Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 62d476ff by Moritz Muehlenhoff at 2024-05-04T18:15:00+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -237,11 +237,11 @@ CVE-2024-34408 (Tencent libpag through 4.3.51 has an integer overflow in DecodeS CVE-2024-34404 (A vulnerability was discovered in the Alta Recovery Vault feature of V ...) NOT-FOR-US: Veritas NetBackup CVE-2024-34403 (An issue was discovered in uriparser through 0.9.7. ComposeQueryMalloc ...) - - uriparser <unfixed> + - uriparser <unfixed> (bug #1070376) NOTE: https://github.com/uriparser/uriparser/issues/183 NOTE: https://github.com/uriparser/uriparser/pull/186 CVE-2024-34402 (An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine ...) - - uriparser <unfixed> + - uriparser <unfixed> (bug #1070376) NOTE: https://github.com/uriparser/uriparser/pull/185 NOTE: https://github.com/uriparser/uriparser/issues/183 CVE-2024-34401 (Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ ...) @@ -269,7 +269,7 @@ CVE-2024-34066 (Pterodactyl wings is the server control plane for Pterodactyl Pa CVE-2024-34063 (vodozemac is an implementation of Olm and Megolm in pure Rust. Version ...) TODO: check CVE-2024-34062 (tqdm is an open source progress bar for Python and CLI. Any optional n ...) - - tqdm <unfixed> + - tqdm <unfixed> (bug #1070372) NOTE: https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p NOTE: Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3) CVE-2024-34061 (changedetection.io is a free open source web page change detection, we ...) 
@@ -3101,7 +3101,7 @@ CVE-2024-3411 (Implementations of IPMI Authenticated sessions does not provide e CVE-2024-3072 (The ACF Front End Editor plugin for WordPress is vulnerable to unautho ...) NOT-FOR-US: WordPress plugin CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is possible for the get_edge() func ...) - - frr <unfixed> + - frr <unfixed> (bug #1070377) [bullseye] - frr <not-affected> (Vulnerable code introduced later) [buster] - frr <not-affected> (Vulnerable code introduced later) NOTE: https://github.com/FRRouting/frr/pull/15674 @@ -3243,7 +3243,7 @@ CVE-2024-33401 (Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a CVE-2024-33350 (Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote at ...) NOT-FOR-US: TaoCMS CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string ...) - - dmitry <unfixed> + - dmitry <unfixed> (bug #1070370) [bookworm] - dmitry <no-dsa> (Minor issue) [bullseye] - dmitry <no-dsa> (Minor issue) [buster] - dmitry <postponed> (Minor issue, crash in CLI tool, requires malicious parameter) @@ -3889,7 +3889,7 @@ CVE-2024-33343 (D-Link DIR-822+ V1.0.5 was found to contain a command injection CVE-2024-33342 (D-Link DIR-822+ V1.0.5 was found to contain a command injection in Set ...) NOT-FOR-US: D-Link CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Failure ...) - - quickjs <unfixed> + - quickjs <unfixed> (bug #1070373) NOTE: https://github.com/bellard/quickjs/issues/277 CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - iotjs <removed> 
@@ -4033,11 +4033,11 @@ CVE-2024-33666 (An issue was discovered in Zammad before 6.3.0. Users with custo CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key that is ...) NOT-FOR-US: angular-translate CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...) - - python-jose <unfixed> + - python-jose <unfixed> (bug #1070375) NOTE: https://github.com/mpdavis/python-jose/issues/344 NOTE: https://github.com/mpdavis/python-jose/pull/345 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...) - - python-jose <unfixed> + - python-jose <unfixed> (bug #1070375) NOTE: https://github.com/mpdavis/python-jose/issues/346 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...) NOT-FOR-US: Portainer @@ -4403,7 +4403,7 @@ CVE-2024-32948 (Missing Authorization vulnerability in Repute Infosystems ARMemb CVE-2024-32947 (Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline Web Se ...) NOT-FOR-US: WordPress plugin CVE-2024-32879 (Python Social Auth is a social authentication/registration mechanism. ...) - - social-auth-app-django <unfixed> + - social-auth-app-django <unfixed> (bug #1070374) [bookworm] - social-auth-app-django <no-dsa> (Minor issue) [bullseye] - social-auth-app-django <no-dsa> (Minor issue) [buster] - social-auth-app-django <postponed> (Minor issue) @@ -4958,7 +4958,7 @@ CVE-2024-31992 (Mealie is a self hosted recipe manager and meal planner. Prior t CVE-2024-31991 (Mealie is a self hosted recipe manager and meal planner. Prior to 1.4. ...) NOT-FOR-US: Mealie CVE-2024-31584 (Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the ...) - - pytorch <unfixed> + - pytorch <unfixed> (bug #1070379) [bookworm] - pytorch <no-dsa> (Minor issue) [bullseye] - pytorch <no-dsa> (Minor issue) NOTE: https://github.com/pytorch/pytorch/commit/7c35874ad664e74c8e4252d67521f3986eadb0e6 
@@ -5015,7 +5015,7 @@ CVE-2024-32644 (Evmos is a scalable, high-throughput Proof-of-Stake EVM blockcha CVE-2024-32478 (Git Credential Manager (GCM) is a secure Git credential helper. Prior ...) - git-credential-manager <itp> (bug #1002300) CVE-2024-32473 (Moby is an open source container framework that is a key component of ...) - - docker.io <unfixed> + - docker.io <unfixed> (bug #1070378) NOTE: https://github.com/moby/moby/security/advisories/GHSA-x84c-p2g9-rqv9 NOTE: https://github.com/moby/moby/commit/841c4c8057bcf5317d6565875595a3f0c046e3fa TODO: check, said to be specific to the 26.0.0 and 26.0.1 versions but needs double-checking 
@@ -5577,25 +5577,25 @@ CVE-2024-1426 (The Element Pack Elementor Addons (Header Footer, Free Template L CVE-2023-4509 (It is possible for an API key to be logged in clear text in the audit ...) NOT-FOR-US: Octopus Deploy CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - - ofono <unfixed> + - ofono <unfixed> (bug #1070371) [bookworm] - ofono <no-dsa> (Minor issue) [bullseye] - ofono <no-dsa> (Minor issue) [buster] - ofono <postponed> (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255402 CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - - ofono <unfixed> + - ofono <unfixed> (bug #1070371) [bookworm] - ofono <no-dsa> (Minor issue) [bullseye] - ofono <no-dsa> (Minor issue) [buster] - ofono <postponed> (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255399 CVE-2023-4233 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - - ofono <unfixed> + - ofono <unfixed> (bug #1070371) [bookworm] - ofono <no-dsa> (Minor issue) [bullseye] - ofono <no-dsa> (Minor issue) [buster] - ofono <postponed> (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255396 CVE-2023-4232 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - - ofono <unfixed> + - ofono <unfixed> (bug #1070371) [bookworm] - ofono <no-dsa> (Minor issue) [bullseye] - ofono <no-dsa> (Minor issue) [buster] - ofono <postponed> (Minor issue, follow bullseye) 
@@ -5762,7 +5762,7 @@ CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by- NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0) NOTE: Introduced by https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1) CVE-2024-31583 (Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...) - - pytorch <unfixed> + - pytorch <unfixed> (bug #1070379) [bookworm] - pytorch <no-dsa> (Minor issue) [bullseye] - pytorch <no-dsa> (Minor issue) NOTE: https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 @@ -5781,7 +5781,7 @@ CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper valida [buster] - ffmpeg <postponed> (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0) CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) - - pytorch <unfixed> + - pytorch <unfixed> (bug #1070379) [bookworm] - pytorch <no-dsa> (Minor issue) [bullseye] - pytorch <no-dsa> (Minor issue) NOTE: https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 
@@ -10173,15 +10173,15 @@ CVE-2024-3347 (A vulnerability was found in SourceCodester Airline Ticket Reserv CVE-2024-3346 (A vulnerability was found in Byzoro Smart S80 up to 20240328. It has b ...) NOT-FOR-US: Byzro Smart S80 CVE-2024-31852 (LLVM before 18.1.3 generates code in which the LR register can be over ...) - - llvm-toolchain-14 <unfixed> + - llvm-toolchain-14 <unfixed> (bug #1070384) [bookworm] - llvm-toolchain-14 <no-dsa> (Minor issue) - - llvm-toolchain-15 <unfixed> + - llvm-toolchain-15 <unfixed> (bug #1070383) [bookworm] - llvm-toolchain-15 <no-dsa> (Minor issue) - - llvm-toolchain-16 <unfixed> + - llvm-toolchain-16 <unfixed> (bug #1070382) [bookworm] - llvm-toolchain-16 <no-dsa> (Minor issue) [bullseye] - llvm-toolchain-16 <no-dsa> (Minor issue) - - llvm-toolchain-17 <unfixed> - - llvm-toolchain-18 <unfixed> + - llvm-toolchain-17 <unfixed> (bug #1070381) + - llvm-toolchain-18 <unfixed> (bug #1070380) NOTE: https://github.com/llvm/llvm-project/issues/80287 NOTE: https://bugs.chromium.org/p/llvm/issues/detail?id=69 NOTE: https://github.com/llvmbot/llvm-project/commit/0e16af8e4cf3a66ad5d078d52744ae2776f9c4b2 @@ -292148,7 +292148,7 @@ CVE-2020-14932 (compose.php in SquirrelMail 1.4.22 calls unserialize for the $ma - squirrelmail <removed> NOTE: https://www.openwall.com/lists/oss-security/2020/06/20/1 CVE-2020-14931 (A stack-based buffer overflow in DMitry (Deepmagic Information Gatheri ...) - - dmitry <unfixed> + - dmitry <unfixed> (bug #1070370) [bookworm] - dmitry <no-dsa> (Minor issue) [bullseye] - dmitry <no-dsa> (Minor issue) [buster] - dmitry <postponed> (Minor issue, requires hostile whois server) 
@@ -472289,7 +472289,7 @@ CVE-2017-7940 (The iw_read_gif_file function in imagew-gif.c in libimageworsener CVE-2017-7939 (The read_next_pam_token function in imagew-pnm.c in libimageworsener.a ...) NOT-FOR-US: ImageWorsener CVE-2017-7938 (Stack-based buffer overflow in DMitry (Deepmagic Information Gathering ...) - - dmitry <unfixed> + - dmitry <unfixed> (bug #1070370) [bookworm] - dmitry <no-dsa> (Minor issue) [bullseye] - dmitry <no-dsa> (Minor issue) [buster] - dmitry <postponed> (Minor issue, crash in CLI tool, requires malicious parameter) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d476ff298fb21c4d9abbcb698af3f587a286a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d476ff298fb21c4d9abbcb698af3f587a286a5 You're receiving this email because of your account on salsa.debian.org.
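Review bot: in the uriparser hunk (CVE-2024-34403 and CVE-2024-34402) and the tqdm hunk (CVE-2024-34062) the new (bug #1070376) / (bug #1070372) annotation is the only change, and neither entry carries a [bookworm] or [bullseye] line, unlike the dmitry, ofono and pytorch entries later in the same patch; if those source packages ship in a supported release, the stable triage (no-dsa, postponed, or a DSA) should be recorded next to the bug rather than left implicit. For tqdm the NOTE already names the fixing upstream commit and version (v4.66.3), so the `<unfixed>` line can be replaced with the fixed Debian version as soon as that upload lands.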
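Review bot: in the python-jose hunk, CVE-2024-33663 and CVE-2024-33664 share bug #1070375 but have no per-release lines at all; CVE-2024-33663 is described as an algorithm confusion with OpenSSH ECDSA keys, which is a verification-logic flaw rather than a crash, so it should not silently inherit a "Minor issue" style no-dsa decision. Suggest adding explicit `[bookworm] - python-jose <...>` and `[bullseye] - python-jose <...>` triage lines for both CVEs when the bug is filed.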
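Review bot: in the docker.io hunk (CVE-2024-32473) the bug #1070378 is attached while the entry's own TODO still says the issue "is said to be specific to the 26.0.0 and 26.0.1 versions but needs double-checking"; that check should be settled before the bug sits in the BTS. If Debian's docker.io falls outside that version range, the line should become `<not-affected>` with a reason and the bug closed; if it is affected, the TODO should be dropped so the entry does not carry both a filed bug and an open question.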
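Review bot: in the dmitry hunks, a single bug #1070370 is attached to three CVEs spanning CVE-2017-7938, CVE-2020-14931 and CVE-2024-31837; one tracking bug per source package is fine, but the BTS title should enumerate all three identifiers, otherwise the bug-to-tracker cross-check only matches whichever CVE was named when the bug was filed. The same point applies to #1070371 (four ofono CVEs) and #1070379 (three pytorch CVEs) elsewhere in this patch.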
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits