[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-22742/libgit2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 67f2efdc by Salvatore Bonaccorso at 2023-01-23T07:09:43+01:00 Track fixed version for CVE-2023-22742/libgit2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3966,7 +3966,7 @@ CVE-2023-22744 CVE-2023-22743 RESERVED CVE-2023-22742 (libgit2 is a cross-platform, linkable library implementation of Git. W ...) - - libgit2 (bug #1029368) + - libgit2 1.5.1+ds-1 (bug #1029368) NOTE: https://github.com/libgit2/libgit2/commit/cd6f679af401eda1f172402006ef8265f8bd58ea (v1.4.5) NOTE: https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56 (v1.5.1) NOTE: https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67f2efdcc5d7f114a426dbf1a4a2fe6c1975befb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67f2efdcc5d7f114a426dbf1a4a2fe6c1975befb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
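Review bot: the changed line records the fix only for unstable (`- libgit2 1.5.1+ds-1 (bug #1029368)`) and no `[bullseye]` or `[buster]` line is visible for CVE-2023-22742, while the NOTE for commit cd6f679a (v1.4.5) shows upstream also fixed the 1.4 branch. Add a release annotation in the file's usual form (`[bullseye] - libgit2 (Minor issue)` or a fixed +debXXuY version once known) so the entry states whether a stable update is planned rather than leaving the stable status implicit.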
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: d6099979 by Anton Gladky at 2023-01-23T06:25:34+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,7 +39,7 @@ consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. -- -curl (Roberto C. Sánchez) +curl NOTE: 20220901: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/curl.git NOTE: 20220904: Special attention: high popcon!. @@ -104,7 +104,7 @@ golang-websocket graphite-web NOTE: 20221229: Programming language: Python. -- -imagemagick (Roberto C. Sánchez) +imagemagick NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6099979893cc261fd3a52e90fd87f3b8b95cc57 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6099979893cc261fd3a52e90fd87f3b8b95cc57 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
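Review bot: both hunks drop the claimer name from the curl and imagemagick entries but add no dated NOTE recording the unclaim, even though the commit subject gives the reason (2 weeks of inactivity). Entries in data/dla-needed.txt keep their history as `NOTE: YYYYMMDD: ...` lines, so append something like `NOTE: 20230123: Unclaimed after 2 weeks of inactivity (gladk).` under each package; the next person to claim curl (flagged "high popcon" in the unchanged context) should be able to see that someone may already have partial work.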
[Git][security-tracker-team/security-tracker][master] LTS: add some meta-info
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d395b4c by Anton Gladky at 2023-01-23T06:21:27+01:00 LTS: add some meta-info - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -159,6 +159,8 @@ modsecurity-apache (Tobias Frost) NOTE: 20230120: Requested two CVEs for modecurity-apache (tobi) NOTE: 20230120: 1) for https://github.com/SpiderLabs/ModSecurity/pull/2857 (WAF bypass vulnerabilty) NOTE: 20230120: 2) for https://github.com/SpiderLabs/ModSecurity/pull/2797 (the counterpart of CVE 2022-39956) + NOTE: 20230123: Programming language: C + NOTE: 20230123: VCS: https://salsa.debian.org/lts-team/packages/modsecurity-apache.git -- modsecurity-crs (Tobias Frost) NOTE: 20221006: Programming language: Other. @@ -341,6 +343,7 @@ swift NOTE: 20230123: Thomas already uploaded the package; discussion on #debian-lts. (utkarsh) -- thunderbird (Emilio) + NOTE: 20230123: Programming language: C++ -- tinymce NOTE: 20221227: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d395b4c2f6f16763d2443061471dfa2be01081f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d395b4c2f6f16763d2443061471dfa2be01081f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
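Review bot: the added `NOTE: 20230123: Programming language: C` and `NOTE: 20230123: Programming language: C++` lines omit the trailing period that the existing meta-info lines use (`Programming language: Other.`, `Programming language: PHP.`); keep the format uniform, since these lines are the kind of thing scripts grep for. The thunderbird hunk also adds no `VCS:` line, unlike the modsecurity-apache hunk in the same commit.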
[Git][security-tracker-team/security-tracker][master] Add wireshark to dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: ec6899fd by Utkarsh Gupta at 2023-01-23T04:38:51+05:30 Add wireshark to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -355,6 +355,10 @@ trafficserver NOTE: 20221114: https://people.debian.org/~abhijith/upload/trf/ (abhijith) NOTE: 20221114: Asked upstream regarding CVE-2022-31779 (abhijith) -- +wireshark + NOTE: 20230123: Programming language: C. + NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). +-- xdg-utils NOTE: 20221120: Programming language: C. NOTE: 20221120: no real fix yet View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec6899fdedb622df907350925414e1a9699a1f77 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec6899fdedb622df907350925414e1a9699a1f77 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
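Review bot: the new wireshark note says "7 new CVEs + 3 postponed ones" without listing the CVE IDs, so whoever picks the entry up cannot tell which issues are in scope or which three were postponed; list them in the NOTE. The entry also lacks the `VCS:` line that most entries in this file carry (compare the modsecurity-apache and git entries added the same day).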
[Git][security-tracker-team/security-tracker][master] 4 commits: Mark CVE-2023-2249{6,7}/netdata as no-dsa for buster
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 17454138 by Utkarsh Gupta at 2023-01-23T03:37:19+05:30 Mark CVE-2023-2249{6,7}/netdata as no-dsa for buster - - - - - 4c6244f5 by Utkarsh Gupta at 2023-01-23T03:37:46+05:30 Mark CVE-2021-46872/nim as no-dsa for buster - - - - - 5be04707 by Utkarsh Gupta at 2023-01-23T03:38:19+05:30 Mark CVE-2022-46176/rust-cargo as no-dsa in buster - - - - - 4f16ce9f by Utkarsh Gupta at 2023-01-23T03:39:11+05:30 Mark TEMP-1028986-7037E6/sgt-puzzles as no-dsa for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1407,6 +1407,7 @@ CVE-2023-0306 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten CVE-2023- [Multiple integer overflow and buffer overflow issues in game loading] - sgt-puzzles (bug #1028986) [bullseye] - sgt-puzzles (Minor issue) + [buster] - sgt-puzzles (Minor issue) CVE-2023-0305 (A vulnerability classified as critical was found in SourceCodester Onl ...) NOT-FOR-US: SourceCodester Online Food Ordering System CVE-2023-0304 (A vulnerability classified as critical has been found in SourceCodeste ...) @@ -1794,6 +1795,7 @@ CVE-2022-48256 (Technitium DNS Server before 10.0 allows a self-CNAME denial-of- CVE-2021-46872 (An issue was discovered in Nim before 1.6.2. The RST module of the Nim ...) - nim 1.6.2-1 [bullseye] - nim (Minor issue) + [buster] - nim (Minor issue) NOTE: https://github.com/nim-lang/Nim/pull/19134 NOTE: https://github.com/nim-lang/Nim/commit/9338aa24977e84a33b9a7802eaff0777fcf4d9c3 CVE-2023-23492 (The Login with Phone Number WordPress Plugin, version 1.4.2, is a ...) 
@@ -4946,10 +4948,12 @@ CVE-2023-22498 CVE-2023-22497 (Netdata is an open source option for real-time infrastructure monitori ...) - netdata 1.37.0-1 [bullseye] - netdata (Minor issue) + [buster] - netdata (Minor issue) NOTE: https://github.com/netdata/netdata/security/advisories/GHSA-jx85-39cw-66f2 CVE-2023-22496 (Netdata is an open source option for real-time infrastructure monitori ...) - netdata 1.37.0-1 [bullseye] - netdata (Minor issue) + [buster] - netdata (Minor issue) NOTE: https://github.com/netdata/netdata/security/advisories/GHSA-xg38-3vmw-2978 CVE-2023-22495 (Izanami is a shared configuration service well-suited for micro-servic ...) NOT-FOR-US: Izanami @@ -12878,6 +12882,7 @@ CVE-2022-46176 (Cargo is a Rust package manager. The Rust Security Response WG w [buster] - cargo (Minor issue) - rust-cargo 0.66.0-1 [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/10/3 NOTE: https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2022-46176 CVE-2022-46175 (JSON5 is an extension to the popular JSON file format that aims to be ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e28fe4bb1032925e2ac6eb78ea27209012d73c4...4f16ce9f2009e1361bfcd923cd79b48197183c9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/1e28fe4bb1032925e2ac6eb78ea27209012d73c4...4f16ce9f2009e1361bfcd923cd79b48197183c9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
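Review bot: in the sgt-puzzles hunk the issue is still keyed as `CVE-2023-` with a bracketed description (tracked as TEMP-1028986-7037E6 per the commit subject), and the new `[buster] - sgt-puzzles (Minor issue)` line gives no reason beyond "Minor issue" for what the description calls multiple integer overflow and buffer overflow issues in game loading. Record the rationale in a NOTE so the no-dsa decision can still be audited once a real CVE ID replaces the placeholder.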
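Review bot: the rust-cargo hunk for CVE-2022-46176 leaves `[buster] - cargo (Minor issue)` and the new `[buster] - rust-cargo (Minor issue)` side by side, i.e. two source packages annotated for buster; that is fine if both ship the affected code, but a short NOTE saying which of the two actually provides cargo in buster would save the next editor from re-deriving it.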
[Git][security-tracker-team/security-tracker][master] 8 commits: Mark CVE-2023-{0358,2314{3-5}}/gpac as EOL for buster
://phabricator.wikimedia.org/T259210 NOTE: https://phabricator.wikimedia.org/T257062 NOTE: https://www.mediawiki.org/wiki/Extension:Score/2021_security_advisory = data/dla-needed.txt = @@ -74,6 +74,10 @@ fusiondirectory NOTE: 20221203: Also the package was removed from sid recently (gladk). NOTE: 20221203: Feel free to marke both CVEs as , if they are not too serious (gladk). -- +git + NOTE: 20230122: Programming language: C. + NOTE: 20230122: VCS: https://salsa.debian.org/lts-team/packages/git.git +-- golang-1.11 NOTE: 20220916: Programming language: Go. NOTE: 20220916: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't) @@ -227,6 +231,9 @@ openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- +openjdk-11 + NOTE: 20230123: Programming language: Java. +-- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) 
@@ -329,6 +336,10 @@ sox NOTE: 20221003: https://sourceforge.net/p/sox/bugs/362/ Re-pinged upstream committer (abhijith) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git -- +swift + NOTE: 20230123: Programming language: Python. + NOTE: 20230123: Thomas already uploaded the package; discussion on #debian-lts. (utkarsh) +-- thunderbird (Emilio) -- tinymce View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6268e0295f455bf57290b092b9edb81daca938d4...1e28fe4bb1032925e2ac6eb78ea27209012d73c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6268e0295f455bf57290b092b9edb81daca938d4...1e28fe4bb1032925e2ac6eb78ea27209012d73c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
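Review bot: the swift hunk adds a dla-needed entry whose only substantive note says the package was already uploaded; an entry in this file signals open work, so either record what remains (DLA text, announcement) or name the CVEs the upload covered, otherwise the entry reads as unclaimed work to be started from scratch. The openjdk-11 hunk has the same gap in the other direction: it gets only a `Programming language: Java.` line and no hint of which issues need handling or where the packaging lives.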
[Git][security-tracker-team/security-tracker][master] Track proposed update for w3m via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6268e029 by Salvatore Bonaccorso at 2023-01-22T20:50:58+01:00 Track proposed update for w3m via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -94,3 +94,5 @@ CVE-2022-36760 [bullseye] - apache2 2.4.55-1~deb11u1 CVE-2022-37436 [bullseye] - apache2 2.4.55-1~deb11u1 +CVE-2022-38223 + [bullseye] - w3m 0.5.3+git20210102-6+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6268e0295f455bf57290b092b9edb81daca938d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6268e0295f455bf57290b092b9edb81daca938d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
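Review bot: this hunk only adds the w3m target (`0.5.3+git20210102-6+deb11u1`) to data/next-point-update.txt; the CVE-2022-38223 entry in data/CVE/list is not touched in this commit, so confirm it already carries a matching `[bullseye]` annotation stating that the fix goes via bullseye-pu, as the apache2 commit from the same evening did by updating both files together.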
[Git][security-tracker-team/security-tracker][master] Track proposed apache2 update via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c381e8a by Salvatore Bonaccorso at 2023-01-22T20:48:57+01:00 Track proposed apache2 update via bullseye-pu Maintainer proposed to update the package addressing the three CVEs via bullseye-pu. Accordingly mark them (for now) no-dsa. We might reconsider it if we think we still should issue a DSA. - - - - - 3 changed files: - data/CVE/list - data/dsa-needed.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -34509,6 +34509,7 @@ CVE-2022-3072 (Cross-site Scripting (XSS) - Stored in GitHub repository francois NOT-FOR-US: francoisjacquet/rosariosis CVE-2006-20001 (A carefully crafted If: request header can cause a memory read, or wri ...) - apache2 2.4.55-1 + [bullseye] - apache2 (Minor update; update proposed via bullseye-pu) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/5 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2006-20001 CVE-2022- [wordpress 6.0.3] @@ -39236,6 +39237,7 @@ CVE-2022-37437 (When using Ingest Actions to configure a destination that reside NOT-FOR-US: Splunk CVE-2022-37436 (Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the ...) - apache2 2.4.55-1 + [bullseye] - apache2 (Minor update; update proposed via bullseye-pu) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/7 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-37436 CVE-2022-37435 (Apache ShenYu Admin has insecure permissions, which may allow low-priv ...) 
@@ -41150,6 +41152,7 @@ CVE-2022-36761 RESERVED CVE-2022-36760 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...) - apache2 2.4.55-1 + [bullseye] - apache2 (Minor update; update proposed via bullseye-pu) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/6 NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2022-36760 CVE-2022-36759 (Online Food Ordering System v1.0 was discovered to contain a SQL injec ...) = data/dsa-needed.txt = @@ -11,9 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -apache2 - Update to 2.4.55 should settle in unstable for a week, before considering an update -- curl (jmm) Team asked maintainer to prepare updates = data/next-point-update.txt = @@ -88,3 +88,9 @@ CVE-2022-47952 [bullseye] - lxc 1:4.0.6-2+deb11u2 CVE-2022-22728 [bullseye] - libapreq2 2.13-7+deb11u1 +CVE-2006-20001 + [bullseye] - apache2 2.4.55-1~deb11u1 +CVE-2022-36760 + [bullseye] - apache2 2.4.55-1~deb11u1 +CVE-2022-37436 + [bullseye] - apache2 2.4.55-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c381e8a8dbdd94e614a722b76886d867b6f15f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c381e8a8dbdd94e614a722b76886d867b6f15f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
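Review bot: the `[bullseye] - apache2 (Minor update; update proposed via bullseye-pu)` line for CVE-2022-36760 uses the same wording as for the other two CVEs, but this one is HTTP request smuggling per its description and the commit message itself says the decision may be reconsidered; add a NOTE citing the triggering configuration from the linked httpd advisory (vulnerabilities_24.html#CVE-2022-36760) so the no-DSA call can be re-evaluated without re-reading the advisory.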
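Review bot: the dsa-needed.txt hunk removes the apache2 entry together with its note that 2.4.55 should settle in unstable for a week, while the commit message keeps a DSA as an option; leave a dated pointer somewhere (a NOTE next to the new next-point-update.txt lines would do) that the bullseye-pu route was chosen on 2023-01-22, so the dsa-needed entry can be restored quickly if the maintainer's point-update upload slips.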
[Git][security-tracker-team/security-tracker][master] Update information for two openimageio issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cbf641d by Salvatore Bonaccorso at 2023-01-22T20:34:34+01:00 Update information for two openimageio issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22673,8 +22673,10 @@ CVE-2022-43605 CVE-2022-43604 RESERVED CVE-2022-43603 (A denial of service vulnerability exists in the ZfileOutput::close() f ...) + [experimental] - openimageio 2.4.7.1+dfsg-1 - openimageio (bug #1027808) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1657 + NOTE: https://github.com/OpenImageIO/oiio/pull/3670 CVE-2022-43602 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 @@ -25860,8 +25862,10 @@ CVE-2022-42470 CVE-2022-42469 RESERVED CVE-2022-41999 (A denial of service vulnerability exists in the DDS native tile readin ...) + [experimental] - openimageio 2.4.7.1+dfsg-1 - openimageio (bug #1027808) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1635 + NOTE: https://github.com/OpenImageIO/oiio/pull/3625 CVE-2022-41991 RESERVED CVE-2022-41988 (An information disclosure vulnerability exists in the OpenImageIO::dec ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cbf641d7edb2cf2253ceba1b730fd3ba9954cb8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cbf641d7edb2cf2253ceba1b730fd3ba9954cb8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
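Review bot: the new `[experimental] - openimageio 2.4.7.1+dfsg-1` lines record a fix in experimental, but the unstable line `- openimageio (bug #1027808)` stays without a version and the added PR NOTEs (oiio/pull/3670, oiio/pull/3625) do not say which upstream release contains them; append the release in parentheses after the URL, as the file does elsewhere (for example the `(v1.5.1)` suffix on the libgit2 commit NOTE), so the unstable fixed version can be filled in without re-checking upstream.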
[Git][security-tracker-team/security-tracker][master] Track fixed version for redis issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 774ae6d1 by Salvatore Bonaccorso at 2023-01-22T20:26:55+01:00 Track fixed version for redis issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5117,7 +5117,7 @@ CVE-2023-22461 (The `sanitize-svg` package, a small SVG sanitizer to prevent cro CVE-2023-22460 (go-ipld-prime is an implementation of the InterPlanetary Linked Data ( ...) NOT-FOR-US: go-ipld-prime CVE-2023-22458 (Redis is an in-memory database that persists on disk. Authenticated us ...) - - redis (bug #1029363) + - redis 5:7.0.8-1 (bug #1029363) [bullseye] - redis (Vulnerable code introduced later) [buster] - redis (Vulnerable code introduced later) NOTE: https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj 
@@ -43167,7 +43167,7 @@ CVE-2022-35978 (Minetest is a free open-source voxel game engine with easy moddi NOTE: https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc NOTE: https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13 (5.6.0) CVE-2022-35977 (Redis is an in-memory database that persists on disk. Authenticated us ...) - - redis + - redis 5:7.0.8-1 NOTE: https://github.com/redis/redis/commit/6c25c6b7da116e110e89a5db45eeae743879e7ea (7.0.8) CVE-2022-35976 (The GitOps Tools Extension for VSCode relies on kubeconfigs in order t ...) NOT-FOR-US: GitOps Tools Extension for VSCode View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/774ae6d1f26e6d9bca3857b41be97a5ad5ae2d74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/774ae6d1f26e6d9bca3857b41be97a5ad5ae2d74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
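Review bot: the CVE-2022-35977 hunk sets `- redis 5:7.0.8-1` but, unlike the CVE-2023-22458 hunk above it in the same commit, shows no `[bullseye]` or `[buster]` annotation; both issues are fixed by the same 7.0.8 upload and the only NOTE is the 7.0.8 fix commit, so state explicitly whether the older branches are affected or also "Vulnerable code introduced later".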
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-3770{3,4,5}/amanda
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88a41d9a by Salvatore Bonaccorso at 2023-01-22T16:31:41+01:00 Update information for CVE-2022-3770{3,4,5}/amanda - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38557,13 +38557,20 @@ CVE-2022-37706 (enlightenment_sys in Enlightenment before 0.25.4 allows local us NOTE: https://git.enlightenment.org/enlightenment/enlightenment/commit/cc7faeccf77fef8b0ae70e312a21e4cde087e141 CVE-2022-37705 RESERVED + - amanda + NOTE: https://github.com/MaherAzzouzi/CVE-2022-37705 + NOTE: https://github.com/zmanda/amanda/issues/192 CVE-2022-37704 RESERVED + - amanda + NOTE: https://github.com/MaherAzzouzi/CVE-2022-37704 + NOTE: https://github.com/zmanda/amanda/issues/192 CVE-2022-37703 (In Amanda 3.5.1, an information leak vulnerability was found in the ca ...) - amanda (bug #1021017) [bullseye] - amanda (Minor issue) [buster] - amanda (Minor issue) NOTE: https://github.com/MaherAzzouzi/CVE-2022-37703 + NOTE: https://github.com/zmanda/amanda/issues/192 CVE-2022-37702 RESERVED CVE-2022-37701 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a41d9ad8525377c40d1bdf6ebb514fb5c2779d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a41d9ad8525377c40d1bdf6ebb514fb5c2779d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
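Review bot: CVE-2022-37704 and CVE-2022-37705 gain `- amanda` package lines while their status is still `RESERVED`, and unlike CVE-2022-37703 they carry no Debian bug reference and no `[bullseye]`/`[buster]` lines; all three NOTEs now point at the same upstream issue (zmanda/amanda/issues/192), so file or reuse a bug and decide the release annotations for the three together, otherwise the two new entries will show as open for stable while 37703 is already "Minor issue".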
[Git][security-tracker-team/security-tracker][master] 2 commits: Update information for several CVEs addressed in libde265/1.0.9 upstream
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 428ae8cd by Salvatore Bonaccorso at 2023-01-22T15:09:32+01:00 Update information for several CVEs addressed in libde265/1.0.9 upstream - - - - - 08198e14 by Salvatore Bonaccorso at 2023-01-22T15:11:26+01:00 Update information for CVE fixes via libde265/1.0.9-1.1 upload - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7031,7 +7031,7 @@ CVE-2022-47656 (GPAC MP4box 2.1-DEV-rev617-g85ce76efd is vulnerable to Buffer Ov NOTE: https://github.com/gpac/gpac/issues/2353 NOTE: https://github.com/gpac/gpac/commit/c9a8118965b53d29837b1b82b6a58543efb23baf (v2.2.0) CVE-2022-47655 (Libde265 1.0.9 is vulnerable to Buffer Overflow in function void put_q ...) - - libde265 + - libde265 1.0.9-1.1 [bullseye] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/367 CVE-2022-47654 (GPAC MP4box 2.1-DEV-rev593-g007bf61a0 is vulnerable to Buffer Overflow ...) 
@@ -23694,21 +23694,21 @@ CVE-2022-43254 (GPAC v2.1-DEV-rev368-gfd054169b-master was discovered to contain NOTE: https://github.com/gpac/gpac/commit/4520e38aa030f059264c69b426bd8133206fbfe6 NOTE: Negligible security impact CVE-2022-43253 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1025816) + - libde265 1.0.9-1.1 (bug #1025816) NOTE: https://github.com/strukturag/libde265/issues/348 CVE-2022-43252 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/347 CVE-2022-43251 RESERVED CVE-2022-43250 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/346 CVE-2022-43249 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/345 CVE-2022-43248 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1025816) + - libde265 1.0.9-1.1 (bug #1025816) NOTE: https://github.com/strukturag/libde265/issues/349 CVE-2022-43247 RESERVED 
@@ -23718,34 +23718,34 @@ CVE-2022-43245 (Libde265 v1.0.8 was discovered to contain a segmentation violati - libde265 (bug #1029357) NOTE: https://github.com/strukturag/libde265/issues/352 CVE-2022-43244 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/342 CVE-2022-43243 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1025816) + - libde265 1.0.9-1.1 (bug #1025816) NOTE: https://github.com/strukturag/libde265/issues/339 CVE-2022-43242 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/340 CVE-2022-43241 (Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/338 CVE-2022-43240 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/335 CVE-2022-43239 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/341 CVE-2022-43238 (Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/338 CVE-2022-43237 (Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vuln ...) - - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/344 CVE-2022-43236 (Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vuln ...) 
- - libde265 (bug #1027179) + - libde265 1.0.9-1.1 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/343 CVE-2022-43235 (Libde265 v1.0.8 was discovered to contain a
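Review bot: the CVE-2022-47655 description in the first hunk says "Libde265 1.0.9 is vulnerable", yet the hunk marks `1.0.9-1.1` as the fixed version; that only holds if the -1.1 upload carries a patch on top of upstream 1.0.9, and the entry's only NOTE is the upstream issue (#367), not a fix commit. Add the fix commit or the debian/patches file name as a NOTE, otherwise the fixed-version claim cannot be checked against the description.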
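Review bot: in the second hunk CVE-2022-43249 is left as `- libde265 (bug #1027179)` while every neighbouring entry tied to the same bug gets `1.0.9-1.1`; if that is deliberate (issue #345 not addressed in 1.0.9), say so in a NOTE. Also, CVE-2022-43238 and CVE-2022-43241 both reference issues/338, which suggests either one link is wrong or the pair is a duplicate worth flagging before both are marked fixed.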
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-24038/libhtml-stripscripts-perl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ae25d0eb by Salvatore Bonaccorso at 2023-01-22T13:30:39+01:00 Add Debian bug reference for CVE-2023-24038/libhtml-stripscripts-perl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79,7 +79,7 @@ CVE-2023-24040 (** UNSUPPORTED WHEN ASSIGNED ** dtprintinfo in Common Desktop En CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A stack-based buffer overflow in Parse ...) TODO: check CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_ ...) - - libhtml-stripscripts-perl + - libhtml-stripscripts-perl (bug #1029400) NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3 CVE-2023-24037 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae25d0ebc9e3a7a296e82d3672e8c420a756f0fd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae25d0ebc9e3a7a296e82d3672e8c420a756f0fd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-21594
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 41b126b2 by Salvatore Bonaccorso at 2023-01-22T13:28:29+01:00 Update information for CVE-2020-21594 Reviewing analysis from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029396#17 seems correct and so lets bite the bullet and consider 1.0.3 upstream fixing the issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -183464,7 +183464,7 @@ CVE-2020-21595 (libde265 v1.0.4 contains a heap buffer overflow in the mc_luma f [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/239 CVE-2020-21594 (libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fal ...) - - libde265 (bug #1029396) + - libde265 1.0.3-1 (bug #1029396) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41b126b299131d1e3e08d58c902092b5f165a94f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41b126b299131d1e3e08d58c902092b5f165a94f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
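Review bot: setting `- libde265 1.0.3-1` as fixed for CVE-2020-21594 makes the unchanged `(Minor issue, revisit when fixed upstream)` text on the bullseye, buster and stretch lines stale: the commit message now states that 1.0.3 upstream fixes the issue, so either those releases ship 1.0.3 or later and the lines should go, or they ship older code and the annotation should say why no update is planned. A NOTE pointing at the bug comment the commit relies on (bug #1029396, message 17) would also make the decision traceable from the entry itself.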
[Git][security-tracker-team/security-tracker][master] 3 commits: Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f78ca9b6 by Salvatore Bonaccorso at 2023-01-22T13:08:49+01:00 Process some NFUs - - - - - aca335c4 by Salvatore Bonaccorso at 2023-01-22T13:08:50+01:00 Add CVE-2023-0434/pyload - - - - - 724224ed by Salvatore Bonaccorso at 2023-01-22T13:08:52+01:00 Add CVE-2023-24038/libhtml-stripscripts-perl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,7 @@ CVE-2023- [wnpa-sec-2023-01: EAP dissector crash] CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial remote c ...) TODO: check CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and schedu ...) - TODO: check + NOT-FOR-US: Booked Scheduler CVE-2023-24057 RESERVED CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbounded str ...) @@ -41,7 +41,7 @@ CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbound CVE-2023-24055 (** DISPUTED ** KeePass through 2.53 (in a default installation) allows ...) TODO: check CVE-2023-0434 (Improper Input Validation in GitHub repository pyload/pyload prior to ...) - TODO: check + - pyload (bug #1001980) CVE-2023-24054 RESERVED CVE-2023-0433 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) @@ -67,7 +67,7 @@ CVE-2023-24046 CVE-2023-24045 RESERVED CVE-2023-24044 (A Host Header Injection issue on the Login page of Plesk Obsidian thro ...) - TODO: check + NOT-FOR-US: Plesk Obsidian CVE-2023-24043 RESERVED CVE-2023-24042 (A race condition in LightFTP through 2.2 allows an attacker to achieve ...) 
@@ -79,7 +79,8 @@ CVE-2023-24040 (** UNSUPPORTED WHEN ASSIGNED ** dtprintinfo in Common Desktop En CVE-2023-24039 (** UNSUPPORTED WHEN ASSIGNED ** A stack-based buffer overflow in Parse ...) TODO: check CVE-2023-24038 (The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_ ...) - TODO: check + - libhtml-stripscripts-perl + NOTE: https://github.com/clintongormley/perl-html-stripscripts/issues/3 CVE-2023-24037 RESERVED CVE-2023-24036 @@ -99,11 +100,11 @@ CVE-2023-24030 CVE-2023-24029 RESERVED CVE-2023-24028 (In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorre ...) - TODO: check + NOT-FOR-US: MISP CVE-2023-24027 (In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a netwo ...) - TODO: check + NOT-FOR-US: MISP CVE-2023-24026 (In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerabilit ...) - TODO: check + NOT-FOR-US: MISP CVE-2023-24025 (CRYSTALS-DILITHIUM (in Post-Quantum Cryptography Selected Algorithms 2 ...) TODO: check CVE-2023-24024 @@ -1275,7 +1276,7 @@ CVE-2023-23609 CVE-2023-23608 RESERVED CVE-2023-23607 (erohtar/Dasherr is a dashboard for self-hosted services. In affected v ...) - TODO: check + NOT-FOR-US: Dasherr CVE-2023-23606 RESERVED - firefox 109.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d46c29badd4271edbc3d128656aedafd1f6cf2c...724224ed9239881b727df4fe91a444639f21dbdf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7d46c29badd4271edbc3d128656aedafd1f6cf2c...724224ed9239881b727df4fe91a444639f21dbdf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
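Review bot: the new `- pyload (bug #1001980)` line for CVE-2023-0434 carries no NOTE linking the upstream report or fix, unlike the CVE-2023-24038 hunk in the same commit which links the upstream issue; add the reference so the fix can be tied to a version. The bug number is also far lower than the other references on this list (#1029xxx), so double-check it is the intended report and not an older pyload bug being reused.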
[Git][security-tracker-team/security-tracker][master] Update bug numbers for CVE-2022-43245, CVE-2020-21596, CVE-2020-21594 (bugs have been split)
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d46c29b by Tobias Frost at 2023-01-22T12:58:44+01:00 Update bug numbers for CVE-2022-43245, CVE-2020-21596, CVE-2020-21594 (bugs have been splitted) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23714,7 +23714,7 @@ CVE-2022-43247 CVE-2022-43246 RESERVED CVE-2022-43245 (Libde265 v1.0.8 was discovered to contain a segmentation violation via ...) - - libde265 (bug #1027179) + - libde265 (bug #1029357) NOTE: https://github.com/strukturag/libde265/issues/352 CVE-2022-43244 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - libde265 (bug #1027179) @@ -183451,7 +183451,7 @@ CVE-2020-21597 (libde265 v1.0.4 contains a heap buffer overflow in the mc_chroma [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/238 CVE-2020-21596 (libde265 v1.0.4 contains a global buffer overflow in the decode_CABAC_ ...) - - libde265 (bug #1014999) + - libde265 (bug #1029397) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) 
@@ -183463,7 +183463,7 @@ CVE-2020-21595 (libde265 v1.0.4 contains a heap buffer overflow in the mc_luma f [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/239 CVE-2020-21594 (libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fal ...) - - libde265 (bug #1014999) + - libde265 (bug #1029396) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d46c29badd4271edbc3d128656aedafd1f6cf2c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d46c29badd4271edbc3d128656aedafd1f6cf2c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
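Review bot: the @@ -183451 and @@ -183463 hunks move CVE-2020-21596 and CVE-2020-21594 from bug #1014999 to #1029397 and #1029396, but the entries that still share #1014999 are not part of the diff; confirm which CVE keeps the original bug so the BTS and the tracker agree, and consider naming the old bug number in the commit message for traceability.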
[Git][security-tracker-team/security-tracker][master] Assign spip to seb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9ed8701 by Salvatore Bonaccorso at 2023-01-22T12:40:03+01:00 Assign spip to seb - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -59,7 +59,7 @@ salt -- samba -- -spip +spip (seb) Maintainer proposed debdiff for review -- sofia-sip View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9ed8701e7b356e4c7d3599d396ac9378298a620 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9ed8701e7b356e4c7d3599d396ac9378298a620 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2023-24056
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4af63445 by Salvatore Bonaccorso at 2023-01-22T12:38:39+01:00 Add upstream tag information for CVE-2023-24056 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36,7 +36,7 @@ CVE-2023-24057 RESERVED CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbounded str ...) - pkgconf 1.8.1-1 - NOTE: https://gitea.treehouse.systems/ariadne/pkgconf/commit/81cc9b3e6dafcdd02579bcccec6ac47d91e5d023 + NOTE: https://gitea.treehouse.systems/ariadne/pkgconf/commit/81cc9b3e6dafcdd02579bcccec6ac47d91e5d023 (pkgconf-1.9.4, pkgconf-1.8.1) NOTE: https://nullprogram.com/blog/2023/01/18/ CVE-2023-24055 (** DISPUTED ** KeePass through 2.53 (in a default installation) allows ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4af63445f26644f8e38f7fd4f3cb65e4fc176384 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4af63445f26644f8e38f7fd4f3cb65e4fc176384 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add info for CVE-2023-24056/pkgconf
Andrej Shadura pushed to branch master at Debian Security Tracker / security-tracker Commits: 874f66ca by Andrej Shadura at 2023-01-22T12:17:45+01:00 Add info for CVE-2023-24056/pkgconf - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,7 +35,9 @@ CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and CVE-2023-24057 RESERVED CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbounded str ...) - TODO: check + - pkgconf 1.8.1-1 + NOTE: https://gitea.treehouse.systems/ariadne/pkgconf/commit/81cc9b3e6dafcdd02579bcccec6ac47d91e5d023 + NOTE: https://nullprogram.com/blog/2023/01/18/ CVE-2023-24055 (** DISPUTED ** KeePass through 2.53 (in a default installation) allows ...) TODO: check CVE-2023-0434 (Improper Input Validation in GitHub repository pyload/pyload prior to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/874f66cac1f6f50d6f6e010826f3804fe0c203ca -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/874f66cac1f6f50d6f6e010826f3804fe0c203ca You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
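Review bot: the @@ -35,7 +35,9 @@ hunk records pkgconf 1.8.1-1 as the fixed version while the CVE text says the issue affects pkgconf "through 1.9.3"; the bare commit NOTE does not show that the fix landed in the 1.8 release line, so annotate the commit URL with the upstream tags that contain it, making the fixed-version claim verifiable by the next triager.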
[Git][security-tracker-team/security-tracker][master] Add and claim spip
Sebastien Delafond pushed to branch master at Debian Security Tracker / security-tracker Commits: a32c17e3 by Sébastien Delafond at 2023-01-22T10:22:19+01:00 Add and claim spip - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -59,6 +59,9 @@ salt -- samba -- +spip + Maintainer proposed debdiff for review +-- sofia-sip Maintainer proposed debdiff for review with additional question -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a32c17e3b79b663ea3a9f8cbaad59647504bbebd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a32c17e3b79b663ea3a9f8cbaad59647504bbebd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2020-21598 CVE-2020-21600 and CVE-2020-21602
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bf997f0e by Salvatore Bonaccorso at 2023-01-22T09:55:48+01:00 Update status for CVE-2020-21598 CVE-2020-21600 and CVE-2020-21602 Ad investigated by Tobias Frost those issues are fixed in 1.0.9 upstream as well, cf. https://bugs.debian.org/1004963#34 . Link: https://bugs.debian.org/1004963#34 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -183412,7 +183412,7 @@ CVE-2020-21603 (libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_ [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/240 CVE-2020-21602 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bi ...) - - libde265 (bug #1004963) + - libde265 1.0.9-1 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) @@ -183424,7 +183424,7 @@ CVE-2020-21601 (libde265 v1.0.4 contains a stack buffer overflow in the put_qpel [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/241 CVE-2020-21600 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pr ...) - - libde265 (bug #1004963) + - libde265 1.0.9-1 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) 
@@ -183437,7 +183437,7 @@ CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_ima NOTE: https://github.com/strukturag/libde265/issues/235 NOTE: https://github.com/strukturag/libde265/commit/a3f1c6a0dea2b0d4a531255ad06ed40cdb184d25 (v1.0.9) CVE-2020-21598 (libde265 v1.0.4 contains a heap buffer overflow in the ff_hevc_put_unw ...) - - libde265 (bug #1004963) + - libde265 1.0.9-1 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf997f0ecbd929083358b443f0e920f0d2972e9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf997f0ecbd929083358b443f0e920f0d2972e9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
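Review bot: all three hunks record the fix as libde265 1.0.9-1, yet the [bullseye], [buster] and [stretch] lines below each entry keep "Minor issue, revisit when fixed upstream"; with the upstream fix now known, those annotations are stale and should be updated to a plain "Minor issue" plus a NOTE pointing at the fixing commit, as the neighbouring CVE-2020-21599 entry already does with its "(v1.0.9)" commit NOTE.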
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-22884/airflow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbbbddcc by Salvatore Bonaccorso at 2023-01-22T09:24:24+01:00 Add CVE-2023-22884/airflow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3337,7 +3337,7 @@ CVE-2023-22886 CVE-2023-22885 REJECTED CVE-2023-22884 (Improper Neutralization of Special Elements used in a Command ('Comman ...) - TODO: check + - airflow (bug #819700) CVE-2023-0144 RESERVED CVE-2023-0143 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbbbddcc590f8281011f0389dce99092f171f780 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbbbddcc590f8281011f0389dce99092f171f780 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
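Review bot: the @@ -3337,7 +3337,7 @@ hunk records airflow as affected with bug #819700 and no version; that bug number is far older than the ones being filed for 2023 issues, so if it is the ITP/RFP for airflow rather than a bug about CVE-2023-22884 the entry should carry the `<itp>` state the list uses for not-yet-packaged sources instead of a bare package name.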
[Git][security-tracker-team/security-tracker][master] Add temporary entries for wireshark issues wnpa-sec-2023-[01-07]
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0702cb30 by Salvatore Bonaccorso at 2023-01-22T09:19:51+01:00 Add temporary entries for wireshark issues wnpa-sec-2023-[01-07] - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list =
@@ -1,3 +1,33 @@ +CVE-2023- [wnpa-sec-2023-07: TIPC dissector crash] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-07.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18770 +CVE-2023- [wnpa-sec-2023-06: Multiple dissector excessive loops] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-06.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18711 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18720 + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18737 +CVE-2023- [wnpa-sec-2023-05: iSCSI dissector crash] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-05.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18796 +CVE-2023- [wnpa-sec-2023-04: GNW dissector crash] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-04.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18779 +CVE-2023- [wnpa-sec-2023-03: Dissection engine crash] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-03.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18766 +CVE-2023- [wnpa-sec-2023-02: NFS dissector memory leak] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-02.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18628 +CVE-2023- [wnpa-sec-2023-01: EAP dissector crash] + - wireshark 4.0.3-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-01.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18622 CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial remote c ...) TODO: check CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and schedu ...) 
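Review bot: the seven placeholder entries in the @@ -1,3 +1,33 @@ hunk use the empty id form "CVE-2023- [wnpa-sec-2023-NN: ...]" and record only "wireshark 4.0.3-1" with no [bullseye] annotation, so stable shows as affected for all of them until someone triages each dissector issue; add a per-entry stable annotation once the affected code has been checked, and remember that the placeholders must be renamed when the real CVE ids are assigned.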
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0702cb30365aa8ae041a57410cb0c5ccb8a927f9
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2019-16370/gradle via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e33fe20 by Salvatore Bonaccorso at 2023-01-22T09:13:27+01:00 Track fixed version for CVE-2019-16370/gradle via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -247082,7 +247082,7 @@ CVE-2019-16372 CVE-2019-16371 (LogMeIn LastPass before 4.33.0 allows attackers to construct a crafted ...) NOT-FOR-US: LogMeIn LastPass CVE-2019-16370 (The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algori ...) - - gradle (low; bug #941186) + - gradle 4.4.1-18 (low; bug #941186) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue) [stretch] - gradle (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e33fe201c189a4a53566deeefd0672aaae724ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e33fe201c189a4a53566deeefd0672aaae724ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-22617/pdns-recursor via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad77ad6 by Salvatore Bonaccorso at 2023-01-22T09:10:55+01:00 Track fixed version for CVE-2023-22617/pdns-recursor via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4378,7 +4378,7 @@ CVE-2021-4300 (A vulnerability has been found in ghostlander Halcyon and classif CVE-2023-22618 RESERVED CVE-2023-22617 (A remote attacker might be able to cause infinite recursion in PowerDN ...) - - pdns-recursor (bug #1029367) + - pdns-recursor 4.8.1-1 (bug #1029367) [bullseye] - pdns-recursor (Vulnerable code introduced later) [buster] - pdns-recursor (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2023/01/20/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ad77ad64e3c22efe0b8bd267deb8b0afeaa4ef7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ad77ad64e3c22efe0b8bd267deb8b0afeaa4ef7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e5ba8fc6 by security tracker role at 2023-01-22T08:10:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial remote c ...) + TODO: check +CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and schedu ...) + TODO: check +CVE-2023-24057 + RESERVED +CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbounded str ...) + TODO: check +CVE-2023-24055 (** DISPUTED ** KeePass through 2.53 (in a default installation) allows ...) + TODO: check +CVE-2023-0434 (Improper Input Validation in GitHub repository pyload/pyload prior to ...) + TODO: check CVE-2023-24054 RESERVED CVE-2023-0433 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) @@ -22,8 +34,8 @@ CVE-2023-24046 RESERVED CVE-2023-24045 RESERVED -CVE-2023-24044 - RESERVED +CVE-2023-24044 (A Host Header Injection issue on the Login page of Plesk Obsidian thro ...) + TODO: check CVE-2023-24043 RESERVED CVE-2023-24042 (A race condition in LightFTP through 2.2 allows an attacker to achieve ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5ba8fc6fab84834afc51192c445bc72406e9762 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5ba8fc6fab84834afc51192c445bc72406e9762 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits