[Git][security-tracker-team/security-tracker][master] Reserve DLA-3567-1 for c-ares

2023-09-14 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f7d87040 by Anton Gladky at 2023-09-15T07:36:26+02:00
Reserve DLA-3567-1 for c-ares

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[15 Sep 2023] DLA-3567-1 c-ares - security update
+   {CVE-2020-22217}
+   [buster] - c-ares 1.14.0-1+deb10u4
 [13 Sep 2023] DLA-3566-1 ruby-rails-html-sanitizer - security update
{CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520}
[buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u2
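Review bot: this commit touches only data/DLA/list and data/dla-needed.txt, so the CVE-2020-22217 entry in data/CVE/list is not given a {DLA-3567-1} cross-reference in the same change, although other entries in this digest carry the advisory reference next to the CVE (e.g. {DSA-5492-1} under CVE-2023-4208); if that is left for a follow-up, fine, otherwise the CVE side of the tracker will not point at the advisory.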


=
data/dla-needed.txt
=
@@ -25,10 +25,6 @@ amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
   NOTE: 20230910: still testing package (ta)
 --
-c-ares (gladk)
-  NOTE: 20230826: Added by Front-Desk (utkarsh)
-  NOTE: 20230826: it's a heap buffer overflow. Have mixed feelings about this 
one. Will look thoroughly. (utkarsh)
---
 cacti
   NOTE: 20230906: Added by Front-Desk (lamby)
 --
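Review bot: the hunk header (-25,10 +25,6) says four lines were removed, which matches 'c-ares (gladk)', its two NOTE lines and the '--' separator; the line 'one. Will look thoroughly. (utkarsh)' and the '---' line are mail wrapping of the second NOTE and of the removed separator, not additional removed lines. Dropping the package from dla-needed.txt at reservation time is consistent with the DLA entry added in data/DLA/list in the same commit.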



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7d87040c1a130e91637598eb091cf494791e913

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-4863/libwebp

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
174bd40d by Salvatore Bonaccorso at 2023-09-15T06:03:02+02:00
Track fixed version for CVE-2023-4863/libwebp

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -505,7 +505,7 @@ CVE-2023-4863 (Heap buffer overflow in WebP in Google 
Chrome prior to 116.0.5845
- firefox 117.0.1-1
- firefox-esr 115.2.1esr-1
- thunderbird 1:115.2.2-1
-   - libwebp  (bug #1051787)
+   - libwebp 1.2.4-0.3 (bug #1051787)
NOTE: 
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
NOTE: src:chromium builds against the system libwebp library
NOTE: Fixed by: 
https://chromium.googlesource.com/webm/libwebp.git/+/902bc9190331343b2017211debcec8d2ab87e17a%5E%21/
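Review bot: the fixed version 1.2.4-0.3 is recorded for unstable only; the NOTE lines directly follow the libwebp line, so no [bookworm]/[bullseye] status line exists for it here, and since the NOTE says src:chromium builds against the system libwebp, the stable suites' exposure rides on this package and deserves an explicit line rather than an implicit one. Consider also appending the upstream release tag after the 'Fixed by' commit URL, as the cups entry in this digest does with '(v2.4.3)', so readers can match the Debian version to an upstream release.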



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/174bd40d95aecff3fffbd892960d23f6e852d2a2



[Git][security-tracker-team/security-tracker][master] CVE-2023-41081,libapache-mod-jk: fixed in sid

2023-09-14 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7fc515b3 by Markus Koschany at 2023-09-15T00:44:53+02:00
CVE-2023-41081,libapache-mod-jk: fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -116,7 +116,7 @@ CVE-2023-42468 (The com.cutestudio.colordialer application 
through 2.1.8-2 for A
 CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This 
is a hi ...)
NOT-FOR-US: Craft CMS
 CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some 
circumstances, ...)
-   - libapache-mod-jk  (bug #1051956)
+   - libapache-mod-jk 1:1.2.49-1 (bug #1051956)
NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2
NOTE: 
https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
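Review bot: 1:1.2.49-1 matches the referenced tomcat.apache.org anchor 'Fixed_in_Apache_Tomcat_JK_Connector_1.2.49', so the version is consistent with the upstream fix. The NOTE lines directly follow the package line, so no [bookworm]/[bullseye] triage is recorded for libapache-mod-jk yet; a status line for the stable suites (DSA planned or minor issue) would complete the entry.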



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fc515b3143717a2b8eae8de650f45952a267738



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0134ba5 by Salvatore Bonaccorso at 2023-09-14T22:36:41+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,41 +1,41 @@
 CVE-2023-4972 (Improper Privilege Management vulnerability in Yepas Digital 
Yepas all ...)
-   TODO: check
+   NOT-FOR-US: Yepas Digital Yepas
 CVE-2023-4965 (A vulnerability was found in phpipam 1.5.1. It has been rated 
as probl ...)
- phpipam  (bug #731713)
 CVE-2023-4951 (A cross site scripting issue was discovered with the pagination 
functi ...)
-   TODO: check
+   NOT-FOR-US: GreenRADIUS web admin interface
 CVE-2023-4832 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Aceka Company Management
 CVE-2023-4766 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Movus
 CVE-2023-4702 (Authentication Bypass Using an Alternate Path or Channel 
vulnerability ...)
-   TODO: check
+   NOT-FOR-US: Yepas Digital Yepas
 CVE-2023-4676 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
TODO: check
 CVE-2023-4669 (Authentication Bypass by Assumed-Immutable Data vulnerability 
in Exaga ...)
-   TODO: check
+   NOT-FOR-US: Exagate SYSGuard 3001
 CVE-2023-4516 (A CWE-306: Missing Authentication for Critical Function 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Schneider Electric
 CVE-2023-42180 (An arbitrary file upload vulnerability in the /user/upload 
component o ...)
-   TODO: check
+   NOT-FOR-US: lenosp
 CVE-2023-42178 (Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log 
query mo ...)
-   TODO: check
+   NOT-FOR-US: lenosp
 CVE-2023-41588 (A cross-site scripting (XSS) vulnerability in Time to SLA 
plugin v10.1 ...)
TODO: check
 CVE-2023-41011 (Command Execution vulnerability in China Mobile Communications 
China M ...)
-   TODO: check
+   NOT-FOR-US: China Mobile Communications China Mobile Intelligent Home 
Gateway
 CVE-2023-41010 (Insecure Permissions vulnerability in Sichuan Tianyi Kanghe 
Communicat ...)
-   TODO: check
+   NOT-FOR-US: China Telecom Tianyi Home Gateway
 CVE-2023-40779 (An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 
allows a remo ...)
-   TODO: check
+   NOT-FOR-US: IceWarp
 CVE-2023-39286 (A vulnerability in the Connect Mobility Router component of 
Mitel MiVo ...)
-   TODO: check
+   NOT-FOR-US: Mitel
 CVE-2023-39285 (A vulnerability in the Edge Gateway component of Mitel MiVoice 
Connect ...)
-   TODO: check
+   NOT-FOR-US: Mitel
 CVE-2023-38558 (A vulnerability has been identified in SIMATIC PCS neo 
(Administration ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-38557 (A vulnerability has been identified in Spectrum Power 7 (All 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2023-37756 (I-doit pro 25 and below and I-doit open 25 and below employ 
weak passw ...)
TODO: check
 CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are 
configured wi ...)
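Review bot: CVE-2023-42180 is marked NOT-FOR-US: lenosp, but its visible description ('arbitrary file upload vulnerability in the /user/upload component o ...') does not name the product; the attribution looks carried over from the adjacent CVE-2023-42178, which does say Lenosp, so it is worth confirming against the full description before closing it. The two-line 'NOT-FOR-US: China Mobile Communications China Mobile Intelligent Home / Gateway' is mail wrapping of one line, not a stray 'Gateway' entry. The entries left at TODO: check (CVE-2023-4676, CVE-2023-41588, CVE-2023-37756) are untouched, consistent with the 'some NFUs' subject.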
@@ -45,7 +45,7 @@ CVE-2023-37739 (i-doit Pro v25 and below was discovered to be 
vulnerable to path
 CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 
3.0.2, allow ...)
TODO: check
 CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site 
WebSocket Hija ...)
-   TODO: check
+   NOT-FOR-US: Movim
 CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is 
vulnerable ...)
NOT-FOR-US: WooCommerce CVR Payment Gateway plugin for WordPress
 CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable 
to Stor ...)
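Review bot: CVE-2023-36250 (GNOME time tracker 3.0.2) is left at TODO: check while its neighbour CVE-2023-2848 (Movim) is closed as NOT-FOR-US in this hunk; a GNOME-adjacent project is the entry in this batch most likely to correspond to a Debian package, so it is the one that needs the follow-up check rather than a reflexive NOT-FOR-US.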
@@ -129,7 +129,7 @@ CVE-2023-40715 (A cleartext storage of sensitive 
information vulnerability [CWE-
 CVE-2023-3935 (A heap buffer overflow vulnerability in Wibu CodeMeter Runtime 
network ...)
NOT-FOR-US: Wibu CodeMeter Runtime
 CVE-2023-3588 (A stored Cross-site Scripting (XSS) vulnerability affecting 
Teamwork C ...)
-   TODO: check
+   NOT-FOR-US: 3ds
 CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks 
Cortex ...)
NOT-FOR-US: Palo Alto Networks
 CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 
contains  ...)
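Review bot: 'NOT-FOR-US: 3ds' for CVE-2023-3588 is terser than the vendor labels around it ('Wibu CodeMeter Runtime', 'Palo Alto Networks'); the description names the product ('Teamwork C...'), so carrying the product name in the NOT-FOR-US text would make the entry greppable by the name people actually search for.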
@@ -277,9 +277,9 @@ CVE-2023-40611 (Apache Airflow, versions before 2.7.1, is 
affected by a vulnerab
 CVE-2023-40218 (An issue was discovered in the NPU kernel driver in Samsung 
Exynos Mob ...)
NOT-FOR-US: Samsung
 CVE-2023-3712 (Files or Directories Accessible to External Parties 
vulnerability in H ...)
-   TODO: check
+   NOT-FOR-US: Honeywell
 CVE-2023-3711 (Session Fixation vulnerability in Honeywell PM43 on 32 
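Review bot: the digest cuts this hunk off after the 'CVE-2023-3711 (Session Fixation vulnerability in Honeywell PM43 on 32' line, so only the CVE-2023-3712 change (TODO: check to NOT-FOR-US: Honeywell) can be reviewed here; that one is consistent with its description, and the adjacent CVE-2023-3711 on the same Honeywell product should get the same treatment in the part not shown.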

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4965/phpipam

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f18a3be by Salvatore Bonaccorso at 2023-09-14T22:35:47+02:00
Add CVE-2023-4965/phpipam

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-4972 (Improper Privilege Management vulnerability in Yepas Digital 
Yepas all ...)
TODO: check
 CVE-2023-4965 (A vulnerability was found in phpipam 1.5.1. It has been rated 
as probl ...)
-   TODO: check
+   - phpipam  (bug #731713)
 CVE-2023-4951 (A cross site scripting issue was discovered with the pagination 
functi ...)
TODO: check
 CVE-2023-4832 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
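Review bot: bug #731713 is far older than the other bug references in this digest (#1051xxx), which suggests it is a long-standing ITP/RFP bug rather than a report of this 2023 CVE; the empty slot in '- phpipam  (bug #731713)' is where this rendering has dropped the angle-bracket status tag, so the line should be read as the tracker's not-yet-in-Debian form rather than as a missing fixed version. A NOTE saying which bug kind #731713 is would save the next reader the lookup.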



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f18a3be65d89926213fb0101c00130b80536689



[Git][security-tracker-team/security-tracker][master] CVE-2023-4244 got preferred instead of CVE-2023-4563

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ff39f80 by Salvatore Bonaccorso at 2023-09-14T22:21:57+02:00
CVE-2023-4244 got preferred instead of CVE-2023-4563

Rewrite CVE entries to get the information under the Google CNA assigned
CVE, whereas the Red Hat assigned CVE got REJECTED.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -952,7 +952,10 @@ CVE-2023-4588 (File accessibility vulnerability in Delinea 
Secret Server, in its
 CVE-2023-4498 (Tenda N300 Wireless N VDSL2 Modem Router allows unauthenticated 
access ...)
NOT-FOR-US: Tenda
 CVE-2023-4244 (A use-after-free vulnerability in the Linux kernel's netfilter: 
nf_tab ...)
-   NOTE: Duplicate of CVE-2023-4563 (RedHat assigned)
+   - linux 6.4.13-1
+   NOTE: 
https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/
+   NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/
+   NOTE: https://kernel.dance/3e91b0ebd994635df2346353322ac51ce84ce6d8
 CVE-2023-4208 (A use-after-free vulnerability in the Linux kernel's net/sched: 
cls_u3 ...)
{DSA-5492-1}
- linux 6.4.11-1
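Review bot: the CVE-2023-4244 entry now has only the unstable fixed version (linux 6.4.13-1) and upstream references; nothing in the hunk records the bookworm/bullseye status, whereas the neighbouring CVE-2023-4208 carries {DSA-5492-1}. The CVE-2023-4563 entry removed in the second hunk had no suite lines either, so nothing was lost in the move, but the stable-suite status of this nf_tables use-after-free still needs a line here.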
@@ -2597,11 +2600,8 @@ CVE-2023-4567
[bookworm] - ansible  (Minor issue)
[bullseye] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235369
-CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC 
and transaction]
+CVE-2023-4563
REJECTED
-   - linux 6.4.13-1
-   NOTE: 
https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/
-   NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/
 CVE-2023-41109 (SmartNode SN200 (aka SN200) 3.21.2-23021 allows 
unauthenticated OS Com ...)
NOT-FOR-US: SmartNode SN200 (aka SN200)
 CVE-2023-40846 (Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is 
vulnerable to Bu ...)
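Review bot: CVE-2023-4563 is reduced to a bare REJECTED with no pointer to the ID that replaced it, and the first hunk drops the 'Duplicate of CVE-2023-4563' note from CVE-2023-4244, so the link between the two IDs survives only in the commit message. A NOTE under the rejected entry such as 'NOTE: Rejected in favour of CVE-2023-4244 (Google CNA)' would keep the tracker searchable by the Red Hat ID that earlier references may still use.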



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ff39f80ac440b8e4a5163bd319d9fa06d78393c



[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
57f659e5 by security tracker role at 2023-09-14T20:12:23+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,51 @@
+CVE-2023-4972 (Improper Privilege Management vulnerability in Yepas Digital 
Yepas all ...)
+   TODO: check
+CVE-2023-4965 (A vulnerability was found in phpipam 1.5.1. It has been rated 
as probl ...)
+   TODO: check
+CVE-2023-4951 (A cross site scripting issue was discovered with the pagination 
functi ...)
+   TODO: check
+CVE-2023-4832 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-4766 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-4702 (Authentication Bypass Using an Alternate Path or Channel 
vulnerability ...)
+   TODO: check
+CVE-2023-4676 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-4669 (Authentication Bypass by Assumed-Immutable Data vulnerability 
in Exaga ...)
+   TODO: check
+CVE-2023-4516 (A CWE-306: Missing Authentication for Critical Function 
vulnerability  ...)
+   TODO: check
+CVE-2023-42180 (An arbitrary file upload vulnerability in the /user/upload 
component o ...)
+   TODO: check
+CVE-2023-42178 (Lenosp 1.0.0-1.2.0 is vulnerable to SQL Injection via the log 
query mo ...)
+   TODO: check
+CVE-2023-41588 (A cross-site scripting (XSS) vulnerability in Time to SLA 
plugin v10.1 ...)
+   TODO: check
+CVE-2023-41011 (Command Execution vulnerability in China Mobile Communications 
China M ...)
+   TODO: check
+CVE-2023-41010 (Insecure Permissions vulnerability in Sichuan Tianyi Kanghe 
Communicat ...)
+   TODO: check
+CVE-2023-40779 (An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 
allows a remo ...)
+   TODO: check
+CVE-2023-39286 (A vulnerability in the Connect Mobility Router component of 
Mitel MiVo ...)
+   TODO: check
+CVE-2023-39285 (A vulnerability in the Edge Gateway component of Mitel MiVoice 
Connect ...)
+   TODO: check
+CVE-2023-38558 (A vulnerability has been identified in SIMATIC PCS neo 
(Administration ...)
+   TODO: check
+CVE-2023-38557 (A vulnerability has been identified in Spectrum Power 7 (All 
versions  ...)
+   TODO: check
+CVE-2023-37756 (I-doit pro 25 and below and I-doit open 25 and below employ 
weak passw ...)
+   TODO: check
+CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are 
configured wi ...)
+   TODO: check
+CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to 
path trave ...)
+   TODO: check
+CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 
3.0.2, allow ...)
+   TODO: check
+CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site 
WebSocket Hija ...)
+   TODO: check
 CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is 
vulnerable ...)
NOT-FOR-US: WooCommerce CVR Payment Gateway plugin for WordPress
 CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable 
to Stor ...)
@@ -2550,6 +2598,7 @@ CVE-2023-4567
[bullseye] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235369
 CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC 
and transaction]
+   REJECTED
- linux 6.4.13-1
NOTE: 
https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/
NOTE: https://lore.kernel.org/netdev/20230815223011.7019-1...@strlen.de/
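Review bot: after this automatic update CVE-2023-4563 carries REJECTED together with a fixed version ('- linux 6.4.13-1') and upstream NOTE links, an inconsistent state, since a rejected ID should carry no package status. The manual commit 2ff39f80 in this digest resolves it by moving the data to CVE-2023-4244 and stripping the entry down to REJECTED, so nothing remains to do, but it shows the automatic import does not clear package lines when an ID is rejected and such entries need a human pass.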
@@ -17272,8 +17321,8 @@ CVE-2023-30911
RESERVED
 CVE-2023-30910
RESERVED
-CVE-2023-30909
-   RESERVED
+CVE-2023-30909 (A remote authentication bypass issue exists in some OneView 
APIs.)
+   TODO: check
 CVE-2023-30908 (A remote authentication bypass issue exists in a OneView API.)
NOT-FOR-US: HPE
 CVE-2023-30907
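Review bot: CVE-2023-30909 moves from RESERVED to a description ('remote authentication bypass issue exists in some OneView APIs') with TODO: check, while the adjacent CVE-2023-30908 with a near-identical description is already NOT-FOR-US: HPE; the new entry will almost certainly get the same triage, and the pair is best handled together.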
@@ -21171,13 +21220,13 @@ CVE-2013-10024 (A vulnerability has been found in 
Exit Strategy Plugin 1.55 and
NOT-FOR-US: WordPress plugin
 CVE-2012-10010 (A vulnerability was found in BestWebSoft Contact Form 3.21. It 
has bee ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-32636
+CVE-2023-32636 (A flaw was found in glib, where the gvariant deserialization 
code is v ...)
- glib2.0  (Incomplete fixes for CVE-2023-29499, 
CVE-2023-32611 and CVE-2023-32665 not applied)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
-CVE-2023-32643
+CVE-2023-32643 (A flaw was found in GLib. The GVariant deserialization code is 
vulnera ...)
- glib2.0  (Incomplete fixes for CVE-2023-29499, 
CVE-2023-32611 and CVE-2023-32665 not applied)
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
-CVE-2023-32665 [GVariant 

[Git][security-tracker-team/security-tracker][master] Associate #1051726 to src:viagee as how it was reported

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c434546d by Salvatore Bonaccorso at 2023-09-14T21:55:19+02:00
Associate #1051726 to src:viagee as how it was reported

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -216718,7 +216718,8 @@ CVE-2020-24906
 CVE-2020-24905
RESERVED
 CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail 
version 2.5 ...)
-   - gnome-gmail  (bug #1051726)
+   - viagee  (bug #1051726)
+   - gnome-gmail 
[bullseye] - gnome-gmail  (Minor issue)
[buster] - gnome-gmail  (Minor issue)
NOTE: https://github.com/davesteele/gnome-gmail/issues/84
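Review bot: the unstable line now names src:viagee while the [bullseye] and [buster] lines still name gnome-gmail, and a second unversioned '- gnome-gmail ' line is kept, so one CVE lists two source packages for unstable without stating how they relate. If viagee is the renamed successor of gnome-gmail, a NOTE saying so would make the retained gnome-gmail line read as the old name rather than as a second affected package; if it is a separate package, the stable suites need their own viagee status lines.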



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c434546d1595fe2961cf12cb39dddab2aec4b217



[Git][security-tracker-team/security-tracker][master] Mark electrum issue as no-dsa

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d8d48a80 by Salvatore Bonaccorso at 2023-09-14T21:44:41+02:00
Mark electrum issue as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -386,6 +386,8 @@ CVE-2023-33136 (Azure DevOps Server Remote Code Execution 
Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2023- [receiving with Lightning: partial MPP might be accepted]
- electrum 4.4.6+dfsg-1
+   [bookworm] - electrum  (Minor issue; can be fixed via point 
release)
+   [bullseye] - electrum  (Minor issue; can be fixed via point 
release)
NOTE: 
https://github.com/spesmilo/electrum/security/advisories/GHSA-8r85-vp7r-hjxf
 CVE-2023-31417
- elasticsearch 
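Review bot: the entry is keyed on a placeholder ID (rendered here as 'CVE-2023-') with the GHSA advisory as its only reference, so it will need re-keying once a CVE is assigned; both stable suites get 'Minor issue; can be fixed via point release', which means the bookworm and bullseye fix depends on someone picking electrum up for a point release, and a NOTE on who intends to do that would make the annotation actionable. The 'release)' lines are mail wrapping of the two added annotations, not extra lines.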



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8d48a806fa9535e21be07f5f6cc283b8d585814



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-4527/glibc

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bf79e27d by Salvatore Bonaccorso at 2023-09-14T21:20:35+02:00
Add Debian bug reference for CVE-2023-4527/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -160,7 +160,7 @@ CVE-2023-4806 [potential use-after-free in getaddrinfo()]
- glibc 
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30843
 CVE-2023-4527 [Stack read overflow in getaddrinfo in no- mode]
-   - glibc 
+   - glibc  (bug #1051958)
[bullseye] - glibc  (Vulnerable code not present)
[buster] - glibc  (Vulnerable code not present)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
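Review bot: the package lines in this hunk show an empty slot between the package name and the parenthesised comment ('- glibc  (bug #1051958)', '[bullseye] - glibc  (Vulnerable code not present)'); in the tracker's syntax that slot holds a fixed version or an angle-bracket status tag, and the list archive has stripped the tags as if they were HTML, so these lines are not missing data in the repository. The 'Vulnerable code not present' annotations for bullseye and buster are consistent with the 'Introduced by ... (glibc-2.36)' note that commit c24991aa in this digest adds to the same entry.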



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bf79e27d7c859c29b361e682e747f4b2829ec4c4



[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2023-4527/glibc

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a260872a by Salvatore Bonaccorso at 2023-09-14T21:19:34+02:00
Add additional reference for CVE-2023-4527/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -166,6 +166,7 @@ CVE-2023-4527 [Stack read overflow in getaddrinfo in 
no- mode]
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
NOTE: Introduced by: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f282cdbe7f436c75864e5640a409a10485e9abb2
 (glibc-2.36)
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f
 (release/2.36/master branch)
+   NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b7529346025a130fee483d42178b5c118da971bb
 (release/2.37/master branch)
NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6
 (release/2.38/master branch)
 CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: 
sch_qf ...)
- linux 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a260872aee50c302499f45f0c5bcb32a06e617d0



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-41081/libapache-mod-jk

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1ee18bf7 by Salvatore Bonaccorso at 2023-09-14T21:12:45+02:00
Add Debian bug reference for CVE-2023-41081/libapache-mod-jk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -68,7 +68,7 @@ CVE-2023-42468 (The com.cutestudio.colordialer application 
through 2.1.8-2 for A
 CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This 
is a hi ...)
NOT-FOR-US: Craft CMS
 CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some 
circumstances, ...)
-   - libapache-mod-jk 
+   - libapache-mod-jk  (bug #1051956)
NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2
NOTE: 
https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee18bf7b294fcbee11616ace145753475157ddb



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-34321/xen

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38aa5c40 by Salvatore Bonaccorso at 2023-09-14T21:11:14+02:00
Add Debian bug reference for CVE-2023-34321/xen

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1226,7 +1226,7 @@ CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When 
integrating Apache Axis 1.x
NOTE: https://www.openwall.com/lists/oss-security/2023/09/05/1
NOTE: 
https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
 CVE-2023-34321 [arm32: The cache may not be properly cleaned/invalidated]
-   - xen 
+   - xen  (bug #1051954)
[bookworm] - xen  (Minor issue, fix along in future DSA)
[bullseye] - xen  (Minor issue, fix along in future DSA)
[buster] - xen  (DSA 4677-1)
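Review bot: the '[buster] - xen  (DSA 4677-1)' line records the advisory number in the free-text comment, unlike the {DSA-5492-1} brace form used elsewhere in this file (e.g. under CVE-2023-4208), which is the form the tracker cross-references; if DSA 4677-1 is meant as the fix for buster, the brace form is the one to use, and if it instead marks the point from which xen stopped being supported in buster, the comment form is right but would read better saying so. The new (bug #1051954) reference on the unstable line is the only functional change in the hunk.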



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38aa5c40c5accf3dc26740a84e83ec1b83c57a04



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-41000/gpac

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54df107b by Salvatore Bonaccorso at 2023-09-14T21:09:28+02:00
Add Debian bug reference for CVE-2023-41000/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -570,7 +570,7 @@ CVE-2023-41256 (Dover Fueling Solutions MAGLINK LX Web 
Console Configuration ver
 CVE-2023-41103 (Interact 7.9.79.5 allows stored Cross-site Scripting (XSS) 
attacks in  ...)
NOT-FOR-US: Interact
 CVE-2023-41000 (GPAC through 2.2.1 has a use-after-free vulnerability in the 
function  ...)
-   - gpac 
+   - gpac  (bug #1051955)
[bullseye] - gpac  (Minor issue)
NOTE: https://github.com/gpac/gpac/issues/2550
NOTE: Fixed by: 
https://github.com/gpac/gpac/commit/0018b5e4e07a1465287e7dff69b387929f5a75fa



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54df107be3e82b4dabc0d6d3782171c1ff59f8b6



[Git][security-tracker-team/security-tracker][master] Add references to upstream commits for CVE-2023-4527/glibc

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c24991aa by Salvatore Bonaccorso at 2023-09-14T21:08:05+02:00
Add references to upstream commits for CVE-2023-4527/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -165,6 +165,8 @@ CVE-2023-4527 [Stack read overflow in getaddrinfo in 
no- mode]
[buster] - glibc  (Vulnerable code not present)
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
NOTE: Introduced by: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f282cdbe7f436c75864e5640a409a10485e9abb2
 (glibc-2.36)
+   NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ea972b7edd7e36610e8cde18bf7a8149d7bac4f
 (release/2.36/master branch)
+   NOTE: Fixed by: 
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6
 (release/2.38/master branch)
 CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: 
sch_qf ...)
- linux 
NOTE: https://kernel.dance/#8fc134fee27f2263988ae38920bc03da416b03d8
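Review bot: the two 'Fixed by' references cover the release/2.36 and release/2.38 branches and skip release/2.37; commit a260872a further up this digest adds the missing 2.37 reference, so the gap is closed, but recording all branch backports in one commit would keep the entry consistent at every revision. Keeping the three ordered by branch, as the follow-up does, also helps readers compare them against the 'Introduced by ... (glibc-2.36)' line.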



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c24991aa71913eafe8d24aefce74601054fa5e63



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-32360/cups

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f561ddc by Salvatore Bonaccorso at 2023-09-14T20:58:56+02:00
Add Debian bug reference for CVE-2023-32360/cups

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11120,7 +11120,7 @@ CVE-2023-32365 (The issue was addressed with improved 
checks. This issue is fixe
 CVE-2023-32363 (A permissions issue was addressed by removing vulnerable code 
and addi ...)
NOT-FOR-US: Apple
 CVE-2023-32360 (An authentication issue was addressed with improved state 
management.  ...)
-   - cups 
+   - cups  (bug #1051953)
NOTE: 
https://github.com/OpenPrinting/cups/commit/a0c8b9c9556882f00c68b9727a95a1b6d1452913
 (v2.4.3)
 CVE-2023-32357 (An authorization issue was addressed with improved state 
management. T ...)
NOT-FOR-US: Apple



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f561ddcdbd807d61aceffd4dfca6689745b8f86



[Git][security-tracker-team/security-tracker][master] CVE-2023-32200,CVE-2023-22665,apache-jena: fixed in unstable

2023-09-14 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fdc5b5e4 by Markus Koschany at 2023-09-14T19:45:39+02:00
CVE-2023-32200,CVE-2023-22665,apache-jena: fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8687,7 +8687,7 @@ CVE-2023-37174 (GPAC v2.3-DEV-rev381-g817a848f6-master 
was discovered to contain
NOTE: https://github.com/gpac/gpac/issues/2505
NOTE: 
https://github.com/gpac/gpac/commit/549ff4484246f2bc4d5fec6760332b43774db483
 CVE-2023-32200 (There is insufficient restrictions of called script functions 
in Apach ...)
-   - apache-jena  (bug #1041108)
+   - apache-jena 4.9.0-1 (bug #1041108)
[bookworm] - apache-jena  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/07/11/11
 CVE-2023-2869 (The WP-Members Membership plugin for WordPress is vulnerable to 
unauth ...)
@@ -42921,7 +42921,7 @@ CVE-2014-125043
 CVE-2014-125042
REJECTED
 CVE-2023-22665 (There is insufficient checking of user queries in Apache Jena 
versions ...)
-   - apache-jena  (bug #1035952)
+   - apache-jena 4.9.0-1 (bug #1035952)
[bookworm] - apache-jena  (Minor issue)
NOTE: https://lists.apache.org/thread/s0dmpsxcwqs57l4qfs415klkgmhdxq7s
 CVE-2023-22652 (A Buffer Copy without Checking Size of Input ('Classic Buffer 
Overflow ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc5b5e406f1528a1df227a558374937846af278



[Git][security-tracker-team/security-tracker][master] curl fixed in sid

2023-09-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1fd602a7 by Moritz Muehlenhoff at 2023-09-14T15:48:38+02:00
curl fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -35,7 +35,7 @@ CVE-2023-38204 (Adobe ColdFusion versions 2018u18 (and 
earlier), 2021u8 (and ear
 CVE-2023-4910
NOT-FOR-US: 3scale-admin-portal
 CVE-2023-38039 [HTTP headers eat all memory]
-   - curl 
+   - curl 8.3.0-1
[bookworm] - curl  (Minor issue, can be fixed in point release)
[bullseye] - curl  (Vulnerable code not present)
[buster] - curl  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fd602a726ae89767c4dd7ea9926d62528c4b30d



[Git][security-tracker-team/security-tracker][master] LTS: claim open-vm-tools in dla-needed.txt

2023-09-14 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bbb48f21 by Sean Whitton at 2023-09-14T11:28:33+01:00
LTS: claim open-vm-tools in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -138,7 +138,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-open-vm-tools
+open-vm-tools (Sean Whitton)
   NOTE: 20230907: Added by Front-Desk (lamby)
 --
 opendkim



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbb48f2166f19a561ded6063e9dbd0d28e76111a



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b4d93ded by Salvatore Bonaccorso at 2023-09-14T10:20:05+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,31 +7,31 @@ CVE-2023-4944 (The Awesome Weather Widget for WordPress 
plugin for WordPress is
 CVE-2023-4841 (The Feeds for YouTube for WordPress plugin for WordPress is 
vulnerable ...)
NOT-FOR-US: Feeds for YouTube for WordPress plugin for WordPress
 CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows 
DLP end ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be 
run by de ...)
-   TODO: check
+   NOT-FOR-US: PaperCut
 CVE-2023-42503 (Improper Input Validation, Uncontrolled Resource Consumption 
vulnerabi ...)
TODO: check
 CVE-2023-41267 (In the Apache Airflow HDFS Provider, versions prior to 4.1.1, 
a docume ...)
-   TODO: check
+   NOT-FOR-US: Apache Airflow HDFS Provider
 CVE-2023-41162 (A Reflected Cross-site scripting (XSS) vulnerability in the 
file manag ...)
-   TODO: check
+   NOT-FOR-US: Usermin
 CVE-2023-41158 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME 
type pro ...)
-   TODO: check
+   NOT-FOR-US: Usermin
 CVE-2023-41155 (A Stored Cross-Site Scripting (XSS) vulnerability in the mail 
forwardi ...)
- webmin 
 CVE-2023-41154 (A Stored Cross-Site Scripting (XSS) vulnerability in the 
scheduled cro ...)
-   TODO: check
+   NOT-FOR-US: Usermin
 CVE-2023-41152 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME 
type pro ...)
-   TODO: check
+   NOT-FOR-US: Usermin
 CVE-2023-40617 (A reflected cross-site scripting (XSS) vulnerability in 
OpenKnowledgeM ...)
-   TODO: check
+   NOT-FOR-US: OpenKnowledgeMaps Head Start
 CVE-2023-38206 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and 
earlier)  ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38205 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and 
earlier)  ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38204 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and 
earlier)  ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-4910
NOT-FOR-US: 3scale-admin-portal
 CVE-2023-38039 [HTTP headers eat all memory]



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4d93ded2f133e505873a6a6e20264e488590ed0



[Git][security-tracker-team/security-tracker][master] Associate one CVE with webmin

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e81aedde by Salvatore Bonaccorso at 2023-09-14T10:18:47+02:00
Associate one CVE with webmin

The set of CVEs is for Webmin and Usermin, with CVE-2023-41155
mentioning both. Track this one with webmin unless a reviewer disagrees
and the others without mention of webmin as NFU.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,7 @@ CVE-2023-41162 (A Reflected Cross-site scripting (XSS) 
vulnerability in the file
 CVE-2023-41158 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME 
type pro ...)
TODO: check
 CVE-2023-41155 (A Stored Cross-Site Scripting (XSS) vulnerability in the mail 
forwardi ...)
-   TODO: check
+   - webmin 
 CVE-2023-41154 (A Stored Cross-Site Scripting (XSS) vulnerability in the 
scheduled cro ...)
TODO: check
 CVE-2023-41152 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME 
type pro ...)
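Review bot: the rationale for tracking CVE-2023-41155 with webmin while the neighbouring Usermin CVEs become NFU lives only in the commit message; the "- webmin" line in the hunk carries no NOTE, so a later reader of data/CVE/list cannot see why this one entry is treated differently from CVE-2023-41158 and CVE-2023-41154 around it. Consider adding a NOTE line under the entry recording that the advisory mentions both Webmin and Usermin.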



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e81aedde6681dfaf5da1e1c8ef6bf6e836739627



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
90786045 by Salvatore Bonaccorso at 2023-09-14T10:13:38+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,11 @@
 CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is 
vulnerable ...)
-   TODO: check
+   NOT-FOR-US: WooCommerce CVR Payment Gateway plugin for WordPress
 CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable 
to Stor ...)
-   TODO: check
+   NOT-FOR-US: Booster for WooCommerce plugin for WordPress
 CVE-2023-4944 (The Awesome Weather Widget for WordPress plugin for WordPress 
is vulne ...)
-   TODO: check
+   NOT-FOR-US: Awesome Weather Widget for WordPress plugin for WordPress
 CVE-2023-4841 (The Feeds for YouTube for WordPress plugin for WordPress is 
vulnerable ...)
-   TODO: check
+   NOT-FOR-US: Feeds for YouTube for WordPress plugin for WordPress
 CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows 
DLP end ...)
TODO: check
 CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be 
run by de ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90786045d1444bdb7dc1b857f311d45179880b95



[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c128cef by security tracker role at 2023-09-14T08:12:48+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,37 @@
+CVE-2023-4948 (The WooCommerce CVR Payment Gateway plugin for WordPress is 
vulnerable ...)
+   TODO: check
+CVE-2023-4945 (The Booster for WooCommerce plugin for WordPress is vulnerable 
to Stor ...)
+   TODO: check
+CVE-2023-4944 (The Awesome Weather Widget for WordPress plugin for WordPress 
is vulne ...)
+   TODO: check
+CVE-2023-4841 (The Feeds for YouTube for WordPress plugin for WordPress is 
vulnerable ...)
+   TODO: check
+CVE-2023-4814 (A Privilege escalation vulnerability exists in Trellix Windows 
DLP end ...)
+   TODO: check
+CVE-2023-4568 (PaperCut NG allows for unauthenticated XMLRPC commands to be 
run by de ...)
+   TODO: check
+CVE-2023-42503 (Improper Input Validation, Uncontrolled Resource Consumption 
vulnerabi ...)
+   TODO: check
+CVE-2023-41267 (In the Apache Airflow HDFS Provider, versions prior to 4.1.1, 
a docume ...)
+   TODO: check
+CVE-2023-41162 (A Reflected Cross-site scripting (XSS) vulnerability in the 
file manag ...)
+   TODO: check
+CVE-2023-41158 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME 
type pro ...)
+   TODO: check
+CVE-2023-41155 (A Stored Cross-Site Scripting (XSS) vulnerability in the mail 
forwardi ...)
+   TODO: check
+CVE-2023-41154 (A Stored Cross-Site Scripting (XSS) vulnerability in the 
scheduled cro ...)
+   TODO: check
+CVE-2023-41152 (A Stored Cross-Site Scripting (XSS) vulnerability in the MIME 
type pro ...)
+   TODO: check
+CVE-2023-40617 (A reflected cross-site scripting (XSS) vulnerability in 
OpenKnowledgeM ...)
+   TODO: check
+CVE-2023-38206 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and 
earlier)  ...)
+   TODO: check
+CVE-2023-38205 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and 
earlier)  ...)
+   TODO: check
+CVE-2023-38204 (Adobe ColdFusion versions 2018u18 (and earlier), 2021u8 (and 
earlier)  ...)
+   TODO: check
 CVE-2023-4910
NOT-FOR-US: 3scale-admin-portal
 CVE-2023-38039 [HTTP headers eat all memory]
@@ -412,6 +446,7 @@ CVE-2023-4900 (Inappropriate implementation in Custom Tabs 
in Google Chrome on A
- chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 
116.0.5845.187  ...)
+   {DSA-5497-1 DSA-5496-1}
- chromium 117.0.5938.62-1 (unimportant)
[buster] - chromium  (see DSA 5046)
- firefox 117.0.1-1
@@ -31802,8 +31837,8 @@ CVE-2023-26143
RESERVED
 CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP 
Response Split ...)
TODO: check
-CVE-2023-26141
-   RESERVED
+CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to 
Denial  ...)
+   TODO: check
 CVE-2023-26140 (Versions of the package @excalidraw/excalidraw from 0.0.0 are 
vulnerab ...)
NOT-FOR-US: excalidraw
 CVE-2023-26139 (Versions of the package underscore-keypath from 0.0.11 are 
vulnerable  ...)
@@ -38830,8 +38865,8 @@ CVE-2023-23847 (A cross-site request forgery (CSRF) 
vulnerability in Synopsys Je
NOT-FOR-US: Jenkins plugin
 CVE-2023-23846 (Due to insufficient length validation in the Open5GS GTP 
library versi ...)
NOT-FOR-US: Open5GS
-CVE-2023-23845
-   RESERVED
+CVE-2023-23845 (The SolarWinds Platform was susceptible to the Incorrect 
Comparison Vu ...)
+   TODO: check
 CVE-2023-23844 (The SolarWinds Platform was susceptible to the Incorrect 
Comparison Vu ...)
NOT-FOR-US: SolarWinds
 CVE-2023-23843 (The SolarWinds Platform was susceptible to the Incorrect 
Comparison Vu ...)
@@ -38840,8 +38875,8 @@ CVE-2023-23842 (The SolarWinds Network Configuration 
Manager was susceptible to
NOT-FOR-US: SolarWinds
 CVE-2023-23841 (SolarWinds Serv-U is submitting an HTTP request when changing 
or updat ...)
NOT-FOR-US: SolarWinds
-CVE-2023-23840
-   RESERVED
+CVE-2023-23840 (The SolarWinds Platform was susceptible to the Incorrect 
Comparison Vu ...)
+   TODO: check
 CVE-2023-23839 (The SolarWinds Platform was susceptible to the Exposure of 
Sensitive I ...)
NOT-FOR-US: SolarWinds
 CVE-2023-23838 (Directory traversal and file enumeration vulnerability which 
allowed u ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c128cefb56de204778243c8e201aec420339eeb




[Git][security-tracker-team/security-tracker][master] claim tiff

2023-09-14 Thread Aron Xu (@aron)


Aron Xu pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d335d95b by Aron Xu at 2023-09-14T16:09:19+08:00
claim tiff

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -80,7 +80,7 @@ salt/oldstable
 --
 samba/oldstable
 --
-tiff
+tiff (aron)
 --
 trafficserver
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d335d95b1eba294839d337f767ab10c30b90d0be



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2ba7738a by Salvatore Bonaccorso at 2023-09-14T10:06:07+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -57,19 +57,19 @@ CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and 
including version 0.12.1 m
 CVE-2023-39914 (NLnet Labs\u2019 bcder library up to and including version 
0.7.2 panic ...)
TODO: check
 CVE-2023-38215 (Adobe Experience Manager versions 6.5.17 and earlier are 
affected by a ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-38214 (Adobe Experience Manager versions 6.5.17 and earlier are 
affected by a ...)
-   TODO: check
+   NOT-FOR-US: Adobe
 CVE-2023-36642 (An improper neutralization of special elements used in an OS 
command v ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-36638 (An improper privilege management vulnerability [CWE-269] in 
FortiManag ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-36634 (An incomplete filtering of one or more instances of special 
elements v ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-36551 (A exposure of sensitive information to an unauthorized actor 
in Fortin ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-34984 (A protection mechanism failure in Fortinet FortiWeb 7.2.0 
through 7.2. ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-4039 (A failure in the -fstack-protector feature in GCC-based 
toolchains  th ...)
- gcc-13 13.2.0-4
- gcc-12 12.3.0-9



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ba7738a24b79f6b23cb6547abe2b9ceccce3de2



[Git][security-tracker-team/security-tracker][master] Track two new CVEs in routinator, itp'ed

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dc3179e8 by Salvatore Bonaccorso at 2023-09-14T09:51:22+02:00
Track two new CVEs in routinator, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51,9 +51,9 @@ CVE-2023-3588 (A stored Cross-site Scripting (XSS) 
vulnerability affecting Teamw
 CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks 
Cortex ...)
NOT-FOR-US: Palo Alto Networks
 CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 
contains  ...)
-   TODO: check
+   - routinator  (bug #929024)
 CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and including version 0.12.1 
may cra ...)
-   TODO: check
+   - routinator  (bug #929024)
 CVE-2023-39914 (NLnet Labs\u2019 bcder library up to and including version 
0.7.2 panic ...)
TODO: check
 CVE-2023-38215 (Adobe Experience Manager versions 6.5.17 and earlier are 
affected by a ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc3179e8ba831e1fa9ad4a0b33eb72572cf88e88



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41081/libapache-mod-jk

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
548c6006 by Salvatore Bonaccorso at 2023-09-14T09:26:52+02:00
Add CVE-2023-41081/libapache-mod-jk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -34,7 +34,10 @@ CVE-2023-42468 (The com.cutestudio.colordialer application 
through 2.1.8-2 for A
 CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This 
is a hi ...)
NOT-FOR-US: Craft CMS
 CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some 
circumstances, ...)
-   TODO: check
+   - libapache-mod-jk 
+   NOTE: https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
+   NOTE: http://www.openwall.com/lists/oss-security/2023/09/13/2
+   NOTE: 
https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
 CVE-2023-40850 (netentsec NS-ASG 6.3 is vulnerable to Incorrect Access 
Control. There  ...)
NOT-FOR-US: netentsec NS-ASG
 CVE-2023-40717 (A use of hard-coded credentials vulnerability [CWE-798] 
inFortiTester2 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/548c60063b0329b42d1cba5f4de7e725e4ca90d7



[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2023-4785/grpc

2023-09-14 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6cda5eee by Salvatore Bonaccorso at 2023-09-14T09:23:30+02:00
Add initial tracking for CVE-2023-4785/grpc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -19,7 +19,12 @@ CVE-2023-4802 (A reflected cross-site scripting 
vulnerability in the UpdateInsta
 CVE-2023-4801 (An improper certification validation vulnerability in the 
Insider Thre ...)
NOT-FOR-US: Insider Threat Management (ITM) Server
 CVE-2023-4785 (Lack of error handling in the TCP server in Google's gRPC 
starting ver ...)
-   TODO: check
+   - grpc 
+   NOTE: https://github.com/grpc/grpc/pull/33656
+   NOTE: https://github.com/grpc/grpc/pull/33667
+   NOTE: https://github.com/grpc/grpc/pull/33669
+   NOTE: https://github.com/grpc/grpc/pull/33670
+   NOTE: https://github.com/grpc/grpc/pull/33672
 CVE-2023-4701 (A Improper Privilege Management vulnerability through an 
incorrect use ...)
NOT-FOR-US: CodeMeter Runtime
 CVE-2023-42469 (The com.full.dialer.top.secure.encrypted application through 
1.0.1 for ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cda5eee59644dab111d2eef075ee297a651bde9



[Git][security-tracker-team/security-tracker][master] NFU (concludes external check)

2023-09-14 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
500c9fa8 by Moritz Muehlenhoff at 2023-09-14T08:42:42+02:00
NFU (concludes external check)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-4910
+   NOT-FOR-US: 3scale-admin-portal
 CVE-2023-38039 [HTTP headers eat all memory]
- curl 
[bookworm] - curl  (Minor issue, can be fixed in point release)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/500c9fa8487ac1a3c9ca10bf4317f5ec0c7e3736
