[Git][security-tracker-team/security-tracker][master] Reserve DLA-3567-1 for c-ares
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker
Commits:
f7d87040 by Anton Gladky at 2023-09-15T07:36:26+02:00
Reserve DLA-3567-1 for c-ares
- - - - -
2 changed files:
- data/DLA/list
- data/dla-needed.txt
Changes:
= data/DLA/list =
@@ -1,3 +1,6 @@ +[15 Sep 2023] DLA-3567-1 c-ares - security update + {CVE-2020-22217} + [buster] - c-ares 1.14.0-1+deb10u4 [13 Sep 2023] DLA-3566-1 ruby-rails-html-sanitizer - security update {CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520} [buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u2
= data/dla-needed.txt =
@@ -25,10 +25,6 @@ amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) NOTE: 20230910: still testing package (ta) -- -c-ares (gladk) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this one. Will look thoroughly. (utkarsh) --- cacti NOTE: 20230906: Added by Front-Desk (lamby) --
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913
You're receiving this email because of your account on salsa.debian.org.
___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-4863/libwebp
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
174bd40d by Salvatore Bonaccorso at 2023-09-15T06:03:02+02:00
Track fixed version for CVE-2023-4863/libwebp
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -505,7 +505,7 @@ CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845 - firefox 117.0.1-1 - firefox-esr 115.2.1esr-1 - thunderbird 1:115.2.2-1 - - libwebp (bug #1051787) + - libwebp 1.2.4-0.3 (bug #1051787) NOTE: https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html NOTE: src:chromium builds against the system libwebp library NOTE: Fixed by: https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/174bd40d95aecff3fffbd892960d23f6e852d2a2
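Review bot: the entry now carries fixed versions for firefox, firefox-esr, thunderbird and libwebp, yet the only trace of chromium is the NOTE that src:chromium builds against the system libwebp library; a reader scanning the package lines will take chromium for untracked, so a NOTE stating explicitly that chromium is covered by the libwebp 1.2.4-0.3 fix and needs no line of its own would help. The hunk also adds no [bookworm]/[bullseye]/[buster] annotation for libwebp, which leaves the stable suites' status open until a DSA or an explicit annotation follows.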
[Git][security-tracker-team/security-tracker][master] CVE-2023-41081,libapache-mod-jk: fixed in sid
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
7fc515b3 by Markus Koschany at 2023-09-15T00:44:53+02:00
CVE-2023-41081,libapache-mod-jk: fixed in sid
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -116,7 +116,7 @@ CVE-2023-42468 (The com.cutestudio.colordialer application through 2.1.8-2 for A CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This is a hi ...) NOT-FOR-US: Craft CMS CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some circumstances, ...) - - libapache-mod-jk (bug #1051956) + - libapache-mod-jk 1:1.2.49-1 (bug #1051956) NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2 NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fc515b3143717a2b8eae8de650f45952a267738
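Review bot: the fixed version 1:1.2.49-1 agrees with the tomcat.apache.org "Fixed_in_Apache_Tomcat_JK_Connector_1.2.49" reference, but the entry still has no [bookworm]/[bullseye]/[buster] lines, so the stable and oldstable status of libapache-mod-jk is left undecided by this change; either annotate the suites now or add a NOTE that a DSA/DLA decision is pending so the follow-up is not lost once the sid fix is in.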
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c0134ba5 by Salvatore Bonaccorso at 2023-09-14T22:36:41+02:00
Process some NFUs
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -1,41 +1,41 @@ CVE-2023-4972 (Improper Privilege Management vulnerability in Yepas Digital Yepas all ...) - TODO: check + NOT-FOR-US: Yepas Digital Yepas CVE-2023-4965 (A vulnerability was found in phpipam 1.5.1. It has been rated as probl ...) - phpipam (bug #731713) CVE-2023-4951 (A cross site scripting issue was discovered with the pagination functi ...) - TODO: check + NOT-FOR-US: GreenRADIUS web admin interface CVE-2023-4832 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Aceka Company Management CVE-2023-4766 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Movus CVE-2023-4702 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...) - TODO: check + NOT-FOR-US: Yepas Digital Yepas CVE-2023-4676 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) TODO: check CVE-2023-4669 (Authentication Bypass by Assumed-Immutable Data vulnerability in Exaga ...) - TODO: check + NOT-FOR-US: Exagate SYSGuard 3001 CVE-2023-4516 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-42180 (An arbitrary file upload vulnerability in the /user/upload component o ...) - TODO: check + NOT-FOR-US: lenosp CVE-2023-42178 (Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log query mo ...) - TODO: check + NOT-FOR-US: lenosp CVE-2023-41588 (A cross-site scripting (XSS) vulnerability in Time to SLA plugin v10.1 ...) TODO: check CVE-2023-41011 (Command Execution vulnerability in China Mobile Communications China M ...) - TODO: check + NOT-FOR-US: China Mobile Communications China Mobile Intelligent Home Gateway CVE-2023-41010 (Insecure Permissions vulnerability in Sichuan Tianyi Kanghe Communicat ...) 
- TODO: check + NOT-FOR-US: China Telecom Tianyi Home Gateway CVE-2023-40779 (An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remo ...) - TODO: check + NOT-FOR-US: IceWarp CVE-2023-39286 (A vulnerability in the Connect Mobility Router component of Mitel MiVo ...) - TODO: check + NOT-FOR-US: Mitel CVE-2023-39285 (A vulnerability in the Edge Gateway component of Mitel MiVoice Connect ...) - TODO: check + NOT-FOR-US: Mitel CVE-2023-38558 (A vulnerability has been identified in SIMATIC PCS neo (Administration ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-38557 (A vulnerability has been identified in Spectrum Power 7 (All versions ...) - TODO: check + NOT-FOR-US: Siemens CVE-2023-37756 (I-doit pro 25 and below and I-doit open 25 and below employ weak passw ...) TODO: check CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are configured wi ...) @@ -45,7 +45,7 @@ CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...) TODO: check CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...) - TODO: check + NOT-FOR-US: Movim CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable ...) NOT-FOR-US: WooCommerce CVR Payment Gateway plugin for WordPress CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) 
@@ -129,7 +129,7 @@ CVE-2023-40715 (A cleartext storage of sensitive information vulnerability [CWE- CVE-2023-3935 (A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network ...) NOT-FOR-US: Wibu CodeMeter Runtime CVE-2023-3588 (A stored Cross-site Scripting (XSS) vulnerability affecting Teamwork C ...) - TODO: check + NOT-FOR-US: 3ds CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...) NOT-FOR-US: Palo Alto Networks CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 contains ...) @@ -277,9 +277,9 @@ CVE-2023-40611 (Apache Airflow, versions before 2.7.1, is affected by a vulnerab CVE-2023-40218 (An issue was discovered in the NPU kernel driver in Samsung Exynos Mob ...) NOT-FOR-US: Samsung CVE-2023-3712 (Files or Directories Accessible to External Parties vulnerability in H ...) - TODO: check + NOT-FOR-US: Honeywell CVE-2023-3711 (Session Fixation vulnerability in Honeywell PM43 on 32
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4965/phpipam
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3f18a3be by Salvatore Bonaccorso at 2023-09-14T22:35:47+02:00
Add CVE-2023-4965/phpipam
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -1,7 +1,7 @@ CVE-2023-4972 (Improper Privilege Management vulnerability in Yepas Digital Yepas all ...) TODO: check CVE-2023-4965 (A vulnerability was found in phpipam 1.5.1. It has been rated as probl ...) - TODO: check + - phpipam (bug #731713) CVE-2023-4951 (A cross site scripting issue was discovered with the pagination functi ...) TODO: check CVE-2023-4832 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f18a3be65d89926213fb0101c00130b80536689
[Git][security-tracker-team/security-tracker][master] CVE-2023-4244 got preferred instead of CVE-2023-4563
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2ff39f80 by Salvatore Bonaccorso at 2023-09-14T22:21:57+02:00
CVE-2023-4244 got preferred instead of CVE-2023-4563
Rewrite CVE entries to get the information under the Google CNA assigned CVE, whereas the Red Hat assigned CVE got REJECTED.
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -952,7 +952,10 @@ CVE-2023-4588 (File accessibility vulnerability in Delinea Secret Server, in its CVE-2023-4498 (Tenda N300 Wireless N VDSL2 Modem Router allows unauthenticated access ...) NOT-FOR-US: Tenda CVE-2023-4244 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) - NOTE: Duplicate of CVE-2023-4563 (RedHat assigned) + - linux 6.4.13-1 + NOTE: https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/ + NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/ + NOTE: https://kernel.dance/3e91b0ebd994635df2346353322ac51ce84ce6d8 CVE-2023-4208 (A use-after-free vulnerability in the Linux kernel's net/sched: cls_u3 ...) {DSA-5492-1} - linux 6.4.11-1
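Review bot: removing the `NOTE: Duplicate of CVE-2023-4563 (RedHat assigned)` line drops the only cross-reference between the two IDs in this entry; keep a NOTE along the lines of `NOTE: CVE-2023-4563 (Red Hat assigned) was REJECTED in favour of this ID` so that reports and scanners still citing the Red Hat number can be matched to the tracked entry. Separately, the new kernel.dance reference uses the path form (`https://kernel.dance/3e91b0eb...`) while the CVE-2023-4921 entry visible in commit c24991aa on this list uses the fragment form (`https://kernel.dance/#8fc134fe...`); one form should be used throughout.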
@@ -2597,11 +2600,8 @@ CVE-2023-4567 [bookworm] - ansible (Minor issue) [bullseye] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235369 -CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC and transaction] +CVE-2023-4563 REJECTED - - linux 6.4.13-1 - NOTE: https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/ - NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/ CVE-2023-41109 (SmartNode SN200 (aka SN200) 3.21.2-23021 allows unauthenticated OS Com ...) NOT-FOR-US: SmartNode SN200 (aka SN200) CVE-2023-40846 (Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Bu ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ff39f80ac440b8e4a5163bd319d9fa06d78393c
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
57f659e5 by security tracker role at 2023-09-14T20:12:23+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -1,3 +1,51 @@ +CVE-2023-4972 (Improper Privilege Management vulnerability in Yepas Digital Yepas all ...) + TODO: check +CVE-2023-4965 (A vulnerability was found in phpipam 1.5.1. It has been rated as probl ...) + TODO: check +CVE-2023-4951 (A cross site scripting issue was discovered with the pagination functi ...) + TODO: check +CVE-2023-4832 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-4766 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-4702 (Authentication Bypass Using an Alternate Path or Channel vulnerability ...) + TODO: check +CVE-2023-4676 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-4669 (Authentication Bypass by Assumed-Immutable Data vulnerability in Exaga ...) + TODO: check +CVE-2023-4516 (A CWE-306: Missing Authentication for Critical Function vulnerability ...) + TODO: check +CVE-2023-42180 (An arbitrary file upload vulnerability in the /user/upload component o ...) + TODO: check +CVE-2023-42178 (Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log query mo ...) + TODO: check +CVE-2023-41588 (A cross-site scripting (XSS) vulnerability in Time to SLA plugin v10.1 ...) + TODO: check +CVE-2023-41011 (Command Execution vulnerability in China Mobile Communications China M ...) + TODO: check +CVE-2023-41010 (Insecure Permissions vulnerability in Sichuan Tianyi Kanghe Communicat ...) + TODO: check +CVE-2023-40779 (An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remo ...) + TODO: check +CVE-2023-39286 (A vulnerability in the Connect Mobility Router component of Mitel MiVo ...) + TODO: check +CVE-2023-39285 (A vulnerability in the Edge Gateway component of Mitel MiVoice Connect ...) + TODO: check +CVE-2023-38558 (A vulnerability has been identified in SIMATIC PCS neo (Administration ...) 
+ TODO: check +CVE-2023-38557 (A vulnerability has been identified in Spectrum Power 7 (All versions ...) + TODO: check +CVE-2023-37756 (I-doit pro 25 and below and I-doit open 25 and below employ weak passw ...) + TODO: check +CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are configured wi ...) + TODO: check +CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path trave ...) + TODO: check +CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...) + TODO: check +CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...) + TODO: check CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable ...) NOT-FOR-US: WooCommerce CVR Payment Gateway plugin for WordPress CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) @@ -2550,6 +2598,7 @@ CVE-2023-4567 [bullseye] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235369 CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC and transaction] + REJECTED - linux 6.4.13-1 NOTE: https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/ NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/ @@ -17272,8 +17321,8 @@ CVE-2023-30911 RESERVED CVE-2023-30910 RESERVED -CVE-2023-30909 - RESERVED +CVE-2023-30909 (A remote authentication bypass issue exists in some OneView APIs.) + TODO: check CVE-2023-30908 (A remote authentication bypass issue exists in a OneView API.) NOT-FOR-US: HPE CVE-2023-30907 
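Review bot: in the @@ -2550 hunk the `+ REJECTED` line is inserted under the CVE-2023-4563 title while the `- linux 6.4.13-1` line and both lore references stay in place, so the entry is at once rejected and tracked as fixed; when the automatic import flags an ID as rejected, the package and NOTE lines should be moved to the replacing ID or dropped in the same change (commit 2ff39f80 on this list does that by hand for CVE-2023-4244). In the @@ -17272 hunk the new CVE-2023-30909 description ("A remote authentication bypass issue exists in some OneView APIs.") matches the adjacent CVE-2023-30908, which is already `NOT-FOR-US: HPE`, so the `TODO: check` can be resolved the same way.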
@@ -21171,13 +21220,13 @@ CVE-2013-10024 (A vulnerability has been found in Exit Strategy Plugin 1.55 and NOT-FOR-US: WordPress plugin CVE-2012-10010 (A vulnerability was found in BestWebSoft Contact Form 3.21. It has bee ...) NOT-FOR-US: WordPress plugin -CVE-2023-32636 +CVE-2023-32636 (A flaw was found in glib, where the gvariant deserialization code is v ...) - glib2.0 (Incomplete fixes for CVE-2023-29499, CVE-2023-32611 and CVE-2023-32665 not applied) NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841 -CVE-2023-32643 +CVE-2023-32643 (A flaw was found in GLib. The GVariant deserialization code is vulnera ...) - glib2.0 (Incomplete fixes for CVE-2023-29499, CVE-2023-32611 and CVE-2023-32665 not applied) NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840 -CVE-2023-32665 [GVariant
[Git][security-tracker-team/security-tracker][master] Associate #1051726 to src:viagee as how it was reported
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c434546d by Salvatore Bonaccorso at 2023-09-14T21:55:19+02:00
Associate #1051726 to src:viagee as how it was reported
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -216718,7 +216718,8 @@ CVE-2020-24906 CVE-2020-24905 RESERVED CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail version 2.5 ...) - - gnome-gmail (bug #1051726) + - viagee (bug #1051726) + - gnome-gmail [bullseye] - gnome-gmail (Minor issue) [buster] - gnome-gmail (Minor issue) NOTE: https://github.com/davesteele/gnome-gmail/issues/84
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c434546d1595fe2961cf12cb39dddab2aec4b217
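Review bot: after this hunk the bug reference sits on a new `- viagee (bug #1051726)` line with no suite annotations, while `- gnome-gmail` keeps its [bullseye]/[buster] "Minor issue" annotations but loses the bug; the commit message only says the bug was reported against src:viagee, so a NOTE explaining why both source packages are listed for the same issue (and whether viagee needs a [bookworm] annotation of its own) would spare the next triager from re-deriving the relationship between the two packages.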
[Git][security-tracker-team/security-tracker][master] Mark electrum issue as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d8d48a80 by Salvatore Bonaccorso at 2023-09-14T21:44:41+02:00
Mark electrum issue as no-dsa
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -386,6 +386,8 @@ CVE-2023-33136 (Azure DevOps Server Remote Code Execution Vulnerability) NOT-FOR-US: Microsoft CVE-2023- [receiving with Lightning: partial MPP might be accepted] - electrum 4.4.6+dfsg-1 + [bookworm] - electrum (Minor issue; can be fixed via point release) + [bullseye] - electrum (Minor issue; can be fixed via point release) NOTE: https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf CVE-2023-31417 - elasticsearch
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8d48a806fa9535e21be07f5f6cc283b8d585814
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-4527/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
bf79e27d by Salvatore Bonaccorso at 2023-09-14T21:20:35+02:00
Add Debian bug reference for CVE-2023-4527/glibc
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -160,7 +160,7 @@ CVE-2023-4806 [potential use-after-free in getaddrinfo()] - glibc NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30843 CVE-2023-4527 [Stack read overflow in getaddrinfo in no- mode] - - glibc + - glibc (bug #1051958) [bullseye] - glibc (Vulnerable code not present) [buster] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf79e27d7c859c29b361e682e747f4b2829ec4c4
[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2023-4527/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a260872a by Salvatore Bonaccorso at 2023-09-14T21:19:34+02:00
Add additional reference for CVE-2023-4527/glibc
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -166,6 +166,7 @@ CVE-2023-4527 [Stack read overflow in getaddrinfo in no- mode] NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842 NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f282cdbe7f436c75864e5640a409a10485e9abb2 (glibc-2.36) NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (release/2.36/master branch) + NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7529346025a130fee483d42178b5c118da971bb (release/2.37/master branch) NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6 (release/2.38/master branch) CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_qf ...) - linux
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a260872aee50c302499f45f0c5bcb32a06e617d0
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-41081/libapache-mod-jk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1ee18bf7 by Salvatore Bonaccorso at 2023-09-14T21:12:45+02:00
Add Debian bug reference for CVE-2023-41081/libapache-mod-jk
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -68,7 +68,7 @@ CVE-2023-42468 (The com.cutestudio.colordialer application through 2.1.8-2 for A CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This is a hi ...) NOT-FOR-US: Craft CMS CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some circumstances, ...) - - libapache-mod-jk + - libapache-mod-jk (bug #1051956) NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2 NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee18bf7b294fcbee11616ace145753475157ddb
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-34321/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
38aa5c40 by Salvatore Bonaccorso at 2023-09-14T21:11:14+02:00
Add Debian bug reference for CVE-2023-34321/xen
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -1226,7 +1226,7 @@ CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x NOTE: https://www.openwall.com/lists/oss-security/2023/09/05/1 NOTE: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210 CVE-2023-34321 [arm32: The cache may not be properly cleaned/invalidated] - - xen + - xen (bug #1051954) [bookworm] - xen (Minor issue, fix along in future DSA) [bullseye] - xen (Minor issue, fix along in future DSA) [buster] - xen (DSA 4677-1)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38aa5c40c5accf3dc26740a84e83ec1b83c57a04
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-41000/gpac
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
54df107b by Salvatore Bonaccorso at 2023-09-14T21:09:28+02:00
Add Debian bug reference for CVE-2023-41000/gpac
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -570,7 +570,7 @@ CVE-2023-41256 (Dover Fueling Solutions MAGLINK LX Web Console Configuration ver CVE-2023-41103 (Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) attacks in ...) NOT-FOR-US: Interact CVE-2023-41000 (GPAC through 2.2.1 has a use-after-free vulnerability in the function ...) - - gpac + - gpac (bug #1051955) [bullseye] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2550 NOTE: Fixed by: https://github.com/gpac/gpac/commit/0018b5e4e07a1465287e7dff69b387929f5a75fa
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54df107be3e82b4dabc0d6d3782171c1ff59f8b6
[Git][security-tracker-team/security-tracker][master] Add references to upstream commits for CVE-2023-4527/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c24991aa by Salvatore Bonaccorso at 2023-09-14T21:08:05+02:00
Add references to upstream commits for CVE-2023-4527/glibc
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -165,6 +165,8 @@ CVE-2023-4527 [Stack read overflow in getaddrinfo in no- mode] [buster] - glibc (Vulnerable code not present) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842 NOTE: Introduced by: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f282cdbe7f436c75864e5640a409a10485e9abb2 (glibc-2.36) + NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f (release/2.36/master branch) + NOTE: Fixed by: https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6 (release/2.38/master branch) CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: sch_qf ...) - linux NOTE: https://kernel.dance/#8fc134fee27f2263988ae38920bc03da416b03d8
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c24991aa71913eafe8d24aefce74601054fa5e63
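Review bot: the two added "Fixed by" notes cover release/2.36/master and release/2.38/master but skip release/2.37/master, although the "Introduced by" note dates the bug to glibc-2.36, so every later release branch is expected to carry a backport; the follow-up commit a260872a on this list supplies the 2.37 reference, which would have been cleaner to include here in the same change so the branch list is complete in one commit.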
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-32360/cups
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
3f561ddc by Salvatore Bonaccorso at 2023-09-14T20:58:56+02:00
Add Debian bug reference for CVE-2023-32360/cups
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -11120,7 +11120,7 @@ CVE-2023-32365 (The issue was addressed with improved checks. This issue is fixe CVE-2023-32363 (A permissions issue was addressed by removing vulnerable code and addi ...) NOT-FOR-US: Apple CVE-2023-32360 (An authentication issue was addressed with improved state management. ...) - - cups + - cups (bug #1051953) NOTE: https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913 (v2.4.3) CVE-2023-32357 (An authorization issue was addressed with improved state management. T ...) NOT-FOR-US: Apple
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f561ddcdbd807d61aceffd4dfca6689745b8f86
[Git][security-tracker-team/security-tracker][master] CVE-2023-32200,CVE-2023-22665,apache-jena: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker
Commits:
fdc5b5e4 by Markus Koschany at 2023-09-14T19:45:39+02:00
CVE-2023-32200,CVE-2023-22665,apache-jena: fixed in unstable
- - - - -
1 changed file:
- data/CVE/list
Changes:
= data/CVE/list =
@@ -8687,7 +8687,7 @@ CVE-2023-37174 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain NOTE: https://github.com/gpac/gpac/issues/2505 NOTE: https://github.com/gpac/gpac/commit/549ff4484246f2bc4d5fec6760332b43774db483 CVE-2023-32200 (There is insufficient restrictions of called script functions in Apach ...) - - apache-jena (bug #1041108) + - apache-jena 4.9.0-1 (bug #1041108) [bookworm] - apache-jena (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/07/11/11 CVE-2023-2869 (The WP-Members Membership plugin for WordPress is vulnerable to unauth ...)
@@ -42921,7 +42921,7 @@ CVE-2014-125043 CVE-2014-125042 REJECTED CVE-2023-22665 (There is insufficient checking of user queries in Apache Jena versions ...) - - apache-jena (bug #1035952) + - apache-jena 4.9.0-1 (bug #1035952) [bookworm] - apache-jena (Minor issue) NOTE: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s CVE-2023-22652 (A Buffer Copy without Checking Size of Input ('Classic Buffer Overflow ...)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc5b5e406f1528a1df227a558374937846af278
[Git][security-tracker-team/security-tracker][master] curl fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fd602a7 by Moritz Muehlenhoff at 2023-09-14T15:48:38+02:00 curl fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35,7 +35,7 @@ CVE-2023-38204 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and ear CVE-2023-4910 NOT-FOR-US: 3scale-admin-portal CVE-2023-38039 [HTTP headers eat all memory] - - curl + - curl 8.3.0-1 [bookworm] - curl (Minor issue, can be fixed in point release) [bullseye] - curl (Vulnerable code not present) [buster] - curl (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fd602a726ae89767c4dd7ea9926d62528c4b30d
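Review bot: `- curl 8.3.0-1` closes CVE-2023-38039 for sid, but the entry has no NOTE line with the upstream advisory or fix commit, which the bookworm update this hunk explicitly defers to a point release will need; other package entries in this file carry such `NOTE:` links. The bracketed placeholder title `[HTTP headers eat all memory]` also indicates the CVE text was not yet published when the entry was filed, so the description will need replacing once it is.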
[Git][security-tracker-team/security-tracker][master] LTS: claim open-vm-tools in dla-needed.txt
Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker Commits: bbb48f21 by Sean Whitton at 2023-09-14T11:28:33+01:00 LTS: claim open-vm-tools in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -138,7 +138,7 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -open-vm-tools +open-vm-tools (Sean Whitton) NOTE: 20230907: Added by Front-Desk (lamby) -- opendkim View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbb48f2166f19a561ded6063e9dbd0d28e76111a
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4d93ded by Salvatore Bonaccorso at 2023-09-14T10:20:05+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -7,31 +7,31 @@ CVE-2023-4944 (The Awesome Weather Widget for WordPress plugin for WordPress is CVE-2023-4841 (The Feeds for YouTube for WordPress plugin for WordPress is vulnerable ...) NOT-FOR-US: Feeds for YouTube for WordPress plugin for WordPress CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows DLP end ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be run by de ...) - TODO: check + NOT-FOR-US: PaperCut CVE-2023-42503 (Improper Input Validation, Uncontrolled Resource Consumption vulnerabi ...) TODO: check CVE-2023-41267 (In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a docume ...) - TODO: check + NOT-FOR-US: Apache Airflow HDFS Provider CVE-2023-41162 (A Reflected Cross-site scripting (XSS) vulnerability in the file manag ...) - TODO: check + NOT-FOR-US: Usermin CVE-2023-41158 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type pro ...) - TODO: check + NOT-FOR-US: Usermin CVE-2023-41155 (A Stored Cross-Site Scripting (XSS) vulnerability in the mail forwardi ...) - webmin CVE-2023-41154 (A Stored Cross-Site Scripting (XSS) vulnerability in the scheduled cro ...) - TODO: check + NOT-FOR-US: Usermin CVE-2023-41152 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type pro ...) - TODO: check + NOT-FOR-US: Usermin CVE-2023-40617 (A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeM ...) - TODO: check + NOT-FOR-US: OpenKnowledgeMaps Head Start CVE-2023-38206 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) ...) - TODO: check + NOT-FOR-US: Adobe CVE-2023-38205 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) ...) - TODO: check + NOT-FOR-US: Adobe CVE-2023-38204 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2023-4910 NOT-FOR-US: 3scale-admin-portal CVE-2023-38039 [HTTP headers eat all memory] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4d93ded2f133e505873a6a6e20264e488590ed0
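Review bot: CVE-2023-42503 is the only entry in this hunk left at `TODO: check`, and its truncated description shows only the weakness types ("Improper Input Validation, Uncontrolled Resource Consumption"), not the affected product, so it needs a manual look rather than the NFU pass. The four Usermin entries (CVE-2023-41162, -41158, -41154, -41152) become `NOT-FOR-US: Usermin` while CVE-2023-41155 in the same context stays tracked as `- webmin`; it is worth confirming that the Debian webmin source does not also ship the affected Usermin code before the Usermin ones are closed as NFU.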
[Git][security-tracker-team/security-tracker][master] Associate one CVE with webmin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e81aedde by Salvatore Bonaccorso at 2023-09-14T10:18:47+02:00 Associate one CVE with webmin The set of CVEs is for Webmin and Usermin, with CVE-2023-41155 mentioning both. Track this one with webmin unless a reviewer disagrees and the others without mention of webmin as NFU. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2023-41162 (A Reflected Cross-site scripting (XSS) vulnerability in the file CVE-2023-41158 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type pro ...) TODO: check CVE-2023-41155 (A Stored Cross-Site Scripting (XSS) vulnerability in the mail forwardi ...) - TODO: check + - webmin CVE-2023-41154 (A Stored Cross-Site Scripting (XSS) vulnerability in the scheduled cro ...) TODO: check CVE-2023-41152 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type pro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e81aedde6681dfaf5da1e1c8ef6bf6e836739627
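Review bot: `- webmin` is added with no version, suite tags or `NOTE:` link, so CVE-2023-41155 now reads as open for every suite with nothing to act on; add a NOTE pointing at the upstream advisory for this CVE and, once the Debian package has been checked, the fixed version or suite tags, as the other package entries in this file do. The commit message's "unless a reviewer disagrees" is much easier to act on with that reference in place.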
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90786045 by Salvatore Bonaccorso at 2023-09-14T10:13:38+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: WooCommerce CVR Payment Gateway plugin for WordPress CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) - TODO: check + NOT-FOR-US: Booster for WooCommerce plugin for WordPress CVE-2023-4944 (The Awesome Weather Widget for WordPress plugin for WordPress is vulne ...) - TODO: check + NOT-FOR-US: Awesome Weather Widget for WordPress plugin for WordPress CVE-2023-4841 (The Feeds for YouTube for WordPress plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: Feeds for YouTube for WordPress plugin for WordPress CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows DLP end ...) TODO: check CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be run by de ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90786045d1444bdb7dc1b857f311d45179880b95
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c128cef by security tracker role at 2023-09-14T08:12:48+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,37 @@ +CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is vulnerable ...) + TODO: check +CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) + TODO: check +CVE-2023-4944 (The Awesome Weather Widget for WordPress plugin for WordPress is vulne ...) + TODO: check +CVE-2023-4841 (The Feeds for YouTube for WordPress plugin for WordPress is vulnerable ...) + TODO: check +CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows DLP end ...) + TODO: check +CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be run by de ...) + TODO: check +CVE-2023-42503 (Improper Input Validation, Uncontrolled Resource Consumption vulnerabi ...) + TODO: check +CVE-2023-41267 (In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a docume ...) + TODO: check +CVE-2023-41162 (A Reflected Cross-site scripting (XSS) vulnerability in the file manag ...) + TODO: check +CVE-2023-41158 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type pro ...) + TODO: check +CVE-2023-41155 (A Stored Cross-Site Scripting (XSS) vulnerability in the mail forwardi ...) + TODO: check +CVE-2023-41154 (A Stored Cross-Site Scripting (XSS) vulnerability in the scheduled cro ...) + TODO: check +CVE-2023-41152 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME type pro ...) + TODO: check +CVE-2023-40617 (A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeM ...) + TODO: check +CVE-2023-38206 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) ...) + TODO: check +CVE-2023-38205 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) ...) + TODO: check +CVE-2023-38204 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and earlier) ...) + TODO: check CVE-2023-4910 NOT-FOR-US: 3scale-admin-portal CVE-2023-38039 [HTTP headers eat all memory] 
@@ -412,6 +446,7 @@ CVE-2023-4900 (Inappropriate implementation in Custom Tabs in Google Chrome on A - chromium 117.0.5938.62-1 [buster] - chromium (see DSA 5046) CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 ...) + {DSA-5497-1 DSA-5496-1} - chromium 117.0.5938.62-1 (unimportant) [buster] - chromium (see DSA 5046) - firefox 117.0.1-1 @@ -31802,8 +31837,8 @@ CVE-2023-26143 RESERVED CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response Split ...) TODO: check -CVE-2023-26141 - RESERVED +CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial ...) + TODO: check CVE-2023-26140 (Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerab ...) NOT-FOR-US: excalidraw CVE-2023-26139 (Versions of the package underscore-keypath from 0.0.11 are vulnerable ...) @@ -38830,8 +38865,8 @@ CVE-2023-23847 (A cross-site request forgery (CSRF) vulnerability in Synopsys Je NOT-FOR-US: Jenkins plugin CVE-2023-23846 (Due to insufficient length validation in the Open5GS GTP library versi ...) NOT-FOR-US: Open5GS -CVE-2023-23845 - RESERVED +CVE-2023-23845 (The SolarWinds Platform was susceptible to the Incorrect Comparison Vu ...) + TODO: check CVE-2023-23844 (The SolarWinds Platform was susceptible to the Incorrect Comparison Vu ...) NOT-FOR-US: SolarWinds CVE-2023-23843 (The SolarWinds Platform was susceptible to the Incorrect Comparison Vu ...) 
@@ -38840,8 +38875,8 @@ CVE-2023-23842 (The SolarWinds Network Configuration Manager was susceptible to NOT-FOR-US: SolarWinds CVE-2023-23841 (SolarWinds Serv-U is submitting an HTTP request when changing or updat ...) NOT-FOR-US: SolarWinds -CVE-2023-23840 - RESERVED +CVE-2023-23840 (The SolarWinds Platform was susceptible to the Incorrect Comparison Vu ...) + TODO: check CVE-2023-23839 (The SolarWinds Platform was susceptible to the Exposure of Sensitive I ...) NOT-FOR-US: SolarWinds CVE-2023-23838 (Directory traversal and file enumeration vulnerability which allowed u ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c128cefb56de204778243c8e201aec420339eeb
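Review bot: in the CVE-2023-4863 hunk, `{DSA-5497-1 DSA-5496-1}` is attached to the entry while the following `- chromium 117.0.5938.62-1 (unimportant)` line keeps its severity tag, which looks contradictory on an entry that now has two DSAs; if the tag means the vulnerable code is in a library chromium builds against rather than in chromium itself, a NOTE next to the tag stating that would make the status self-explanatory for the next reader.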
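Review bot: the three RESERVED-to-description hunks (CVE-2023-26141, CVE-2023-23845, CVE-2023-23840) all land as `TODO: check`; the two SolarWinds ones carry the same "SolarWinds Platform was susceptible to the Incorrect Comparison Vu ..." text as the neighbouring `NOT-FOR-US: SolarWinds` entries and can be closed in the next NFU pass, whereas CVE-2023-26141 names the sidekiq package itself ("Versions of the package sidekiq before 7.1.3"), so it needs an actual check against what the archive ships rather than an NFU.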
[Git][security-tracker-team/security-tracker][master] claim tiff
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: d335d95b by Aron Xu at 2023-09-14T16:09:19+08:00 claim tiff - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -80,7 +80,7 @@ salt/oldstable -- samba/oldstable -- -tiff +tiff (aron) -- trafficserver -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d335d95b1eba294839d337f767ab10c30b90d0be
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ba7738a by Salvatore Bonaccorso at 2023-09-14T10:06:07+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -57,19 +57,19 @@ CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and including version 0.12.1 m CVE-2023-39914 (NLnet Labs\u2019 bcder library up to and including version 0.7.2 panic ...) TODO: check CVE-2023-38215 (Adobe Experience Manager versions 6.5.17 and earlier are affected by a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2023-38214 (Adobe Experience Manager versions 6.5.17 and earlier are affected by a ...) - TODO: check + NOT-FOR-US: Adobe CVE-2023-36642 (An improper neutralization of special elements used in an OS command v ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-36638 (An improper privilege management vulnerability [CWE-269] in FortiManag ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-36634 (An incomplete filtering of one or more instances of special elements v ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-36551 (A exposure of sensitive information to an unauthorized actor in Fortin ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-34984 (A protection mechanism failure in Fortinet FortiWeb 7.2.0 through 7.2. ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-4039 (A failure in the -fstack-protector feature in GCC-based toolchains th ...) - gcc-13 13.2.0-4 - gcc-12 12.3.0-9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba7738a24b79f6b23cb6547abe2b9ceccce3de2
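Review bot: the five Fortinet entries (CVE-2023-36642 through CVE-2023-34984) are labelled `NOT-FOR-US: FortiGuard`, whereas their descriptions name the vendor and its products (FortiManager, "Fortinet FortiWeb"); the two Adobe entries in the same hunk use the plain vendor name, so `NOT-FOR-US: Fortinet` would be the consistent label and the one a later grep for the vendor would find.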
[Git][security-tracker-team/security-tracker][master] Track two new CVEs in routinator, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dc3179e8 by Salvatore Bonaccorso at 2023-09-14T09:51:22+02:00 Track two new CVEs in routinator, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -51,9 +51,9 @@ CVE-2023-3588 (A stored Cross-site Scripting (XSS) vulnerability affecting Teamw CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...) NOT-FOR-US: Palo Alto Networks CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 contains ...) - TODO: check + - routinator (bug #929024) CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and including version 0.12.1 may cra ...) - TODO: check + - routinator (bug #929024) CVE-2023-39914 (NLnet Labs\u2019 bcder library up to and including version 0.7.2 panic ...) TODO: check CVE-2023-38215 (Adobe Experience Manager versions 6.5.17 and earlier are affected by a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc3179e8ba831e1fa9ad4a0b33eb72572cf88e88
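Review bot: the two `- routinator (bug #929024)` lines cite the ITP bug but are written like entries for a source already in the archive, with no version marker, so the tracker will count routinator as a packaged source with two unfixed issues; since the commit message says the package is only ITP'ed, mark both lines with the tracker's `<itp>` pseudo-version (or whatever marker this file uses for not-yet-uploaded sources) next to the bug reference. The third entry in the same context, CVE-2023-39914 for the bcder library from the same NLnet Labs vendor, is left at `TODO: check` and could be resolved in the same pass.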
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41081/libapache-mod-jk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 548c6006 by Salvatore Bonaccorso at 2023-09-14T09:26:52+02:00 Add CVE-2023-41081/libapache-mod-jk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,7 +34,10 @@ CVE-2023-42468 (The com.cutestudio.colordialer application through 2.1.8-2 for A CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This is a hi ...) NOT-FOR-US: Craft CMS CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some circumstances, ...) - TODO: check + - libapache-mod-jk + NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b + NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2 + NOTE: https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49 CVE-2023-40850 (netentsec NS-ASG 6.3 is vulnerable to Incorrect Access Control. There ...) NOT-FOR-US: netentsec NS-ASG CVE-2023-40717 (A use of hard-coded credentials vulnerability [CWE-798] inFortiTester2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/548c60063b0329b42d1cba5f4de7e725e4ca90d7
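Review bot: `- libapache-mod-jk` is added without a version or suite tags even though the third NOTE already points at the "Fixed_in_Apache_Tomcat_JK_Connector_1.2.49" section of the upstream security page; stating that fixed upstream version explicitly in a NOTE and checking which suites ship an older mod_jk would stop the entry from staying open for all suites until someone re-reads the advisory. The second NOTE uses `http://` for openwall while the others use `https://`; the scheme is worth normalising when the entry is touched again.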
[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2023-4785/grpc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6cda5eee by Salvatore Bonaccorso at 2023-09-14T09:23:30+02:00 Add initial tracking for CVE-2023-4785/grpc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,12 @@ CVE-2023-4802 (A reflected cross-site scripting vulnerability in the UpdateInsta CVE-2023-4801 (An improper certification validation vulnerability in the Insider Thre ...) NOT-FOR-US: Insider Threat Management (ITM) Server CVE-2023-4785 (Lack of error handling in the TCP server in Google's gRPC starting ver ...) - TODO: check + - grpc + NOTE: https://github.com/grpc/grpc/pull/33656 + NOTE: https://github.com/grpc/grpc/pull/33667 + NOTE: https://github.com/grpc/grpc/pull/33669 + NOTE: https://github.com/grpc/grpc/pull/33670 + NOTE: https://github.com/grpc/grpc/pull/33672 CVE-2023-4701 (A Improper Privilege Management vulnerability through an incorrect use ...) NOT-FOR-US: CodeMeter Runtime CVE-2023-42469 (The com.full.dialer.top.secure.encrypted application through 1.0.1 for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cda5eee59644dab111d2eef075ee297a651bde9
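Review bot: the entry lists five upstream pull requests (33656, 33667, 33669, 33670, 33672) with no indication of which one is the main-branch fix and which are backports to release branches, so whoever prepares the Debian update has to re-derive that; annotate each NOTE with its target branch or version. The description says the bug exists "starting ver ...", so once that lower bound has been compared with the grpc versions in the archive, suite tags should be added rather than leaving `- grpc` open everywhere.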
[Git][security-tracker-team/security-tracker][master] NFU (concludes external check)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 500c9fa8 by Moritz Muehlenhoff at 2023-09-14T08:42:42+02:00 NFU (concludes external check) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-4910 + NOT-FOR-US: 3scale-admin-portal CVE-2023-38039 [HTTP headers eat all memory] - curl [bookworm] - curl (Minor issue, can be fixed in point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/500c9fa8487ac1a3c9ca10bf4317f5ec0c7e3736
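Review bot: the new `CVE-2023-4910` line has no description in parentheses, unlike the other entries in this hunk's context; that is acceptable for an NFU filed before the CVE text is public, but the `NOT-FOR-US: 3scale-admin-portal` reason should survive when the description is later filled in, and the commit message's "concludes external check" would be more useful with a NOTE naming what was checked.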