[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2022-42964/pymatgen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18cfb647 by Salvatore Bonaccorso at 2023-06-27T07:49:37+02:00 Track fixed version via unstable for CVE-2022-42964/pymatgen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52260,7 +52260,7 @@ CVE-2022-42966 (An exponential ReDoS (Regular Expression Denial of Service) can CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) NOT-FOR-US: snowflake-connector-python CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - - pymatgen (bug #1024017) + - pymatgen 2023.06.23+dfsg1-1 (bug #1024017) [bookworm] - pymatgen (Minor issue) NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/ NOTE: https://github.com/materialsproject/pymatgen/issues/2755 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18cfb647ca5944f13d1128d0297b610ea5ef6614 -- You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
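Review bot: the fixed version 2023.06.23+dfsg1-1 is now recorded for unstable, but the entry's NOTE lines still point only at the JFrog write-up and upstream issue #2755, not at the change that fixed the regular expression, so the "fixed in 2023.06.23" claim cannot be checked from the entry alone; add a NOTE with the upstream fix reference (commit or release notes). The "[bookworm] - pymatgen (Minor issue)" line is unchanged, which is a reasonable call for a ReDoS in a materials-science library, but it is worth re-reading it now that a fixed upstream release exists.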
[Git][security-tracker-team/security-tracker][master] Track proposed update for cups via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9165c292 by Salvatore Bonaccorso at 2023-06-27T07:23:01+02:00 Track proposed update for cups via bullseye-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -117,3 +117,7 @@ CVE-2022-32546 [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 CVE-2023-34969 [bullseye] - dbus 1.12.28-0+deb11u1 +CVE-2023-34241 + [bullseye] - cups 2.3.3op2-3+deb11u3 +CVE-2023-32324 + [bullseye] - cups 2.3.3op2-3+deb11u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9165c2925cc3d9061b85f1963425bd2bb69b881b
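Review bot: the two new entries list CVE-2023-34241 before CVE-2023-32324, while the bookworm-pu commit that tracks the same two fixes lists them the other way round; keep both files in the same order so the 2.3.3op2-3+deb11u3 and 2.4.2-3+deb12u1 uploads can be cross-checked line by line. Since next-oldstable-point-update.txt only records the target version, also confirm that data/CVE/list carries the matching "[bullseye] - cups <no-dsa>" style annotations for both CVEs, otherwise the tracker will keep showing them as open for bullseye until the point release lands.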
[Git][security-tracker-team/security-tracker][master] Track proposed update for cups via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 38a521b6 by Salvatore Bonaccorso at 2023-06-27T07:21:42+02:00 Track proposed update for cups via bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -22,3 +22,7 @@ CVE-2023-32697 [bookworm] - xerial-sqlite-jdbc 3.40.1.0+dfsg-1+deb12u1 CVE-2023-32668 [bookworm] - texlive-bin 2022.20220321.62855-5.1+deb12u1 +CVE-2023-32324 + [bookworm] - cups 2.4.2-3+deb12u1 +CVE-2023-34241 + [bookworm] - cups 2.4.2-3+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38a521b6215e884b51d082b55f81b2382491613f
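Review bot: the CVE order here (CVE-2023-32324, then CVE-2023-34241) is the reverse of the bullseye-pu commit made two minutes later for the same two cups fixes; pick one order for both next-point-update.txt and next-oldstable-point-update.txt. The version 2.4.2-3+deb12u1 is used for both entries, which is correct when one upload fixes both issues.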
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: c6287148 by Roberto C. Sánchez at 2023-06-26T19:51:05-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@debian.org - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,7 +38,7 @@ debian-archive-keyring (jspricke) NOTE: 20230619: Add bookworm keys as in #1033157; see DLA-2948-1 for a similar update NOTE: 20230619: See also https://lists.debian.org/debian-lts/2021/08/msg00037.html for context (Beuc/front-desk) -- -docker-registry (rouca) +docker-registry NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230608: Waiting for review (rouca) -- @@ -54,7 +54,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -erlang (Markus Koschany) +erlang NOTE: 20221119: Added by Front-Desk (ta) NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- @@ -62,7 +62,7 @@ flatpak NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -fusiondirectory (Abhijith PA) +fusiondirectory NOTE: 20221203: Added by Front-Desk (gladk) NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk). @@ -73,7 +73,7 @@ fusiondirectory (Abhijith PA) glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) -- -golang-yaml.v2 (sgmoore) +golang-yaml.v2 NOTE: 20230125: Added by Front-Desk (gladk) NOTE: 20230525: In review with utkarsh. -- 
@@ -105,7 +105,7 @@ libapache2-mod-auth-openidc (gladk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- -libreoffice (Abhijith PA) +libreoffice NOTE: 20230530: Added by Front-Desk (pochu) -- libusrsctp (rouca) @@ -128,21 +128,21 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nvidia-cuda-toolkit (tobi) +nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have NOTE: 20230514: piled up. (utkarsh) -- -openimageio (gladk) +openimageio NOTE: 20230406: Re-added due to regressions (apo) NOTE: 20230612: Backporting is mostly done, but still some failures. -- -openjdk-11 (Emilio) +openjdk-11 NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid update (pochu) NOTE: 20230612: sid updated, preparing backport (pochu) -- -php-cas (tobi) +php-cas NOTE: 20221105: Added by Front-Desk (ola) NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) NOTE: 20221107: php-cas only has 2 reverse-deps in buster (fusiondirectory, ocsinventory-reports), @@ -223,7 +223,7 @@ salt NOTE: 20220814: I am not sure, whether it is possible to fix issues NOTE: 20220814: without backporting a newer verion. (Anton) -- -samba (Lee Garrett) +samba NOTE: 20220904: Added by Front-Desk (apo) NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee) 
@@ -249,7 +249,7 @@ trafficserver (Adrian Bunk) NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low prio due to the few number of users. -- -webkit2gtk (Emilio) +webkit2gtk NOTE: 20230512: Re-added (pochu) NOTE: 20230512: checking if upgrade to 2.40.x is possible, otherwise we'll have to EOL webkit (pochu) NOTE: 20230529: made some progress on the backport, but there are still some blockers, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6287148b6665880ede66401c40d18a2d24e7a13
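Review bot: the unclaim drops the claimant from eleven entries (docker-registry, erlang, fusiondirectory, golang-yaml.v2, libreoffice, nvidia-cuda-toolkit, openimageio, openjdk-11, php-cas, samba, webkit2gtk) but leaves no trace of when or why, although the file's own convention is a dated "NOTE: YYYYMMDD: ..." line per event; add something like "NOTE: 20230626: unclaimed after 2 weeks of inactivity (roberto)" to each affected entry so the next person sees the history instead of an apparently never-claimed package. Three of the dropped claims look active rather than stale and deserve a word with the previous claimant first: openjdk-11 has "NOTE: 20230612: sid updated, preparing backport (pochu)" and openimageio has "NOTE: 20230612: Backporting is mostly done", both exactly at the two-week boundary, and golang-yaml.v2 is "In review with utkarsh" per the 20230525 note, so unclaiming it may lose the reviewer context.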
[Git][security-tracker-team/security-tracker][master] LTS: claim symfony and lemonldap-ng in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 237fbc97 by Guilhem Moulin at 2023-06-26T23:17:50+02:00 LTS: claim symfony and lemonldap-ng in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,7 +97,7 @@ imagemagick (rouca) NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) -- -lemonldap-ng +lemonldap-ng (guilhem) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + unreferenced URL validation bypass) (Beuc/front-desk) -- @@ -234,7 +234,7 @@ suricata NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), NOTE: 20230620: and possibly issue a DSA with a few CVEs that were fixed in later dists (Beuc/front-desk) -- -symfony +symfony (guilhem) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) + 1 other postponed CVE (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/237fbc97cc3f4996507e86a71c2e0eded5059a56
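Review bot: one thing to settle while preparing the lemonldap-ng update is the "unreferenced URL validation bypass" in the 20230620 NOTE, which has neither a CVE nor an upstream commit reference in the entry; record the upstream commit (or request a CVE) before the DLA text is drafted, otherwise the advisory has nothing to cite for that second fix. For symfony, the note mentions "1 other postponed CVE" without naming it, so a dated NOTE naming the CVE and saying whether it is included in this update would help whoever reviews the DLA.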
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f7a6940 by Salvatore Bonaccorso at 2023-06-26T22:35:35+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-3398 (Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.) - TODO: check + NOT-FOR-US: jgraph/drawio CVE-2023-3113 (An unauthenticated XML external entity injection (XXE) vulnerability e ...) TODO: check CVE-2023-36631 (Lack of access control in wfc.exe in Malwarebytes Binisoft Windows Fir ...) - TODO: check + NOT-FOR-US: Malwarebytes Binisoft Windows Firewall Control CVE-2023-36301 (Talend Data Catalog before 8.0-20230221 contain a directory traversal ...) - TODO: check + NOT-FOR-US: Talend Data Catalog CVE-2023-36252 (An issue in Ateme Flamingo XL v.3.6.20 and XS v.3.6.5 allows a remote ...) - TODO: check + NOT-FOR-US: Ateme Flamingo XL CVE-2023-35933 (OPenFGA is an open source authorization/permission engine built for de ...) TODO: check CVE-2023-35930 (SpiceDB is an open source, Google Zanzibar-inspired, database system f ...) 
@@ -23,11 +23,11 @@ CVE-2023-34420 (A valid, authenticated LXCA user with elevated privileges may be CVE-2023-34418 (A valid, authenticated LXCA user may be able to gain unauthorized acce ...) TODO: check CVE-2023-33580 (Phpgurukul Student Study Center Management System V1.0 is vulnerable t ...) - TODO: check + NOT-FOR-US: Phpgurukul Student Study Center Management System CVE-2023-33404 (An Unrestricted Upload vulnerability, due to insufficient validation o ...) TODO: check CVE-2023-33176 (BigBlueButton is an open source virtual classroom designed to help tea ...) - TODO: check + NOT-FOR-US: BigBlueButton CVE-2023-2993 (A valid, authenticated user with limited privileges may be able to use ...) TODO: check CVE-2023-2992 (An unauthenticated denial of service vulnerability exists in the SMM v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f7a6940172fe60f097c16fca4c1c07fb0c3cf31
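Review bot: the NOT-FOR-US label for CVE-2023-36252 names only "Ateme Flamingo XL" while the description covers "Flamingo XL v.3.6.20 and XS v.3.6.5"; "Ateme Flamingo XL/XS" would match the description and avoid a second look when someone greps for the XS model. The six NFU calls themselves are consistent with the descriptions. The entries left at "TODO: check" in these two hunks (CVE-2023-3113, the OpenFGA and SpiceDB advisories CVE-2023-35933 and CVE-2023-35930, the LXCA issues CVE-2023-34420 and CVE-2023-34418, CVE-2023-33404, CVE-2023-2993, CVE-2023-2992) still need triage.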
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ebe96281 by Salvatore Bonaccorso at 2023-06-26T22:18:40+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10380,7 +10380,7 @@ CVE-2023-29436 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi CVE-2023-29435 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) TODO: check CVE-2023-29434 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Fanc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-29433 RESERVED CVE-2023-29432 @@ -60177,7 +60177,7 @@ CVE-2022-40012 CVE-2022-40011 (Cross Site Scripting (XSS) vulnerability in typora through 1.38 allows ...) NOT-FOR-US: typora CVE-2022-40010 (Tenda AC6 AC1200 Smart Dual-Band WiFi Router 15.03.06.50_multi was dis ...) - TODO: check + NOT-FOR-US: Tenda CVE-2022-40009 (SWFTools commit 772e55a was discovered to contain a heap-use-after-fre ...) - swftools NOTE: https://github.com/matthiaskramm/swftools/issues/190 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebe96281b44bdbe8c0c224c48a62c7d1c2816788
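Review bot: "NOT-FOR-US: Tenda" for CVE-2022-40010 is terser than the neighbouring labels, which name the product (the description gives "Tenda AC6 AC1200 Smart Dual-Band WiFi Router"); naming the model keeps vendor-specific lookups in data/CVE/list useful. The "NOT-FOR-US: WordPress plugin" label for CVE-2023-29434 follows the existing convention for the CVE-2023-2289 entry and is fine; CVE-2023-29435 and CVE-2023-29436 directly above it are still "TODO: check" and look like the same family of plugin XSS reports.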
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe9c1b5a by security tracker role at 2023-06-26T20:12:34+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,37 @@ +CVE-2023-3398 (Denial of Service in GitHub repository jgraph/drawio prior to 18.1.3.) + TODO: check +CVE-2023-3113 (An unauthenticated XML external entity injection (XXE) vulnerability e ...) + TODO: check +CVE-2023-36631 (Lack of access control in wfc.exe in Malwarebytes Binisoft Windows Fir ...) + TODO: check +CVE-2023-36301 (Talend Data Catalog before 8.0-20230221 contain a directory traversal ...) + TODO: check +CVE-2023-36252 (An issue in Ateme Flamingo XL v.3.6.20 and XS v.3.6.5 allows a remote ...) + TODO: check +CVE-2023-35933 (OPenFGA is an open source authorization/permission engine built for de ...) + TODO: check +CVE-2023-35930 (SpiceDB is an open source, Google Zanzibar-inspired, database system f ...) + TODO: check +CVE-2023-35170 (Sliver is an open source cross-platform adversary emulation/red team f ...) + TODO: check +CVE-2023-34422 (A valid, authenticated LXCA user with elevated privileges may be able ...) + TODO: check +CVE-2023-34421 (A valid, authenticated LXCA user with elevated privileges may be able ...) + TODO: check +CVE-2023-34420 (A valid, authenticated LXCA user with elevated privileges may be able ...) + TODO: check +CVE-2023-34418 (A valid, authenticated LXCA user may be able to gain unauthorized acce ...) + TODO: check +CVE-2023-33580 (Phpgurukul Student Study Center Management System V1.0 is vulnerable t ...) + TODO: check +CVE-2023-33404 (An Unrestricted Upload vulnerability, due to insufficient validation o ...) + TODO: check +CVE-2023-33176 (BigBlueButton is an open source virtual classroom designed to help tea ...) + TODO: check +CVE-2023-2993 (A valid, authenticated user with limited privileges may be able to use ...) + TODO: check +CVE-2023-2992 (An unauthenticated denial of service vulnerability exists in the SMM v ...) + TODO: check CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...) - mediawiki NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/921452 
@@ -982,7 +1016,7 @@ CVE-2023- [RUSTSEC-2023-0038: Out-of-bounds array access leads to panic] CVE-2023-3193 (Cross-site scripting (XSS) vulnerability in the Layout module's SEO co ...) NOT-FOR-US: Liferay CVE-2023-3138 [Buffer overflows in InitExt.c in libX11] - {DSA-5433-1} + {DSA-5433-1 DLA-3472-1} - libx11 2:1.8.6-1 (bug #1038133) NOTE: https://www.openwall.com/lists/oss-security/2023/06/15/2 NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/304a654a0d57bf0f00d8998185f0360332cfa36c @@ -1380,7 +1414,8 @@ CVE-2023-29167 (Out-of-bound reads vulnerability exists in FRENIC RHC Loader v1. NOT-FOR-US: FRENIC RHC Loader CVE-2023-29160 (Stack-based buffer overflow vulnerability exists in FRENIC RHC Loader ...) NOT-FOR-US: FRENIC RHC Loader -CVE-2023-36661 [Parsing of KeyInfo elements can cause remote resource access] +CVE-2023-36661 (Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth ...) + {DSA-5432-1 DLA-3464-1} - xmltooling 3.2.4-1 (bug #1037948) NOTE: https://shibboleth.net/community/advisories/secadv_20230612.txt NOTE: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=6080f6343f98fec085bc0fd746913ee418cc9d30 @@ -5391,8 +5426,8 @@ CVE-2023-2292 RESERVED CVE-2023-2291 (Static credentials exist in the PostgreSQL data used in ManageEngine A ...) NOT-FOR-US: Zoho -CVE-2023-2290 - RESERVED +CVE-2023-2290 (A potential vulnerability in the LenovoFlashDeviceInterface SMI handle ...) + TODO: check CVE-2023-2289 (The wordpress vertical image slider plugin for WordPress is vulnerable ...) NOT-FOR-US: WordPress plugin CVE-2023-2288 (The Otter WordPress plugin before 2.2.6 does not sanitize some user-co ...) 
@@ -7673,8 +7708,8 @@ CVE-2023-2006 (A race condition was found in the Linux kernel's RxRPC network pr [buster] - linux (Vulnerable code not present) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-439/ NOTE: https://git.kernel.org/linus/3bcd6c7eaa53b56c3f584da46a1f7652e759d0e5 (6.1-rc7) -CVE-2023-2005 - RESERVED +CVE-2023-2005 (Vulnerability in Tenable Tenable.Io, Tenable Nessus, Tenable Security ...) + TODO: check CVE-2023-2004 REJECTED CVE-2023-2003 @@ -8388,8 +8423,8 @@ CVE-2023-30263 RESERVED CVE-2023-30262 (An issue found in MIM software Inc MIM License Server and MIMpacs serv ...) NOT-FOR-US: MIM software Inc MIM License
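Review bot: the CVE-2023-36661 hunk is the one to look at: it replaces the placeholder title "[Parsing of KeyInfo elements can cause remote resource access]" with the published description and adds "{DSA-5432-1 DLA-3464-1}", and the CVE-2023-3138 hunk adds DLA-3472-1, which was reserved in the libx11 commit earlier the same day, so both cross-references agree with data/DLA/list. The first hunk adds seventeen "TODO: check" entries and the later hunks move CVE-2023-2290 (LenovoFlashDeviceInterface SMI handler) and CVE-2023-2005 (Tenable) from RESERVED to "TODO: check"; the "Process some NFUs" commit that follows handles six of the seventeen, the rest still need manual triage. The last hunk (@@ -8388,8 +8423,8 @@) is cut off after "NOT-FOR-US: MIM software Inc MIM License", so the remainder of this commit's diff is not visible on this page.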
[Git][security-tracker-team/security-tracker][master] LTS: take libapache2-mod-auth-openidc
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a751704 by Anton Gladky at 2023-06-26T21:58:26+02:00 LTS: take libapache2-mod-auth-openidc - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -101,7 +101,7 @@ lemonldap-ng NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow 2 fixes from bullseye 11.7 (CVE-2023-28862 + unreferenced URL validation bypass) (Beuc/front-desk) -- -libapache2-mod-auth-openidc +libapache2-mod-auth-openidc (gladk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a7517046ac19feb90f3f8a069f7799f01967011
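Review bot: the entry's NOTE lists "Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191"; when taking it, decide explicitly whether the postponed CVE-2021-39191 is folded into the same DLA or stays postponed, and record that decision as a dated NOTE so the eventual DLA text and the [buster] annotation in data/CVE/list agree.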
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-36664/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de731b8e by Salvatore Bonaccorso at 2023-06-26T21:41:37+02:00 Update information for CVE-2023-36664/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,10 +5,13 @@ CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x thro CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) NOT-FOR-US: INEX IXP-Manager CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission validation f ...) - - ghostscript + - ghostscript 10.01.2~dfsg-1 NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706761 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706778 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=5e65eeae225c7d02d447de5abaf4a8e6d234fcea (ghostpdl-10.01.2) + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=fb342fdb60391073a69147cb71af1ac416a81099 (ghostpdl-10.01.2) CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows ...) NOT-FOR-US: it-novum openITCOCKPIT (aka open IT COCKPIT) CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de731b8e94d75debea2b3a7baf34e25dfc019b4f
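Review bot: the entry now marks 10.01.2~dfsg-1 as the fixed version while the description says Ghostscript "through 10.01.2" is affected; the two newly added commits are tagged "(ghostpdl-10.01.2)" but the two earlier ones (505eab7782b4 and 0974e4f2ac00) carry no release tag, so the entry does not say whether 10.01.2 contains all four fixes or whether the Debian package counts as fixed for another reason. Tag the untagged commits with the first release that contains them, or add a NOTE stating why 10.01.2~dfsg-1 is considered fixed, so the bookworm and bullseye assessment that the preceding dsa-needed commit kicks off starts from an unambiguous baseline; the second upstream bug (706778) should likewise get a word on how it relates to 706761.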
[Git][security-tracker-team/security-tracker][master] Add ghostscript to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b8ce9c0 by Salvatore Bonaccorso at 2023-06-26T21:33:49+02:00 Add ghostscript to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,6 +16,8 @@ aom/oldstable -- cinder/oldstable -- +ghostscript (carnil) +-- gpac/oldstable (jmm) -- linux (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b8ce9c074ee290403017cddbe524c4aee6f9470
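Review bot: the new entry is "ghostscript (carnil)" with no release suffix, whereas the surrounding entries distinguish "aom/oldstable", "cinder/oldstable" and "gpac/oldstable (jmm)"; if bullseye also needs an update for CVE-2023-36664 the file's convention calls for a separate "ghostscript/oldstable" line, and if it does not, a short note saying so saves the question being asked again. A NOTE naming the CVE would also help, since the entry on its own does not say which issue the DSA is for.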
[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2023-36660/nettle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 316f9243 by Salvatore Bonaccorso at 2023-06-26T21:24:05+02:00 Correct tracking for CVE-2023-36660/nettle I had wrongly marked it as already fixed in unstable, but the upload landed in experimental, and we still need a fix for unstable and trixie. Fixes: add5dd619ffa (Add CVE-2023-36660/nettle) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14,7 +14,8 @@ CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) NOT-FOR-US: Atlassian CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) - - nettle 3.9.1-1 + [experimental] - nettle 3.9.1-1 + - nettle [bookworm] - nettle (Vulnerable code not present) [bullseye] - nettle (Vulnerable code not present) [buster] - nettle (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/316f9243a6bf4f6cb4737ec3cc2857be9e10bf90
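Review bot: the corrected entry leaves "- nettle" open for unstable/trixie with no bug reference; the other open entries on this page (cpp-httplib, python-tornado) carry a "(bug #...)" reference, so file or record the src:nettle bug for CVE-2023-36660 on that line. The "[experimental] - nettle 3.9.1-1" line correctly records that the upload went to experimental rather than unstable, and the three "Vulnerable code not present" annotations are consistent with the description, which limits the issue to the OCB feature introduced in Nettle 3.9.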
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-28370/python-tornado
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2565706 by Salvatore Bonaccorso at 2023-06-26T21:20:37+02:00 Track fixed version for CVE-2023-28370/python-tornado - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3291,7 +3291,7 @@ CVE-2023-2500 (The Go Pricing - WordPress Responsive Pricing Tables plugin for W CVE-2023-2480 (Missing access permissions checks in M-Files Client before 23.5.12598. ...) NOT-FOR-US: M-Files CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlier allo ...) - - python-tornado (bug #1036875) + - python-tornado 6.3.2-1 (bug #1036875) [bookworm] - python-tornado (Minor issue) [bullseye] - python-tornado (Minor issue) [buster] - python-tornado (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c25657064985bb7816e9e4392627b2427091b902
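Review bot: the fixed version 6.3.2-1 matches the description ("6.3.1 and earlier" affected), but the entry carries only the Debian bug reference and no NOTE pointing at the upstream change for the open redirect; a NOTE with the Tornado commit or release notes would let the three "(Minor issue)" release annotations be re-checked against the actual fix when a point update is considered.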
[Git][security-tracker-team/security-tracker][master] Reference upstream question for CVE-2021-43519
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b40cdbb by Salvatore Bonaccorso at 2023-06-26T21:02:06+02:00 Reference upstream question for CVE-2021-43519 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -122937,6 +122937,7 @@ CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5 NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00015.html NOTE: Fixed by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868 (v5.4.4) NOTE: Likely introduced by https://github.com/lua/lua/commit/287b302acb8d925178e9edb800f0a8d18c7d35f6 + NOTE: Cf. http://lua-users.org/lists/lua-l/2023-06/msg00059.html CVE-2021-43518 (Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. ...) - teeworlds 0.7.5-2 (bug #1009070) [bullseye] - teeworlds (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b40cdbb231869b0dd3233bc413535fe008402dc
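Review bot: the new "NOTE: Cf. ..." line says nothing about what the linked lua-l thread is (the commit subject calls it an upstream question), while the existing NOTEs in this entry each state their role ("Fixed by:", "Likely introduced by"); give this one the same treatment by stating in the NOTE what was asked upstream, otherwise the link is opaque to the next person triaging CVE-2021-43519 for the older Lua branches.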
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 826bb966 by Moritz Muehlenhoff at 2023-06-26T18:43:04+02:00 bullseye/bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1021,9 +1021,9 @@ CVE-2023-3040 (A debug function in the lua-resty-json package, up to commit id 3 CVE-2023-3036 (An unchecked read in NTP server in github.com/cloudflare/cfnts prior t ...) NOT-FOR-US: cfnts CVE-2023-35116 (An issue was discovered jackson-databind thru 2.15.2 allows attackers ...) - - jackson-databind - [buster] - jackson-databind (Minor issue) + NOTE: Disputed jackson-databind issue NOTE: https://github.com/FasterXML/jackson-databind/issues/3972 + NOTE: https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1597218091 CVE-2023-35110 (An issue was discovered jjson thru 0.1.7 allows attackers to cause a d ...) NOT-FOR-US: jjson CVE-2023-34878 (An issue was discovered in Ujcms v6.0.2 allows attackers to gain sensi ...) @@ -2094,6 +2094,8 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse - crun - epic-base - r-cran-jsonlite + [bookworm] - r-cran-jsonlite (Minor issue) + [bullseye] - r-cran-jsonlite (Minor issue) - ruby-yajl CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::parse , ...) NOT-FOR-US: Sogou Workflow @@ -20633,6 +20635,7 @@ CVE-2023-26131 (All versions of the package github.com/xyproto/algernon/engine; NOT-FOR-US: github.com/xyproto/algernon/engine CVE-2023-26130 (Versions of the package yhirose/cpp-httplib before 0.12.4 are vulnerab ...) - cpp-httplib (bug #1037100) + [bookworm] - cpp-httplib (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-UNMANAGED-YHIROSECPPHTTPLIB-5591194 NOTE: https://gist.github.com/dellalibera/094aece17a86069a7d27f93c8aba2280 NOTE: https://github.com/yhirose/cpp-httplib/commit/5b397d455d25a391ba346863830c1949627b4d08 (v0.12.4) 
@@ -81671,6 +81674,7 @@ CVE-2022-32150 RESERVED CVE-2022-32149 (An attacker may cause a denial of service by crafting an Accept-Langua ...) - golang-golang-x-text 0.3.8-1 (bug #1021785) + [bullseye] - golang-golang-x-text (Minor issue) - golang-x-text [buster] - golang-x-text (Limited support, minor issue, follow bullseye DSAs/point-releases (renamed package)) NOTE: https://groups.google.com/g/golang-dev/c/qfPIly0X7aU @@ -137849,6 +137853,7 @@ CVE-2021-38562 (Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 befor NOTE: https://github.com/bestpractical/rt/commit/d16f8cf13c2af517ee55a85e7b91a0267477189f (rt-4.2.17) CVE-2021-38561 (golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic ...) - golang-golang-x-text 0.3.7-1 + [bullseye] - golang-golang-x-text (Minor issue) - golang-x-text [buster] - golang-x-text (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2100495 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/826bb96661a31e35b0686f5d23f6c83e61e97185
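Review bot: for CVE-2023-35116 the hunk deletes both the "- jackson-databind" line and the "[buster] - jackson-databind (Minor issue)" line and leaves only NOTE lines, which removes the link between the CVE and src:jackson-databind altogether; if the intent is "disputed, not affected", the tracker's "<not-affected>" form, e.g. "- jackson-databind <not-affected> (Disputed, see issue #3972)", keeps the package association while recording the reason. For CVE-2023-33460 the "(Minor issue)" annotations are added only for r-cran-jsonlite, whereas crun, epic-base and ruby-yajl in the same entry carry no release annotations in the visible context, so either they were triaged elsewhere or still need the same call. The two golang-golang-x-text hunks are consistent with each other and with the existing buster annotations.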
[Git][security-tracker-team/security-tracker][master] dla: take trafficserver
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab0ebe8b by Adrian Bunk at 2023-06-26T19:22:03+03:00 dla: take trafficserver - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -245,7 +245,7 @@ systemd (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs + unreferenced security fixes + optionally non-security fixes) (Beuc/front-desk) -- -trafficserver +trafficserver (Adrian Bunk) NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low prio due to the few number of users. -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab0ebe8b9c3bf106db0600545c2c0e12479fd5b3
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3472-1 for libx11
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 7fbaf86e by Adrian Bunk at 2023-06-26T19:17:38+03:00 Reserve DLA-3472-1 for libx11 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[26 Jun 2023] DLA-3472-1 libx11 - security update + {CVE-2023-3138} + [buster] - libx11 2:1.6.7-1+deb10u3 [26 Jun 2023] DLA-3471-1 c-ares - security update {CVE-2023-31130 CVE-2023-32067} [buster] - c-ares 1.14.0-1+deb10u3 = data/dla-needed.txt = @@ -113,10 +113,6 @@ libusrsctp (rouca) NOTE: 20230618: May need a backport see https://lists.debian.org/debian-lts/2023/06/msg00050.html (rouca) NOTE: 20230618: Waiting for comments -- -libx11 (Adrian Bunk) - NOTE: 20230615: Added by Front-Desk (opal) - NOTE: 20230621: Cf. DSA 5433-1 (Beuc/front-desk) --- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fbaf86e1724fe351f04ccc77e19ed8ff13ae22f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fbaf86e1724fe351f04ccc77e19ed8ff13ae22f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 85359fdd by Moritz Muehlenhoff at 2023-06-26T17:32:32+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -106,13 +106,13 @@ CVE-2023-36272 (LibreDWG v0.12.5 was discovered to contain a heap buffer overflo CVE-2023-36271 (LibreDWG v0.12.5 was discovered to contain a heap buffer overflow via ...) - libredwg (bug #595191) CVE-2023-35931 (Shescape is a simple shell escape library for JavaScript. An attacker ...) - TODO: check + NOT-FOR-US: Shescape CVE-2023-35925 (FastAsyncWorldEdit (FAWE) is designed for efficient world editing. Thi ...) - TODO: check + NOT-FOR-US: FastAsyncWorldEdit CVE-2023-35759 (In Progress WhatsUp Gold before 23.0.0, an SNMP-related application en ...) NOT-FOR-US: Progress WhatsUp Gold CVE-2023-35167 (Remult is a CRUD framework for full-stack TypeScript. If you used the ...) - TODO: check + NOT-FOR-US: Remult CVE-2023-35162 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2023-35161 (XWiki Platform is a generic wiki platform offering runtime services fo ...) 
@@ -154,127 +154,128 @@ CVE-2023-34465 (XWiki Platform is a generic wiki platform. Starting in version 1 CVE-2023-34464 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2023-34460 (Tauri is a framework for building binaries for all major desktop platf ...) - TODO: check + NOT-FOR-US: Tauri CVE-2023-34203 (In Progress OpenEdge OEM (OpenEdge Management) and OEE (OpenEdge Explo ...) - TODO: check + NOT-FOR-US: Progress OpenEdge OEM CVE-2023-34188 (The HTTP server in Mongoose before 7.10 accepts requests containing ne ...) - TODO: check + NOT-FOR-US: Cesanta Mongoose + NOTE: smplayer embeds a copy, which is unused in any released version and disabled since 18.5.0~ds1-1 CVE-2023-34021 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Andy Moy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-34012 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premium ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-33565 (ROS2 (Robot Operating System 2) Foxy Fitzroy ROS_VERSION=2 and ROS_PYT ...) TODO: check CVE-2023-32580 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WPEx ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-32480 (Dell BIOS contains an Improper Input Validation vulnerability. An unau ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-32439 (A type confusion issue was addressed with improved checks. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32435 (A memory corruption issue was addressed with improved state management ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32434 (An integer overflow was addressed with improved input validation. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32423 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32422 (This issue was addressed by adding additional SQLite logging restricti ...) 
- TODO: check + NOT-FOR-US: Apple CVE-2023-32420 (An out-of-bounds read was addressed with improved input validation. Th ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32419 (The issue was addressed with improved bounds checks. This issue is fix ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32417 (This issue was addressed by restricting options offered on a locked de ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32415 (This issue was addressed with improved redaction of sensitive informat ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32414 (The issue was addressed with improved checks. This issue is fixed in m ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32413 (A race condition was addressed with improved state handling. This issu ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32412 (A use-after-free issue was addressed with improved memory management. ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32411 (This issue was addressed with improved entitlements. This issue is fix ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32410 (An out-of-bounds read was addressed with improved input validation. Th ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32408 (The issue was addressed with improved handling of caches. This issue i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-32407 (A logic issue was addressed with improved state
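Review bot: the smplayer embedded-copy NOTE placed under the Mongoose entry (CVE-2023-34188, `NOT-FOR-US: Cesanta Mongoose`) should also be recorded in data/embedded-code-copies, otherwise the next Mongoose CVE will be processed without the same smplayer check; if the copy is already listed there, a pointer in the NOTE saves the lookup. The NOTE itself says both "unused in any released version" and "disabled since 18.5.0~ds1-1", which reads as two different claims; stating which one applies to the versions in bullseye and bookworm would make it usable later. Minor: `NOT-FOR-US: Progress OpenEdge OEM` for CVE-2023-34203 drops the OEE component that the description names; `Progress OpenEdge` covers both.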
[Git][security-tracker-team/security-tracker][master] CVE-2023-24813 does not affect bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab6f729c by Adrian Bunk at 2023-06-26T18:06:02+03:00 CVE-2023-24813 does not affect bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24655,6 +24655,7 @@ CVE-2023-24814 (TYPO3 is a free and open source Content Management Framework rel NOT-FOR-US: Typo3 CVE-2023-24813 (Dompdf is an HTML to PDF converter written in php. Due to the differen ...) - php-dompdf 2.0.3+dfsg-1 + [bullseye] - php-dompdf (SVG image references validation introduced in v2.0.0) [buster] - php-dompdf (SVG image references validation introduced in v2.0.0) NOTE: https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75 NOTE: Fixed by: https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa (v2.0.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab6f729c5fd6efcd278784540fee9b5a074197ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab6f729c5fd6efcd278784540fee9b5a074197ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
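Review bot: the justification on the new bullseye line for CVE-2023-24813 (the same text as the existing buster line) says the SVG image reference validation that this issue bypasses only exists from dompdf 2.0.0, which puts the older releases out of scope for this CVE but does not say they are free of the underlying remote-resource fetch; a reader of the tracker will take a release annotation as "no exposure". Add a NOTE naming the entry that tracks the unvalidated behaviour in pre-2.0.0 dompdf, or saying that it is unaddressed in those releases, so the two statements are not confused.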
[Git][security-tracker-team/security-tracker][master] new mediawiki issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88f42467 by Moritz Muehlenhoff at 2023-06-26T11:32:28+02:00 new mediawiki issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...) - TODO: check + - mediawiki + NOTE: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/921452 + NOTE: https://phabricator.wikimedia.org/T332889 CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) NOT-FOR-US: INEX IXP-Manager CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission validation f ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88f424675f120e347c46f209d45a3de679420a6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88f424675f120e347c46f209d45a3de679420a6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
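Review bot: the mediawiki entry is left as a bare `- mediawiki` with no fixed version and no per-release lines, although the description itself names fixed upstream releases ("before 1.35.11, 1.36.x through ..."). The unstable fix version, and whether the gerrit change 921452 linked in the NOTE applies to the branches shipped in bullseye and bookworm, still need to be recorded; until then the entry should keep a TODO line so it is not taken as fully triaged.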
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c79f840b by Salvatore Bonaccorso at 2023-06-26T10:59:07+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,16 +1,16 @@ CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...) TODO: check CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) - TODO: check + NOT-FOR-US: INEX IXP-Manager CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission validation f ...) - ghostscript NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706761 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows ...) - TODO: check + NOT-FOR-US: it-novum openITCOCKPIT (aka open IT COCKPIT) CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) - nettle 3.9.1-1 [bookworm] - nettle (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c79f840b6d8cfa47d1ef7f92e2dd90802621e232 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c79f840b6d8cfa47d1ef7f92e2dd90802621e232 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-36660/nettle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5549ca19 by Salvatore Bonaccorso at 2023-06-26T10:55:26+02:00 Update information for CVE-2023-36660/nettle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,8 +13,12 @@ CVE-2023-36662 (The TechTime User Management components for Atlassian products a TODO: check CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) - nettle 3.9.1-1 + [bookworm] - nettle (Vulnerable code not present) + [bullseye] - nettle (Vulnerable code not present) + [buster] - nettle (Vulnerable code not present) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1212112 - NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/867a4548b95705291a3afdd66d76e7f17ba2618f (nettle_3.9.1_release_20230601) + NOTE: Introduced with: https://git.lysator.liu.se/nettle/nettle/-/commit/9cf0e2d2675268a403194d85a78a44e8cbdf562b (nettle_3.9_release_20230514) + NOTE: Fixed by: https://git.lysator.liu.se/nettle/nettle/-/commit/867a4548b95705291a3afdd66d76e7f17ba2618f (nettle_3.9.1_release_20230601) CVE-2023-3396 (A vulnerability was found in Campcodes Retro Cellphone Online Store 1. ...) NOT-FOR-US: Campcodes Retro Cellphone Online Store CVE-2023-36632 (The legacy email.utils.parseaddr function in Python through 3.11.4 all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5549ca194c2962afb1c2315ffeeb0a67af37a889 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5549ca194c2962afb1c2315ffeeb0a67af37a889 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-36660/nettle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: add5dd61 by Salvatore Bonaccorso at 2023-06-26T10:54:05+02:00 Add CVE-2023-36660/nettle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12,7 +12,9 @@ CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) TODO: check CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) - TODO: check + - nettle 3.9.1-1 + NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1212112 + NOTE: https://git.lysator.liu.se/nettle/nettle/-/commit/867a4548b95705291a3afdd66d76e7f17ba2618f (nettle_3.9.1_release_20230601) CVE-2023-3396 (A vulnerability was found in Campcodes Retro Cellphone Online Store 1. ...) NOT-FOR-US: Campcodes Retro Cellphone Online Store CVE-2023-36632 (The legacy email.utils.parseaddr function in Python through 3.11.4 all ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/add5dd619ffa069a17f2409af33fa7b41a2ac95d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/add5dd619ffa069a17f2409af33fa7b41a2ac95d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gitlab n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eac452fe by Moritz Muehlenhoff at 2023-06-26T10:48:12+02:00 gitlab n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12529,7 +12529,7 @@ CVE-2023-1623 (The Custom Post Type UI WordPress plugin before 1.13.5 does not p CVE-2023-1622 REJECTED CVE-2023-1621 (An issue has been discovered in GitLab EE affecting all versions start ...) - TODO: check + - gitlab (Specific to EE) CVE-2023-1620 (Multiple WAGO devices in multiple versions may allow an authenticated ...) TODO: check CVE-2023-1619 (Multiple WAGO devices in multiple versions may allow an authenticated ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eac452feff6e56e6ae1075bed83ddf0173a89ae3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eac452feff6e56e6ae1075bed83ddf0173a89ae3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-36664/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 18014cff by Salvatore Bonaccorso at 2023-06-26T10:46:15+02:00 Add CVE-2023-36664/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,10 @@ CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x thro CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) TODO: check CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission validation f ...) - TODO: check + - ghostscript + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706761 + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=505eab7782b429017eb434b2b95120855f2b0e3c + NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=0974e4f2ac0005d3731e0b5c13ebc7e965540f4d CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows ...) TODO: check CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18014cff1101f790a707234ed9ee19697e820470 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18014cff1101f790a707234ed9ee19697e820470 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
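Review bot: the two ghostpdl commits in the NOTEs for CVE-2023-36664 are listed unlabelled, while the nettle entry updated the same morning labels its references `Introduced with:` / `Fixed by:` with the release tag in parentheses. Mark which of 505eab77 and 0974e4f2 is the fix and which the follow-up, and the release they land in, since the description only says "through 10.01.2"; and add the per-release lines for bookworm and bullseye, which both ship ghostscript, so the entry does not stay a bare `- ghostscript`.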
[Git][security-tracker-team/security-tracker][master] CVE-2023-36661 assigned for xmltooling issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04feb135 by Salvatore Bonaccorso at 2023-06-26T10:41:51+02:00 CVE-2023-36661 assigned for xmltooling issue - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/DSA/list Changes: = data/CVE/list = @@ -8,8 +8,6 @@ CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 TODO: check CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) TODO: check -CVE-2023-36661 (Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth ...) - TODO: check CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) TODO: check CVE-2023-3396 (A vulnerability was found in Campcodes Retro Cellphone Online Store 1. ...) @@ -1366,11 +1364,8 @@ CVE-2023-29167 (Out-of-bound reads vulnerability exists in FRENIC RHC Loader v1. NOT-FOR-US: FRENIC RHC Loader CVE-2023-29160 (Stack-based buffer overflow vulnerability exists in FRENIC RHC Loader ...) NOT-FOR-US: FRENIC RHC Loader -CVE-2023- [Parsing of KeyInfo elements can cause remote resource access] +CVE-2023-36661 [Parsing of KeyInfo elements can cause remote resource access] - xmltooling 3.2.4-1 (bug #1037948) - [bookworm] - xmltooling 3.2.3-1+deb12u1 - [bullseye] - xmltooling 3.2.0-3+deb11u1 - [buster] - xmltooling 3.0.4-1+deb10u2 NOTE: https://shibboleth.net/community/advisories/secadv_20230612.txt NOTE: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=6080f6343f98fec085bc0fd746913ee418cc9d30 CVE-2023-33991 (SAP UI5 Variant Management - versions SAP_UI 750, SAP_UI 754, SAP_UI 7 ...) = data/DLA/list = 
@@ -20,6 +20,7 @@ {CVE-2023-33476} [buster] - minidlna 1.2.1+dfsg-2+deb10u4 [21 Jun 2023] DLA-3464-1 xmltooling - security update + {CVE-2023-36661} [buster] - xmltooling 3.0.4-1+deb10u2 [21 Jun 2023] DLA-3463-1 opensc - security update {CVE-2019-6502 CVE-2021-42779 CVE-2021-42780 CVE-2021-42781 CVE-2021-42782 CVE-2023-2977} = data/DSA/list = @@ -26,6 +26,7 @@ [bullseye] - libx11 2:1.7.2-1+deb11u1 [bookworm] - libx11 2:1.8.4-2+deb12u1 [18 Jun 2023] DSA-5432-1 xmltooling - security update + {CVE-2023-36661} [bookworm] - xmltooling 3.2.3-1+deb12u1 [bullseye] - xmltooling 3.2.0-3+deb11u1 [16 Jun 2023] DSA-5431-1 sofia-sip - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04feb135409baf0e6a51846c537eef049f044c0e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04feb135409baf0e6a51846c537eef049f044c0e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
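Review bot: the CVE/list hunk removes the `[bookworm]`, `[bullseye]` and `[buster]` fixed-version lines from the renamed CVE-2023-36661 entry but adds no `{DSA-5432-1 DLA-3464-1}` cross-reference line in their place, so the entry is left with only the unstable fix (3.2.4-1) and the per-release state now comes solely from the DSA/DLA lists that gain the CVE in the same commit. The c-ares entries in the automatic-update message in this digest show that cross-reference being filled in by the automatic update later, so this looks intentional; if not, add the `{...}` line here so the entry is self-contained. Deleting the duplicate top-of-file `CVE-2023-36661 ... TODO: check` entry is right, since the placeholder `CVE-2023- [Parsing of KeyInfo elements ...]` record is the one carrying the history.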
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29cb2e3b by security tracker role at 2023-06-26T08:12:00+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2023-36675 (An issue was discovered in MediaWiki before 1.35.11, 1.36.x through 1. ...) + TODO: check +CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. list-preamble.foil.php, page ...) + TODO: check +CVE-2023-36664 (Artifex Ghostscript through 10.01.2 mishandles permission validation f ...) + TODO: check +CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 allows ...) + TODO: check +CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) + TODO: check +CVE-2023-36661 (Shibboleth XMLTooling before 3.2.4, as used in OpenSAML and Shibboleth ...) + TODO: check +CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) + TODO: check CVE-2023-3396 (A vulnerability was found in Campcodes Retro Cellphone Online Store 1. ...) NOT-FOR-US: Campcodes Retro Cellphone Online Store CVE-2023-36632 (The legacy email.utils.parseaddr function in Python through 3.11.4 all ...) @@ -3592,7 +3606,7 @@ CVE-2023-2587 (Teltonika\u2019s Remote Management System versions prior to 4.10. CVE-2023-2586 (Teltonika\u2019s Remote Management System versions 4.14.0 is vulnerabl ...) NOT-FOR-US: Teltonika CVE-2023-32067 (c-ares is an asynchronous resolver library. c-ares is vulnerable to de ...) - {DSA-5419-1} + {DSA-5419-1 DLA-3471-1} [experimental] - c-ares 1.19.1-1 - c-ares 1.18.1-3 NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc 
@@ -5576,7 +5590,7 @@ CVE-2023-31132 CVE-2023-31131 (Greenplum Database (GPDB) is an open source data warehouse based on Po ...) NOT-FOR-US: Greenplum Database CVE-2023-31130 (c-ares is an asynchronous resolver library. ares_inet_net_pton() is vu ...) - {DSA-5419-1} + {DSA-5419-1 DLA-3471-1} [experimental] - c-ares 1.19.1-1 - c-ares 1.18.1-3 NOTE: https://github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v @@ -10337,10 +10351,10 @@ CVE-2023-29426 RESERVED CVE-2023-29425 RESERVED -CVE-2023-29424 - RESERVED -CVE-2023-29423 - RESERVED +CVE-2023-29424 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Plai ...) + TODO: check +CVE-2023-29423 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI W ...) + TODO: check CVE-2023-29422 RESERVED CVE-2023-1916 (A flaw was found in tiffcrop, a program distributed by the libtiff pac ...) @@ -11464,8 +11478,8 @@ CVE-2023-29095 RESERVED CVE-2023-29094 (Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability in PI W ...) NOT-FOR-US: WordPress plugin -CVE-2023-29093 - RESERVED +CVE-2023-29093 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check CVE-2023-1783 (OrangeScrum version 2.0.11 allows an external attacker to remotely obt ...) TODO: check CVE-2023-1782 (HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow ...) 
@@ -11846,16 +11860,16 @@ CVE-2023-28994 RESERVED CVE-2023-28993 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Ignazio ...) NOT-FOR-US: WordPress plugin -CVE-2023-28992 - RESERVED -CVE-2023-28991 - RESERVED +CVE-2023-28992 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Elliot S ...) + TODO: check +CVE-2023-28991 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI W ...) + TODO: check CVE-2023-28990 RESERVED CVE-2023-28989 RESERVED -CVE-2023-28988 - RESERVED +CVE-2023-28988 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in PI W ...) + TODO: check CVE-2023-28987 RESERVED CVE-2023-28986 @@ -12518,10 +12532,10 @@ CVE-2023-1622 REJECTED CVE-2023-1621 (An issue has been discovered in GitLab EE affecting all versions start ...) TODO: check -CVE-2023-1620 - RESERVED -CVE-2023-1619 - RESERVED +CVE-2023-1620 (Multiple WAGO devices in multiple versions may allow an authenticated ...) + TODO: check +CVE-2023-1619 (Multiple WAGO devices in multiple versions may allow an authenticated ...) + TODO: check CVE-2023-1618 (Active Debug Code vulnerability in Mitsubishi Electric Corporation MEL ...) NOT-FOR-US: Mitsubishi CVE-2023-1617 (Improper Authentication vulnerability in B Industrial Automation B ...) @@ -17054,8 +17068,8 @@ CVE-2023-23572 (Cross-site scripting vulnerability in SEIKO EPSON printers/netwo NOT-FOR-US: Epson
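Review bot: the identifier on the new `CVE-2023-3 (INEX IXP-Manager before 6.3.1 allows XSS. ...)` entry in the first hunk is malformed: the sequence part of a CVE ID has at least four digits, and the entry sits between CVE-2023-36675 and CVE-2023-36664, where a five-digit 2023-366xx number was expected. Check the record in the feed this update was generated from and correct the ID before it is triaged under the wrong key; the `Process some NFUs` commit in this digest already turns the same `CVE-2023-3` line into `NOT-FOR-US: INEX IXP-Manager`, so that entry needs the same correction. The remaining hunks (RESERVED entries becoming `TODO: check`, and `{DSA-5419-1 DLA-3471-1}` on the two c-ares entries) are the expected feed churn.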
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-36192/sngrep via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a4179c9 by Salvatore Bonaccorso at 2023-06-26T09:49:19+02:00 Track fixed version for CVE-2023-36192/sngrep via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -262,7 +262,7 @@ CVE-2023-36193 (Gifsicle v1.9.3 was discovered to contain a heap buffer overflow NOTE: https://github.com/kohler/gifsicle/commit/e21a05a00855b3e647302f06683aca743ae08deb (v1.94) NOTE: Crash in CLI tool, no security impact CVE-2023-36192 (Sngrep v1.6.0 was discovered to contain a heap buffer overflow via the ...) - - sngrep (unimportant; bug #1038975) + - sngrep 1.7.0-2 (unimportant; bug #1038975) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/irontec/sngrep/issues/438 NOTE: https://github.com/irontec/sngrep/commit/ad1daf15c8387bfbb48097c25197bf330d2d98fc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a4179c97c472c556378a3c269ce9314b53428ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a4179c97c472c556378a3c269ce9314b53428ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits