[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2022-48281/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 91be6031 by Salvatore Bonaccorso at 2023-01-26T08:40:17+01:00 Add fixed version via unstable for CVE-2022-48281/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1116,7 +1116,7 @@ CVE-2023-0435 (Excessive Attack Surface in GitHub repository pyload/pyload prior CVE-2022-4895 RESERVED CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has ...) - - tiff (bug #1029653) + - tiff 4.5.0-4 (bug #1029653) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488 CVE-2022-48280 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91be6031663ef5b4a0591921d3771e605f399785 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91be6031663ef5b4a0591921d3771e605f399785 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
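Review bot: the fixed version 4.5.0-4 is recorded for unstable only; the entry has no `[bullseye]` or `[buster]` line, so both releases stay listed as vulnerable until someone triages them. Because the description pins the bug to `processCropSelections in tools/tiffcrop.c` (the tiffcrop command-line tool, not the library), a `[bullseye] - tiff <no-dsa> (Minor issue)`-style annotation, or at least an explicit severity, would spare the next pass from re-reading upstream issue 488. Also confirm that the 4.5.0-4 changelog names CVE-2022-48281 and closes #1029653, otherwise the bug stays open after the upload.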
[Git][security-tracker-team/security-tracker][master] Track fixed version for two git CVEs addressed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 446d2322 by Salvatore Bonaccorso at 2023-01-26T08:38:42+01:00 Track fixed version for two git CVEs addressed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28550,7 +28550,7 @@ CVE-2022-41905 (WsgiDAV is a generic and extendable WebDAV server based on WSGI. CVE-2022-41904 (Element iOS is an iOS Matrix client provided by Element. It is based o ...) NOT-FOR-US: Element iOS CVE-2022-41903 (Git is distributed revision control system. `git log` can display comm ...) - - git (bug #1029114) + - git 1:2.39.1-0.1 (bug #1029114) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/4 NOTE: https://github.com/git/git/commit/a244dc5b0a629290881641467c7a545de7508ab2 NOTE: https://github.com/git/git/commit/81dc898df9b4b4035534a927f3234a3839b698bf @@ -81091,7 +81091,7 @@ CVE-2022-23523 (In versions prior to 0.8.1, the linux-loader crate uses the offs CVE-2022-23522 RESERVED CVE-2022-23521 (Git is distributed revision control system. gitattributes are a mechan ...) - - git (bug #1029114) + - git 1:2.39.1-0.1 (bug #1029114) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/4 NOTE: https://github.com/git/git/commit/eb22e7dfa23da6bd9aed9bd1dad69e1e8e167d24 NOTE: https://github.com/git/git/commit/8d0d48cf2157cfb914db1f53b3fe40785b86f3aa View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/446d2322ee8eb9e550486ac7b02acdc71b6db81d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/446d2322ee8eb9e550486ac7b02acdc71b6db81d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
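Review bot: both git entries now carry 1:2.39.1-0.1 for unstable but still no `[bullseye]` line, so bullseye shows as affected for CVE-2022-41903 and CVE-2022-23521 with no indication of whether a DSA is planned. The two CVEs share bug #1029114 and the same oss-security post, so one `[bullseye]` decision covers both; recording it in the same change keeps the entries from drifting apart. The -0.1 Debian revision marks this as a non-maintainer upload, which is worth a word in the commit message for whoever later looks up who handled the fix.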
[Git][security-tracker-team/security-tracker][master] CVEs for wireshark assigned
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 929fad66 by Salvatore Bonaccorso at 2023-01-26T08:35:49+01:00 CVEs for wireshark assigned - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1121,39 +1121,39 @@ CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488 CVE-2022-48280 RESERVED -CVE-2023- [wnpa-sec-2023-07: TIPC dissector crash] +CVE-2023-0412 [wnpa-sec-2023-07: TIPC dissector crash] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-07.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18770 -CVE-2023- [wnpa-sec-2023-06: Multiple dissector excessive loops] +CVE-2023-0411 [wnpa-sec-2023-06: Multiple dissector excessive loops] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-06.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18711 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18720 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18737 -CVE-2023- [wnpa-sec-2023-05: iSCSI dissector crash] +CVE-2023-0415 [wnpa-sec-2023-05: iSCSI dissector crash] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-05.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18796 -CVE-2023- [wnpa-sec-2023-04: GNW dissector crash] +CVE-2023-0416 [wnpa-sec-2023-04: GNW dissector crash] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-04.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18779 -CVE-2023- [wnpa-sec-2023-03: Dissection engine crash] +CVE-2023-0413 [wnpa-sec-2023-03: Dissection engine crash] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-03.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18766 -CVE-2023- [wnpa-sec-2023-02: NFS dissector memory leak] +CVE-2023-0417 
[wnpa-sec-2023-02: NFS dissector memory leak] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-02.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18628 -CVE-2023- [wnpa-sec-2023-01: EAP dissector crash] +CVE-2023-0414 [wnpa-sec-2023-01: EAP dissector crash] - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-01.html @@ -1500,20 +1500,6 @@ CVE-2023-23922 RESERVED CVE-2023-23921 RESERVED -CVE-2023-0417 (Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 ...) - TODO: check -CVE-2023-0416 (GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 an ...) - TODO: check -CVE-2023-0415 (iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 ...) - TODO: check -CVE-2023-0414 (Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial o ...) - TODO: check -CVE-2023-0413 (Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 ...) - TODO: check -CVE-2023-0412 (TIPC dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 a ...) - TODO: check -CVE-2023-0411 (Excessive loops in multiple dissectors in Wireshark 4.0.0 to 4.0.2 and ...) - TODO: check CVE-2023-0410 (Cross-site Scripting (XSS) - Generic in GitHub repository builderio/qw ...) NOT-FOR-US: builderio/qwik CVE-2023-0409 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929fad66453d781d9bf648a43b1fead4759bb471 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/929fad66453d781d9bf648a43b1fead4759bb471 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
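Review bot: the id-to-advisory mapping checks out against the removed auto-generated descriptions (0417 NFS memory leak, 0416 GNW, 0415 iSCSI, 0414 EAP, 0413 dissection engine, 0412 TIPC, 0411 excessive loops), but one affected range differs: the removed text for CVE-2023-0414 lists only "Wireshark 4.0.0 to 4.0.2", while every other entry also lists 3.6.0 to 3.6.10. Before carrying the identical `[bullseye] - wireshark (Minor issue, fix along in future update)` line for CVE-2023-0414, confirm from wnpa-sec-2023-01 that the EAP dissector crash reaches the bullseye version at all; if it does not, `<not-affected>` is the right annotation rather than a deferred fix.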
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c24c040 by Salvatore Bonaccorso at 2023-01-26T08:30:49+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75,7 +75,7 @@ CVE-2023-24510 CVE-2023-24509 RESERVED CVE-2023-24508 (Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 ...) - TODO: check + NOT-FOR-US: Baicells CVE-2023-24507 RESERVED CVE-2023-24506 @@ -468,7 +468,7 @@ CVE-2023-0446 (The My YouTube Channel plugin for WordPress is vulnerable to Stor CVE-2023-0445 RESERVED CVE-2023-0444 (A privilege escalation vulnerability exists in Delta Electronics Infra ...) - TODO: check + NOT-FOR-US: Delta Electronics InfraSuite Device Master CVE-2023-0443 RESERVED CVE-2023-0442 @@ -1163,7 +1163,7 @@ CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial re CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and schedu ...) NOT-FOR-US: Booked Scheduler CVE-2023-24057 (HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers ...) - TODO: check + NOT-FOR-US: HL7 (Health Level 7) FHIR Core Libraries CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbounded str ...) - pkgconf 1.8.1-1 [bullseye] - pkgconf (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c24c040273660f20488f0ac3381f9f9a34bcb68 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c24c040273660f20488f0ac3381f9f9a34bcb68 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
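Review bot: for CVE-2023-24057 the NOT-FOR-US label is applied to a library (HL7 FHIR Core Libraries) rather than to appliance firmware like the Baicells and Delta Electronics entries in the same commit; NOT-FOR-US for a library only holds if nothing in the archive bundles it, so a search of the archive and of codesearch for the library name is worth doing before this is closed out. The label also copies the description's parenthetical verbatim, "HL7 (Health Level 7) FHIR Core Libraries"; the shorter "HL7 FHIR Core Libraries" is what people will grep for.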
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9dac6589 by Salvatore Bonaccorso at 2023-01-26T08:11:13+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80320,9 +80320,9 @@ CVE-2022-23816 CVE-2022-23815 RESERVED CVE-2022-23814 (Failure to validate addresses provided by software to BIOS commands ma ...) - TODO: check + NOT-FOR-US: AMD CVE-2022-23813 (The software interfaces to ASP and SMU may not enforce the SNP memory ...) - TODO: check + NOT-FOR-US: AMD CVE-2022-22146 (Cross-site scripting vulnerability in TransmitMail 2.5.0 to 2.6.1 allo ...) NOT-FOR-US: TransmitMail CVE-2022-21193 (Directory traversal vulnerability in TransmitMail 2.5.0 to 2.6.1 allow ...) @@ -141789,7 +141789,8 @@ CVE-2021-26348 (Failure to flush the Translation Lookaside Buffer (TLB) of the I CVE-2021-26347 (Failure to validate the integer operand in ASP (AMD Secure Processor) ...) NOT-FOR-US: AMD CVE-2021-26346 (Failure to validate the integer operand in ASP (AMD Secure Processor) ...) - TODO: check + NOT-FOR-US: AMD + NOTE: https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1031 CVE-2021-26345 RESERVED CVE-2021-26344 
@@ -141853,7 +141854,7 @@ CVE-2021-26318 (A timing and power-based side channel attack leveraging the x86 CVE-2021-26317 (Failure to verify the protocol in SMM may allow an attacker to control ...) NOT-FOR-US: AMD CVE-2021-26316 (Failure to validate the communication buffer and communication service ...) - TODO: check + NOT-FOR-US: AMD CVE-2021-26315 (When the AMD Platform Security Processor (PSP) boot rom loads, authent ...) NOT-FOR-US: AMD CVE-2021-26314 (Potential floating point value injection in all supported CPU products ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9dac658974e0557f8663eb26d8829d46bb2c6da3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9dac658974e0557f8663eb26d8829d46bb2c6da3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
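Review bot: the AMD-SB-1031 bulletin NOTE is added only to CVE-2021-26346, while CVE-2021-26316 and the two CVE-2022-2381x ASP/SMU entries in the same commit get a bare `NOT-FOR-US: AMD`; if the same bulletin covers those ids, add the link there as well, otherwise the next person re-checking an AMD firmware CVE has to rediscover the source. All four are platform-firmware issues (ASP, SMU, SMM, BIOS command validation), so NOT-FOR-US is correct as long as none of them ends up shipped as a CPU microcode update, which would instead need tracking against the microcode package.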
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8920c8cc by Salvatore Bonaccorso at 2023-01-26T07:49:30+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5135,6 +5135,7 @@ CVE-2023-22737 RESERVED CVE-2023-22736 RESERVED + NOT-FOR-US: Argo CD CVE-2023-22735 RESERVED CVE-2023-22734 (Shopware is an open source commerce platform based on Symfony Framewor ...) @@ -6133,7 +6134,7 @@ CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) TODO: check CVE-2023-22482 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...) - TODO: check + NOT-FOR-US: Argo CD CVE-2023-22481 RESERVED CVE-2023-22480 (KubeOperator is an open source Kubernetes distribution focused on help ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8920c8cce59ec01ba78ecaecf9ff3174f904c63a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8920c8cce59ec01ba78ecaecf9ff3174f904c63a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
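Review bot: the `NOT-FOR-US: Argo CD` line under CVE-2023-22736 sits beneath an entry that is still RESERVED, so the assignment came from an out-of-band source before the CVE text exists; that is fine, but a NOTE with the advisory URL would let the next reviewer verify the mapping once the description is auto-filled. Separately, the cmark-gfm entries CVE-2023-22483 and CVE-2023-22484 directly above remain `TODO: check`, and as a C library they are far more likely than Argo CD to be in the archive, so they deserve the next triage pass.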
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add tiff to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ce7e10d8 by Anton Gladky at 2023-01-26T06:25:25+01:00 LTS: add tiff to dla-needed.txt - - - - - 9247fe01 by Anton Gladky at 2023-01-26T06:28:22+01:00 LTS: add bind9 to dla-needed.txt - - - - - a3f38955 by Anton Gladky at 2023-01-26T06:30:36+01:00 LTS: add libgit2 to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -26,6 +26,11 @@ asterisk NOTE: 20221211: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git -- +bind9 + NOTE: 20230126: Programming language: C. + NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/bind9.git + NOTE: 20230126: Special attention: Package is used in many cases. Please be very carefull with fix and upload!. +-- ceph (Stefano Rivera) NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. @@ -127,6 +132,11 @@ libapache2-mod-auth-mellon (Adrian Bunk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- +libgit2 + NOTE: 20230126: Programming language: C. + NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/libgit2.git + NOTE: 20230126: Please fix also CVE-2020* (gladk). +-- libhtml-stripscripts-perl (Utkarsh) NOTE: 20230125: Programming language: Perl. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git 
@@ -347,6 +357,11 @@ sox thunderbird (Emilio) NOTE: 20230123: Programming language: C++ -- +tiff + NOTE: 20230126: Programming language: C. + NOTE: 20230126: VCS: https://salsa.debian.org/lts-team/packages/tiff.git + NOTE: 20230126: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/tiff.html +-- tinymce NOTE: 20221227: Programming language: PHP. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0e06eda544305a780ac64c0ef55cdc4ba01311ae...a3f389554e3c95532d90e382713cccfe15177029 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0e06eda544305a780ac64c0ef55cdc4ba01311ae...a3f389554e3c95532d90e382713cccfe15177029 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
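Review bot: the libgit2 note "Please fix also CVE-2020* (gladk)" uses a wildcard where the other entries give concrete pointers (VCS, testsuite, "Follow fixes from bullseye 11.6"); list the actual CVE-2020 ids or the tracker query so the claimant does not have to guess which open issues are meant. Two nits in the bind9 note: "carefull" should be "careful" and the trailing "!." should be a single "!". The tiff entry is the only one of the three with a Testsuite link; if bind9 and libgit2 have one on the LTS wiki, add it, since both are packages where a regression is costly.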
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-22741/sofia-sip
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e06eda5 by Salvatore Bonaccorso at 2023-01-25T21:58:33+01:00 Add Debian bug reference for CVE-2023-22741/sofia-sip - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5122,7 +5122,7 @@ CVE-2023-22742 (libgit2 is a cross-platform, linkable library implementation of NOTE: https://github.com/libgit2/libgit2/commit/42e5db98b963ae503229c63e44e06e439df50e56 (v1.5.1) NOTE: https://github.com/libgit2/libgit2/security/advisories/GHSA-8643-3wh5-rmjq CVE-2023-22741 (Sofia-SIP is an open-source SIP User-Agent library, compliant with the ...) - - sofia-sip + - sofia-sip (bug #1029654) NOTE: https://github.com/freeswitch/sofia-sip/commit/9defd6f72dd416ee4fcc1a23cccbb159990da0f6 (v1.13.11) NOTE: https://github.com/freeswitch/sofia-sip/security/advisories/GHSA-8599-x7rq-fr54 CVE-2023-22740 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e06eda544305a780ac64c0ef55cdc4ba01311ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e06eda544305a780ac64c0ef55cdc4ba01311ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
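Review bot: bug #1029654 is now referenced, but the entry still has neither a fixed version nor a severity, and the NOTE already shows the upstream fix landed in v1.13.11; once the unstable upload happens, record it as `- sofia-sip <version> (bug #1029654)` and settle the `[bullseye]` status in the same change. The bug number is consecutive with the tiff one (#1029653), so the two were filed together and the same follow-up applies to both.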
[Git][security-tracker-team/security-tracker][master] Add bind9 to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 249d031a by Salvatore Bonaccorso at 2023-01-25T21:55:21+01:00 Add bind9 to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -11,6 +11,9 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +bind9 + Maintainer uploaded bullseye-security update -- chromium -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/249d031aa0ce84c38c483adad6e4ec1bd59e20fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/249d031aa0ce84c38c483adad6e4ec1bd59e20fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
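Review bot: the new bind9 entry carries no uid, yet its note says the maintainer has already uploaded to bullseye-security, so the remaining work is review and DSA release rather than preparing the fix; whoever picks it up should add their uid as the file header asks. Listing the ids the upload covers (the three bind9 entries fixed in 1:9.18.11-1 elsewhere on this page: CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) in the note would let the DSA text be drafted without re-deriving them.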
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-48281/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 868d62e7 by Salvatore Bonaccorso at 2023-01-25T21:53:54+01:00 Add Debian bug reference for CVE-2022-48281/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1116,7 +1116,7 @@ CVE-2023-0435 (Excessive Attack Surface in GitHub repository pyload/pyload prior CVE-2022-4895 RESERVED CVE-2022-48281 (processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has ...) - - tiff + - tiff (bug #1029653) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d1b6b9c1b3cae2d9e37754506c1ad8f4f7b646b5 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/488 CVE-2022-48280 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/868d62e7686702cfbf8925e06747183cc7a408ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/868d62e7686702cfbf8925e06747183cc7a408ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
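Review bot: the description pins the issue to `processCropSelections in tools/tiffcrop.c`, i.e. the tiffcrop command-line utility rather than libtiff itself; the entry should say so, either with a severity marker in the form the freedroidrpg entries use (`(low; bug #964197)`) or with a NOTE, so release triage does not treat this as a library issue affecting every reverse dependency. The upstream fix commit d1b6b9c1 is already linked, which is what a stable or LTS backport will need.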
[Git][security-tracker-team/security-tracker][master] Track proposed libxpm update via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 740a6a98 by Salvatore Bonaccorso at 2023-01-25T21:34:28+01:00 Track propsed libxpm update via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -96,3 +96,9 @@ CVE-2022-37436 [bullseye] - apache2 2.4.55-1~deb11u1 CVE-2022-38223 [bullseye] - w3m 0.5.3+git20210102-6+deb11u1 +CVE-2022-4883 + [bullseye] - libxpm 1:3.5.12-1.1~deb11u1 +CVE-2022-44617 + [bullseye] - libxpm 1:3.5.12-1.1~deb11u1 +CVE-2022-46285 + [bullseye] - libxpm 1:3.5.12-1.1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/740a6a98d5b4baa22a07c16d9c67cdcd52eef3c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/740a6a98d5b4baa22a07c16d9c67cdcd52eef3c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
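Review bot: the three libxpm entries point at 1:3.5.12-1.1~deb11u1, a bullseye-pu rebuild of the unstable revision, which is the right shape for next-point-update.txt; the tracker only marks the CVEs fixed in bullseye once the point release ships, so until then the matching entries in data/CVE/list need a `[bullseye]` annotation saying the fix goes via point update rather than DSA, or they will keep showing as open with no explanation. Also "propsed" in the commit message should read "proposed".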
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58e5b611 by Salvatore Bonaccorso at 2023-01-25T21:15:02+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23022,7 +23022,7 @@ CVE-2022-43919 CVE-2022-43918 RESERVED CVE-2022-43917 (IBM WebSphere Application Server 8.5 and 9.0 traditional container use ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-43916 RESERVED CVE-2022-43915 @@ -23128,7 +23128,7 @@ CVE-2022-43866 CVE-2022-43865 RESERVED CVE-2022-43864 (IBM Business Automation Workflow 22.0.2 could allow a remote attacker ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-43863 RESERVED CVE-2022-43862 @@ -36662,7 +36662,7 @@ CVE-2022-38760 CVE-2022-38759 RESERVED CVE-2022-38758 (Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to ve ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2022-38757 (A vulnerability has been identified in Micro Focus ZENworks 2020 Updat ...) NOT-FOR-US: Micro Focus CVE-2022-38756 (A vulnerability has been identified in Micro Focus GroupWise Web in ve ...) 
@@ -85203,7 +85203,7 @@ CVE-2022-22464 (IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2 CVE-2022-22463 (IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, an ...) NOT-FOR-US: IBM CVE-2022-22462 (IBM Security Verify Governance, Identity Manager virtual appliance com ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-22461 (IBM Security Verify Governance, Identity Manager 10.0.1 uses weaker th ...) NOT-FOR-US: IBM CVE-2022-22460 (IBM Security Verify Identity Manager 10.0 contains sensitive informati ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58e5b611c5a27467e2087e9f6be37bb809e00241 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58e5b611c5a27467e2087e9f6be37bb809e00241 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
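Review bot: all four flips from `TODO: check` to NOT-FOR-US match the labels already used for the neighbouring IBM and Micro Focus entries, so nothing to change; one nit is that CVE-2022-38758 names NetIQ iManager in its description but is labelled "Micro Focus" like the ZENworks and GroupWise entries, which is consistent but means a later search by product name will not find it.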
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2020-1493{8,9}/freedroidrpg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc5dc6bc by Salvatore Bonaccorso at 2023-01-25T21:11:02+01:00 Add additional reference for CVE-2020-1493{8,9}/freedroidrpg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -199464,6 +199464,7 @@ CVE-2020-14939 (An issue was discovered in savestruct_internal.c in FreedroidRPG [stretch] - freedroidrpg (Minor issue) [jessie] - freedroidrpg (games are not supported) NOTE: https://bugs.freedroid.org/b/issue953 + NOTE: https://bugs.freedroid.org/b/issue967 NOTE: https://logicaltrust.net/blog/2020/02/freedroid.html CVE-2020-14938 (An issue was discovered in map.c in FreedroidRPG 1.0rc2. It assumes le ...) - freedroidrpg 1.0-1 (low; bug #964197) @@ -199472,6 +199473,7 @@ CVE-2020-14938 (An issue was discovered in map.c in FreedroidRPG 1.0rc2. It assu [stretch] - freedroidrpg (Minor issue) [jessie] - freedroidrpg (games are not supported) NOTE: https://bugs.freedroid.org/b/issue952 + NOTE: https://bugs.freedroid.org/b/issue967 NOTE: https://logicaltrust.net/blog/2020/02/freedroid.html CVE-2020-14937 (Memory access out of buffer boundaries issues was discovered in Contik ...) NOT-FOR-US: Contiki-NG View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc5dc6bcf6eeef707cbfd8d1cf99cb042ab46c06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc5dc6bcf6eeef707cbfd8d1cf99cb042ab46c06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
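Review bot: issue967 is added verbatim to both CVE-2020-14938 and CVE-2020-14939 without saying what it is; the entries already link issue952 and issue953 (one per CVE) plus the logicaltrust write-up, so a short annotation on the new NOTE, in the style of the `(v1.5.1)` suffix used on fix-commit NOTEs elsewhere in this file, would tell the next reader whether issue967 is the upstream fix, a duplicate report, or a tracking bug.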
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e3f5a46d by security tracker role at 2023-01-25T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,69 @@ +CVE-2023-24530 + RESERVED +CVE-2023-24529 + RESERVED +CVE-2023-24528 + RESERVED +CVE-2023-24527 + RESERVED +CVE-2023-24526 + RESERVED +CVE-2023-24525 + RESERVED +CVE-2023-24524 + RESERVED +CVE-2023-24523 + RESERVED +CVE-2023-24522 + RESERVED +CVE-2023-24521 + RESERVED +CVE-2023-24520 + RESERVED +CVE-2023-24519 + RESERVED +CVE-2023-24518 + RESERVED +CVE-2023-24517 + RESERVED +CVE-2023-24516 + RESERVED +CVE-2023-24515 + RESERVED +CVE-2023-24514 + RESERVED +CVE-2023-23546 + RESERVED +CVE-2023-0507 + RESERVED +CVE-2023-0506 + RESERVED +CVE-2023-0505 + RESERVED +CVE-2023-0504 + RESERVED +CVE-2023-0503 + RESERVED +CVE-2023-0502 + RESERVED +CVE-2023-0501 + RESERVED +CVE-2023-0500 + RESERVED +CVE-2023-0499 + RESERVED +CVE-2023-0498 + RESERVED +CVE-2023-0497 + RESERVED +CVE-2023-0496 + RESERVED +CVE-2023-0495 + RESERVED +CVE-2023-0494 + RESERVED +CVE-2022-4897 + RESERVED CVE-2023-24513 RESERVED CVE-2023-24512 @@ -8,7 +74,7 @@ CVE-2023-24510 RESERVED CVE-2023-24509 RESERVED -CVE-2023-24508 (Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with ...) +CVE-2023-24508 (Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB and Nova 246 ...) TODO: check CVE-2023-24507 RESERVED @@ -3649,8 +3715,8 @@ CVE-2023-23153 RESERVED CVE-2023-23152 RESERVED -CVE-2023-23151 - RESERVED +CVE-2023-23151 (bloofoxCMS v0.5.2.1 was discovered to contain an arbitrary file deleti ...) + TODO: check CVE-2023-23150 RESERVED CVE-2023-23149 
@@ -6066,8 +6132,8 @@ CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re TODO: check CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) TODO: check -CVE-2023-22482 - RESERVED +CVE-2023-22482 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...) + TODO: check CVE-2023-22481 RESERVED CVE-2023-22480 (KubeOperator is an open source Kubernetes distribution focused on help ...) @@ -7878,8 +7944,8 @@ CVE-2022-47769 RESERVED CVE-2022-47768 RESERVED -CVE-2022-47767 - RESERVED +CVE-2022-47767 (A backdoor in Solar-Log Gateway products allows remote access via web ...) + TODO: check CVE-2022-47766 (PopojiCMS v2.0.1 backend plugin function has a file upload vulnerabili ...) NOT-FOR-US: PopojiCMS CVE-2022-47765 @@ -9928,8 +9994,8 @@ CVE-2022-4512 RESERVED CVE-2022-4511 (A vulnerability has been found in RainyGao DocSys and classified as cr ...) NOT-FOR-US: RainyGao DocSys -CVE-2022-4510 - RESERVED +CVE-2022-4510 (A path traversal vulnerability was identified in ReFirm Labs binwalk f ...) + TODO: check CVE-2022-4509 (The Content Control WordPress plugin before 1.1.10 does not validate a ...) NOT-FOR-US: WordPress plugin CVE-2022-43494 (An unauthorized user could be able to read any file on the system, pot ...) @@ -11253,10 +11319,10 @@ CVE-2022-47001 RESERVED CVE-2022-47000 RESERVED -CVE-2022-46999 - RESERVED -CVE-2022-46998 - RESERVED +CVE-2022-46999 (Tuzicms v2.0.6 was discovered to contain a SQL injection vulnerability ...) + TODO: check +CVE-2022-46998 (An issue in the website background of taocms v3.0.2 allows attackers t ...) + TODO: check CVE-2022-46997 (Passhunt commit 54eb987d30ead2b8ebbf1f0b880aa14249323867 was discovere ...) NOT-FOR-US: Passhunt CVE-2022-46996 (vSphere_selfuse commit 2a9fe074a64f6a0dd8ac02f21e2f10d66cac5749 was di ...) 
@@ -22955,8 +23021,8 @@ CVE-2022-43919 RESERVED CVE-2022-43918 RESERVED -CVE-2022-43917 - RESERVED +CVE-2022-43917 (IBM WebSphere Application Server 8.5 and 9.0 traditional container use ...) + TODO: check CVE-2022-43916 RESERVED CVE-2022-43915 @@ -23061,8 +23127,8 @@ CVE-2022-43866 RESERVED CVE-2022-43865 RESERVED -CVE-2022-43864 - RESERVED +CVE-2022-43864 (IBM Business Automation Workflow 22.0.2 could allow a remote attacker ...) + TODO: check CVE-2022-43863 RESERVED CVE-2022-43862 @@ -36595,8 +36661,8 @@ CVE-2022-38760 RESERVED CVE-2022-38759 RESERVED -CVE-2022-38758 - RESERVED +CVE-2022-38758 (Cross-site Scripting (XSS) vulnerability in NetIQ iManager prior to ve ...) + TODO: check CVE-2022-38757 (A vulnerability has been identified in Micro Focus
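Review bot: among the entries this automatic run flipped from RESERVED to `TODO: check`, CVE-2022-4510 (path traversal in ReFirm Labs binwalk) is the one most likely to concern a packaged tool and is not handled by any of the follow-up commits on this page, unlike the IBM, Micro Focus, Argo CD and Baicells entries that were processed shortly afterwards; it should be triaged before the next NFU pass. The archived diff is cut off inside the CVE-2022-38757 context line, so the rest of this update cannot be reviewed here.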
[Git][security-tracker-team/security-tracker][master] new bind issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a9d1dede by Moritz Muehlenhoff at 2023-01-25T20:29:23+01:00 new bind issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17063,6 +17063,8 @@ CVE-2022-3925 (The buddybadges WordPress plugin through 1.0.0 does not sanitise NOT-FOR-US: WordPress plugin CVE-2022-3924 RESERVED + - bind9 + NOTE: https://kb.isc.org/docs/cve-2022-3924 CVE-2022-3923 (The ActiveCampaign for WooCommerce WordPress plugin through 1.9.6 does ...) NOT-FOR-US: WordPress plugin CVE-2022-3922 (The Broken Link Checker WordPress plugin before 1.11.20 does not sanit ...) @@ -21570,6 +21572,8 @@ CVE-2022-43959 (Insufficiently Protected Credentials in the AD/LDAP server setti TODO: check CVE-2022-3736 RESERVED + - bind9 + NOTE: https://kb.isc.org/docs/cve-2022-3736 CVE-2022-3735 (A vulnerability was found in seccome Ehoney. It has been rated as crit ...) NOT-FOR-US: seccome Ehoney CVE-2022-3734 (** DISPUTED ** A vulnerability was found in a port or fork of Redis. I ...) 
@@ -35299,6 +35303,8 @@ CVE-2022-3095 (The implementation of backslash parsing in the Dart URI class for NOT-FOR-US: Dart language (different from src:dart) CVE-2022-3094 RESERVED + - bind9 + NOTE: https://kb.isc.org/docs/cve-2022-3094 CVE-2022-39197 (An XSS (Cross Site Scripting) vulnerability was found in HelpSystems C ...) NOT-FOR-US: Cobalt Strike CVE-2022-39196 (Blackboard Learn 1.10.1 allows remote authenticated users to read unin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9d1dede2496b1e9fa2ad174713850a2fe0378ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9d1dede2496b1e9fa2ad174713850a2fe0378ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
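Review bot: all three bind9 entries are still RESERVED, so the only readable information is the kb.isc.org URL; adding a bracketed short title after the CVE id, as done for the wireshark entries on this page (`CVE-2023-0412 [wnpa-sec-2023-07: TIPC dissector crash]`), would make the three distinguishable in the list before MITRE publishes the descriptions. The bare `- bind9` line with no version is the correct placeholder for unstable pending the fixed upload.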
[Git][security-tracker-team/security-tracker][master] Track fixed version for bind9 issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb13e725 by Salvatore Bonaccorso at 2023-01-25T20:55:00+01:00 Track fixed version for bind9 issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17063,7 +17063,7 @@ CVE-2022-3925 (The buddybadges WordPress plugin through 1.0.0 does not sanitise NOT-FOR-US: WordPress plugin CVE-2022-3924 RESERVED - - bind9 + - bind9 1:9.18.11-1 NOTE: https://kb.isc.org/docs/cve-2022-3924 CVE-2022-3923 (The ActiveCampaign for WooCommerce WordPress plugin through 1.9.6 does ...) NOT-FOR-US: WordPress plugin @@ -21572,7 +21572,7 @@ CVE-2022-43959 (Insufficiently Protected Credentials in the AD/LDAP server setti TODO: check CVE-2022-3736 RESERVED - - bind9 + - bind9 1:9.18.11-1 NOTE: https://kb.isc.org/docs/cve-2022-3736 CVE-2022-3735 (A vulnerability was found in seccome Ehoney. It has been rated as crit ...) NOT-FOR-US: seccome Ehoney @@ -35307,7 +35307,7 @@ CVE-2022-3095 (The implementation of backslash parsing in the Dart URI class for NOT-FOR-US: Dart language (different from src:dart) CVE-2022-3094 RESERVED - - bind9 + - bind9 1:9.18.11-1 NOTE: https://kb.isc.org/docs/cve-2022-3094 CVE-2022-39197 (An XSS (Cross Site Scripting) vulnerability was found in HelpSystems C ...) NOT-FOR-US: Cobalt Strike View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb13e72536d19f94bd7aeca7ecd75a62b028e51f
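Review bot: the three hunks consistently record `bind9 1:9.18.11-1` (epoch 1) as the unstable fix for CVE-2022-3924, CVE-2022-3736 and CVE-2022-3094, but no `[bullseye]` or `[buster]` lines are added, so both stable suites remain flagged as affected; if the fix is going out through a DSA, adding the suite status in the same commit, or a NOTE saying it is pending, keeps the tracker from listing them as unhandled in the meantime.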
[Git][security-tracker-team/security-tracker][master] new xen issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 137863a0 by Moritz Muehlenhoff at 2023-01-25T20:31:42+01:00 new xen issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27336,6 +27336,10 @@ CVE-2022-42331 RESERVED CVE-2022-42330 RESERVED + - xen + [bullseye] - xen (Only affects 4.17) + [buster] - xen (Only affects 4.17) + NOTE: https://xenbits.xen.org/xsa/advisory-425.html CVE-2022-42329 (Guests can trigger deadlock in Linux netback driver T[his CNA informat ...) {DLA-3245-1 DLA-3244-1} - linux 6.0.12-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/137863a01592cad7c8a13f63422722e461f135ed
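Review bot: the new CVE-2022-42330 entry leaves the unstable line as `- xen` with no fixed version, while the `[bullseye]`/`[buster]` lines carry the reason `(Only affects 4.17)`; as rendered here there is no status marker between the package name and the reason, so confirm the committed lines carry the `<not-affected>` tag the tracker syntax uses for that kind of reason (the libde265 `(Minor issue, ...)` lines further down this digest also appear without their angle-bracket tags, so the mail rendering rather than the commit may be responsible). Linking the XSA (advisory-425) is good; the upstream fixed version, once known, belongs on the `- xen` line.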
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ba44d12b by Moritz Muehlenhoff at 2023-01-25T20:15:37+01:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -120,16 +120,16 @@ CVE-2023-0476 CVE-2023-0475 RESERVED CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 109.0.5414.119 a ...) - - chromium + - chromium 109.0.5414.119-1 [buster] - chromium (see DSA 5046) CVE-2023-0473 (Type Confusion in ServiceWorker API in Google Chrome prior to 109.0.54 ...) - - chromium + - chromium 109.0.5414.119-1 [buster] - chromium (see DSA 5046) CVE-2023-0472 (Use after free in WebRTC in Google Chrome prior to 109.0.5414.119 allo ...) - - chromium + - chromium 109.0.5414.119-1 [buster] - chromium (see DSA 5046) CVE-2023-0471 (Use after free in WebTransport in Google Chrome prior to 109.0.5414.11 ...) - - chromium + - chromium 109.0.5414.119-1 [buster] - chromium (see DSA 5046) CVE-2023-0470 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba44d12bda695c63f3ddfb7612e7e142b8809ad0
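Review bot: the fixed version `109.0.5414.119-1` matches the `prior to 109.0.5414.119` cut-off in each of the four descriptions (CVE-2023-0474 down to CVE-2023-0471), so the unstable side is consistent; bullseye has no suite line in any of the hunks and will stay flagged as affected until a DSA or no-dsa annotation lands, while buster keeps its `(see DSA 5046)` reference. Worth a grep that no other CVE from the same 109.0.5414.119 batch was left at a bare `- chromium` elsewhere in the file.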
[Git][security-tracker-team/security-tracker][master] sgt-puzzles fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c8c45956 by Moritz Muehlenhoff at 2023-01-25T16:28:35+01:00 sgt-puzzles fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2484,7 +2484,7 @@ CVE-2023-0307 (Weak Password Requirements in GitHub repository thorsten/phpmyfaq CVE-2023-0306 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) NOT-FOR-US: phpmyfaq CVE-2023- [Multiple integer overflow and buffer overflow issues in game loading] - - sgt-puzzles (bug #1028986) + - sgt-puzzles 20230122.806ae71-1 (bug #1028986) [bullseye] - sgt-puzzles (Minor issue) [buster] - sgt-puzzles (Minor issue) CVE-2023-0305 (A vulnerability classified as critical was found in SourceCodester Onl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8c459564af540155fb0d3de14721ebc031fc03a
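Review bot: the entry is still keyed on the placeholder `CVE-2023-` with a bracketed summary, so when an id is assigned the fixed version `20230122.806ae71-1` and bug #1028986 have to be carried over to the new line rather than re-entered; the version string encodes a dated upstream git snapshot (20230122.806ae71), so bug #1028986 should say which upstream commits that snapshot includes, otherwise the `(Minor issue)` assessment for bullseye and buster cannot later be checked against the same fix.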
[Git][security-tracker-team/security-tracker][master] DLA: Take several packages
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab011c77 by Adrian Bunk at 2023-01-25T15:58:17+02:00 DLA: Take several packages (Too) many (mostly small) packages I am taking after an initial triage round that look doable for me for working my January hours before Monday (perhaps with 1-3 leftover packages for February). - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,7 +47,7 @@ curl NOTE: 20230103: Sorted out issue with broken CVE fix in stable, working with secteam to land the fix (roberto) NOTE: 20230103: Packages ready for bullseye and buster, syncing ELTS releases (roberto) -- -dojo +dojo (Adrian Bunk) NOTE: 20230105: Programming language: JavaScript. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- @@ -57,7 +57,7 @@ erlang NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. -- -fig2dev +fig2dev (Adrian Bunk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Harmonize with bullseye 11.5 and stretch (Beuc/front-desk) -- @@ -123,7 +123,7 @@ lemonldap-ng (guilhem) NOTE: 20230105: Programming language: Perl. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -libapache2-mod-auth-mellon +libapache2-mod-auth-mellon (Adrian Bunk) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- @@ -131,7 +131,7 @@ libhtml-stripscripts-perl (Utkarsh) NOTE: 20230125: Programming language: Perl. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git -- -libreoffice +libreoffice (Adrian Bunk) NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git -- 
@@ -139,7 +139,7 @@ libsdl2 (Markus Koschany) NOTE: 2022: Programming language: C. NOTE: 2022: Sync with jessie/stretch/bullseye (Beuc/front-desk) -- -libstb +libstb (Adrian Bunk) NOTE: 2022: Programming language: C. -- libzen (Thorsten Alteholz) @@ -206,7 +206,7 @@ node-object-path NOTE: 2022: Follow fixes from bullseye 11.1 (Beuc/front-desk) NOTE: 20221223: Functional part of CVE-2021-3805 might be https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby) -- -node-qs +node-qs (Adrian Bunk) NOTE: 20230105: Programming language: JavaScript. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- @@ -301,7 +301,7 @@ ruby-rails-html-sanitizer NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: VCS: https://salsa.debian.org/lts-team/packages/ruby-rails-html-sanitizer.git -- -ruby-sidekiq +ruby-sidekiq (Adrian Bunk) NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). -- @@ -334,7 +334,7 @@ snort (Markus Koschany) NOTE: 20230121: Prepared new upstream version for unstable which we could NOTE: 20230121: backport to buster later. See https://bugs.debian.org/1021276 -- -sofia-sip +sofia-sip (Adrian Bunk) NOTE: 20230125: Programming language: C. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/sofia-sip.git -- 
@@ -373,7 +373,7 @@ xrdp (Abhijith PA) NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith) -- -zabbix +zabbix (Adrian Bunk) NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too. NOTE: 20221209: Programming language: C. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab011c77e71df5252468c3929d61a2cbfab94c39
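Review bot: the nine claims add only the `(Adrian Bunk)` marker and no dated `NOTE: 20230125:` line, unlike the surrounding entries which log each state change with a date, so the plan in the commit message (January hours, one to three packages possibly slipping to February) survives only in git history; a short dated NOTE on the larger items such as libreoffice and zabbix would let the front desk see the expected timeline in dla-needed.txt itself. The claim format matches the existing `package (Name)` convention already used for libsdl2 and libzen.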
[Git][security-tracker-team/security-tracker][master] virtualbox fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 72b59d6d by Moritz Muehlenhoff at 2023-01-25T13:56:50+01:00 virtualbox fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9280,9 +9280,9 @@ CVE-2023-21901 CVE-2023-21900 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2023-21899 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox (bug #1029153) + - virtualbox 7.0.6-dfsg-1 (bug #1029153) CVE-2023-21898 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox (bug #1029153) + - virtualbox 7.0.6-dfsg-1 (bug #1029153) CVE-2023-21897 RESERVED CVE-2023-21896 
@@ -9300,17 +9300,17 @@ CVE-2023-21891 (Vulnerability in the Oracle Business Intelligence Enterprise Edi CVE-2023-21890 (Vulnerability in the Oracle Communications Converged Application Serve ...) NOT-FOR-US: Oracle CVE-2023-21889 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox (bug #1029153) + - virtualbox 7.0.6-dfsg-1 (bug #1029153) CVE-2023-21888 (Vulnerability in the Primavera Gateway product of Oracle Construction ...) NOT-FOR-US: Oracle CVE-2023-21887 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.32-1 (bug #1029151) CVE-2023-21886 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox (bug #1029153) + - virtualbox 7.0.6-dfsg-1 (bug #1029153) CVE-2023-21885 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox (bug #1029153) + - virtualbox 7.0.6-dfsg-1 (bug #1029153) CVE-2023-21884 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox (bug #1029153) + - virtualbox 7.0.6-dfsg-1 (bug #1029153) CVE-2023-21883 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.32-1 (bug #1029151) CVE-2023-21882 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72b59d6d90137cc1770b281c0cb47f879d1e86ca
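Review bot: all six VirtualBox entries across the two hunks (CVE-2023-21899, CVE-2023-21898, CVE-2023-21889, CVE-2023-21886, CVE-2023-21885, CVE-2023-21884) get the same fixed version `7.0.6-dfsg-1` against bug #1029153, which matches the one-bug-per-upstream-release pattern the adjacent mysql-8.0 lines (`8.0.32-1`, bug #1029151) already use; the first hunk ends at CVE-2023-21896 and the second starts at CVE-2023-21891, so confirm that no VirtualBox CVE in the gap between them was left at the old `- virtualbox (bug #1029153)` form.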
[Git][security-tracker-team/security-tracker][master] freedroidrpg
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a4f7345 by Moritz Muehlenhoff at 2023-01-25T12:41:49+01:00 freedroidrpg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -199374,7 +199374,7 @@ CVE-2020-14940 (An issue was discovered in io/gpx/GPXDocumentReader.java in TuxG NOTE: https://logicaltrust.net/blog/2020/06/tuxguitar.html NOTE: https://sourceforge.net/p/tuxguitar/bugs/126/ CVE-2020-14939 (An issue was discovered in savestruct_internal.c in FreedroidRPG 1.0rc ...) - - freedroidrpg (low; bug #964197) + - freedroidrpg 1.0-1 (low; bug #964197) [bullseye] - freedroidrpg (Minor issue) [buster] - freedroidrpg (Minor issue) [stretch] - freedroidrpg (Minor issue) @@ -199382,7 +199382,7 @@ CVE-2020-14939 (An issue was discovered in savestruct_internal.c in FreedroidRPG NOTE: https://bugs.freedroid.org/b/issue953 NOTE: https://logicaltrust.net/blog/2020/02/freedroid.html CVE-2020-14938 (An issue was discovered in map.c in FreedroidRPG 1.0rc2. It assumes le ...) - - freedroidrpg (low; bug #964197) + - freedroidrpg 1.0-1 (low; bug #964197) [bullseye] - freedroidrpg (Minor issue) [buster] - freedroidrpg (Minor issue) [stretch] - freedroidrpg (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a4f7345ede0c3d0cdc7dec1ce852c773a23bbcc
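Review bot: the commit message `freedroidrpg` does not say what changed; the sibling commits in this digest use `<package> fixed in sid`, and the same wording here would keep `git log` searchable. The two hunks are otherwise consistent: CVE-2020-14939 and CVE-2020-14938 both move from `- freedroidrpg (low; bug #964197)` to `- freedroidrpg 1.0-1 (low; bug #964197)`, keeping severity and bug reference, and the `(Minor issue)` lines for bullseye, buster and stretch are untouched, which is the expected shape for a sid-only fix.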
[Git][security-tracker-team/security-tracker][master] Take libhtml-stripscripts-perl
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: df378eb6 by Utkarsh Gupta at 2023-01-25T16:08:06+05:30 Take libhtml-stripscripts-perl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -127,7 +127,7 @@ libapache2-mod-auth-mellon NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) -- -libhtml-stripscripts-perl +libhtml-stripscripts-perl (Utkarsh) NOTE: 20230125: Programming language: Perl. NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/libhtml-stripscripts-perl.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df378eb61a2b234b7f46c7e2105aad9db6a45198
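Review bot: the claim marker `(Utkarsh)` is a first name while neighbouring claims use full names (`Adrian Bunk`, `Markus Koschany`) or an established nick (`guilhem`); either works as long as the same string is used in the `NOTE:` attributions, so keep it consistent with whatever the later progress notes will carry. As with the other take commits, no dated `NOTE: 20230125:` line records the claim itself, so the claim date is only in git history.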
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8083ef79 by Salvatore Bonaccorso at 2023-01-25T10:29:34+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -394,7 +394,7 @@ CVE-2023-0450 CVE-2023-0449 RESERVED CVE-2023-0448 (The WP Helper Lite WordPress plugin, in versions 4.3, returns all ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-0447 (The My YouTube Channel plugin for WordPress is vulnerable to authoriza ...) NOT-FOR-US: My YouTube Channel plugin for WordPress CVE-2023-0446 (The My YouTube Channel plugin for WordPress is vulnerable to Stored Cr ...) @@ -72022,7 +72022,7 @@ CVE-2022-26331 (Potential vulnerabilities have been identified in Micro Focus Ar CVE-2022-26330 (Potential vulnerabilities have been identified in Micro Focus ArcSight ...) NOT-FOR-US: Micro Focus CVE-2022-26329 (File existence disclosure vulnerability in NetIQ Identity Manager plug ...) - TODO: check + NOT-FOR-US: Micro Focus CVE-2022-26328 RESERVED CVE-2022-26327 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8083ef79f6e198e6e37f32219a3caac5ef07afd2
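Review bot: both hunks turn `TODO: check` into `NOT-FOR-US`, which is the right outcome for a WordPress plugin and a Micro Focus product, but the CVE-2022-26329 reason `NOT-FOR-US: Micro Focus` does not mention NetIQ Identity Manager, the product the description actually names, so a later search for NetIQ will not find it; `NOT-FOR-US: Micro Focus NetIQ Identity Manager` would help (the ArcSight entry just above uses the bare vendor too, so this is a consistency nit rather than an error). Likewise CVE-2023-0448 gets the generic `WordPress plugin` while the adjacent My YouTube Channel entries name the plugin; either form is accepted, naming it is easier to grep.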
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 890f5de0 by security tracker role at 2023-01-25T08:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,67 @@ +CVE-2023-24513 + RESERVED +CVE-2023-24512 + RESERVED +CVE-2023-24511 + RESERVED +CVE-2023-24510 + RESERVED +CVE-2023-24509 + RESERVED +CVE-2023-24508 (Baicells Nova 227, Nova 233, and Nova 243 LTE TDD eNodeB devices with ...) + TODO: check +CVE-2023-24507 + RESERVED +CVE-2023-24506 + RESERVED +CVE-2023-24505 + RESERVED +CVE-2023-24504 + RESERVED +CVE-2023-24503 + RESERVED +CVE-2023-24502 + RESERVED +CVE-2023-24501 + RESERVED +CVE-2023-24500 + RESERVED +CVE-2023-24499 + RESERVED +CVE-2023-24498 + RESERVED +CVE-2023-24497 + RESERVED +CVE-2023-24496 + RESERVED +CVE-2023-0493 + RESERVED +CVE-2023-0492 + RESERVED +CVE-2023-0491 + RESERVED +CVE-2023-0490 + RESERVED +CVE-2023-0489 + RESERVED +CVE-2023-0488 + RESERVED +CVE-2023-0487 + RESERVED +CVE-2023-0486 + RESERVED +CVE-2023-0485 + RESERVED +CVE-2023-0484 + RESERVED +CVE-2023-0483 + RESERVED +CVE-2023-0482 + RESERVED +CVE-2023-0481 + RESERVED +CVE-2023-0480 + RESERVED CVE-2023- [SQL injection, sanitization, and login bypass] - spip 4.1.7+dfsg-1 [bullseye] - spip 3.2.11-3+deb11u6 
@@ -55,20 +119,16 @@ CVE-2023-0476 RESERVED CVE-2023-0475 RESERVED -CVE-2023-0474 - RESERVED +CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 109.0.5414.119 a ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-0473 - RESERVED +CVE-2023-0473 (Type Confusion in ServiceWorker API in Google Chrome prior to 109.0.54 ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-0472 - RESERVED +CVE-2023-0472 (Use after free in WebRTC in Google Chrome prior to 109.0.5414.119 allo ...) - chromium [buster] - chromium (see DSA 5046) -CVE-2023-0471 - RESERVED +CVE-2023-0471 (Use after free in WebTransport in Google Chrome prior to 109.0.5414.11 ...) - chromium [buster] - chromium (see DSA 5046) CVE-2023-0470 @@ -333,16 +393,16 @@ CVE-2023-0450 RESERVED CVE-2023-0449 RESERVED -CVE-2023-0448 - RESERVED +CVE-2023-0448 (The WP Helper Lite WordPress plugin, in versions 4.3, returns all ...) + TODO: check CVE-2023-0447 (The My YouTube Channel plugin for WordPress is vulnerable to authoriza ...) NOT-FOR-US: My YouTube Channel plugin for WordPress CVE-2023-0446 (The My YouTube Channel plugin for WordPress is vulnerable to Stored Cr ...) NOT-FOR-US: My YouTube Channel plugin for WordPress CVE-2023-0445 RESERVED -CVE-2023-0444 - RESERVED +CVE-2023-0444 (A privilege escalation vulnerability exists in Delta Electronics Infra ...) + TODO: check CVE-2023-0443 RESERVED CVE-2023-0442 @@ -1036,8 +1096,8 @@ CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial re NOT-FOR-US: Grand Theft Auto V for PC CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and schedu ...) NOT-FOR-US: Booked Scheduler -CVE-2023-24057 - RESERVED +CVE-2023-24057 (HL7 (Health Level 7) FHIR Core Libraries before 5.6.92 allow attackers ...) + TODO: check CVE-2023-24056 (In pkgconf through 1.9.3, variable duplication can cause unbounded str ...) - pkgconf 1.8.1-1 [bullseye] - pkgconf (Minor issue) 
@@ -1126,7 +1186,7 @@ CVE-2023-0431 RESERVED CVE-2020-36655 (Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary ...) - yii (bug #597899) -CVE-2023-24021 (In ModSecurity before 2.9.7, FILES_TMP_CONTENT sometimes lacked the co ...) +CVE-2023-24021 (Incorrect handling of '\0' bytes in file uploads in ModSecurity before ...) - modsecurity-apache 2.9.7-1 (bug #1029329) [bullseye] - modsecurity-apache (Minor issue) NOTE: https://github.com/SpiderLabs/ModSecurity/pull/2857 @@ -1374,20 +1434,20 @@ CVE-2023-23922 RESERVED CVE-2023-23921 RESERVED -CVE-2023-0417 - RESERVED -CVE-2023-0416 - RESERVED -CVE-2023-0415 - RESERVED -CVE-2023-0414 - RESERVED -CVE-2023-0413 - RESERVED -CVE-2023-0412 - RESERVED -CVE-2023-0411 - RESERVED +CVE-2023-0417 (Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and 3.6.0 ...) + TODO: check +CVE-2023-0416 (GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 an ...) + TODO: check +CVE-2023-0415 (iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 ...) + TODO: check
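Review bot: nothing to fix in an automatic import, but the hunks leave several new `TODO: check` items that need human triage: CVE-2023-24508 (Baicells eNodeB), CVE-2023-0444 (Delta Electronics), CVE-2023-24057 (HL7 FHIR core libraries) and the Wireshark dissector issues CVE-2023-0417, CVE-2023-0416 and CVE-2023-0415 (4.0.0 to 4.0.2 and 3.6.0 to 3.6.10), of which the Wireshark ones are the likely candidates for a `src:wireshark` entry. The excerpt ends mid-hunk after CVE-2023-0415, so the replacements for CVE-2023-0414 down to CVE-2023-0411, which the minus lines show being removed as RESERVED, are not visible here. The rewritten CVE-2023-24021 description (ModSecurity handling of `'\0'` bytes in uploads) leaves the `modsecurity-apache 2.9.7-1` fix line unchanged, as expected.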
[Git][security-tracker-team/security-tracker][master] Revert "more updates of fixed CVEs in libde265"
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 252c6414 by Tobias Frost at 2023-01-25T08:59:41+01:00 Revert more updates of fixed CVEs in libde265 This reverts commit f5ccb5ef5b6175f466ba53e1556a9dafda7cd7d0. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -184456,42 +184456,43 @@ CVE-2020-21607 CVE-2020-21606 (libde265 v1.0.4 contains a heap buffer overflow fault in the put_epel_ ...) - libde265 1.0.9-1 (bug #1014999) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/232 CVE-2020-21605 (libde265 v1.0.4 contains a segmentation fault in the apply_sao_interna ...) - libde265 1.0.9-1 (bug #1014999) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) - [buster] - libde265 1.0.3-1+deb10u1 + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/234 CVE-2020-21604 (libde265 v1.0.4 contains a heap buffer overflow fault in the _mm_loadl ...) - libde265 1.0.9-1 (bug #1014999) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) - [buster] - libde265 1.0.3-1+deb10u1 + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/231 CVE-2020-21603 (libde265 v1.0.4 contains a heap buffer overflow in the put_qpel_0_0_fa ...) - libde265 1.0.9-1 (bug #1014999) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) - [buster] - libde265 1.0.3-1+deb10u1 + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/240 CVE-2020-21602 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_bi ...) 
- libde265 1.0.9-1 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) - [buster] - libde265 1.0.3-1+deb10u1 + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/242 CVE-2020-21601 (libde265 v1.0.4 contains a stack buffer overflow in the put_qpel_fallb ...) - libde265 1.0.9-1 (bug #1014999) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) - [buster] - libde265 1.0.3-1+deb10u1 + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/241 CVE-2020-21600 (libde265 v1.0.4 contains a heap buffer overflow in the put_weighted_pr ...) - libde265 1.0.9-1 (bug #1004963) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) - [buster] - libde265 1.0.3-1+deb10u1 + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/243 CVE-2020-21599 (libde265 v1.0.4 contains a heap buffer overflow in the de265_image::av ...) 
@@ -184519,6 +184520,7 @@ CVE-2020-21596 (libde265 v1.0.4 contains a global buffer overflow in the decode_ CVE-2020-21595 (libde265 v1.0.4 contains a heap buffer overflow in the mc_luma functio ...) - libde265 1.0.9-1 (bug #1014999) [bullseye] - libde265 (Minor issue, revisit when fixed upstream) + [buster] - libde265 (Minor issue, revisit when fixed upstream) [stretch] - libde265 (Minor issue, revisit when fixed upstream) NOTE: https://github.com/strukturag/libde265/issues/239 CVE-2020-21594 (libde265 v1.0.4 contains a heap buffer overflow in the put_epel_hv_fal ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/252c6414ee9ea59b6c9b275b1dd7858290d71c9e
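Review bot: the commit message names the reverted hash (f5ccb5ef5b6175f466ba53e1556a9dafda7cd7d0) but not why the buster fixed version `1.0.3-1+deb10u1` is being withdrawn from six CVEs (CVE-2020-21605 down to CVE-2020-21600) and the `[buster]` minor-issue lines re-added for CVE-2020-21606 and CVE-2020-21595; a one-line reason (wrong version, upload not accepted, DLA not yet published) would stop the next person from re-applying the same change. Side observation from the context lines: CVE-2020-21602 and CVE-2020-21600 reference bug #1004963 while the rest of the batch references bug #1014999, which may be intentional but is worth a look while this region is being edited.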