[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-2700/libvirt fix via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61a9b286 by Salvatore Bonaccorso at 2023-05-27T07:11:57+02:00 Track fixed version for CVE-2023-2700/libvirt fix via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1020,7 +1020,7 @@ CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in Semgre NOT-FOR-US: git-url-parse CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw ouccers due t ...) [experimental] - libvirt 9.3.0-1 - - libvirt (bug #1036297) + - libvirt 9.0.0-4 (bug #1036297) [bullseye] - libvirt (Minor issue) [buster] - libvirt (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a9b2867a9c68107904599920d3fb43b77ddd95 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61a9b2867a9c68107904599920d3fb43b77ddd95 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
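Review bot: The CVE-2023-2700 entry now records the fixed version as 'libvirt 9.0.0-4 (bug #1036297)', but the only reference left on it is the Red Hat bugzilla NOTE; add a NOTE pointing at the upstream fix commit so the uploaded fix can be checked against it. The unchanged '[bullseye] - libvirt (Minor issue)' and '[buster] - libvirt (Minor issue)' lines are consistent with a fix via unstable only, and the '[experimental] - libvirt 9.3.0-1' line correctly stays separate.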
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3433-1 for libraw
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 16fdb0f5 by Guilhem Moulin at 2023-05-27T03:39:17+02:00 Reserve DLA-3433-1 for libraw - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -150421,7 +150421,6 @@ CVE-2021-32142 (Buffer Overflow vulnerability in LibRaw linux/unix v0.20.0 allow [experimental] - libraw 0.21.1-1 - libraw 0.20.2-2.1 (bug #1031790) [bullseye] - libraw (Minor issue) - [buster] - libraw (Minor issue) NOTE: https://github.com/LibRaw/LibRaw/issues/400 NOTE: https://github.com/LibRaw/LibRaw/commit/bc3aaf4223fdb70d52d470dae65c5a7923ea2a49 (0.21-Beta1) CVE-2021-32141 = data/DLA/list = @@ -1,3 +1,6 @@ +[27 May 2023] DLA-3433-1 libraw - security update + {CVE-2021-32142 CVE-2023-1729} + [buster] - libraw 0.19.2-2+deb10u3 [24 May 2023] DLA-3432-1 python2.7 - security update {CVE-2015-20107 CVE-2019-20907 CVE-2020-8492 CVE-2020-26116 CVE-2021-3177 CVE-2021-3733 CVE-2021-3737 CVE-2021-4189 CVE-2022-45061} [buster] - python2.7 2.7.16-2+deb10u2 = data/dla-needed.txt = 
@@ -89,10 +89,6 @@ libfastjson (Thorsten Alteholz) NOTE: 20230507: the CVE was fixed in json-c already NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing -- -libraw (guilhem) - NOTE: 20230520: Programming language: C++. - NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libraw.git --- libssh (tobi) NOTE: 20230520: Programming language: C. NOTE: 20230520: VCS: https://salsa.debian.org/lts-team/packages/libssh.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16fdb0f5813c68cea0a004669c579d636d6bd81e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16fdb0f5813c68cea0a004669c579d636d6bd81e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
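Review bot: In the data/CVE/list hunk at -150421 only the CVE-2021-32142 entry loses its '[buster] - libraw (Minor issue)' line, yet the new DLA-3433-1 entry in data/DLA/list lists CVE-2023-1729 as well. If the CVE-2023-1729 entry still carries a [buster] tag (it is not visible in this diff), it will contradict the DLA and should be dropped in the same commit.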
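Review bot: The data/DLA/list hunk at -1,3 puts the new '[27 May 2023] DLA-3433-1 libraw - security update' block at the top with the same three-line shape as the DLA-3432-1 entry below it ({CVE list} then '[buster] - libraw 0.19.2-2+deb10u3'), which matches the file's convention; nothing to change there, but make sure the DLA text itself names both CVEs, since the tracker will link them to this version.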
[Git][security-tracker-team/security-tracker][master] LTS: claim rainloop in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: ea5f4872 by Guilhem Moulin at 2023-05-27T03:05:03+02:00 LTS: claim rainloop in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -183,7 +183,7 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rails.git -- -rainloop +rainloop (guilhem) NOTE: 20220913: Programming language: PHP, JavaScript. NOTE: 20220913: Special attention: orphaned as of 2022-09. NOTE: 20220913: Upstream appeared dead but there was activity 2 weeks ago, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea5f487271801886d31be0568d257064026c0634 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea5f487271801886d31be0568d257064026c0634 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
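Review bot: Appending '(guilhem)' to the rainloop line follows the claiming convention of dla-needed.txt, but the NOTEs that remain on the entry are all dated 20220913 ('Upstream appeared dead but there was activity 2 weeks ago'). Add a dated NOTE such as 'NOTE: 20230527: ...' with the current upstream status, so the next reader does not plan work on a nine-month-old assessment.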
[Git][security-tracker-team/security-tracker][master] Add libreoffice to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8192642f by Salvatore Bonaccorso at 2023-05-26T23:04:43+02:00 Add libreoffice to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -23,6 +23,9 @@ docker-registry (jmm) jupyter-core Maintainer asked for availability to prepare updates -- +libreoffice + Maintainer prepared updates for review +-- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8192642f17848f92c7e21e015118821f4cf0798e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8192642f17848f92c7e21e015118821f4cf0798e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
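Review bot: The new libreoffice block in dsa-needed.txt has no assignee in parentheses, unlike 'docker-registry (jmm)' and 'linux (carnil)' in the surrounding context (jupyter-core is the other unassigned one). Since the entry says 'Maintainer prepared updates for review', record who on the team is reviewing as soon as someone picks it up, otherwise a prepared update can sit unreviewed. As a follow-up, the context line of the linux entry reads 'regulary' and could be corrected to 'regularly'.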
[Git][security-tracker-team/security-tracker][master] Unify NFU naming for some WordPress plugins
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 187dc025 by Salvatore Bonaccorso at 2023-05-26T23:02:05+02:00 Unify NFU naming for some WordPress plugins - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3670,7 +3670,7 @@ CVE-2023-30748 CVE-2023-30747 RESERVED CVE-2023-30746 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Booq ...) - NOT-FOR-US: Wordpress plugin + NOT-FOR-US: WordPress plugin CVE-2023-30745 RESERVED CVE-2023-30744 (In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, C ...) @@ -19510,7 +19510,7 @@ CVE-2023-25462 CVE-2023-25461 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in nami ...) NOT-FOR-US: WordPress plugin CVE-2023-25460 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Code ...) - NOT-FOR-US: Wordpress plugin + NOT-FOR-US: WordPress plugin CVE-2023-25459 RESERVED CVE-2023-25458 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in GMO ...) 
@@ -25280,15 +25280,15 @@ CVE-2021-46872 (An issue was discovered in Nim before 1.6.2. The RST module of t NOTE: https://github.com/nim-lang/Nim/pull/19134 NOTE: https://github.com/nim-lang/Nim/commit/9338aa24977e84a33b9a7802eaff0777fcf4d9c3 CVE-2023-23492 (The Login with Phone Number WordPress Plugin, version < 1.4.2, is affe ...) - NOT-FOR-US: WordPress Plugin + NOT-FOR-US: WordPress plugin CVE-2023-23491 (The Quick Event Manager WordPress Plugin, version < 9.7.5, is affected ...) - NOT-FOR-US: WordPress Plugin + NOT-FOR-US: WordPress plugin CVE-2023-23490 (The Survey Maker WordPress Plugin, version < 3.1.2, is affected by an ...) - NOT-FOR-US: WordPress Plugin + NOT-FOR-US: WordPress plugin CVE-2023-23489 (The Easy Digital Downloads WordPress Plugin, versions 3.1.0.2 & 3.1.0. ...) - NOT-FOR-US: WordPress Plugin + NOT-FOR-US: WordPress plugin CVE-2023-23488 (The Paid Memberships Pro WordPress Plugin, version < 2.9.8, is affecte ...) - NOT-FOR-US: WordPress Plugin + NOT-FOR-US: WordPress plugin CVE-2023-23487 RESERVED CVE-2023-23486 @@ -34624,7 +34624,7 @@ CVE-2022-46844 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi CVE-2022-46843 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Le Van T ...) NOT-FOR-US: WordPress plugin CVE-2022-46842 (Cross-Site Request Forgery (CSRF) vulnerability inJS Help Desk plugin ...) - NOT-FOR-US: Wordpress plugin + NOT-FOR-US: WordPress plugin CVE-2022-46841 RESERVED CVE-2022-46840 @@ -39311,7 +39311,7 @@ CVE-2022-45378 (In the default configuration of Apache SOAP, an RPCRouterServlet CVE-2022-45377 RESERVED CVE-2022-45376 (Cross-Site Request Forgery (CSRF) vulnerability in XootiX Side Cart Wo ...) - NOT-FOR-US: Wordpress plugin + NOT-FOR-US: WordPress plugin CVE-2022-45375 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) NOT-FOR-US: WordPress plugin CVE-2022-45374 
@@ -40111,7 +40111,7 @@ CVE-2022-45081 CVE-2022-45080 (Cross-Site Request Forgery (CSRF) vulnerability in KrishaWeb Add Multi ...) NOT-FOR-US: WordPress plugin CVE-2022-45079 (Cross-Site Request Forgery (CSRF) vulnerability in Softaculous Loginiz ...) - NOT-FOR-US: Wordpress plugin + NOT-FOR-US: WordPress plugin CVE-2022-45078 RESERVED CVE-2022-45077 (Auth. (subscriber+) PHP Object Injection vulnerability in Betheme them ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/187dc025ef507105b027b19440fb83ec82a9a066 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/187dc025ef507105b027b19440fb83ec82a9a066 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
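Review bot: The hunk at -3670 fixes the first of several 'Wordpress plugin' spellings to the canonical 'NOT-FOR-US: WordPress plugin'. Because this is a purely mechanical normalisation, it is worth confirming after the commit that no variants remain, for example with `grep -n 'NOT-FOR-US: Word[Pp]ress [Pp]lugin' data/CVE/list | grep -v 'WordPress plugin'`, and, if the tracker has a syntax check, teaching it the canonical form so the spelling does not drift again.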
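Review bot: The hunk at -25280 corrects five consecutive entries (CVE-2023-23492 down to CVE-2023-23488) that all carried the capitalised 'WordPress Plugin' form; they came in as one batch of similarly worded CVEs, so the variant was most likely introduced at triage time for that batch. The other hunks (-19510, -34624, -39311, -40111) are single-entry 'Wordpress' fixes and need no separate comment.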
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ad5f4919 by Salvatore Bonaccorso at 2023-05-26T22:59:40+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,29 +1,29 @@ CVE-2023-33780 (A stored cross-site scripting (XSS) vulnerability in TFDi Design smart ...) - TODO: check + NOT-FOR-US: TFDi Design smartCARS CVE-2023-33779 (A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows ...) - TODO: check + NOT-FOR-US: XXL-Job CVE-2023-33720 (mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4 ...) - TODO: check + NOT-FOR-US: mp4v2 CVE-2023-33440 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitra ...) - TODO: check + NOT-FOR-US: Sourcecodester Faculty Evaluation System CVE-2023-33439 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Inj ...) - TODO: check + NOT-FOR-US: Sourcecodester Faculty Evaluation System CVE-2023-33394 (skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers ...) - TODO: check + NOT-FOR-US: skycaiji CVE-2023-33255 (An issue was discovered in Papaya Viewer 4a42701. User-supplied input ...) - TODO: check + NOT-FOR-US: Papaya Viewer CVE-2023-33247 (Talend Data Catalog remote harvesting server before 8.0-20230413 conta ...) - TODO: check + NOT-FOR-US: Talend CVE-2023-33197 (Craft is a CMS for creating custom digital experiences on the web. Cro ...) - TODO: check + NOT-FOR-US: Craft CMS CVE-2023-33185 (Django-SES is a drop-in mail backend for Django. The django_ses librar ...) TODO: check CVE-2023-32964 (Cross-Site Request Forgery (CSRF) vulnerability in Made with Fuel Bett ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-32318 (Nextcloud server provides a home for data. A regression in the session ...) TODO: check CVE-2023-2817 (A post-authentication stored cross-site scripting vulnerability exists ...) - TODO: check + NOT-FOR-US: Craft CMS CVE-2023-2854 [experimental] - wireshark 4.0.6-1~exp1 - wireshark 
@@ -2052,11 +2052,11 @@ CVE-2023-31229 CVE-2023-31228 RESERVED CVE-2023-31227 (The hwPartsDFR module has a vulnerability in API calling verification. ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-31226 (The SDK for the MediaPlaybackController module has improper permission ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-31225 (The Gallery app has the risk of hijacking attacks. Successful exploita ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-31194 RESERVED CVE-2023-27390 
@@ -2102,25 +2102,25 @@ CVE-2023-2296 CVE-2022-4945 (The Dataprobe cloud usernames and passwords are stored in plain text i ...) NOT-FOR-US: Dataprobe CVE-2022-48480 (Integer overflow vulnerability in some phones. Successful exploitation ...) - TODO: check + NOT-FOR-US: Huawei CVE-2022-48479 (The facial recognition TA of some products has the out-of-bounds memor ...) - TODO: check + NOT-FOR-US: Huawei CVE-2022-48478 (The facial recognition TA of some products lacks memory length verific ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46887 (Lack of length check vulnerability in the HW_KEYMASTER module. Success ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46886 (The video framework has memory overwriting caused by addition overflow ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46885 (The video framework has memory overwriting caused by addition overflow ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46884 (The video framework has memory overwriting caused by addition overflow ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46883 (The video framework has memory overwriting caused by addition overflow ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46882 (The video framework has memory overwriting caused by addition overflow ...) - TODO: check + NOT-FOR-US: Huawei CVE-2021-46881 (The video framework has memory overwriting caused by addition overflow ...) - TODO: check + NOT-FOR-US: Huawei CVE-2023-31224 RESERVED CVE-2023-31223 (Dradis before 4.8.0 allows persistent XSS by authenticated author user ...) @@ -5326,7 +5326,7 @@ CVE-2023-30147 CVE-2023-30146 RESERVED CVE-2023-30145 (Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template I ...) - TODO: check + NOT-FOR-US: Camaleon CMS CVE-2023-30144 RESERVED CVE-2023-30143 @@ -8118,7 +8118,7 @@ CVE-2023-29100 CVE-2023-29099 RESERVED CVE-2023-29098 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ArtistSc ...) -
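Review bot: In the -1,29 hunk CVE-2023-33720 becomes 'NOT-FOR-US: mp4v2'. The CVE text refers to 'mp4v2 v2.1.2', which is the revived upstream's versioning; before closing it as NOT-FOR-US, confirm that this is not the mp4v2 code Debian ships, because a packaged source should get a package entry (with a not-affected or unimportant tag if appropriate) rather than NOT-FOR-US. CVE-2023-33185 (Django-SES) and CVE-2023-32318 (Nextcloud server) are left at 'TODO: check'; a short reason for holding them would help the next triager.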
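Review bot: In the -2102 hunk ten entries (CVE-2022-48480, CVE-2022-48479, CVE-2022-48478 and CVE-2021-46887 down to CVE-2021-46881) become 'NOT-FOR-US: Huawei', but the quoted CVE texts only say 'some phones' or 'some products' without naming a vendor, so the classification rests on knowing the CNA. Adding a NOTE with the vendor bulletin URL on at least one of them would make the triage reproducible; the same applies to the three CVE-2023-3122x entries in the -2052 hunk.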
[Git][security-tracker-team/security-tracker][master] Update assessment for CVE-2023-28320/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d28c73d2 by Salvatore Bonaccorso at 2023-05-26T22:50:54+02:00 Update assessment for CVE-2023-28320/curl To err on the safe side ignore the issue as the impact is quite low anyway. The update needs to drop the curl_jmpenv. Unclear is if this has been considered upstream to be an ABI break and would require an SONAME bump. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11017,8 +11017,8 @@ CVE-2023-28321 [IDN wildcard match] CVE-2023-28320 [siglongjmp race condition] RESERVED - curl 7.88.1-10 (bug #1036239) - [bullseye] - curl (Minor issue) - [buster] - curl (Minor issue) + [bullseye] - curl (Minor issue; Upstream changes drop curl_jmpenv symbol) + [buster] - curl (Minor issue; Upstream changes drop curl_jmpenv symbol) NOTE: https://curl.se/docs/CVE-2023-28320.html NOTE: Introduced by: https://github.com/curl/curl/commit/3c49b405de4fbf1fd7127f91908261268640e54f (curl-7_9_8) NOTE: Fixed by: https://github.com/curl/curl/commit/13718030ad4b3209a7583b4f27f683cd3a6fa5f2 (curl-8_1_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d28c73d25ed02c8522e47bf7716028c3c30b1dae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d28c73d25ed02c8522e47bf7716028c3c30b1dae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
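Review bot: The commit message says it is unclear whether dropping curl_jmpenv is treated upstream as an ABI break needing an SONAME bump, but that open question is not carried into the file; the new '(Minor issue; Upstream changes drop curl_jmpenv symbol)' annotations only state the reason for ignoring. Add a NOTE next to the existing reference links, for example 'NOTE: Unclear if dropping curl_jmpenv is considered an ABI break upstream', so the reasoning survives outside the git log when the entry is revisited.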
[Git][security-tracker-team/security-tracker][master] Drop notes from CVE-2023-2483
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bbcf662 by Salvatore Bonaccorso at 2023-05-26T22:47:28+02:00 Drop notes from CVE-2023-2483 CVE is rejected as duplicate for CVE-2023-33203 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1710,12 +1710,8 @@ CVE-2023-31434 (The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the use NOT-FOR-US: evasys CVE-2023-31433 (A SQL injection issue in Logbuch in evasys before 8.2 Build 2286 and 9 ...) NOT-FOR-US: evasys -CVE-2023-2483 [net: qcom/emac: Fix use after free bug in emac_remove due to race condition] +CVE-2023-2483 REJECTED - - linux 6.1.25-1 - [bullseye] - linux 5.10.178-1 - [buster] - linux 4.19.282-1 - NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4) CVE-2023-2479 (OS Command Injection in GitHub repository appium/appium-desktop prior ...) NOT-FOR-US: Appium CVE-2023-2477 (A vulnerability was found in Funadmin up to 3.2.3. It has been declare ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bbcf6621d08af64115f18844ce0034625dd8a4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bbcf6621d08af64115f18844ce0034625dd8a4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
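Review bot: The entry is reduced to 'CVE-2023-2483 REJECTED' and the three linux fixed-version lines plus the kernel.org NOTE are dropped. The commit message records that the CVE is a duplicate of CVE-2023-33203, but nothing in the file does; a 'NOTE: Duplicate of CVE-2023-33203' line would keep that traceable, and the CVE-2023-33203 entry should be checked to carry the same 6.1.25-1 / 5.10.178-1 / 4.19.282-1 versions and the 6b6bc5b8bd2d commit reference that are being removed here (not visible in this diff).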
[Git][security-tracker-team/security-tracker][master] dla: fix syntax
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a4fa372b by Sylvain Beucler at 2023-05-26T22:21:48+02:00 dla: fix syntax - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -233,7 +233,7 @@ sysstat (Sylvain Beucler) NOTE: 20230524: Programming language: C. -- webkit2gtk (Emilio) - Programming language: C++. - VCS: https://salsa.debian.org/webkit-team/webkit.git + NOTE: 20230512: Programming language: C++. + NOTE: 20230512: VCS: https://salsa.debian.org/webkit-team/webkit.git NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4fa372bd191e3466b4c6195ec7c0308bca59564 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4fa372bd191e3466b4c6195ec7c0308bca59564 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
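Review bot: The two converted lines get the prefix 'NOTE: 20230512:', matching the status NOTE below them, but they were introduced in 5dc6639b on 2023-05-26 ('dla: sync with lts packages database' in this digest). If the date in the prefix is meant to record when the information was entered, 20230526 would be the accurate stamp; if it is meant to group the lines with the existing 20230512 note, a word in the commit message saying so would avoid the question.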
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ffe64ae by security tracker role at 2023-05-26T20:12:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,29 @@ +CVE-2023-33780 (A stored cross-site scripting (XSS) vulnerability in TFDi Design smart ...) + TODO: check +CVE-2023-33779 (A lateral privilege escalation vulnerability in XXL-Job v2.4.1 allows ...) + TODO: check +CVE-2023-33720 (mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4 ...) + TODO: check +CVE-2023-33440 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitra ...) + TODO: check +CVE-2023-33439 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Inj ...) + TODO: check +CVE-2023-33394 (skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers ...) + TODO: check +CVE-2023-33255 (An issue was discovered in Papaya Viewer 4a42701. User-supplied input ...) + TODO: check +CVE-2023-33247 (Talend Data Catalog remote harvesting server before 8.0-20230413 conta ...) + TODO: check +CVE-2023-33197 (Craft is a CMS for creating custom digital experiences on the web. Cro ...) + TODO: check +CVE-2023-33185 (Django-SES is a drop-in mail backend for Django. The django_ses librar ...) + TODO: check +CVE-2023-32964 (Cross-Site Request Forgery (CSRF) vulnerability in Made with Fuel Bett ...) + TODO: check +CVE-2023-32318 (Nextcloud server provides a home for data. A regression in the session ...) + TODO: check +CVE-2023-2817 (A post-authentication stored cross-site scripting vulnerability exists ...) + TODO: check CVE-2023-2854 [experimental] - wireshark 4.0.6-1~exp1 - wireshark 
@@ -221,7 +247,7 @@ CVE-2023-32697 (SQLite JDBC is a library for accessing and creating SQLite datab CVE-2023-32685 [Clipboard based cross-site scripting (blocked with default CSP)] - kanboard NOTE: https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv -CVE-2023-32681 [ Unintended leak of Proxy-Authorization header] +CVE-2023-32681 (Requests is a HTTP library. Since Requests 2.3.0, Requests has been le ...) - requests (bug #1036693) NOTE: https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q NOTE: Fixed by: https://github.com/psf/requests/commit/74ea7cf7a6a27a4eeb2ae24e162bcc942a6706d5 (v2.31.0) 
@@ -364,21 +390,25 @@ CVE-2023-31689 (In Wcms 0.3.2, an attacker can send a crafted request from a vul CVE-2023-31584 (GitHub repository cu/silicon commit a9ef36 was discovered to contain a ...) NOT-FOR-US: cu/silicon CVE-2023-2840 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) + {DSA-5411-1} - gpac (bug #1036701) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/21926fc2-6eb1-4e24-8a36-e60f487d0257/ NOTE: https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a37 CVE-2023-2839 (Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.) + {DSA-5411-1} - gpac (bug #1036701) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/42dce889-f63d-4ea9-970f-1f20fc573d5f/ NOTE: https://github.com/gpac/gpac/commit/047f96fb39e6bf70cb9f344093f5886e51dce0ac CVE-2023-2838 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) + {DSA-5411-1} - gpac (bug #1036701) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/711e0988-5345-4c01-a2fe-1179604dd07f/ NOTE: https://github.com/gpac/gpac/commit/c88df2e202efad214c25b4e586f243b2038779ba CVE-2023-2837 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) + {DSA-5411-1} - gpac (bug #1036701) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/a6bfd1b2-aba8-4c6f-90c4-e95b1831cb17/ @@ -507,7 +537,7 @@ CVE-2023-2704 (The BP Social Connect plugin for WordPress is vulnerable to authe NOT-FOR-US: WordPress plugin CVE-2023-32515 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Matt ...) NOT-FOR-US: WordPress plugin -CVE-2023-32323 +CVE-2023-32323 (Synapse is an open-source Matrix homeserver written and maintained by ...) - matrix-synapse 1.74.0-1 NOTE: https://matrix.org/blog/2023/05/24/disclosing-synapse-security-advisories/ NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr 
@@ -2025,12 +2055,12 @@ CVE-2023-31229 RESERVED CVE-2023-31228 RESERVED -CVE-2023-31227 - RESERVED -CVE-2023-31226 - RESERVED -CVE-2023-31225 - RESERVED +CVE-2023-31227 (The hwPartsDFR module has a
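Review bot: In the -221 hunk the hand-written working title '[ Unintended leak of Proxy-Authorization header]' on CVE-2023-32681 is replaced by the published description, which is the expected behaviour of the automatic update; the stray space after the opening bracket in the old title shows why a syntax check on working titles would be useful. The entry still reads '- requests (bug #1036693)' with no fixed Debian version while the NOTE records the upstream fix in v2.31.0, so it stays open on the package side.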
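Review bot: The -364 hunk adds '{DSA-5411-1}' to the four gpac entries CVE-2023-2840 down to CVE-2023-2837. The cross-reference is derived from data/DSA/list, so it depends on the 'gpac DSA' commit 5a375365 in this digest having recorded the DSA correctly; the entries keep '[buster] - gpac (EOL in buster LTS)' and have no [bullseye] line, which means bullseye is now considered fixed by the DSA. Worth a quick check that the DSA entry lists a bullseye version for gpac.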
[Git][security-tracker-team/security-tracker][master] dla: sync with lts packages database
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dc6639b by Sylvain Beucler at 2023-05-26T21:52:08+02:00 dla: sync with lts packages database - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -65,7 +65,7 @@ golang-yaml.v2 (sgmoore) NOTE: 20230525: In review with utkarsh. -- hdf5 - NOTE: 20230318: Programming language: C. + NOTE: 20230318: Programming language: C/C++. NOTE: 20230318: VCS: https://salsa.debian.org/lts-team/packages/hdf5.git NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. (utkarsh) NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably @@ -122,7 +122,6 @@ nova -- nvidia-cuda-toolkit NOTE: 20230514: Programming language: binary blobs. - NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/nvidia-cuda-toolkit.git NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have NOTE: 20230514: piled up. (utkarsh) -- @@ -164,7 +163,7 @@ python-oslo.privsep NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue. -- python3.7 - NOTE: 20230220: Programming language: Python. + NOTE: 20230220: Programming language: C, Python. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html NOTE: 20230228: Waiting for actual upstream fix for CVE-2023-24329. (bunk) @@ -194,7 +193,7 @@ rainloop NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/rainloop.git -- ring (Thorsten Alteholz) - NOTE: 20221120: Programming language: C. + NOTE: 20221120: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/ring.git NOTE: 20230507: testing package NOTE: 20230521: an RCE CVE of cups-filter made a mess of the timing 
@@ -234,5 +233,7 @@ sysstat (Sylvain Beucler) NOTE: 20230524: Programming language: C. -- webkit2gtk (Emilio) + Programming language: C++. + VCS: https://salsa.debian.org/webkit-team/webkit.git NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dc6639bcc5a634066eddf01e5ec492ad4b9b43c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dc6639bcc5a634066eddf01e5ec492ad4b9b43c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
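Review bot: In the -122 hunk the line 'NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/nvidia-cuda-toolkit.git' is deleted with no replacement. If the sync dropped it because no such repository exists for a package that is 'binary blobs', say so in a NOTE (for example 'VCS: none') instead of removing the line silently, otherwise the next person to touch the entry will re-add it.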
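Review bot: The -234 hunk adds 'Programming language: C++.' and 'VCS: https://salsa.debian.org/webkit-team/webkit.git' for webkit2gtk as bare lines, while every other entry in the file, including hdf5, python3.7 and ring in this same patch, uses the 'NOTE: YYYYMMDD:' prefix. The sync script should emit the prefixed form; this was repaired by hand in a4fa372b ('dla: fix syntax') later in this digest.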
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-32323/matrix-synapse
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 47d23027 by Salvatore Bonaccorso at 2023-05-26T19:22:38+02:00 Add CVE-2023-32323/matrix-synapse - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -507,6 +507,10 @@ CVE-2023-2704 (The BP Social Connect plugin for WordPress is vulnerable to authe NOT-FOR-US: WordPress plugin CVE-2023-32515 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Matt ...) NOT-FOR-US: WordPress plugin +CVE-2023-32323 + - matrix-synapse 1.74.0-1 + NOTE: https://matrix.org/blog/2023/05/24/disclosing-synapse-security-advisories/ + NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr CVE-2023-32322 (Ombi is an open source application which allows users to request speci ...) NOT-FOR-US: Ombi CVE-2023-32100 (Compiler removal of buffer clearing in sli_se_driver_mac_compute in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47d230276129eb8014ba1aa2f25659518955f383 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47d230276129eb8014ba1aa2f25659518955f383 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
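Review bot: The new CVE-2023-32323 entry has neither a description nor a bracketed working title, and no [bullseye] or [buster] line. Until the automatic update pulls in the CVE text, a working title in the style used elsewhere in data/CVE/list (e.g. 'CVE-2023-32685 [Clipboard based cross-site scripting (blocked with default CSP)]' in this digest) keeps the list readable, and the status of matrix-synapse in the stable suites should be stated explicitly rather than left implicit.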
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-39335/matrix-synapse
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28f828e7 by Salvatore Bonaccorso at 2023-05-26T19:20:43+02:00 Add CVE-2022-39335/matrix-synapse - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58083,6 +58083,9 @@ CVE-2022-39336 RESERVED CVE-2022-39335 RESERVED + - matrix-synapse 1.69.0-1 + NOTE: https://matrix.org/blog/2023/05/24/disclosing-synapse-security-advisories/ + NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-45cj-f97f-ggwv CVE-2022-39334 (Nextcloud also ships a CLI utility called nextcloudcmd which is someti ...) - nextcloud-desktop 3.6.1-1 [bullseye] - nextcloud-desktop (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f828e7417e1c036d93359ced1cfb4b4308f2ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f828e7417e1c036d93359ced1cfb4b4308f2ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
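Review bot: CVE-2022-39335 keeps 'RESERVED' while gaining a fixed version (matrix-synapse 1.69.0-1) and two reference NOTEs. That is acceptable, but the file pairs RESERVED with a bracketed title elsewhere (e.g. 'CVE-2023-28320 [siglongjmp race condition]' in this digest); a title taken from the GHSA-45cj-f97f-ggwv advisory would help, and the context line '[bullseye] - nextcloud-desktop (Minor issue)' on the next entry shows the stable-suite annotation this entry still lacks.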
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-39374
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6957b68d by Salvatore Bonaccorso at 2023-05-26T19:19:02+02:00 Update information for CVE-2022-39374 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -57978,7 +57978,9 @@ CVE-2022-39375 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is NOTE: Only supported behind an authenticated HTTP zone CVE-2022-39374 RESERVED - - matrix-synapse + - matrix-synapse 1.68.0-1 + NOTE: https://matrix.org/blog/2023/05/24/disclosing-synapse-security-advisories/ + NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-p9qp-c452-f9r7 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209956 CVE-2022-39373 (GLPI stands for Gestionnaire Libre de Parc Informatique. GLPI is a Fre ...) - glpi (unimportant) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6957b68d593af236bcd7bc92280860b2e536bd05 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6957b68d593af236bcd7bc92280860b2e536bd05 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
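Review bot: Replacing '- matrix-synapse' with '- matrix-synapse 1.68.0-1' closes the unstable side, and keeping the Red Hat bugzilla NOTE alongside the new advisory links is right. The remaining gap is the stable suites: with no [bullseye] line the entry does not say whether bullseye's matrix-synapse is affected by the GHSA-p9qp-c452-f9r7 issue, and the entry is still marked RESERVED with no working title.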
[Git][security-tracker-team/security-tracker][master] gpac DSA
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a375365 by Aron Xu at 2023-05-26T21:56:16+08:00 gpac DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -365,25 +365,21 @@ CVE-2023-31584 (GitHub repository cu/silicon commit a9ef36 was discovered to con NOT-FOR-US: cu/silicon CVE-2023-2840 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) - gpac (bug #1036701) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/21926fc2-6eb1-4e24-8a36-e60f487d0257/ NOTE: https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a37 CVE-2023-2839 (Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.) - gpac (bug #1036701) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/42dce889-f63d-4ea9-970f-1f20fc573d5f/ NOTE: https://github.com/gpac/gpac/commit/047f96fb39e6bf70cb9f344093f5886e51dce0ac CVE-2023-2838 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) - gpac (bug #1036701) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/711e0988-5345-4c01-a2fe-1179604dd07f/ NOTE: https://github.com/gpac/gpac/commit/c88df2e202efad214c25b4e586f243b2038779ba CVE-2023-2837 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac (bug #1036701) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/a6bfd1b2-aba8-4c6f-90c4-e95b1831cb17/ NOTE: https://github.com/gpac/gpac/commit/6f28c4cd607d83ce381f9b4a9f8101ca1e79c611 
@@ -17830,7 +17826,6 @@ CVE-2023-0867 (Multiple stored and reflected cross-site scripting vulnerabilitie NOT-FOR-US: OpenNMS CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac (bug #1033116) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f NOTE: https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937 @@ -18274,13 +18269,11 @@ CVE-2023-0820 (The User Role by BestWebSoft WordPress plugin before 1.6.7 does n NOT-FOR-US: WordPress plugin CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...) - gpac (bug #1033116) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV.) - gpac (bug #1033116) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff @@ -18848,7 +18841,6 @@ CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7 - ampache CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac (bug #1033116) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd NOTE: https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26 
@@ -30899,31 +30891,26 @@ CVE-2022-47664 (Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_h NOTE: https://github.com/strukturag/libde265/commit/5583f983e012b3870e29190d2b8e43ff6d77a72e (v1.0.10) CVE-2022-47663 (GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow ...) - gpac (bug #1033116) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2360 NOTE: https://github.com/gpac/gpac/commit/e7e8745f677010a5cb3366d5cbf39df7cffaaa2d (v2.2.0) CVE-2022-47662 (GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 has a segment fault (/stack over ...) - gpac (bug #1033116) - [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2359 NOTE: https://github.com/gpac/gpac/commit/080a62728ccd251a7f20eaac3fda21b0716e3c9b (v2.2.0) CVE-2022-47661 (GPAC MP4Box 2.1-DEV-rev649-ga8f438d20 is vulnerable to Buffer Overflow ...) - gpac (bug #1033116) - [bullseye] - gpac
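Review bot: the data/CVE/list hunks drop the "[bullseye] - gpac (Minor issue)" override for at least eleven CVEs (CVE-2023-2840, -2839, -2838, -2837, -0866, -0819, -0818, -0770, CVE-2022-47663, -47662, -47661), but the data/DSA/list and data/dsa-needed.txt changes named in the header are not visible here; confirm the DSA entry's CVE set matches exactly the entries whose overrides were removed, because any CVE dropped from the override list but missing from the DSA will show bullseye as unfixed instead of resolved.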
[Git][security-tracker-team/security-tracker][master] sniproxy DSA
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: 9630370d by Aron Xu at 2023-05-26T21:26:30+08:00 sniproxy DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[26 May 2023] DSA-5413-1 sniproxy - security update + {CVE-2023-25076} + [bullseye] - sniproxy 0.6.0-2+deb11u1 [24 May 2023] DSA-5410-1 sofia-sip - security update {CVE-2022-31001 CVE-2022-31002 CVE-2022-31003 CVE-2022-47516 CVE-2023-22741} [bullseye] - sofia-sip 1.12.11+20110422.1-2.1+deb11u1 = data/dsa-needed.txt = @@ -77,9 +77,6 @@ salt -- samba -- -sniproxy (aron) - Thorsten Alteholz proposed changes for review --- xrdp needs some additional clarification, tentatively DSA worthy maybe upgrade to 0.9.21 within bullseye? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9630370de4787750001217d7161832a605c5b61d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9630370de4787750001217d7161832a605c5b61d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
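Review bot: data/DSA/list records bullseye 0.6.0-2+deb11u1 for CVE-2023-25076 and data/dsa-needed.txt drops sniproxy, but data/CVE/list is not among the changed files; check that the CVE-2023-25076 entry there does not still carry a "[bullseye] - sniproxy ..." override (postponed, no-dsa or similar) that would contradict DSA-5413-1.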
[Git][security-tracker-team/security-tracker][master] Add nvidia-graphics-drivers-legacy-340xx to source packages to ignore for reporting
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9e17fcc by Salvatore Bonaccorso at 2023-05-26T15:21:26+02:00 Add nvidia-graphics-drivers-legacy-340xx to source packages to ignore for reporting NVIDIA will not provide any more updates to the 340xx series, so no point in having it on the list to report issues. This serves as well as a final test for the list update trigger and update for the view. - - - - - 1 changed file: - data/packages/ignored-debian-bug-packages Changes: = data/packages/ignored-debian-bug-packages = @@ -2,4 +2,5 @@ # bugs for Debian unstable. linux -gitlab \ No newline at end of file +gitlab +nvidia-graphics-drivers-legacy-340xx View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9e17fccd513515da31596ee8b89381474f3aad6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e9e17fccd513515da31596ee8b89381474f3aad6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
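Review bot: the "gitlab" line is removed and re-added only because the file previously lacked a trailing newline ("\ No newline at end of file"); the commit message could mention that whitespace fix so the apparent churn on the gitlab entry is not mistaken for a content change when the ignore list is audited later.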
[Git][security-tracker-team/security-tracker] Deleted branch fix_987283
Anton Gladky deleted branch fix_987283 at Debian Security Tracker / security-tracker
[Git][security-tracker-team/security-tracker][master] Deassociate #1033756 bug for new set of issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bbf3603 by Salvatore Bonaccorso at 2023-05-26T14:11:55+02:00 Deassociate #1033756 bug for new set of issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,32 +1,32 @@ CVE-2023-2854 [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-17.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19084 CVE-2023-2856 [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-16.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19083 CVE-2023-2858 [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-15.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19081 CVE-2023-2857 [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark NOTE: https://www.wireshark.org/security/wnpa-sec-2023-13.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19063 CVE-2023-2855 [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-12.html @@ -20157,7 +20157,7 @@ CVE-2023-0669 (Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre- CVE-2023-0668 RESERVED [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-19.html 
@@ -20167,7 +20167,7 @@ CVE-2023-0667 CVE-2023-0666 RESERVED [experimental] - wireshark 4.0.6-1~exp1 - - wireshark (bug #1033756) + - wireshark [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-18.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bbf3603b0659d3bd03db185f9fedbf8a1f6f987 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bbf3603b0659d3bd03db185f9fedbf8a1f6f987 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
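Review bot: after replacing "- wireshark (bug #1033756)" with a bare "- wireshark", the seven entries (CVE-2023-2854 through CVE-2023-2858, CVE-2023-0668, CVE-2023-0666) carry no tracking bug at all; until a new bug is filed and referenced they will be listed as unfixed in unstable with nothing pointing at the pending 4.0.6 upload, so the new bug number should follow in a subsequent commit.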
[Git][security-tracker-team/security-tracker][master] new wireshark issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d2650e8 by Moritz Muehlenhoff at 2023-05-26T13:35:56+02:00 new wireshark issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,36 @@ +CVE-2023-2854 + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-17.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19084 +CVE-2023-2856 + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-16.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19083 +CVE-2023-2858 + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-15.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19081 +CVE-2023-2857 + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-13.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19063 +CVE-2023-2855 + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-12.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19062 CVE-2023-32074 (user_oidc app is an OpenID Connect user backend for Nextcloud. Authent ...) TODO: check CVE-2023-2903 (A vulnerability classified as problematic has been found in NFine Rapi ...) 
@@ -20123,10 +20156,22 @@ CVE-2023-0669 (Fortra (formerly, HelpSystems) GoAnywhere MFT suffers from a pre- NOT-FOR-US: Fortra GoAnywhere MFT CVE-2023-0668 RESERVED + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-19.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19087 CVE-2023-0667 RESERVED CVE-2023-0666 RESERVED + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark (bug #1033756) + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-18.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19085 CVE-2023-0665 (HashiCorp Vault's PKI mount issuer endpoints did not correctly authori ...) NOT-FOR-US: HashiCorp Vault CVE-2023-0664 (A flaw was found in the QEMU Guest Agent service for Windows. A local ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d2650e8e671903bc745cbceccab4274c4358726 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d2650e8e671903bc745cbceccab4274c4358726 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
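Review bot: CVE-2023-2857 is added without the "[bookworm] - wireshark (Minor issue)" and "[bullseye] - wireshark (Minor issue)" overrides that the other six entries in this batch get; if that is deliberate it deserves a NOTE, otherwise the two lines are missing. Separately, the "(bug #1033756)" reference attached to all seven entries belongs to an earlier wireshark batch and is removed again in commit 3bbf3603, so a fresh bug should be filed for this set rather than reusing that number.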
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-46907/jspwiki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce931548 by Salvatore Bonaccorso at 2023-05-26T10:46:28+02:00 Add CVE-2022-46907/jspwiki - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34340,7 +34340,7 @@ CVE-2022-4401 (A vulnerability was found in pallidlight online-course-selection- CVE-2022-4400 (A vulnerability was found in zbl1996 FS-Blog and classified as problem ...) NOT-FOR-US: zbl1996 FS-Blog CVE-2022-46907 (A carefully crafted request on several JSPWiki plugins could trigger a ...) - TODO: check + - jspwiki CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been rated ...) - nodau 0.3.8-5 (unimportant) NOTE: https://github.com/TicklishHoneyBee/nodau/commit/7a7d737a3929f335b9717ddbd31db91151b69ad2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce931548ee0cdf57d8fb8265c5053ad934996e73 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce931548ee0cdf57d8fb8265c5053ad934996e73 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
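Review bot: the replacement line "- jspwiki" carries neither a fixed version nor a "(bug #NNNN)" reference, so CVE-2022-46907 will be listed as unfixed in unstable with nothing tracking the pending fix; add the bug number once filed, or the fixed version if one is already in the archive, and a NOTE pointing at the upstream advisory would help triage.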
[Git][security-tracker-team/security-tracker][master] Add one CVE for cilium, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f1de484 by Salvatore Bonaccorso at 2023-05-26T10:45:41+02:00 Add one CVE for cilium, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3147,7 +3147,7 @@ CVE-2023-30853 (Gradle Build Action allows users to execute a Gradle Build in th CVE-2023-30852 (Pimcore is an open source data and experience management platform. Pri ...) NOT-FOR-US: Pimcore CVE-2023-30851 (Cilium is a networking, observability, and security solution with an e ...) - TODO: check + - cilium (bug #858303) CVE-2023-30850 (Pimcore is an open source data and experience management platform. Pri ...) NOT-FOR-US: Pimcore CVE-2023-30849 (Pimcore is an open source data and experience management platform. Pri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f1de48410ccc4442059bd05fd44ef2dbd503ca9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f1de48410ccc4442059bd05fd44ef2dbd503ca9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
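Review bot: for a package that is only ITP'ed, the tracker convention is "- cilium <itp> (bug #858303)"; without the "<itp>" marker the entry reads as an unfixed issue in a package already in unstable rather than one not yet in the archive, which changes how the issue is reported.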
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3566997 by Salvatore Bonaccorso at 2023-05-26T10:37:47+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-32074 (user_oidc app is an OpenID Connect user backend for Nextcloud. Authent ...) TODO: check CVE-2023-2903 (A vulnerability classified as problematic has been found in NFine Rapi ...) - TODO: check + NOT-FOR-US: NFine Rapid Development Platform CVE-2023-2902 (A vulnerability was found in NFine Rapid Development Platform 20230511 ...) - TODO: check + NOT-FOR-US: NFine Rapid Development Platform CVE-2023-2901 (A vulnerability was found in NFine Rapid Development Platform 20230511 ...) - TODO: check + NOT-FOR-US: NFine Rapid Development Platform CVE-2023-2900 (A vulnerability was found in NFine Rapid Development Platform 20230511 ...) - TODO: check + NOT-FOR-US: NFine Rapid Development Platform CVE-2023-33751 (A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allo ...) NOT-FOR-US: mipjz CVE-2023-33750 (A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allo ...) @@ -165,7 +165,7 @@ CVE-2023-2873 (A vulnerability classified as critical was found in Twister Antiv CVE-2023-2872 (A vulnerability classified as problematic has been found in FlexiHub 5 ...) NOT-FOR-US: FlexiHub CVE-2023-2871 (A vulnerability was found in FabulaTech USB for Remote Desktop 6.1.0.0 ...) - TODO: check + NOT-FOR-US: FabulaTech USB for Remote Desktop CVE-2023-2870 (A vulnerability was found in EnTech Monitor Asset Manager 2.9. It has ...) NOT-FOR-US: EnTech Monitor Asset Manager CVE-2023-2868 (A remote command injection vulnerability exists in the Barracuda Email ...) 
@@ -4484,7 +4484,7 @@ CVE-2023-30486 CVE-2023-30485 RESERVED CVE-2023-30484 (Cross-Site Request Forgery (CSRF) vulnerability in uPress Enable Acces ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-30483 RESERVED CVE-2023-30482 @@ -6165,7 +6165,7 @@ CVE-2023-29723 CVE-2023-29722 RESERVED CVE-2023-29721 (SofaWiki <= 3.8.9 has a file upload vulnerability that leads to comman ...) - TODO: check + NOT-FOR-US: SofaWiki CVE-2023-29720 (SofaWiki <=3.8.9 is vulnerable to Cross Site Scripting (XSS) via index ...) NOT-FOR-US: SofaWiki CVE-2023-29719 @@ -13444,7 +13444,7 @@ CVE-2023-1160 (Use of Platform-Dependent Third Party Components in GitHub reposi CVE-2023-1159 RESERVED CVE-2023-1158 (Hitachi Vantara Pentaho Business Analytics Server versions before 9.4. ...) - TODO: check + NOT-FOR-US: Hitachi Vantara Pentaho Business Analytics Server CVE-2023-1157 (A vulnerability, which was classified as problematic, was found in fin ...) NOT-FOR-US: Finixbit elf-parser CVE-2023-1156 (A vulnerability classified as problematic was found in SourceCodester ...) @@ -18994,9 +18994,9 @@ CVE-2022-48317 (Expired sessions were not securely terminated in the RestAPI for CVE-2023-25600 RESERVED CVE-2023-25599 (A vulnerability in the conferencing component of Mitel MiVoice Connect ...) - TODO: check + NOT-FOR-US: Mitel CVE-2023-25598 (A vulnerability in the conferencing component of Mitel MiVoice Connect ...) - TODO: check + NOT-FOR-US: Mitel CVE-2023-25597 (A vulnerability in the web conferencing component of Mitel MiCollab th ...) NOT-FOR-US: Mitel CVE-2023-25596 (A vulnerability exists in ClearPass Policy Manager that allows for an ...) 
@@ -19493,7 +19493,7 @@ CVE-2023-25441 CVE-2023-25440 (Stored Cross Site Scripting (XSS) vulnerability in the add contact fun ...) - civicrm (bug #1036695) CVE-2023-25439 (Stored Cross Site Scripting (XSS) vulnerability in Square Pig FusionIn ...) - TODO: check + NOT-FOR-US: Square Pig FusionInvoice CVE-2023-25438 (An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote at ...) NOT-FOR-US: MilleGP5 CVE-2023-25437 (An issue was discovered in vTech VCS754 version 1.1.1.A before 1.1.1.H ...) @@ -28599,7 +28599,7 @@ CVE-2023-22506 CVE-2023-22505 RESERVED CVE-2023-22504 (Affected versions of Atlassian Confluence Server allow remote attacker ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2023-22503 (Affected versions of Atlassian Confluence Server and Data Center allow ...) NOT-FOR-US: Atlassian CVE-2023-22502 @@ -29383,7 +29383,7 @@ CVE-2022-4817 (A vulnerability was found in centic9 jgit-cookbook. It has been d CVE-2022-4816 (A denial-of-service vulnerability has been identified in Lenovo Safece ...) NOT-FOR-US: Lenovo CVE-2022-4815 (Hitachi Vantara Pentaho Business Analytics Server versions before 9.4. ...) -
[Git][security-tracker-team/security-tracker][master] Remove libbson duplicate entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: feaf86e5 by Salvatore Bonaccorso at 2023-05-26T10:23:31+02:00 Remove libbson duplicate entry The package was removed multiple time, leaving the set of supported suites, reintroduced, removed again. We did not catch that properly in past leading to two entries, which do not harm, but lets clean up the list. - - - - - 1 changed file: - data/packages/removed-packages Changes: = data/packages/removed-packages = @@ -941,4 +941,3 @@ rust-crossbeam-utils-0.7 mariadb-10.6 cgminer rust-ncurses -libbson View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/feaf86e51824c5885620372f1d82fc677e5bba23 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/feaf86e51824c5885620372f1d82fc677e5bba23 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
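Review bot: only the trailing "libbson" line is removed, and the three context lines of the hunk do not show the surviving libbson entry, so confirm the remaining entry is still present further up in data/packages/removed-packages and that its position still reflects the latest removal described in the commit message.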
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b1967da by security tracker role at 2023-05-26T08:12:01+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2023-32074 (user_oidc app is an OpenID Connect user backend for Nextcloud. Authent ...) + TODO: check +CVE-2023-2903 (A vulnerability classified as problematic has been found in NFine Rapi ...) + TODO: check +CVE-2023-2902 (A vulnerability was found in NFine Rapid Development Platform 20230511 ...) + TODO: check +CVE-2023-2901 (A vulnerability was found in NFine Rapid Development Platform 20230511 ...) + TODO: check +CVE-2023-2900 (A vulnerability was found in NFine Rapid Development Platform 20230511 ...) + TODO: check CVE-2023-33751 (A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allo ...) NOT-FOR-US: mipjz CVE-2023-33750 (A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allo ...) @@ -354,7 +364,7 @@ CVE-2023-2587 (Teltonika\u2019s Remote Management System versions prior to 4.10. NOT-FOR-US: Teltonika CVE-2023-2586 (Teltonika\u2019s Remote Management System versions 4.14.0 is vulnerabl ...) NOT-FOR-US: Teltonika -CVE-2023-32067 +CVE-2023-32067 (c-ares is an asynchronous resolver library. c-ares is vulnerable to de ...) [experimental] - c-ares 1.19.1-1 - c-ares NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc 
@@ -456,7 +466,7 @@ CVE-2023-2814 (A vulnerability classified as problematic has been found in Sourc NOT-FOR-US: SourceCodester Class Scheduling System CVE-2023-2806 (A vulnerability classified as problematic was found in Weaver e-cology ...) NOT-FOR-US: Weaver e-cology -CVE-2023-2804 +CVE-2023-2804 (A heap-based buffer overflow issue was discovered in libjpeg-turbo in ...) - libjpeg-turbo (Vulnerable code not present) NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/675 NOTE: https://github.com/libjpeg-turbo/libjpeg-turbo/commit/9f756bc67a84d4566bf74a0c2432aa55da404021 @@ -2237,8 +2247,7 @@ CVE-2023-31149 (An Improper Input Validation vulnerability in the Schweitzer E NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31148 (An Improper Input Validation vulnerability in the Schweitzer Enginee ...) NOT-FOR-US: Schweitzer Engineering Laboratories -CVE-2023-31147 - RESERVED +CVE-2023-31147 (c-ares is an asynchronous resolver library. When /dev/urandom or RtlGe ...) [experimental] - c-ares 1.19.1-1 - c-ares (unimportant) NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2 @@ -2278,8 +2287,7 @@ CVE-2023-31132 RESERVED CVE-2023-31131 (Greenplum Database (GPDB) is an open source data warehouse based on Po ...) NOT-FOR-US: Greenplum Database -CVE-2023-31130 - RESERVED +CVE-2023-31130 (c-ares is an asynchronous resolver library. ares_inet_net_pton() is vu ...) [experimental] - c-ares 1.19.1-1 - c-ares NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v 
@@ -2294,8 +2302,7 @@ CVE-2023-31126 (`org.xwiki.commons:xwiki-commons-xml` is an XML library used by NOT-FOR-US: org.xwiki.commons:xwiki-commons-xml CVE-2023-31125 (Engine.IO is the implementation of transport-based cross-browser/cross ...) NOT-FOR-US: Engine.IO -CVE-2023-31124 - RESERVED +CVE-2023-31124 (c-ares is an asynchronous resolver library. When cross-compiling c-are ...) [experimental] - c-ares 1.19.1-1 - c-ares (unimportant) NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b1967daf5c957b2d562b128123442ca73a1e752 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b1967daf5c957b2d562b128123442ca73a1e752 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits