[Git][security-tracker-team/security-tracker][master] CVE-2022-1949 mark as ignored for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d0d4bd4 by Anton Gladky at 2023-04-19T06:45:22+02:00 CVE-2022-1949 mark as ignored for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74312,6 +74312,7 @@ CVE-2022-1950 (The Youzify WordPress plugin before 1.2.0 does not sanitise and e NOT-FOR-US: WordPress plugin CVE-2022-1949 (An access control bypass vulnerability found in 389-ds-base. That mish ...) - 389-ds-base 2.3.1-1 (bug #1016446) + [buster] - 389-ds-base (Too intrusive too backport) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091781 NOTE: https://github.com/389ds/389-ds-base/issues/5170 NOTE: Fixed by: https://github.com/389ds/389-ds-base/commit/a444d3454bd719ac161c30d638983ab0ff66f1b8 (389-ds-base-2.0.16) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d0d4bd47c6264bed5e67d9f88353328fbb71264 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
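Review bot: the added buster line has a typo in its reason, "Too intrusive too backport" should read "Too intrusive to backport". As rendered here the line carries only the package name and a parenthesised reason with no status keyword between them; if the tag was dropped by the mail rendering rather than omitted in the commit there is nothing to do, otherwise the tracker will not record the entry as ignored for buster as the commit subject intends.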
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-1981/avahi
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aed53b23 by Salvatore Bonaccorso at 2023-04-19T06:40:47+02:00 Add Debian bug reference for CVE-2023-1981/avahi - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1312,7 +1312,7 @@ CVE-2023-1982 RESERVED CVE-2023-1981 [avahi-daemon can be crashed via DBus] RESERVED - - avahi + - avahi (bug #1034594) NOTE: https://github.com/lathiat/avahi/issues/375 NOTE: https://github.com/lathiat/avahi/pull/407 NOTE: https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aed53b232395943747f5fc9bae3007316edffefa
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3394-1 for asterisk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: e53f4701 by Markus Koschany at 2023-04-19T00:11:26+02:00 Reserve DLA-3394-1 for asterisk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Apr 2023] DLA-3394-1 asterisk - security update + {CVE-2023-27585} + [buster] - asterisk 1:16.28.0~dfsg-0+deb10u3 [18 Apr 2023] DLA-3393-1 protobuf - security update {CVE-2021-22569 CVE-2021-22570 CVE-2022-1941} [buster] - protobuf 3.6.1.3-2+deb10u1 = data/dla-needed.txt = @@ -26,11 +26,6 @@ apache2 NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- -asterisk (Markus Koschany) - NOTE: 20230418: Programming language: C. - NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git - NOTE: 20230418: Special attention: pjproject library is included in debian directory!. --- avahi NOTE: 20230418: Programming language: C++. NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/avahi.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e53f47010804f537adad2b6b313ed246cf388951
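Review bot: the new DLA-3394-1 entry in data/DLA/list reserves 1:16.28.0~dfsg-0+deb10u3 for buster against CVE-2023-27585 only; double-check that this version string matches the version in the uploaded package's debian/changelog before the announcement is sent, since the tracker keys the fix on it and a mismatch leaves the CVE open for buster.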
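Review bot: the dla-needed.txt hunk removes the "20230418: Special attention: pjproject library is included in debian directory!" note together with the asterisk entry. That embedded-copy detail is what caused the earlier "Vulnerable code not present" triage on this page to be reverted, so consider carrying it over as a NOTE on CVE-2023-27585 in data/CVE/list where the next triager of a pjproject CVE will see it.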
[Git][security-tracker-team/security-tracker][master] Concluded that frr package does not need an update for buster. The...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: fc98b78d by Ola Lundqvist at 2023-04-18T23:43:31+02:00 Concluded that frr package does not need an update for buster. The vulnerability at hand is clearly less problematic than many other open vulnerabilities to this package. Remote code execution + DoS is more problematic than just a DoS problem. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -62398,6 +62398,7 @@ CVE-2022-36441 (An issue was discovered in Zebra Enterprise Home Screen 4.1.19. NOT-FOR-US: Zebra Enterprise Home Screen CVE-2022-36440 (A reachable assertion was found in Frrouting frr-bgpd 8.3.0 in the pee ...) - frr 8.4.1-1 + [buster] - frr (Minor issue) NOTE: https://github.com/FRRouting/frr/issues/13202 NOTE: https://github.com/FRRouting/frrcommit/3e46b43e3788f0f87bae56a86b54d412b4710286 (base_8.4) NOTE: https://github.com/spwpun/pocs/blob/main/frr-bgpd.md View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc98b78db2d300ba05645898550ba0e185d59db8
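Review bot: the fix reference in the context lines is malformed: https://github.com/FRRouting/frrcommit/3e46b43e3788f0f87bae56a86b54d412b4710286 is missing the slash between the repository name and "commit" and will not resolve, so it is worth correcting alongside this change. The added "[buster] - frr (Minor issue)" line records the decision but the reasoning (reachable assertion, denial of service only, lower severity than other open issues in the package) lives only in the commit message; a short NOTE on the entry would keep the rationale in the data file for the next LTS triage.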
[Git][security-tracker-team/security-tracker][master] LTS: add connman to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: be6fa10b by Ola Lundqvist at 2023-04-18T23:35:19+02:00 LTS: add connman to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,11 @@ configobj (Chris Lamb) NOTE: 20230416: Special attention: Low priority but high popcon. NOTE: 20230417: No upstream-blessed patch yet. (lamby) -- +connman + NOTE: 20230418: Programming language: C. + NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/connman.git + NOTE: 20230418: Have not checked the source code, just the description. (opal). +-- consul NOTE: 20221031: Programming language: Go. NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be6fa10b3637efbc2ee892d72dd029d39058ee52
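Review bot: the new connman entry states that only the CVE description was read and not the source. Since that is the whole basis for adding the package to dla-needed.txt, add the CVE id(s) that triggered the addition to the entry, so whoever claims it starts from the right reference and can revisit the conclusion once the code has actually been checked.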
[Git][security-tracker-team/security-tracker][master] LTS: add avahi to dla-needed.txt
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: c525e9f5 by Ola Lundqvist at 2023-04-18T23:31:24+02:00 LTS: add avahi to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -31,6 +31,10 @@ asterisk (Markus Koschany) NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git NOTE: 20230418: Special attention: pjproject library is included in debian directory!. -- +avahi + NOTE: 20230418: Programming language: C++. + NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/avahi.git +-- cairosvg (dleidert) NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c525e9f5d3a06a5c29d83a60de677cbeff660aca
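Review bot: the avahi entry records the language and VCS but not which CVE prompted it. Another commit in this batch adds a Debian bug reference for CVE-2023-1981 (avahi-daemon can be crashed via DBus, bug #1034594); naming it in a NOTE here would save the claimant a lookup and make clear whether that is the only open issue to address.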
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-29197/php-guzzlehttp-psr7
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 249ee9b4 by Salvatore Bonaccorso at 2023-04-18T23:23:47+02:00 Add Debian bug reference for CVE-2023-29197/php-guzzlehttp-psr7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4460,7 +4460,7 @@ CVE-2023-29199 (There exists a vulnerability in source code transformer (excepti CVE-2023-29198 RESERVED CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...) - - php-guzzlehttp-psr7 + - php-guzzlehttp-psr7 (bug #1034581) NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw CVE-2023-29196 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/249ee9b47738fcf4c26d5402ee8ca7b180090e01
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-30536/php-slim-psr7
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45a167ff by Salvatore Bonaccorso at 2023-04-18T23:18:51+02:00 Add Debian bug reference for CVE-2023-30536/php-slim-psr7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1089,7 +1089,7 @@ CVE-2023-30538 CVE-2023-30537 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2023-30536 (slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions p ...) - - php-slim-psr7 + - php-slim-psr7 (bug #1034580) NOTE: https://github.com/slimphp/Slim-Psr7/security/advisories/GHSA-q2qj-628g-vhfw NOTE: https://github.com/slimphp/Slim-Psr7/commit/4fea29e910391b1883de5bf6e84b50f6900355fb (1.6.1) CVE-2023-30535 (Snowflake JDBC provides a JDBC type 4 driver that supports core functi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45a167ff4eaf980f492d0d9c9152d1ab649699fc
[Git][security-tracker-team/security-tracker][master] Concluded that CVE-2023-1625 does not require a DLA for buster. It is an...
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f8f4753 by Ola Lundqvist at 2023-04-18T23:16:31+02:00 Concluded that CVE-2023-1625 does not require a DLA for buster. It is an information leak vulnerability to authenticated users with low impact. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5693,6 +5693,7 @@ CVE-2023-1625 [information leak in API] RESERVED [experimental] - heat 1:20.0.0~rc1-1 - heat 1:19.0.0-2 (bug #1034186) + [buster] - heat (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2181621 NOTE: https://review.opendev.org/c/openstack/heat/+/868166 NOTE: https://github.com/openstack/heat/commit/1305a3152f75c6e62ec5094ea2bfc38f165204cf (20.0.0.0rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f8f4753fcf7382dffcc2efd23d07a7fed40db04
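Review bot: the buster line for heat is added as "(Minor issue)" while the justification (information leak to authenticated users, low impact) is only in the commit message; mirror it as a NOTE on the entry so the data file explains the no-DLA decision. Also confirm that the vulnerable API code is present in the heat version shipped in buster before recording the status, since the entry only lists fixes for 1:20.0.0~rc1-1 and 1:19.0.0-2 and carries no statement about older releases.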
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-27585,asterisk: Buster is affected
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: ec479a33 by Markus Koschany at 2023-04-18T22:40:56+02:00 CVE-2023-27585,asterisk: Buster is affected The vulnerable code is shipped in debian/pjproject_2.12.1~dfsg.orig.tar.bz2 and applied at build time. In the past the pjproject library has been packaged separately. Debian's maintainer chose to embed it later. - - - - - 1b52d3ba by Markus Koschany at 2023-04-18T22:40:56+02:00 LTS: add asterisk to dla-needed.txt - - - - - 480c118b by Markus Koschany at 2023-04-18T22:40:56+02:00 Claim asterisk in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9774,7 +9774,6 @@ CVE-2023-27586 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra NOTE: Introduced in https://github.com/Kozea/CairoSVG/commit/1ee0889f4015ebaddcf9976d43222e673155797c (0.3) CVE-2023-27585 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk - [buster] - asterisk (Vulnerable code not present) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr = data/dla-needed.txt =
@@ -26,6 +26,11 @@ apache2 NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- +asterisk (Markus Koschany) + NOTE: 20230418: Programming language: C. + NOTE: 20230418: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git + NOTE: 20230418: Special attention: pjproject library is included in debian directory!. +-- cairosvg (dleidert) NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e743fb4f13168814042a19075075d58420abd969...480c118bf4008af50f77dbd50d34049b2c843df0
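Review bot: the data/CVE/list hunk reverses the "[buster] - asterisk (Vulnerable code not present)" line added in 3dd091ab earlier on this page, but the justification (the vulnerable pjproject code is shipped in debian/pjproject_2.12.1~dfsg.orig.tar.bz2 and applied at build time) exists only in the commit message. Record it as a NOTE on CVE-2023-27585 so the tracker data itself explains why asterisk in buster is affected even though pjproject is listed as a separate source package; otherwise the next person to triage a pjproject CVE will repeat the same wrong conclusion.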
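Review bot: in the dla-needed.txt hunk the "Special attention: pjproject library is included in debian directory!" line is the right place for the warning; consider naming the file the commit message identifies (debian/pjproject_2.12.1~dfsg.orig.tar.bz2) so the claimant knows exactly which vendored tarball the build applies and which version of pjproject needs the backported fix.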
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-30536/php-slim-psr7
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e743fb4f by Salvatore Bonaccorso at 2023-04-18T22:38:40+02:00 Add CVE-2023-30536/php-slim-psr7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1089,7 +1089,9 @@ CVE-2023-30538 CVE-2023-30537 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2023-30536 (slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions p ...) - TODO: check + - php-slim-psr7 + NOTE: https://github.com/slimphp/Slim-Psr7/security/advisories/GHSA-q2qj-628g-vhfw + NOTE: https://github.com/slimphp/Slim-Psr7/commit/4fea29e910391b1883de5bf6e84b50f6900355fb (1.6.1) CVE-2023-30535 (Snowflake JDBC provides a JDBC type 4 driver that supports core functi ...) NOT-FOR-US: Snowflake JDBC CVE-2023-30534 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e743fb4f13168814042a19075075d58420abd969
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-29197/php-guzzlehttp-psr7
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4597ba98 by Salvatore Bonaccorso at 2023-04-18T22:35:07+02:00 Add CVE-2023-29197/php-guzzlehttp-psr7 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4458,7 +4458,8 @@ CVE-2023-29199 (There exists a vulnerability in source code transformer (excepti CVE-2023-29198 RESERVED CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...) - TODO: check + - php-guzzlehttp-psr7 + NOTE: https://github.com/guzzle/psr7/security/advisories/GHSA-wxmh-65f7-jcvw CVE-2023-29196 RESERVED CVE-2023-29195 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4597ba981786e4cbc883bda2d903c69f3ff04195
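Review bot: the php-guzzlehttp-psr7 entry gets the GHSA advisory link but, unlike the php-slim-psr7 entry added a few minutes earlier on this page, no upstream fix commit with its version in parentheses; adding that reference once known makes it possible to tell from the data file which Debian upload actually contains the fix rather than relying on the advisory's version range.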
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-30539/nextcloud-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 69e35a37 by Salvatore Bonaccorso at 2023-04-18T22:28:15+02:00 Add CVE-2023-30539/nextcloud-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1083,7 +1083,7 @@ CVE-2023-30541 (OpenZeppelin Contracts is a library for secure smart contract de CVE-2023-30540 (Nextcloud Talk is a chat, video audio call extension for Nextclo ...) TODO: check CVE-2023-30539 (Nextcloud is a personal home server system. Depending on the set up ta ...) - TODO: check + - nextcloud-server (bug #941708) CVE-2023-30538 RESERVED CVE-2023-30537 (XWiki Platform is a generic wiki platform offering runtime services fo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69e35a37de6502410b7767b88f33887ef48df7ba
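Review bot: the nextcloud-server line references bug #941708 but, as rendered here, shows no status keyword between the package name and the bug reference. If that bug is the packaging request for nextcloud-server rather than a bug against a shipped package, the entry needs the tracker's <itp> marker in that position so the CVE is not counted as an unfixed vulnerability in unstable; if the marker is present in the commit and was only lost in the mail rendering, nothing to change.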
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5383ce48 by Salvatore Bonaccorso at 2023-04-18T22:27:41+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -155,29 +155,29 @@ CVE-2023-2157 CVE-2023-2156 RESERVED CVE-2023-2155 (A vulnerability was found in SourceCodester Air Cargo Management Syste ...) - TODO: check + NOT-FOR-US: SourceCodester Air Cargo Management System CVE-2023-2154 (A vulnerability was found in SourceCodester Task Reminder System 1.0. ...) - TODO: check + NOT-FOR-US: SourceCodester Task Reminder System CVE-2023-2153 (A vulnerability was found in SourceCodester Complaint Management Syste ...) - TODO: check + NOT-FOR-US: SourceCodester Complaint Management System CVE-2023-2152 (A vulnerability has been found in SourceCodester Student Study Center ...) - TODO: check + NOT-FOR-US: SourceCodester Student Study Center Desk Management System CVE-2023-2151 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Student Study Center Desk Management System CVE-2023-2150 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Task Reminder System CVE-2023-2149 (A vulnerability classified as critical was found in Campcodes Online T ...) - TODO: check + NOT-FOR-US: Campcodes Online Thesis Archiving System CVE-2023-2148 (A vulnerability classified as critical has been found in Campcodes Onl ...) - TODO: check + NOT-FOR-US: Campcodes Online Thesis Archiving System CVE-2023-2147 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) - TODO: check + NOT-FOR-US: Campcodes Online Thesis Archiving System CVE-2023-2146 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) - TODO: check + NOT-FOR-US: Campcodes Online Thesis Archiving System CVE-2023-2145 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) - TODO: check + NOT-FOR-US: Campcodes Online Thesis Archiving System CVE-2023-2144 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) 
- TODO: check + NOT-FOR-US: Campcodes Online Thesis Archiving System CVE-2023-2143 RESERVED CVE-2023-2142 @@ -227,7 +227,7 @@ CVE-2023-2132 CVE-2023-2131 RESERVED CVE-2023-2130 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Purchase Order Management System CVE-2023-30792 RESERVED CVE-2023-30791 @@ -1067,7 +1067,7 @@ CVE-2023-30549 CVE-2023-30548 (gatsby-plugin-sharp is a plugin for the gatsby framework which exposes ...) TODO: check CVE-2023-30547 (vm2 is a sandbox that can run untrusted code with whitelisted Node's b ...) - TODO: check + NOT-FOR-US: Node vm2 CVE-2023-30546 RESERVED CVE-2023-30545 @@ -1079,7 +1079,7 @@ CVE-2023-30543 (@web3-react is a framework for building Ethereum Apps . In affec CVE-2023-30542 (OpenZeppelin Contracts is a library for secure smart contract developm ...) NOT-FOR-US: OpenZeppelin CVE-2023-30541 (OpenZeppelin Contracts is a library for secure smart contract developm ...) - TODO: check + NOT-FOR-US: OpenZeppelin CVE-2023-30540 (Nextcloud Talk is a chat, video audio call extension for Nextclo ...) TODO: check CVE-2023-30539 (Nextcloud is a personal home server system. Depending on the set up ta ...) @@ -2596,9 +2596,9 @@ CVE-2023-29857 CVE-2023-29856 RESERVED CVE-2023-29855 (WBCE CMS 1.5.3 has a command execution vulnerability via admin/languag ...) - TODO: check + NOT-FOR-US: WBCE CMS CVE-2023-29854 (DirCMS 6.0.0 has a Cross Site Scripting (XSS) vulnerability in the for ...) - TODO: check + NOT-FOR-US: DirCMS CVE-2023-29853 RESERVED CVE-2023-29852 @@ -2758,7 +2758,7 @@ CVE-2023-29776 CVE-2023-29775 RESERVED CVE-2023-29774 (Dreamer CMS 3.0.1 is vulnerable to stored Cross Site Scripting (XSS). ...) - TODO: check + NOT-FOR-US: Dreamer CMS CVE-2023-29773 RESERVED CVE-2023-29772 
@@ -4426,7 +4426,7 @@ CVE-2023-29215 (In Apache Linkis =1.3.1, due to the lack of effective filter CVE-2023-29214 (XWiki Commons are technical libraries common to several other top leve ...) NOT-FOR-US: XWiki CVE-2023-29213 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-29212 (XWiki Commons are technical libraries common to several other top leve ...) NOT-FOR-US: XWiki CVE-2023-29211 (XWiki Commons are technical libraries common to
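Review bot: the final hunk is cut off in this rendering (it ends mid-line in the CVE-2023-29211 context), so its tail cannot be reviewed here; check the full diff on GitLab. In that hunk's header context the Apache Linkis description reads "=1.3.1", which looks like a character lost in the rendering (an inequality sign before the version) rather than a defect in the data, but worth a glance at the stored line. Within the reviewable hunks, CVE-2023-30548 (gatsby-plugin-sharp) stays at TODO: check while every neighbour is resolved; fine if deliberate, but it should not be left behind.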
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20d8b5cf by security tracker role at 2023-04-18T20:10:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,211 @@ +CVE-2023-30861 + RESERVED +CVE-2023-30860 + RESERVED +CVE-2023-30859 + RESERVED +CVE-2023-30858 + RESERVED +CVE-2023-30857 + RESERVED +CVE-2023-30856 + RESERVED +CVE-2023-30855 + RESERVED +CVE-2023-30854 + RESERVED +CVE-2023-30853 + RESERVED +CVE-2023-30852 + RESERVED +CVE-2023-30851 + RESERVED +CVE-2023-30850 + RESERVED +CVE-2023-30849 + RESERVED +CVE-2023-30848 + RESERVED +CVE-2023-30847 + RESERVED +CVE-2023-30846 + RESERVED +CVE-2023-30845 + RESERVED +CVE-2023-30844 + RESERVED +CVE-2023-30843 + RESERVED +CVE-2023-30842 + RESERVED +CVE-2023-30841 + RESERVED +CVE-2023-30840 + RESERVED +CVE-2023-30839 + RESERVED +CVE-2023-30838 + RESERVED +CVE-2023-30837 + RESERVED +CVE-2023-30836 + RESERVED +CVE-2023-30835 + RESERVED +CVE-2023-30834 + RESERVED +CVE-2023-30833 + RESERVED +CVE-2023-30832 + RESERVED +CVE-2023-30831 + RESERVED +CVE-2023-30830 + RESERVED +CVE-2023-30829 + RESERVED +CVE-2023-30828 + RESERVED +CVE-2023-30827 + RESERVED +CVE-2023-30826 + RESERVED +CVE-2023-30825 + RESERVED +CVE-2023-30824 + RESERVED +CVE-2023-30823 + RESERVED +CVE-2023-30822 + RESERVED +CVE-2023-30821 + RESERVED +CVE-2023-30820 + RESERVED +CVE-2023-30819 + RESERVED +CVE-2023-30818 + RESERVED +CVE-2023-30817 + RESERVED +CVE-2023-30816 + RESERVED +CVE-2023-30815 + RESERVED +CVE-2023-30814 + RESERVED +CVE-2023-30813 + RESERVED +CVE-2023-30812 + RESERVED +CVE-2023-30811 + RESERVED +CVE-2023-30810 + RESERVED +CVE-2023-30809 + RESERVED +CVE-2023-30808 + RESERVED +CVE-2023-30807 + RESERVED +CVE-2023-30806 + RESERVED +CVE-2023-30805 + RESERVED +CVE-2023-30804 + RESERVED +CVE-2023-30803 + RESERVED +CVE-2023-30802 + RESERVED +CVE-2023-30801 + RESERVED +CVE-2023-30800 + RESERVED +CVE-2023-30799 + RESERVED +CVE-2023-30798 + RESERVED +CVE-2023-30797 + RESERVED +CVE-2023-30796 + RESERVED +CVE-2023-30795 + RESERVED +CVE-2023-2166 + RESERVED +CVE-2023-2165 + RESERVED +CVE-2023-2164 + RESERVED +CVE-2023-2163 + RESERVED +CVE-2023-2162 + RESERVED +CVE-2023-2161 + RESERVED +CVE-2023-2160 
(Weak Password Requirements in GitHub repository modoboa/modoboa prior ...) + TODO: check +CVE-2023-2159 + RESERVED +CVE-2023-2158 + RESERVED +CVE-2023-2157 + RESERVED +CVE-2023-2156 + RESERVED +CVE-2023-2155 (A vulnerability was found in SourceCodester Air Cargo Management Syste ...) + TODO: check +CVE-2023-2154 (A vulnerability was found in SourceCodester Task Reminder System 1.0. ...) + TODO: check +CVE-2023-2153 (A vulnerability was found in SourceCodester Complaint Management Syste ...) + TODO: check +CVE-2023-2152 (A vulnerability has been found in SourceCodester Student Study Center ...) + TODO: check +CVE-2023-2151 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2023-2150 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2023-2149 (A vulnerability classified as critical was found in Campcodes Online T ...) + TODO: check +CVE-2023-2148 (A vulnerability classified as critical has been found in Campcodes Onl ...) + TODO: check +CVE-2023-2147 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) + TODO: check +CVE-2023-2146 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) + TODO: check +CVE-2023-2145 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) + TODO: check +CVE-2023-2144 (A vulnerability was found in Campcodes Online Thesis Archiving System ...) + TODO: check +CVE-2023-2143 + RESERVED +CVE-2023-2142 + RESERVED +CVE-2023-2141 + RESERVED +CVE-2023-2140 + RESERVED +CVE-2023-2139 + RESERVED +CVE-2022-4942 + RESERVED +CVE-2022-48475 + RESERVED +CVE-2022-48474 + RESERVED +CVE-2022-48473 + RESERVED +CVE-2022-48472 + RESERVED +CVE-2022-48471 + RESERVED +CVE-2022-48470 + RESERVED +CVE-2022-48469 + RESERVED +CVE-2014-125099 + RESERVED CVE-2023-30794 RESERVED CVE-2023-30793 @@ -726,8 +934,8 @@ CVE-2023-2022 RESERVED CVE-2023-2021 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn
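Review bot: bulk automatic update, so the only actionable items are the TODO: check lines: CVE-2023-2160 (modoboa, weak password requirements) and the SourceCodester/Campcodes batch CVE-2023-2144 through CVE-2023-2155. The "Process NFUs" commit on this page resolves the latter batch as NOT-FOR-US, but CVE-2023-2160 still needs triage. The second hunk (@@ -726,8 +934,8 @@) is truncated in this rendering and cannot be reviewed here.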
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-045{8,9}/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: deed6cae by Salvatore Bonaccorso at 2023-04-18T20:35:03+02:00 Add CVE-2023-045{8,9}/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18496,8 +18496,12 @@ CVE-2023-0460 (The YouTube Embedded 1.2 SDK binds to a service within the YouTub NOT-FOR-US: YouTube Embedded 1.2 SDK CVE-2023-0459 RESERVED + - linux + NOTE: https://github.com/google/security-research/security/advisories/GHSA-m7j5-797w-vmrh CVE-2023-0458 RESERVED + - linux + NOTE: https://github.com/google/security-research/security/advisories/GHSA-m7j5-797w-vmrh CVE-2023-0457 (Plaintext Storage of a Password vulnerability in Mitsubishi Electric C ...) NOT-FOR-US: Mitsubishi CVE-2022-4896 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/deed6cae71b3af9d372915bd2c90e13113a51e8c
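Review bot: both CVE-2023-0458 and CVE-2023-0459 get an identical "- linux" line and the same GHSA advisory URL while remaining RESERVED, so the two entries are indistinguishable in the list. Add a bracketed working title to each, and once the upstream fix commits are identified add them as NOTEs with the mainline version that contains them; without that, per-suite triage for stable and LTS cannot be done from the data file.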
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-27585 in asterisk for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dd091ab by Chris Lamb at 2023-04-18T18:21:44+01:00 Triage CVE-2023-27585 in asterisk for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9563,6 +9563,7 @@ CVE-2023-27586 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra NOTE: Introduced in https://github.com/Kozea/CairoSVG/commit/1ee0889f4015ebaddcf9976d43222e673155797c (0.3) CVE-2023-27585 (PJSIP is a free and open source multimedia communication library writt ...) - asterisk + [buster] - asterisk (Vulnerable code not present) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr = data/dla-needed.txt = @@ -26,10 +26,6 @@ apache2 NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- -asterisk (Chris Lamb) - NOTE: 20230416: Programming language: C. - NOTE: 20230416: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git --- cairosvg (dleidert) NOTE: 20230323: Programming language: Python. NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dd091abd8c30efc593306aaa23cd2da5e841e8d
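Review bot: the "[buster] - asterisk (Vulnerable code not present)" line in the data/CVE/list hunk is reverted later on this page (ec479a33), because asterisk's debian/ directory ships its own pjproject tarball that is unpacked and applied at build time, so the PJSIP code is present in the buster binaries even though pjproject is a separate source package. For a CVE in an embedded library, the check has to cover vendored tarballs and patches under debian/ and not only the upstream orig tarball; a NOTE stating what was inspected would have made the basis for "not present" reviewable.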
[Git][security-tracker-team/security-tracker][master] owslib fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d1314235 by Moritz Muehlenhoff at 2023-04-18T16:13:23+02:00 owslib fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9958,7 +9958,7 @@ CVE-2023-27477 (wasmtime is a fast and secure runtime for WebAssembly. Wasmtime' NOT-FOR-US: wasmtime CVE-2023-27476 (OWSLib is a Python package for client programming with Open Geospatial ...) [experimental] - owslib 0.28.1-1~exp1 - - owslib (bug #1034182) + - owslib 0.27.2-3 (bug #1034182) NOTE: https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063 (0.29.0) NOTE: https://github.com/geopython/OWSLib/commit/b0c687544ddc213d8dcd4a056139b63451938b21 (0.28.1) NOTE: https://github.com/geopython/OWSLib/security/advisories/GHSA-8h9c-r582-mggc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1314235ea095609e7f6a194a06238c3a64a450d
[Git][security-tracker-team/security-tracker][master] lts: add link to vcs for openvswitch
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d6b7615 by Emilio Pozuelo Monfort at 2023-04-18T14:41:21+02:00 lts: add link to vcs for openvswitch - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -208,6 +208,7 @@ openimageio (Markus Koschany) -- openvswitch NOTE: 20230417: Programming language: C. + NOTE: 20230417: VCS: https://salsa.debian.org/lts-team/packages/openvswitch.git -- php-cas NOTE: 20221105: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d6b7615f7b02e1783fdd3f53c53053291a443b3
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2023-294{79,80}/rnp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dbcf002 by Salvatore Bonaccorso at 2023-04-18T11:56:37+02:00 Add Debian bug references for CVE-2023-294{79,80}/rnp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3289,11 +3289,11 @@ CVE-2023-29481 RESERVED CVE-2023-29480 RESERVED - - rnp + - rnp (bug #1034558) NOTE: https://www.rnpgp.org/blog/2023-04-13-rnp-release-0-16-3/ CVE-2023-29479 RESERVED - - rnp + - rnp (bug #1034558) - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#CVE-2023-29479 NOTE: https://www.rnpgp.org/blog/2023-04-13-rnp-release-0-16-3/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dbcf002c2537cc1069cf8c974286703ac1d60e9
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c30545da by Salvatore Bonaccorso at 2023-04-18T11:55:46+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73,9 +73,9 @@ CVE-2023-2122 CVE-2023-2121 RESERVED CVE-2023-2120 (The Thumbnail carousel slider plugin for WordPress is vulnerable to Re ...) - TODO: check + NOT-FOR-US: Thumbnail carousel slider plugin for WordPress CVE-2023-2119 (The Responsive Filterable Portfolio plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: Responsive Filterable Portfolio plugin for WordPress CVE-2023-2118 RESERVED CVE-2023-2117 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c30545dab6ed7b5158cc695c1aa0c0634eaab230
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e527d6ed by security tracker role at 2023-04-18T08:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2023-30794 + RESERVED +CVE-2023-30793 + RESERVED +CVE-2023-2138 (Use of Hard-coded Credentials in GitHub repository nuxtlabs/github-mod ...) + TODO: check +CVE-2023-2137 + RESERVED +CVE-2023-2136 + RESERVED +CVE-2023-2135 + RESERVED +CVE-2023-2134 + RESERVED +CVE-2023-2133 + RESERVED +CVE-2023-2132 + RESERVED +CVE-2023-2131 + RESERVED +CVE-2023-2130 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check CVE-2023-30792 RESERVED CVE-2023-30791 @@ -50,10 +72,10 @@ CVE-2023-2122 RESERVED CVE-2023-2121 RESERVED -CVE-2023-2120 - RESERVED -CVE-2023-2119 - RESERVED +CVE-2023-2120 (The Thumbnail carousel slider plugin for WordPress is vulnerable to Re ...) + TODO: check +CVE-2023-2119 (The Responsive Filterable Portfolio plugin for WordPress is vulnerable ...) + TODO: check CVE-2023-2118 RESERVED CVE-2023-2117 @@ -184,8 +206,8 @@ CVE-2023-30772 (The Linux kernel before 6.2.9 has a race condition and resultant NOTE: CONFIG_CHARGER_DA9150 not enabled in Debian. CVE-2023-30770 (A stack-based buffer overflow vulnerability was found in the ASUSTOR D ...) NOT-FOR-US: ASUSTOR Data Master (ADM) -CVE-2023-30769 - RESERVED +CVE-2023-30769 (Vulnerability discovered is related to the peer-to-peer (p2p) communic ...) + TODO: check CVE-2023-30757 RESERVED CVE-2023-30756 
@@ -834,32 +856,32 @@ CVE-2023-30550 RESERVED CVE-2023-30549 RESERVED -CVE-2023-30548 - RESERVED -CVE-2023-30547 - RESERVED +CVE-2023-30548 (gatsby-plugin-sharp is a plugin for the gatsby framework which exposes ...) + TODO: check +CVE-2023-30547 (vm2 is a sandbox that can run untrusted code with whitelisted Node's b ...) + TODO: check CVE-2023-30546 RESERVED CVE-2023-30545 RESERVED CVE-2023-30544 RESERVED -CVE-2023-30543 - RESERVED +CVE-2023-30543 (@web3-react is a framework for building Ethereum Apps . In affected ve ...) + TODO: check CVE-2023-30542 (OpenZeppelin Contracts is a library for secure smart contract developm ...) NOT-FOR-US: OpenZeppelin -CVE-2023-30541 - RESERVED -CVE-2023-30540 - RESERVED -CVE-2023-30539 - RESERVED +CVE-2023-30541 (OpenZeppelin Contracts is a library for secure smart contract developm ...) + TODO: check +CVE-2023-30540 (Nextcloud Talk is a chat, video audio call extension for Nextclo ...) + TODO: check +CVE-2023-30539 (Nextcloud is a personal home server system. Depending on the set up ta ...) + TODO: check CVE-2023-30538 RESERVED CVE-2023-30537 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki -CVE-2023-30536 - RESERVED +CVE-2023-30536 (slim/psr7 is a PSR-7 implementation for use with Slim 4. In versions p ...) + TODO: check CVE-2023-30535 (Snowflake JDBC provides a JDBC type 4 driver that supports core functi ...) NOT-FOR-US: Snowflake JDBC CVE-2023-30534 
@@ -4195,8 +4217,8 @@ CVE-2023-29215 (In Apache Linkis =1.3.1, due to the lack of effective filter NOT-FOR-US: Apache Linkis CVE-2023-29214 (XWiki Commons are technical libraries common to several other top leve ...) NOT-FOR-US: XWiki -CVE-2023-29213 - RESERVED +CVE-2023-29213 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check CVE-2023-29212 (XWiki Commons are technical libraries common to several other top leve ...) NOT-FOR-US: XWiki CVE-2023-29211 (XWiki Commons are technical libraries common to several other top leve ...) @@ -4227,8 +4249,8 @@ CVE-2023-29199 (There exists a vulnerability in source code transformer (excepti NOT-FOR-US: Node vm2 CVE-2023-29198 RESERVED -CVE-2023-29197 - RESERVED +CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...) + TODO: check CVE-2023-29196 RESERVED CVE-2023-29195 @@ -4860,79 +4882,57 @@ CVE-2023-28986 RESERVED CVE-2023-28985 RESERVED -CVE-2023-28984 - RESERVED +CVE-2023-28984 (A Use After Free vulnerability in the Layer 2 Address Learning Manager ...) NOT-FOR-US: Juniper -CVE-2023-28983 - RESERVED +CVE-2023-28983 (An OS Command Injection vulnerability in gRPC Network Operations Inter ...) NOT-FOR-US: Juniper -CVE-2023-28982 - RESERVED +CVE-2023-28982 (A Missing Release of Memory after Effective Lifetime vulnerability in ...) NOT-FOR-US: Juniper
[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Correct name of openvswitch package.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 15779fa0 by Chris Lamb at 2023-04-18T09:07:53+01:00 dla-needed.txt: Correct name of openvswitch package. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -206,7 +206,7 @@ openimageio (Markus Koschany) NOTE: 20230406: Programming language: C. NOTE: 20230406: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- -openvswtich +openvswitch NOTE: 20230417: Programming language: C. -- php-cas View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15779fa0c9a8533921547586a91fcd240e04bb65
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2023-28856/redis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 678afd9f by Salvatore Bonaccorso at 2023-04-18T09:30:18+02:00 Add additional reference for CVE-2023-28856/redis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5399,6 +5399,7 @@ CVE-2023-28856 - redis NOTE: https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6 NOTE: https://github.com/redis/redis/commit/1c1bd618c95e26a8ff5c12e70cbf0117233ef073 (7.0.11) + NOTE: https://github.com/redis/redis/commit/e030e351fd7ae8c1b0254982a4f12a4bd15ac66b (6.2.12) CVE-2023-28855 (Fields is a GLPI plugin that allows users to add custom fields on GLPI ...) NOT-FOR-US: GLPI plugin CVE-2023-28854 (nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnera ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/678afd9f6bb5ce04fe4036c564a73be27d2561ca
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28856/redis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 05acdd6f by Salvatore Bonaccorso at 2023-04-18T09:26:25+02:00 Add CVE-2023-28856/redis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5396,6 +5396,9 @@ CVE-2023-28857 RESERVED CVE-2023-28856 RESERVED + - redis + NOTE: https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6 + NOTE: https://github.com/redis/redis/commit/1c1bd618c95e26a8ff5c12e70cbf0117233ef073 (7.0.11) CVE-2023-28855 (Fields is a GLPI plugin that allows users to add custom fields on GLPI ...) NOT-FOR-US: GLPI plugin CVE-2023-28854 (nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnera ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05acdd6f3f162a71c5ce036ccab5993940419691
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3393-1 for protobuf
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: ad65f979 by Helmut Grohne at 2023-04-18T09:03:41+02:00 Reserve DLA-3393-1 for protobuf - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -170504,7 +170504,6 @@ CVE-2021-22570 (Nullptr dereference when a null char is present in a proto symbo [experimental] - protobuf 3.17.1-1 - protobuf 3.21.9-3 [bullseye] - protobuf (Minor issue) - [buster] - protobuf (Minor issue) [stretch] - protobuf (Minor issue; clean crash / Dos; patch needs to be isolated) NOTE: Fixed upstream in v3.15.0: https://github.com/protocolbuffers/protobuf/releases/tag/v3.15.0 NOTE: Fixed in merge commit https://github.com/protocolbuffers/protobuf/a00125024e9231d76746bd394fef8876f5cc15e2 @@ -170513,7 +170512,6 @@ CVE-2021-22569 (An issue in protobuf-java allowed the interleaving of com.google [experimental] - protobuf 3.19.3-1 - protobuf 3.21.9-3 [bullseye] - protobuf (Minor issue) - [buster] - protobuf (Minor issue) [stretch] - protobuf (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/01/12/4 NOTE: https://cloud.google.com/support/bulletins#gcp-2022-001 = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Apr 2023] DLA-3393-1 protobuf - security update + {CVE-2021-22569 CVE-2021-22570 CVE-2022-1941} + [buster] - protobuf 3.6.1.3-2+deb10u1 [17 Apr 2023] DLA-3392-1 ruby-rack - security update {CVE-2023-27530 CVE-2023-27539} [buster] - ruby-rack 2.0.6-3+deb10u3 = data/dla-needed.txt = 
@@ -222,11 +222,6 @@ pluxml NOTE: 20220913: Special attention: orphaned package. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/pluxml.git -- -protobuf (Helmut Grohne) - NOTE: 20221031: Programming language: Several. - NOTE: 20221031: Note the 'Note' that one of the CVEs affects the generated code and must therefore get special attention from the application developer using protobuf. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/protobuf.git --- puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad65f9796ca0a39e10dcadc212513d040387ecb3
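Review bot: the data/DLA/list hunk lists CVE-2022-1941 among the CVEs fixed by DLA-3393-1, but the data/CVE/list hunks only drop the `[buster] - protobuf (Minor issue)` lines for CVE-2021-22570 and CVE-2021-22569; if CVE-2022-1941 carries a buster no-dsa marker of its own it needs the same removal, otherwise the tracker keeps showing it as postponed for buster after the DLA is published. The dla-needed.txt hunk also discards the note that one of the CVEs affects generated code and needs attention from applications using protobuf; that caveat is worth carrying into the advisory text so it is not lost with the entry.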
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-294{79,80}/rnp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0f19053 by Salvatore Bonaccorso at 2023-04-18T08:57:34+02:00 Add CVE-2023-294{79,80}/rnp - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3267,10 +3267,14 @@ CVE-2023-29481 RESERVED CVE-2023-29480 RESERVED + - rnp + NOTE: https://www.rnpgp.org/blog/2023-04-13-rnp-release-0-16-3/ CVE-2023-29479 RESERVED + - rnp - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-15/#CVE-2023-29479 + NOTE: https://www.rnpgp.org/blog/2023-04-13-rnp-release-0-16-3/ CVE-2023-29478 (BiblioCraft before 2.4.6 does not sanitize path-traversal characters i ...) NOT-FOR-US: BiblioCraft CVE-2023-29477 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0f1905369a9dd428adee7364edb881f6c556c38
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-3077{4,5}/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f482b94 by Salvatore Bonaccorso at 2023-04-18T08:31:02+02:00 Update information on CVE-2023-3077{4,5}/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74,12 +74,14 @@ CVE-2023-2110 RESERVED CVE-2023-30775 RESERVED - - tiff + - tiff 4.5.0-2 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/464 + NOTE: https://gitlab.com/libtiff/libtiff/-/afd7086090dafd3949afd172822cbcec4ed17d56 (v4.5.0rc1) CVE-2023-30774 RESERVED - - tiff + - tiff 4.5.0-2 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/463 + NOTE: https://gitlab.com/libtiff/libtiff/-/f00484b9519df933723deb38fff943dc291a793d (v4.5.0rc1) CVE-2023-2109 (Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoo ...) NOT-FOR-US: chatwoot CVE-2023-2108 (A vulnerability has been found in SourceCodester Judging Management Sy ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f482b94d64ab90e165ed89321620253094ccbf2
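Review bot: both added NOTE lines in the tiff hunk point at `https://gitlab.com/libtiff/libtiff/-/<sha>`, which is missing the `commit/` path segment and will not resolve to the fixing commit; the issue links in the same hunk use the `/-/issues/...` form, and the commit references should correspondingly read `/-/commit/afd7086090dafd3949afd172822cbcec4ed17d56` and `/-/commit/f00484b9519df933723deb38fff943dc291a793d`.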
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3077{4,5}/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9979b69 by Salvatore Bonaccorso at 2023-04-18T08:21:34+02:00 Add CVE-2023-3077{4,5}/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74,8 +74,12 @@ CVE-2023-2110 RESERVED CVE-2023-30775 RESERVED + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/464 CVE-2023-30774 RESERVED + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/463 CVE-2023-2109 (Cross-site Scripting (XSS) - DOM in GitHub repository chatwoot/chatwoo ...) NOT-FOR-US: chatwoot CVE-2023-2108 (A vulnerability has been found in SourceCodester Judging Management Sy ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9979b69d45e4f5f7af6ce55af8fc913bc972933
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1981/avahi
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bd23c48 by Salvatore Bonaccorso at 2023-04-18T08:18:37+02:00 Add CVE-2023-1981/avahi - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1072,8 +1072,12 @@ CVE-2023-1983 (A vulnerability was found in SourceCodester Sales Tracker Managem NOT-FOR-US: SourceCodester Sales Tracker Management System CVE-2023-1982 RESERVED -CVE-2023-1981 +CVE-2023-1981 [avahi-daemon can be crashed via DBus] RESERVED + - avahi + NOTE: https://github.com/lathiat/avahi/issues/375 + NOTE: https://github.com/lathiat/avahi/pull/407 + NOTE: https://github.com/lathiat/avahi/commit/a2696da2f2c50ac43b6c4903f72290d5c3fa9f6f CVE-2023-1980 (Two factor authentication bypass on login in Devolutions Remote Deskto ...) NOT-FOR-US: Devolutions CVE-2023-1979 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bd23c488e0402058e1ab9c33d9277fd6976