.net/p/podofo/tickets/130/
 CVE-2021-30469 (A flaw was found in PoDoFo 0.9.7. An use-after-free in 
PoDoFo::PdfVecO ...)
- libpodofo  (bug #986791)
+   [bookworm] - libpodofo  (Minor issue)
[bullseye] - libpodofo  (Minor issue)
[buster] - libpodofo  (Minor issue)
[stretch] - libpodofo  (Minor issue; can be fixed in next 
update)
@@ -143459,6 +143469,7 @@ CVE-2021-27918 (encoding/xml in Go before 1.15.9 and 
1.16.x before 1.16.1 has an
NOTE: https://github.com/golang/go/issues/44913
 CVE-2021-3420 (A flaw was found in newlib in versions prior to 4.0.0. Improper 
overfl ...)
- newlib  (bug #984446)
+   [bookworm] - newlib  (Minor issue)
[bullseye] - newlib  (Minor issue)
[buster]

[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c102f0c6 by Moritz Muehlenhoff at 2023-02-21T19:04:11+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -82630,6 +82630,7 @@ CVE-2022-24600 (Luocms v2.0 is affected by SQL 
Injection through /admin/login.ph
NOT-FOR-US: Luocms
 CVE-2022-24599 (In autofile Audio File Library 0.3.6, there exists one memory 
leak vul ...)
- audiofile  (bug #1008017)
+   [bookworm] - audiofile  (Minor issue)
[bullseye] - audiofile  (Minor issue)
[buster] - audiofile  (Minor issue)
[stretch] - audiofile  (Minor issue)
@@ -128644,6 +128645,7 @@ CVE-2021-33498 (Pexip Infinity before 26 allows 
remote denial of service because
NOT-FOR-US: Pexip Infinity
 CVE-2021-3563 (A flaw was found in openstack-keystone. Only the first 72 
characters o ...)
- keystone  (bug #989998)
+   [bookworm] - keystone  (Minor issue)
[bullseye] - keystone  (Minor issue)
[buster] - keystone  (Minor issue)
[stretch] - keystone  (Keystone is not supported in 
stretch)
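Review bot: CVE-2021-3563 ('Only the first 72 characters o ...') is a password-truncation issue in keystone, an authentication service, yet the new bookworm line and the bullseye/buster lines carry a bare 'Minor issue' with no NOTE. State the reason (for example whether the 72-character limit comes from the password hash in use and only weakens passphrases longer than that) so the rating does not have to be re-derived; the stretch line at least records why it is unsupported there.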
@@ -265105,6 +265107,7 @@ CVE-2019-13148 (An issue was discovered in TRENDnet 
TEW-827DRU firmware before 2
NOT-FOR-US: TRENDnet TEW-827DRU firmware
 CVE-2019-13147 (In Audio File Library (aka audiofile) 0.3.6, there exists one 
NULL poi ...)
- audiofile  (low; bug #931343)
+   [bookworm] - audiofile  (Minor issue)
[bullseye] - audiofile  (Minor issue)
[buster] - audiofile  (Minor issue)
[stretch] - audiofile  (Minor issue)
@@ -268147,6 +268150,7 @@ CVE-2019-12068 (In QEMU 1:4.1-1, 
1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.
NOTE: 
https://git.qemu.org/?p=qemu.git;a=commit;h=de594e47659029316bbf9391efb79da0a1a08e08
 CVE-2019-12067 (The ahci_commit_buf function in ide/ahci.c in QEMU allows 
attackers to ...)
- qemu  (low; bug #972099)
+   [bookworm] - qemu  (Minor issue, revisit when fixed upstream)
[bullseye] - qemu  (Minor issue, revisit when fixed upstream)
[buster] - qemu  (Minor issue, waiting for sanctioned patch)
- qemu-kvm 
@@ -292230,8 +292234,9 @@ CVE-2018-20544 (There is floating point exception at 
caca/dither.c (function cac
NOTE: https://github.com/cacalabs/libcaca/issues/36
NOTE: Upstream fix: 
https://github.com/cacalabs/libcaca/commit/84bd155087b93ab2d8d7cb5b1ac94ecd4cf4f93c
 CVE-2018-20543 (There is an attempted excessive memory allocation at 
libxsmm_sparse_cs ...)
-   - libxsmm  (bug #917573)
+   - libxsmm  (unimportant; bug #917573)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652634
+   NOTE: Negligible security impact
 CVE-2018-20542 (There is a heap-based buffer-overflow at 
generator_spgemm_csc_reader.c ...)
- libxsmm 1.17-1 (bug #917526)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1652633



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c102f0c69020082f0c59095fd1dc85a128c3ee2b



[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-02-21 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e24005dd by Moritz Muehlenhoff at 2023-02-21T10:30:07+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20278,6 +20278,7 @@ CVE-2022-45749
RESERVED
 CVE-2022-45748 (An issue was discovered with assimp 5.1.4, a use after free 
occurred i ...)
- assimp  (bug #1029833)
+   [bookworm] - assimp  (Minor issue)
[bullseye] - assimp  (Minor issue)
[buster] - assimp  (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/4286
@@ -42679,6 +42680,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered 
to contain a heap-buffer o
NOTE: 
https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72
 CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was 
discovered to co ...)
- assimp  (bug #1021018)
+   [bookworm] - assimp  (Minor issue)
[bullseye] - assimp  (Minor issue)
[buster] - assimp  (Minor issue)
NOTE: https://github.com/assimp/assimp/issues/4662
@@ -93759,6 +93761,7 @@ CVE-2021-45341 (A buffer overflow vulnerability in 
CDataMoji of the jwwlib compo
NOTE: Fixed by: 
https://github.com/LibreCAD/LibreCAD/commit/f3502963eaf379a429bc9da73c1224c5db649997
 CVE-2021-45340 (In Libsixel prior to and including v1.10.3, a NULL pointer 
dereference ...)
- libsixel  (bug #1004377)
+   [bookworm] - libsixel  (Minor issue)
[bullseye] - libsixel  (Minor issue)
[buster] - libsixel  (Minor issue)
[stretch] - libsixel  (Minor issue)
@@ -131741,6 +131744,7 @@ CVE-2021-32295
RESERVED
 CVE-2021-32294 (An issue was discovered in libgig through 20200507. A 
heap-buffer-over ...)
- libgig  (bug #1014777)
+   [bookworm] - libgig  (Minor issue)
[bullseye] - libgig  (Minor issue)
[buster] - libgig  (Minor issue)
[stretch] - libgig  (Minor issue, revisit when/if fixed 
upstream)
@@ -159072,11 +159076,13 @@ CVE-2020-36121
RESERVED
 CVE-2020-36120 (Buffer Overflow in the "sixel_encoder_encode_bytes" function 
of Libsix ...)
- libsixel  (bug #988159)
-   [bullseye] - libsixel  (Minor issue)
+   [bookworm] - libsixel  (Minor issue, fix modifies the API)
+   [bullseye] - libsixel  (Minor issue, fix modifies the API)
[buster] - libsixel  (Minor issue)
[stretch] - libsixel  (Minor issue; can be fixed in next 
update)
-   NOTE: https://github.com/saitoha/libsixel/issues/143
+   NOTE: https://github.com/saitoha/libsixel/issues/143 (old/defunct repo)
NOTE: https://github.com/libsixel/libsixel/issues/46
+   NOTE: https://github.com/libsixel/libsixel/pull/47
 CVE-2020-36119
RESERVED
 CVE-2020-36118
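Review bot: 'Minor issue, fix modifies the API' is now the stated reason for leaving a buffer overflow in sixel_encoder_encode_bytes unfixed in bookworm and bullseye, and the new NOTE links libsixel/libsixel pull 47 (presumably the API-changing fix). That justifies not backporting the upstream change as-is, but not the rating itself: note either which reverse dependencies the API change would break or whether a narrower bounds check is possible, so 'Minor issue' reflects impact rather than fix size. Marking issue 143 as '(old/defunct repo)' is helpful; consider listing it after the live libsixel/libsixel links.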
@@ -333036,6 +333042,7 @@ CVE-2017-18227 (TitanHQ WebTitan Gateway has 
incorrect certificate validation fo
NOT-FOR-US: TitanHQ WebTitan Gateway
 CVE-2017-18226 (The Gentoo net-im/jabberd2 package through 2.6.1 sets the 
ownership of ...)
- jabberd2  (low; bug #902783)
+   [bookworm] - jabberd2  (Minor issue, default init system not 
affected)
[bullseye] - jabberd2  (Minor issue, default init system not 
affected)
[buster] - jabberd2  (Minor issue, default init system not 
affected)
[stretch] - jabberd2  (Minor issue, default init system not 
affected)
@@ -434175,11 +434182,7 @@ CVE-2016-1587 (The Snapweb interface before version 
0.21.2 was exposing controls
 CVE-2016-1586 (A malicious webview could install long-lived unload handlers 
that re-u ...)
NOT-FOR-US: Oxide
 CVE-2016-1585 (In all versions of AppArmor mount rules are accidentally 
widened when  ...)
-   - apparmor  (low; bug #929990)
-   [bullseye] - apparmor  (Minor overall security impact)
-   [buster] - apparmor  (Minor overall security impact)
-   [stretch] - apparmor  (Minor overall security impact)
-   [jessie] - apparmor  (Minor overall security impact)
+   - apparmor  (unimportant; bug #929990)
NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017
NOTE: https://bugzilla.opensuse.org/show_bug.cgi?id=995594
NOTE: Introduced around AppArmor 2.8 upstream.
@@ -434188,6 +434191,7 @@ CVE-2016-1585 (In all versions of AppArmor mount 
rules are accidentally widened
NOTE: by default before buster, in particular not with mount rules), 2. 
libvirtd
NOTE: but the profile is not meant to be a strong security boundary.
NOTE: https://bugs.launchpad.net/apparmor/+bug/1597017/comments/6
+   NOTE: Negligible security impact / known limitation
 CVE-2016-1584 (In all versions of Unity8 a running but not active application 
on a la ...)
- unity  (bug #609278)
 CVE-2016-1583 (The ecryptfs_privileged_open function in fs/ecryptfs/kthread.c 
in the  ...)




[Git][security-tracker-team/security-tracker][master] bookworm triage

2023-01-11 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1310760a by Moritz Muehlenhoff at 2023-01-11T14:47:36+01:00
bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -110082,6 +110082,7 @@ CVE-2021-37232 (A stack overflow vulnerability occurs 
in Atomicparsley 20210124.
[buster] - atomicparsley  (Minor issue)
[stretch] - atomicparsley  (Minor issue)
- gtkpod  (bug #993376)
+   [bookworm] - gtkpod  (Minor issue)
[bullseye] - gtkpod  (Minor issue)
[buster] - gtkpod  (Minor issue)
[stretch] - gtkpod  (Minor issue)
@@ -110093,6 +110094,7 @@ CVE-2021-37231 (A stack-buffer-overflow occurs in 
Atomicparsley 20210124.204813.
[buster] - atomicparsley  (Minor issue)
[stretch] - atomicparsley  (Minor issue)
- gtkpod  (bug #993375)
+   [bookworm] - gtkpod  (Minor issue)
[bullseye] - gtkpod  (Minor issue)
[buster] - gtkpod  (Minor issue)
[stretch] - gtkpod  (Minor issue)
@@ -173394,6 +173396,7 @@ CVE-2020-24828
RESERVED
 CVE-2020-24827 (A vulnerability in the dwarf::cursor::skip_form function of 
Libelfin v ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
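Review bot: this and the seven following libelfin hunks all point at one bug (#1014122), and the only NOTE references are the xiaoxiongwang/function_bugs crash write-ups, with no upstream fix or issue linked. The bookworm lines are consistent with the other releases, but for an ELF/DWARF parser that can be fed untrusted binaries, a NOTE on whether upstream is still active, and on whether any of the eight crashes goes beyond a SEGV (CVE-2020-24824 is described as a global buffer overflow), would make the blanket 'Minor issue' more defensible.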
@@ -173401,6 +173404,7 @@ CVE-2020-24827 (A vulnerability in the 
dwarf::cursor::skip_form function of Libe
NOTE: 
https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-dwarfcursorskip_form-at-dwarfcursorcc181
 CVE-2020-24826 (A vulnerability in the elf::section::as_strtab function of 
Libelfin v0 ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
@@ -173408,6 +173412,7 @@ CVE-2020-24826 (A vulnerability in the 
elf::section::as_strtab function of Libel
NOTE: 
https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-elfsectionas_strtab-at-elfelfcc284
 CVE-2020-24825 (A vulnerability in the line_table::line_table function of 
Libelfin v0. ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
@@ -173415,6 +173420,7 @@ CVE-2020-24825 (A vulnerability in the 
line_table::line_table function of Libelf
NOTE: 
https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-line_tableline_table-at-dwarflinecc104
 CVE-2020-24824 (A global buffer overflow issue in the 
dwarf::line_table::line_table fu ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
@@ -173422,6 +173428,7 @@ CVE-2020-24824 (A global buffer overflow issue in the 
dwarf::line_table::line_ta
NOTE: 
https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#global-buffer-overflow-in-function-dwarfline_tableline_table-at-dwarflinecc107
 CVE-2020-24823 (A vulnerability in the dwarf::to_string function of Libelfin 
v0.3 allo ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
@@ -173429,6 +173436,7 @@ CVE-2020-24823 (A vulnerability in the 
dwarf::to_string function of Libelfin v0.
NOTE: 
https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-dwarfto_string-at-dwarfvaluecc300
 CVE-2020-24822 (A vulnerability in the dwarf::cursor::uleb function of 
Libelfin v0.3 a ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
@@ -173436,6 +173444,7 @@ CVE-2020-24822 (A vulnerability in the 
dwarf::cursor::uleb function of Libelfin
NOTE: 
https://github.com/xiaoxiongwang/function_bugs/tree/master/libelfin#segv-in-function-dwarfcursoruleb128-at-dwarfinternalhh154
 CVE-2020-24821 (A vulnerability in the dwarf::cursor::skip_form function of 
Libelfin v ...)
- libelfin  (bug #1014122)
+   [bookworm] - libelfin  (Minor issue)
[bullseye] - libelfin  (Minor issue)
[buster] - libelfin  (Minor issue)
[stretch] - libelfin  (Minor issue)
@@ -274955,6 +274964,7 @@ CVE-2015-9281 (Logon Manager in SAS Web 
Infrastructure Platform before 9.4M3 all
NOT-FOR-US: SAS Web Infrastructure Platform