[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2024-27297

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0af6d74a by Salvatore Bonaccorso at 2024-03-13T06:47:32+01:00
Add reference for CVE-2024-27297

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -342,6 +342,7 @@ CVE-2024-27297 (Nix is a package manager for Linux and 
other Unix systems. A fix
- guix  (bug #1066113)
- nix 
NOTE: Fixed by: 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
+   NOTE: 
https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
NOTE: 
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
NOTE: 
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
 CVE-2024-27121 (Path traversal vulnerability exists in Machine Automation 
Controller N ...)
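Review bot: the hunk header "@@ -342,6 +342,7 @@" records one added line and no removals, so the lines rendered here as "- guix  (bug #1066113)" and "- nix" are the tracker's own package entries shown as unchanged context (the leading space of the context marker was lost in the mail rendering), not deletions, and the blank version field that renders as a double space appears to be a marker dropped the same way. On the change itself, placing the Guix blog post directly after the guix "Fixed by:" commit and before the Nix advisory keeps the Guix-side references together; nothing else to flag.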



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0af6d74a9d9c4b826ac84f80e981fe384ec205ac



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Update information for CVE-2024-27297/{guix,nix}

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
66e9dca4 by Salvatore Bonaccorso at 2024-03-13T06:01:33+01:00
Update information for CVE-2024-27297/{guix,nix}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -340,7 +340,10 @@ CVE-2024-27900 (Due to missing authorization check, 
attacker with business user
NOT-FOR-US: SAP
 CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A 
fixed-out ...)
- guix  (bug #1066113)
-   NOTE: 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
+   - nix 
+   NOTE: Fixed by: 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
+   NOTE: 
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
+   NOTE: 
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9
 CVE-2024-27121 (Path traversal vulnerability exists in Machine Automation 
Controller N ...)
NOT-FOR-US: Machine Automation Controller
 CVE-2024-26521 (HTML Injection vulnerability in CE Phoenix v1.0.8.20 and 
before allows ...)
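Review bot: the "Fixed by:" label is applied only to the guix commit, while the Nix fix commit is added as a plain NOTE next to the Nix advisory, so a reader cannot tell from the entry which of the two Nix references is the advisory and which is the fix; suggest "NOTE: Fixed by: https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9" for symmetry with the guix line. The new "- nix" entry carries no fixed version, which is correct until the fix reaches the archive.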



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/66e9dca4f0d2ba81bb096c625762ab07e60be755



[Git][security-tracker-team/security-tracker][master] Track fixed version for intel-microcode issues

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8e2abb8e by Salvatore Bonaccorso at 2024-03-13T05:59:05+01:00
Track fixed version for intel-microcode issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -282,31 +282,31 @@ CVE-2024-2182 (A flaw was found in the Open Virtual 
Network (OVN). In OVN cluste
NOTE: https://bugs.launchpad.net/bugs/2053113
NOTE: 
https://mail.openvswitch.org/pipermail/ovs-announce/2024-March/000346.html
 CVE-2023-43490
-   - intel-microcode  (bug #1066108)
+   - intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-39368
-   - intel-microcode  (bug #1066108)
+   - intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-38575
-   - intel-microcode  (bug #1066108)
+   - intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-22655
-   - intel-microcode  (bug #1066108)
+   - intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-28746 [RFDS: Register File Data Sampling]
-   - intel-microcode  (bug #1066108)
+   - intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
- linux 
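Review bot: all five entries move to 3.20240312.1 against the same bug #1066108 and the same release tag microcode-20240312, which is consistent, but the [bookworm] and [bullseye] lines still read "(Decide after exposure on unstable for update)"; with the unstable version now recorded, those ten annotations are the follow-up item and can be resolved together, since they track one upstream microcode release. For CVE-2023-28746 (RFDS) the "- linux" entry still has no fixed version recorded, so that CVE stays open on the kernel side independently of the microcode fix.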



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e2abb8e44fc738fcdd4448b67ec193f6855d7da



[Git][security-tracker-team/security-tracker][master] Add expat to dsa-needed list

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2d4696d3 by Salvatore Bonaccorso at 2024-03-12T22:45:27+01:00
Add expat to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -20,6 +20,8 @@ dav1d
 --
 dnsdist (jmm)
 --
+expat (carnil)
+--
 frr
 --
 gpac/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2d4696d35f434a7f610f07c5dd8b28a42ef33b66



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94495374 by Salvatore Bonaccorso at 2024-03-12T22:35:14+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -210,7 +210,7 @@ CVE-2024-21330 (Open Management Infrastructure (OMI) 
Elevation of Privilege Vuln
 CVE-2024-20671 (Microsoft Defender Security Feature Bypass Vulnerability)
NOT-FOR-US: Microsoft
 CVE-2024-1765 (Cloudflare Quiche (through version 0.19.1/0.20.0) was affected 
by an u ...)
-   TODO: check
+   NOT-FOR-US: Cloudflare quiche
 CVE-2024-1618 (A search path or unquoted item vulnerability in Faronics Deep 
Freeze S ...)
NOT-FOR-US: Faronics Deep Freeze Server Standard
 CVE-2024-1529 (Vulnerability in CMS Made Simple 2.2.14, which does not 
sufficiently e ...)
@@ -51762,7 +51762,7 @@ CVE-2023-30970 (Gotham Table service and Forward App 
were found to be vulnerable
 CVE-2023-30969 (The Palantir Tiles1 service was  found to be vulnerable to an 
API wide ...)
NOT-FOR-US: Palantir
 CVE-2023-30968 (One of Gotham Gaia services was found to be vulnerable to a 
stored cro ...)
-   TODO: check
+   NOT-FOR-US: Gotham Gaia services
 CVE-2023-30967 (Gotham Orbital-Simulator service prior to 0.692.0 was found to 
be vuln ...)
NOT-FOR-US: Gotham Orbital-Simulator service
 CVE-2023-30966
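Review bot: naming inconsistency within one vendor block: CVE-2023-30969 is marked "NOT-FOR-US: Palantir", CVE-2023-30967 "NOT-FOR-US: Gotham Orbital-Simulator service", and this change adds "NOT-FOR-US: Gotham Gaia services"; using the vendor name ("NOT-FOR-US: Palantir") for all of them keeps the set greppable as one. The NFU decision itself matches the neighbouring entries.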



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94495374bdab167e35af1b72c93811ef87090697



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-1062

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1156e60d by Salvatore Bonaccorso at 2024-03-12T22:24:38+01:00
Add Debian bug reference for CVE-2024-1062

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9873,7 +9873,7 @@ CVE-2023-31505 (An arbitrary file upload vulnerability in 
Schlix CMS v2.2.8-1, a
 CVE-2023-2439 (The UserPro plugin for WordPress is vulnerable to Stored 
Cross-Site Sc ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-1062 (A heap overflow flaw was found in 389-ds-base. This issue leads 
to a d ...)
-   - 389-ds-base 
+   - 389-ds-base  (bug #1066120)
[bookworm] - 389-ds-base  (Minor issue)
[bullseye] - 389-ds-base  (Minor issue)
[buster] - 389-ds-base  (Minor issue)
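Review bot: missing rationale: a heap overflow in 389-ds-base is triaged "(Minor issue)" for bookworm, bullseye and buster, but no NOTE in the entry records why, and the description is truncated here ("leads to a d ..."), so the impact cannot be confirmed from the entry itself; a one-line NOTE with the reasoning or a link to the upstream report would let the next triager verify the call. The added bug reference #1066120 is in line with the other bugs filed in this batch (#1066113, #1066119).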



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1156e60de3f18c9e40efc53993fd49500a9ac087



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-50716/fastdds

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
98ae9040 by Salvatore Bonaccorso at 2024-03-12T22:18:24+01:00
Add Debian bug reference for CVE-2023-50716/fastdds

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1139,7 +1139,7 @@ CVE-2024-1224 (This vulnerability exists in USB Pratirodh 
due to the usage of a
 CVE-2024-1142 (Path Traversal in Sonatype IQ Server from version 143 allows 
remote au ...)
NOT-FOR-US: Sonatype
 CVE-2023-50716 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation 
of the  ...)
-   - fastdds 
+   - fastdds  (bug #1066119)
NOTE: 
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h
 CVE-2023-50167 (Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue 
with ed ...)
NOT-FOR-US: Pega Platform
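Review bot: the fastdds entry now has a bug reference and the GHSA advisory, but no fixed version and no upstream fix-commit NOTE, so it stays unfixed without a pointer to what the maintainer needs to backport; if the advisory names the fixing release or commit, recording it as "NOTE: Fixed by: <commit>" next to the GHSA link saves a lookup later.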



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98ae9040866f22d1956dd91fd9157c48b82151cb



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27758/rpyc

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5a03b5ed by Salvatore Bonaccorso at 2024-03-12T21:41:12+01:00
Add CVE-2024-27758/rpyc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39,7 +39,10 @@ CVE-2024-27907 (A vulnerability has been identified in 
Simcenter Femap (All vers
 CVE-2024-27894 (The Pulsar Functions Worker includes a capability that permits 
authent ...)
NOT-FOR-US: Apache Pulsar
 CVE-2024-27758 (In RPyC before 6.0.0, when a server exposes a method that 
calls the at ...)
-   TODO: check
+   - rpyc 
+   NOTE: 
https://github.com/tomerfiliba-org/rpyc/security/advisories/GHSA-h5cg-53g7-gqjw
+   NOTE: https://github.com/tomerfiliba-org/rpyc/issues/551
+   NOTE: 
https://github.com/tomerfiliba-org/rpyc/commit/bba1d3562e6f9f1256ec64048cc23001c0bb7516
 (6.0.0)
 CVE-2024-27317 (In Pulsar Functions Worker, authenticated users can upload 
functions i ...)
NOT-FOR-US: Apache Pulsar
 CVE-2024-27279 (Directory traversal vulnerability exists in a-blog cms 
Ver.3.1.x serie ...)
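Review bot: the mail wrapping split the last NOTE so that the trailing "(6.0.0)" sits on its own line and can be misread as a context line; in the file it is the tail of the commit NOTE, marking 6.0.0 as the fixing upstream release, which agrees with the description "In RPyC before 6.0.0". The "- rpyc" line records no fixed Debian version and the entry has no stable-suite triage lines yet; adding those once severity is assessed would complete it.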



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a03b5ed89e6b6bd07510c9702bf3f440585ad21



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49453/racktables

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bbbd96aa by Salvatore Bonaccorso at 2024-03-12T21:39:53+01:00
Add CVE-2023-49453/racktables

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -373,7 +373,7 @@ CVE-2023-6814 (Insertion of Sensitive Information into Log 
File vulnerability in
 CVE-2023-49785 (NextChat, also known as ChatGPT-Next-Web, is a cross-platform 
chat use ...)
TODO: check
 CVE-2023-49453 (Reflected cross-site scripting (XSS) vulnerability in 
Racktables v0.22 ...)
-   TODO: check
+   - racktables  (bug #629531)
 CVE-2024-2370 (Unrestricted file upload vulnerability in ManageEngine Desktop 
Central ...)
NOT-FOR-US: ManageEngine
 CVE-2024-2357 (The Libreswan Project was notified of an issue causing 
libreswan to re ...)
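Review bot: the bug reference #629531 is far older than the others in this batch (#1066113, #1066119, #1066120), so it is a long-standing report rather than one filed for this CVE; together with the blank version field in "- racktables  (bug #629531)", please confirm the intended marker (a packaging-request reference versus an unfixed package in the archive), since the two render identically in this mail and mean different things to the tracker.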



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbbd96aaad26ad8aec2833d92d38566e0f605ff9



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31bd1304 by Salvatore Bonaccorso at 2024-03-12T21:38:27+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,11 +7,11 @@ CVE-2024-2391 (A vulnerability was found in EVE-NG 5.0.1-13 
and classified as pr
 CVE-2024-2371 (Information exposure vulnerability in Korenix JetI/O 6550 
affecting fi ...)
NOT-FOR-US: Korenix JetI/O 6550
 CVE-2024-2130 (The CWW Companion plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2049 (Server-Side Request Forgery (SSRF) in Citrix SD-WAN 
Standard/Premium E ...)
-   TODO: check
+   NOT-FOR-US: Citrix
 CVE-2024-2031 (The Video Conferencing with Zoom plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-28553 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the entr ...)
NOT-FOR-US: Tenda
 CVE-2024-28535 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the mitI ...)
@@ -25,7 +25,7 @@ CVE-2024-28338 (A login bypass in TOTOLINK A8000RU 
V7.1cu.643_B20200521 allows a
 CVE-2024-28186 (FreeScout is an open source help desk and shared inbox built 
with PHP. ...)
NOT-FOR-US: FreeScout
 CVE-2024-28121 (stimulus_reflex is a system to extend the capabilities of both 
Rails a ...)
-   TODO: check
+   NOT-FOR-US: stimulus_reflex
 CVE-2024-28114 (Peering Manager is a BGP session management tool. There is a 
Server Si ...)
NOT-FOR-US: Peering Manager
 CVE-2024-28113 (Peering Manager is a BGP session management tool. In Peering 
Manager < ...)
@@ -205,75 +205,75 @@ CVE-2024-21334 (Open Management Infrastructure (OMI) 
Remote Code Execution Vulne
 CVE-2024-21330 (Open Management Infrastructure (OMI) Elevation of Privilege 
Vulnerabil ...)
NOT-FOR-US: Microsoft
 CVE-2024-20671 (Microsoft Defender Security Feature Bypass Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-1765 (Cloudflare Quiche (through version 0.19.1/0.20.0) was affected 
by an u ...)
TODO: check
 CVE-2024-1618 (A search path or unquoted item vulnerability in Faronics Deep 
Freeze S ...)
-   TODO: check
+   NOT-FOR-US: Faronics Deep Freeze Server Standard
 CVE-2024-1529 (Vulnerability in CMS Made Simple 2.2.14, which does not 
sufficiently e ...)
-   TODO: check
+   NOT-FOR-US: CMS Made Simple
 CVE-2024-1528 (CMS Made Simple version 2.2.14, does not sufficiently encode 
user-cont ...)
-   TODO: check
+   NOT-FOR-US: CMS Made Simple
 CVE-2024-1527 (Unrestricted file upload vulnerability in CMS Made Simple, 
affecting v ...)
-   TODO: check
+   NOT-FOR-US: CMS Made Simple
 CVE-2024-1410 (Cloudflare quiche was discovered to be vulnerable to unbounded 
storage ...)
-   TODO: check
+   NOT-FOR-US: Cloudflare quiche
 CVE-2024-1328 (The Newsletter2Go plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1304 (Cross-site scripting vulnerability in Badger Meter Monitool 
that affec ...)
-   TODO: check
+   NOT-FOR-US: Badger Meter Monitool
 CVE-2024-1303 (Incorrectly limiting the path to a restricted directory 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Badger Meter Monitool
 CVE-2024-1302 (Information exposure vulnerability in Badger Meter Monitool 
affecting  ...)
-   TODO: check
+   NOT-FOR-US: Badger Meter Monitool
 CVE-2024-1301 (SQL injection vulnerability in Badger Meter Monitool affecting 
version ...)
-   TODO: check
+   NOT-FOR-US: Badger Meter Monitool
 CVE-2024-1227 (An open redirect vulnerability, the exploitation of which could 
allow  ...)
TODO: check
 CVE-2024-1226 (The software does not neutralize or incorrectly neutralizes 
certain ch ...)
TODO: check
 CVE-2024-1138 (The FTL Server component of TIBCO Software Inc.'s TIBCO FTL - 
Enterpri ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2024-1137 (The Proxy and Client components of TIBCO Software Inc.'s TIBCO 
ActiveS ...)
-   TODO: check
+   NOT-FOR-US: TIBCO
 CVE-2024-0906 (The f(x) Private Site plugin for WordPress is vulnerable to 
Sensitive  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5410 (A potential security vulnerability has been reported in the 
system BIO ...)
-   TODO: check
+   NOT-FOR-US: HP
 CVE-2023-4780
REJECTED
 CVE-2023-4731 (The LadiApp plugn for WordPress is vulnerable to Cross-Site 
Request Fo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4729 (The LadiApp plugin for WordPress is vulnerable to Cross-Site 
Request F ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4728 (The LadiApp plugin for WordPress is 
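Review bot: the NFU reason should name what the description shows: CVE-2023-5410 reads only "A potential security vulnerability has been reported in the system BIO ..." and is marked "NOT-FOR-US: HP", a mapping that cannot be checked from the entry itself, so adding the affected product to the reason would make the NFU self-explaining. CVE-2024-1227 and CVE-2024-1226 are correctly left as "TODO: check", since their descriptions name no vendor.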

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
11d3ebd8 by Salvatore Bonaccorso at 2024-03-12T21:25:33+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,11 @@
 CVE-2024-2394 (A vulnerability was found in SourceCodester Employee Management 
System ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Employee Management System
 CVE-2024-2393 (A vulnerability was found in SourceCodester CRUD without Page 
Reload 1 ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester CRUD without Page Reload
 CVE-2024-2391 (A vulnerability was found in EVE-NG 5.0.1-13 and classified as 
problem ...)
-   TODO: check
+   NOT-FOR-US: EVE-NG
 CVE-2024-2371 (Information exposure vulnerability in Korenix JetI/O 6550 
affecting fi ...)
-   TODO: check
+   NOT-FOR-US: Korenix JetI/O 6550
 CVE-2024-2130 (The CWW Companion plugin for WordPress is vulnerable to Stored 
Cross-S ...)
TODO: check
 CVE-2024-2049 (Server-Side Request Forgery (SSRF) in Citrix SD-WAN 
Standard/Premium E ...)
@@ -13,197 +13,197 @@ CVE-2024-2049 (Server-Side Request Forgery (SSRF) in 
Citrix SD-WAN Standard/Prem
 CVE-2024-2031 (The Video Conferencing with Zoom plugin for WordPress is 
vulnerable to ...)
TODO: check
 CVE-2024-28553 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the entr ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2024-28535 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the mitI ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2024-28340 (An information leak in the currentsetting.htm component of 
Netgear CBR ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2024-28339 (An information leak in the debuginfo.htm component of Netgear 
CBR40 2. ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2024-28338 (A login bypass in TOTOLINK A8000RU V7.1cu.643_B20200521 allows 
attacke ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2024-28186 (FreeScout is an open source help desk and shared inbox built 
with PHP. ...)
-   TODO: check
+   NOT-FOR-US: FreeScout
 CVE-2024-28121 (stimulus_reflex is a system to extend the capabilities of both 
Rails a ...)
TODO: check
 CVE-2024-28114 (Peering Manager is a BGP session management tool. There is a 
Server Si ...)
-   TODO: check
+   NOT-FOR-US: Peering Manager
 CVE-2024-28113 (Peering Manager is a BGP session management tool. In Peering 
Manager < ...)
-   TODO: check
+   NOT-FOR-US: Peering Manager
 CVE-2024-28112 (Peering Manager is a BGP session management tool. Affected 
versions of ...)
-   TODO: check
+   NOT-FOR-US: Peering Manager
 CVE-2024-28098 (The vulnerability allows authenticated users with only produce 
or cons ...)
-   TODO: check
+   NOT-FOR-US: Apache Pulsar
 CVE-2024-27907 (A vulnerability has been identified in Simcenter Femap (All 
versions < ...)
-   TODO: check
+   NOT-FOR-US: Siemens
 CVE-2024-27894 (The Pulsar Functions Worker includes a capability that permits 
authent ...)
-   TODO: check
+   NOT-FOR-US: Apache Pulsar
 CVE-2024-27758 (In RPyC before 6.0.0, when a server exposes a method that 
calls the at ...)
TODO: check
 CVE-2024-27317 (In Pulsar Functions Worker, authenticated users can upload 
functions i ...)
-   TODO: check
+   NOT-FOR-US: Apache Pulsar
 CVE-2024-27279 (Directory traversal vulnerability exists in a-blog cms 
Ver.3.1.x serie ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-27135 (Improper input validation in the Pulsar Function Worker allows 
a malic ...)
-   TODO: check
+   NOT-FOR-US: Apache Pulsar
 CVE-2024-26288 (An unauthenticated remote attacker can influence the 
communication due ...)
-   TODO: check
+   NOT-FOR-US: VDE
 CVE-2024-26204 (Outlook for Android Information Disclosure Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26203 (Azure Data Studio Elevation of Privilege Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26201 (Microsoft Intune Linux Agent Elevation of Privilege 
Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26199 (Microsoft Office Elevation of Privilege Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26198 (Microsoft Exchange Server Remote Code Execution Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26197 (Windows Standards-Based Storage Management Service Denial of 
Service V ...)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26190 (Microsoft QUIC Denial of Service Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26185 (Windows Compressed Folder Tampering Vulnerability)
-   TODO: check
+   NOT-FOR-US: Microsoft
 CVE-2024-26182 (Windows 
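Review bot: CVE-2024-26288 is marked "NOT-FOR-US: VDE" although its visible description ("An unauthenticated remote attacker can influence the communication due ...") names no vendor or product, so the reason cannot be verified from the entry; a product name in the NFU reason would fix that. In the Microsoft block, CVE-2024-26201 (Microsoft Intune Linux Agent) is the one Linux-side component; the NFU holds as long as the agent is not packaged in Debian, which is worth recording in the reason.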

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-27297/guix

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
185cbca9 by Salvatore Bonaccorso at 2024-03-12T21:13:30+01:00
Add Debian bug reference for CVE-2024-27297/guix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -336,7 +336,7 @@ CVE-2024-27902 (Applications based on SAP GUI for HTML in 
SAP NetWeaver AS ABAP
 CVE-2024-27900 (Due to missing authorization check, attacker with business 
user accoun ...)
NOT-FOR-US: SAP
 CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A 
fixed-out ...)
-   - guix 
+   - guix  (bug #1066113)
NOTE: 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
 CVE-2024-27121 (Path traversal vulnerability exists in Machine Automation 
Controller N ...)
TODO: check
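Review bot: the description opens with "Nix is a package manager ..." but only guix is tracked under this CVE in this hunk, so the nix source package needs an entry of its own (the later commit 66e9dca4 in this thread, "Update information for CVE-2024-27297/{guix,nix}", supplies it); adding both packages in one change would have avoided a half-tracked entry in between.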



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/185cbca9316d3fe99f6feb39602381d74f2d100a



[Git][security-tracker-team/security-tracker][master] automatic update

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64d81e4b by security tracker role at 2024-03-12T20:12:29+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,280 @@
-CVE-2024-2182 [Fix insufficient validation of incoming BFD packets]
+CVE-2024-2394 (A vulnerability was found in SourceCodester Employee Management 
System ...)
+   TODO: check
+CVE-2024-2393 (A vulnerability was found in SourceCodester CRUD without Page 
Reload 1 ...)
+   TODO: check
+CVE-2024-2391 (A vulnerability was found in EVE-NG 5.0.1-13 and classified as 
problem ...)
+   TODO: check
+CVE-2024-2371 (Information exposure vulnerability in Korenix JetI/O 6550 
affecting fi ...)
+   TODO: check
+CVE-2024-2130 (The CWW Companion plugin for WordPress is vulnerable to Stored 
Cross-S ...)
+   TODO: check
+CVE-2024-2049 (Server-Side Request Forgery (SSRF) in Citrix SD-WAN 
Standard/Premium E ...)
+   TODO: check
+CVE-2024-2031 (The Video Conferencing with Zoom plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-28553 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the entr ...)
+   TODO: check
+CVE-2024-28535 (Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in 
the mitI ...)
+   TODO: check
+CVE-2024-28340 (An information leak in the currentsetting.htm component of 
Netgear CBR ...)
+   TODO: check
+CVE-2024-28339 (An information leak in the debuginfo.htm component of Netgear 
CBR40 2. ...)
+   TODO: check
+CVE-2024-28338 (A login bypass in TOTOLINK A8000RU V7.1cu.643_B20200521 allows 
attacke ...)
+   TODO: check
+CVE-2024-28186 (FreeScout is an open source help desk and shared inbox built 
with PHP. ...)
+   TODO: check
+CVE-2024-28121 (stimulus_reflex is a system to extend the capabilities of both 
Rails a ...)
+   TODO: check
+CVE-2024-28114 (Peering Manager is a BGP session management tool. There is a 
Server Si ...)
+   TODO: check
+CVE-2024-28113 (Peering Manager is a BGP session management tool. In Peering 
Manager < ...)
+   TODO: check
+CVE-2024-28112 (Peering Manager is a BGP session management tool. Affected 
versions of ...)
+   TODO: check
+CVE-2024-28098 (The vulnerability allows authenticated users with only produce 
or cons ...)
+   TODO: check
+CVE-2024-27907 (A vulnerability has been identified in Simcenter Femap (All 
versions < ...)
+   TODO: check
+CVE-2024-27894 (The Pulsar Functions Worker includes a capability that permits 
authent ...)
+   TODO: check
+CVE-2024-27758 (In RPyC before 6.0.0, when a server exposes a method that 
calls the at ...)
+   TODO: check
+CVE-2024-27317 (In Pulsar Functions Worker, authenticated users can upload 
functions i ...)
+   TODO: check
+CVE-2024-27279 (Directory traversal vulnerability exists in a-blog cms 
Ver.3.1.x serie ...)
+   TODO: check
+CVE-2024-27135 (Improper input validation in the Pulsar Function Worker allows 
a malic ...)
+   TODO: check
+CVE-2024-26288 (An unauthenticated remote attacker can influence the 
communication due ...)
+   TODO: check
+CVE-2024-26204 (Outlook for Android Information Disclosure Vulnerability)
+   TODO: check
+CVE-2024-26203 (Azure Data Studio Elevation of Privilege Vulnerability)
+   TODO: check
+CVE-2024-26201 (Microsoft Intune Linux Agent Elevation of Privilege 
Vulnerability)
+   TODO: check
+CVE-2024-26199 (Microsoft Office Elevation of Privilege Vulnerability)
+   TODO: check
+CVE-2024-26198 (Microsoft Exchange Server Remote Code Execution Vulnerability)
+   TODO: check
+CVE-2024-26197 (Windows Standards-Based Storage Management Service Denial of 
Service V ...)
+   TODO: check
+CVE-2024-26190 (Microsoft QUIC Denial of Service Vulnerability)
+   TODO: check
+CVE-2024-26185 (Windows Compressed Folder Tampering Vulnerability)
+   TODO: check
+CVE-2024-26182 (Windows Kernel Elevation of Privilege Vulnerability)
+   TODO: check
+CVE-2024-26181 (Windows Kernel Denial of Service Vulnerability)
+   TODO: check
+CVE-2024-26178 (Windows Kernel Elevation of Privilege Vulnerability)
+   TODO: check
+CVE-2024-26177 (Windows Kernel Information Disclosure Vulnerability)
+   TODO: check
+CVE-2024-26176 (Windows Kernel Elevation of Privilege Vulnerability)
+   TODO: check
+CVE-2024-26174 (Windows Kernel Information Disclosure Vulnerability)
+   TODO: check
+CVE-2024-26173 (Windows Kernel Elevation of Privilege Vulnerability)
+   TODO: check
+CVE-2024-26170 (Windows Composite Image File System (CimFS) Elevation of 
Privilege Vul ...)
+   TODO: check
+CVE-2024-26169 (Windows Error Reporting Service Elevation of Privilege 
Vulnerability)
+   TODO: check
+CVE-2024-26166 (Microsoft WDAC OLE DB provider for SQL Server Remote Code 
Execution Vu ...)
+   TODO: check
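Review bot: the Microsoft entries in this batch (CVE-2024-26204 Outlook for Android down to CVE-2024-26166 WDAC OLE DB provider, including the Windows kernel, Exchange Server, Intune Linux Agent and Azure Data Studio items) describe products with no Debian source package and could be triaged straight to NOT-FOR-US: Microsoft rather than left as TODO: check; that leaves the remaining TODOs (RPyC, Pulsar Functions Worker, a-blog cms, CVE-2024-26288) as the ones that genuinely need a package lookup.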

[Git][security-tracker-team/security-tracker][master] Retake curl

2024-03-12 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51bdeece by Bastien Roucariès at 2024-03-12T20:03:59+00:00
Retake curl

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -61,10 +61,11 @@ composer (rouca)
   NOTE: 20240304: Need to backport bullseye
   NOTE: 20240312: likely not affected by CVE-2024-24821
 --
-curl
+curl (rouca)
   NOTE: 20231229: Added by Front-Desk (lamby)
   NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. 
(lamby)
   NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21
+  NOTE: test fix
 --
 dnsmasq (dleidert)
   NOTE: 20240303: Added by Front-Desk (apo)
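Review bot: the added `NOTE: test fix` under curl has no YYYYMMDD: date prefix, unlike every other NOTE in this file (compare `NOTE: 20231229: Added by Front-Desk (lamby)`), and does not say what is being tested or for which CVE; suggest something like `NOTE: 20240312: testing the fix from merge request 21 (rouca)` so the state of the entry is readable without the git log.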



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51bdeecea0c92cf2a6ed4c79fa17d2d5f837062d



[Git][security-tracker-team/security-tracker][master] php-composer/buster likely not affected by CVE-2024-24821

2024-03-12 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b77f3a0 by Bastien Roucariès at 2024-03-12T19:58:01+00:00
php-composer/buster likely not affected by CVE-2024-24821

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -59,6 +59,7 @@ cinder
 composer (rouca)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
   NOTE: 20240304: Need to backport bullseye
+  NOTE: 20240312: likely not affected by CVE-2024-24821
 --
 curl
   NOTE: 20231229: Added by Front-Desk (lamby)
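Review bot: the new composer line `NOTE: 20240312: likely not affected by CVE-2024-24821` records a conclusion but not the reason (affected code absent from the buster version, feature not present, and so on); a half sentence of justification or a link to the upstream advisory saves the next triager re-deriving it, and "likely" should be resolved to a definite not-affected before the package is dropped from dla-needed.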



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b77f3a043064876c84d2d92eb9ae9df04979971



[Git][security-tracker-team/security-tracker][master] Update status for two xen issues

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6489be70 by Salvatore Bonaccorso at 2024-03-12T20:53:55+01:00
Update status for two xen issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32,6 +32,8 @@ CVE-2023-28746 [RFDS: Register File Data Sampling]
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
- linux 
- xen 
+   [bullseye] - xen  (EOLed in Bullseye)
+   [buster] - xen  (DSA 4677-1)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/13
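Review bot: in the two added release lines the status keyword between `xen` and the parenthetical is missing as rendered (`[bullseye] - xen  (EOLed in Bullseye)`, note the double space); the tracker syntax is `[release] - package <status> (reason)`, so confirm that the committed lines carry the intended end-of-life marker and that only the rendering dropped it. `(DSA 4677-1)` on the buster line is a reason annotation, not a fixed version, so buster intentionally stays unfixed for this CVE.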
@@ -40,6 +42,8 @@ CVE-2023-28746 [RFDS: Register File Data Sampling]
 CVE-2024-2193 [GhostRace: Speculative Race Conditions]
- linux 
- xen 
+   [bullseye] - xen  (EOLed in Bullseye)
+   [buster] - xen  (DSA 4677-1)
NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/14
NOTE: https://www.vusec.net/projects/ghostrace/
NOTE: https://xenbits.xen.org/xsa/advisory-453.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6489be7056a91f45b1e49343c3e4211833473f73



[Git][security-tracker-team/security-tracker][master] Update information on CVE-2024-2193 and CVE-2024-26602

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a02e61d0 by Salvatore Bonaccorso at 2024-03-12T20:51:03+01:00
Update information on CVE-2024-2193 and CVE-2024-26602

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -37,6 +37,12 @@ CVE-2023-28746 [RFDS: Register File Data Sampling]
NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/13
NOTE: https://xenbits.xen.org/xsa/advisory-452.html
NOTE: 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
+CVE-2024-2193 [GhostRace: Speculative Race Conditions]
+   - linux 
+   - xen 
+   NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/14
+   NOTE: https://www.vusec.net/projects/ghostrace/
+   NOTE: https://xenbits.xen.org/xsa/advisory-453.html
 CVE-2024-28199 (phlex is an open source framework for building object-oriented 
views i ...)
TODO: check
 CVE-2024-28163 (Under certain conditions, Support Web Pages of SAP NetWeaver 
Process I ...)
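Review bot: the new CVE-2024-2193 stanza lists linux and xen with no fixed version and no per-release annotation; add the bookworm/bullseye assessment for linux once the kernel side is known, and since xen already cites XSA-453 the buster/bullseye xen status (end-of-life or otherwise) should be recorded here as it is for the other xen entries in this file.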
@@ -4332,6 +4338,7 @@ CVE-2024-26601 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2024-26602 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 6.7.7-1
NOTE: 
https://git.kernel.org/linus/944d5fe50f3f03daacfea16300e656a1691c4a23 (6.8-rc6)
+   NOTE: https://www.vusec.net/projects/ghostrace/
 CVE-2024-26603 (In the Linux kernel, the following vulnerability has been 
resolved:  x ...)
- linux 6.7.7-1
[bullseye] - linux  (Vulnerable code not present)
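Review bot: the added `NOTE: https://www.vusec.net/projects/ghostrace/` under CVE-2024-26602 gives no hint why a kernel fix already marked fixed in 6.7.7-1 is tied to GhostRace; prefix the URL with the relationship (for example "related to GhostRace, see CVE-2024-2193") so the cross-link is understandable without opening the page and is not mistaken for a second ID covering the same speculative race.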



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a02e61d0d9bfbaa1684309c7bdd6d8b9a9ec0b9e



[Git][security-tracker-team/security-tracker][master] Claim tinymce.

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4df8d8a9 by Ola Lundqvist at 2024-03-12T20:49:26+01:00
Claim tinymce.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -278,7 +278,7 @@ suricata (Adrian Bunk)
 thunderbird (Emilio)
   NOTE: 20240306: Added by Front-Desk (opal)
 --
-tinymce
+tinymce (Ola)
   NOTE: 20231123: Added by Front-Desk (ola)
   NOTE: 20231216: Someone with more XSS experience needed to assess the
   NOTE: 20231216: severity of CVE-2023-48219.  Also not clear to me that
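Review bot: the claim changes `tinymce` to `tinymce (Ola)` but adds no dated NOTE; the entry's last notes (20231216) leave the CVE-2023-48219 severity question open, so a `NOTE: 20240312:` line saying whether that assessment is now in hand would make the claim informative. The claimant is also written as `Ola` while the Front-Desk note uses `ola` and other claims in this file use either a full name or the salsa handle; pick one form.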



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4df8d8a9fae5eab770d3abfe500c2d4a9d090cf1



[Git][security-tracker-team/security-tracker][master] Reverted decision to remove from dla-needed since four CVEs have been fixed in bullseye.

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ed2cc5c0 by Ola Lundqvist at 2024-03-12T20:44:33+01:00
Reverted decision to remove from dla-needed since four CVEs have been fixed in 
bullseye.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -128,6 +128,10 @@ jenkins-htmlunit-core-js
 jetty9
   NOTE: 20240303: Added by Front-Desk (apo)
 --
+knot-resolver
+  NOTE: 20231029: Added by Front-Desk (gladk)
+  NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs 
has been fixed in bullseye.
+--
 libcommons-compress-java (Markus Koschany)
   NOTE: 20240303: Added by Front-Desk (apo)
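Review bot: `four CVEs has been fixed in bullseye` names none of them; list the CVE IDs in the NOTE (and write "have been") so whoever picks up knot-resolver knows which bullseye fixes to follow without searching data/CVE/list.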
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ed2cc5c0026e4a6feab14a5900932f24d138e0ee



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2182/ovn

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8602b8f8 by Salvatore Bonaccorso at 2024-03-12T20:42:21+01:00
Add CVE-2024-2182/ovn

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024-2182 [Fix insufficient validation of incoming BFD packets]
+   - ovn 24.03.1-1
+   NOTE: https://bugs.launchpad.net/bugs/2053113
+   NOTE: 
https://mail.openvswitch.org/pipermail/ovs-announce/2024-March/000346.html
 CVE-2023-43490
- intel-microcode  (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
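Review bot: CVE-2024-2182 is recorded as fixed in unstable (ovn 24.03.1-1) but carries no `[bookworm]`/`[bullseye]` lines, so both stable releases show as unfixed with no triage decision; add the assessment (fixed version, no-dsa, or not-affected with a reason) once the BFD validation fix has been checked against the versions shipped there, and a Debian bug reference if one is filed.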



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8602b8f8ccebaee333706d21d25f5026f38f988c



[Git][security-tracker-team/security-tracker][master] Noted reason for a few revert decisions in dla-needed for buster.

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e1a0971 by Ola Lundqvist at 2024-03-12T20:40:41+01:00
Noted reason for a few revert decisions in dla-needed for buster.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,6 +54,7 @@ cacti (Sylvain Beucler)
 cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
+  NOTE: 20240311: CVE-2020-10755 is fixed in bullseye
 --
 composer (rouca)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
@@ -74,6 +75,7 @@ docker.io
   NOTE: 20230706: ask for review testing 
https://lists.debian.org/debian-lts/2023/07/msg00013.html
   NOTE: 20230801: rouca and santiago testing the swarm overlay network 
(including current buster version)
   NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of 
reproducer test case
+  NOTE: 20230311: Reverted decision to remove from this file since three CVEs 
are in bullseye.
 --
 dogecoin
   NOTE: 20230619: Added by Front-Desk (Beuc)
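Review bot: the added docker.io line is dated `20230311` while the sibling notes in this same commit use `20240311`; this reads as a typo for 20240311 and, as written, places the revert a year before the 20240213 note above it. The line also does not name the three CVEs that are in bullseye.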
@@ -188,6 +190,7 @@ nvidia-cuda-toolkit
   NOTE: 20230514: piled up. (utkarsh)
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
+  NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to 
suggest removal of support.
 --
 nvidia-graphics-drivers
   NOTE: 20240303: Added by Front-Desk (apo)
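Review bot: `However email sent to suggest removal of support` gives no pointer to the mail; add the lists.debian.org archive URL, as the entry's own 20230610 note already does, so the decision thread can be found later.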



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e1a0971cd2ab97ef0e8eb9036646adbe58dc497



[Git][security-tracker-team/security-tracker][master] Reverted decision to remove python-os-brick from dla-needed since...

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b945d184 by Ola Lundqvist at 2024-03-12T20:36:42+01:00
Reverted decision to remove python-os-brick from dla-needed since 
CVE-2020-10755 is fixed in bullseye.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -212,6 +212,11 @@ python-asyncssh
   NOTE: 20240116: Added by Front-Desk (lamby)
   NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and 
in Git, but one test is failing. Waiting for feedback before release. (dleidert)
 --
+python-os-brick
+  NOTE: 20230525: Added by Front-Desk (lamby)
+  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
+  NOTE: 20240311: Reverted decision to remove from this file since 
CVE-2020-10755 is fixed in bullseye.
+---
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
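Review bot: the separator added after the restored python-os-brick block is `---` (three dashes) whereas every other entry in this file is terminated by `--` (see the line just before `rails`); fix it to `--` so anything that splits dla-needed.txt on the separator treats this entry like the rest.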



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b945d184b880d75c585ecc49d461377bb2bae7cf



[Git][security-tracker-team/security-tracker][master] Reverted the decision to remove docker.io from dla-needed while keeping the...

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
58e9fdae by Ola Lundqvist at 2024-03-12T20:30:53+01:00
Reverted the decision to remove docker.io from dla-needed while keeping the 
no-dsa note for some CVEs.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -67,6 +67,14 @@ curl
 dnsmasq (dleidert)
   NOTE: 20240303: Added by Front-Desk (apo)
 --
+docker.io
+  NOTE: 20230303: Added by Front-Desk (Beuc)
+  NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
+  NOTE: 20230424: Is in preparation. (gladk)
+  NOTE: 20230706: ask for review testing 
https://lists.debian.org/debian-lts/2023/07/msg00013.html
+  NOTE: 20230801: rouca and santiago testing the swarm overlay network 
(including current buster version)
+  NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of 
reproducer test case
+--
 dogecoin
   NOTE: 20230619: Added by Front-Desk (Beuc)
   NOTE: 20230619: CVE-2021-37491 and CVE-2023-30769 seem forgotten by upstream,
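Review bot: the docker.io block is restored verbatim with notes ending at 20240213, so nothing in the file records that it was removed and re-added, why, or which CVEs keep their no-dsa status; that information lives only in the commit message. Add a `NOTE: 20240312:` line stating the revert reason and listing the CVEs kept as no-dsa.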



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58e9fdae9833257fdb632f9ddc43af66e893ff1d



[Git][security-tracker-team/security-tracker][master] Reverted the decision to remove cinder from dla-needed.

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cc51d2ec by Ola Lundqvist at 2024-03-12T20:25:02+01:00
Reverted the decision to remove cinder from dla-needed.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -51,6 +51,10 @@ cacti (Sylvain Beucler)
   NOTE: 20240222: Reported incomplete fix upstream (Beuc)
   NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to 
maintainer+secteam; no news from upstream yet (Beuc)
 --
+cinder
+  NOTE: 20230525: Added by Front-Desk (lamby)
+  NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
+--
 composer (rouca)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
   NOTE: 20240304: Need to backport bullseye
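Review bot: the restored cinder block still says CVE-2023-2088 was filed against python-glance-store, python-os-brick, nova and cinder, but only cinder is re-added here; if the revert reasoning applies to the other three they need the same treatment (or a NOTE saying why not), and the block should carry a dated NOTE with the revert reason, which currently exists only in the commit message.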



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc51d2ec1b00152842a3c3bc3441392ea2a2e051



[Git][security-tracker-team/security-tracker][master] Reverted nvidia-cuda-toolkit removal from dla-needed.

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a60f675a by Ola Lundqvist at 2024-03-12T20:22:03+01:00
Reverted nvidia-cuda-toolkit removal from dla-needed.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -170,6 +170,13 @@ nss
   NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a 
patch for 3.90 (their LTS version) available and backport from there.
   NOTE: 20230310: see also: Message-ID: 

 --
+nvidia-cuda-toolkit
+  NOTE: 20230514: Added by Front-Desk (utkarsh)
+  NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
+  NOTE: 20230514: piled up. (utkarsh)
+  NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
+  NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
+--
 nvidia-graphics-drivers
   NOTE: 20240303: Added by Front-Desk (apo)
   NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a 
new upstream release?
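Review bot: the restored entry's most recent note (20230610, tobi) recommends moving nvidia-cuda-toolkit to the not-supported list, and this hunk adds nothing that overrides it, so the entry as restored argues for its own removal; add a dated NOTE explaining why it is back in dla-needed and whether the not-supported recommendation is rejected or still pending.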



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a60f675a09da625f0139b121c0e1201ea9ca7525



[Git][security-tracker-team/security-tracker][master] Reverted decision to mark CVEs as ignored back to no-dsa for buster.

2024-03-12 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9aadc7a2 by Ola Lundqvist at 2024-03-12T20:07:38+01:00
Reverted decision to mark CVEs as ignored back to no-dsa for buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16541,7 +16541,7 @@ CVE-2023-52322 (ecrire/public/assembler.php in SPIP 
before 4.1.13 and 4.2.x befo
- spip 4.1.13+dfsg-1 (bug #1059331)
[bookworm] - spip 4.1.9+dfsg-1+deb12u4
[bullseye] - spip 3.2.11-3+deb11u10
-   [buster] - spip  (Minor issue)
+   [buster] - spip  (Minor issue)
NOTE: 
https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-7-SPIP-4-1-13.html?lang=fr
NOTE: 
https://git.spip.net/spip/spip/commit/e90f5344b8c82711053053e778d38a35e42b7bcb
 CVE-2023-7059 (A vulnerability was found in SourceCodester School Visitor Log 
e-Book  ...)
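Review bot: as rendered, the removed and added lines in this hunk (and in each of the following ones) are identical, `[buster] - spip  (Minor issue)` both times, because the status keyword between the package name and the reason has been stripped; the actual change, ignored back to no-dsa per the commit message, is invisible here, and the double space after the package name is the only trace of where the keyword sits. Anyone reviewing from this rendering should check the committed lines rather than the diff text.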
@@ -27660,7 +27660,7 @@ CVE-2023-46586
- weborf 1.0-1 (bug #1054417)
[bookworm] - weborf 0.19-2.1+deb12u1
[bullseye] - weborf 0.17-3+deb11u1
-   [buster] - weborf  (Minor issue)
+   [buster] - weborf  (Minor issue)
NOTE: https://github.com/ltworf/weborf/pull/88
NOTE: Fixed by: 
https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d
 (1.0)
 CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 
2.1.3.0 and  ...)
@@ -67400,7 +67400,7 @@ CVE-2023-0843
 CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or 
add new p ...)
- node-xml2js 0.4.23+~cs15.4.0+dfsg-7 (bug #1034148)
[bullseye] - node-xml2js 0.2.8-1+deb11u1
-   [buster] - node-xml2js  (Minor issue)
+   [buster] - node-xml2js  (Minor issue)
NOTE: https://fluidattacks.com/advisories/myers/
NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/pull/603
@@ -174617,7 +174617,7 @@ CVE-2021-42344
 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 
2021.10 ...)
- dask.distributed 2021.09.1+ds.1-2
[bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1
-   [buster] - dask.distributed  (Minor issue; unreproducible with 
<2.0)
+   [buster] - dask.distributed  (Minor issue; unreproducible with 
<2.0)
NOTE: https://github.com/dask/distributed/pull/5427
NOTE: 
https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
NOTE: Likely introduced in 
https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab
@@ -504571,7 +504571,7 @@ CVE-2016-1244 (The extractTree function in unADF 
allows remote attackers to exec
- unadf 0.7.11a-6 (bug #838248)
[bookworm] - unadf 0.7.11a-5+deb12u1
[bullseye] - unadf 0.7.11a-4+deb11u1
-   [buster] - unadf  (Minor issue)
+   [buster] - unadf  (Minor issue)
NOTE: Fixed by: 
https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the 
upstream fix.
 CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in 
unADF allow ...)
@@ -504579,7 +504579,7 @@ CVE-2016-1243 (Stack-based buffer overflow in the 
extractTree function in unADF
- unadf 0.7.11a-6 (bug #838248)
[bookworm] - unadf 0.7.11a-5+deb12u1
[bullseye] - unadf 0.7.11a-4+deb11u1
-   [buster] - unadf  (Minor issue)
+   [buster] - unadf  (Minor issue)
NOTE: Fixed by: 
https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
NOTE: The changes between 0.7.11a-3 and 0.7.11a-4 did not include the 
upstream fix.
 CVE-2016-1242 (file_open in Tryton before 3.2.17, 3.4.x before 3.4.14, 3.6.x 
before 3 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aadc7a2025ae1660d066cf78615d8cac3be2cad



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for intel-microcode issues

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
719dabd5 by Salvatore Bonaccorso at 2024-03-12T19:07:02+01:00
Add Debian bug reference for intel-microcode issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,29 +1,29 @@
 CVE-2023-43490
-   - intel-microcode 
+   - intel-microcode  (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-39368
-   - intel-microcode 
+   - intel-microcode  (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-38575
-   - intel-microcode 
+   - intel-microcode  (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-22655
-   - intel-microcode 
+   - intel-microcode  (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-28746 [RFDS: Register File Data Sampling]
-   - intel-microcode 
+   - intel-microcode  (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
- linux 



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/719dabd5ef573aded07e5150849edd79d4307113



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27297/guix

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16a7addf by Salvatore Bonaccorso at 2024-03-12T18:31:31+01:00
Add CVE-2024-27297/guix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -46,7 +46,8 @@ CVE-2024-27902 (Applications based on SAP GUI for HTML in SAP 
NetWeaver AS ABAP
 CVE-2024-27900 (Due to missing authorization check, attacker with business 
user accoun ...)
NOT-FOR-US: SAP
 CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A 
fixed-out ...)
-   TODO: check
+   - guix 
+   NOTE: 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
 CVE-2024-27121 (Path traversal vulnerability exists in Machine Automation 
Controller N ...)
TODO: check
 CVE-2024-26521 (HTML Injection vulnerability in CE Phoenix v1.0.8.20 and 
before allows ...)
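Review bot: the CVE description opens with "Nix is a package manager", yet this hunk replaces the TODO with a guix line only; nix is a separate source package and needs its own `- nix` line (with the upstream advisory or fix commit as a NOTE) or an explicit not-affected annotation, otherwise the Nix side of the CVE silently drops out of tracking.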



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16a7addf64c5744c82a47592a84bdc60e8db809d



[Git][security-tracker-team/security-tracker][master] Add tracking for intel-microcode issues

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
925e58db by Salvatore Bonaccorso at 2024-03-12T18:22:21+01:00
Add tracking for intel-microcode issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,35 @@
+CVE-2023-43490
+   - intel-microcode 
+   [bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
+   [bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
+   NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
+   NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
+CVE-2023-39368
+   - intel-microcode 
+   [bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
+   [bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
+   NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
+   NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
+CVE-2023-38575
+   - intel-microcode 
+   [bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
+   [bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
+   NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
+   NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
+CVE-2023-22655
+   - intel-microcode 
+   [bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
+   [bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
+   NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
+   NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-28746 [RFDS: Register File Data Sampling]
- intel-microcode 
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
- linux 
- xen 
+   NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00898.html
+   NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/13
NOTE: https://xenbits.xen.org/xsa/advisory-452.html
NOTE: 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
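Review bot: four of the five new stanzas (CVE-2023-43490, CVE-2023-39368, CVE-2023-38575, CVE-2023-22655) are bare IDs with no bracketed title, while CVE-2023-28746 gets `[RFDS: Register File Data Sampling]`; the intel-sa numbers are already in the NOTE lines, so a short bracketed title from each advisory would keep the entries searchable until the MITRE descriptions arrive. The `[bookworm]`/`[bullseye]` lines also show no status keyword before `(Decide after exposure on unstable for update)` as rendered, so confirm the committed form carries the intended marker.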
@@ -71277,8 +71303,6 @@ CVE-2023-22841 (Unquoted search path in the software 
installer for the System Fi
NOT-FOR-US: Intel
 CVE-2023-22840 (Improper neutralization in software for the Intel(R) oneVPL 
GPU softwa ...)
NOT-FOR-US: Intel
-CVE-2023-22655
-   RESERVED
 CVE-2023-22431
RESERVED
 CVE-2023-22311 (Improper access control in some Intel(R) Optane(TM) PMem 100 
Series Ma ...)
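Review bot: Removing the RESERVED stub for CVE-2023-22655 here is needed because the preceding hunk re-adds the same ID with full data at the top of the file; keep both hunks in one commit so the ID is never listed twice or missing between them.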



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/925e58db2238f57e7465ace3e83ec4a882c3c3c9



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-28746

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97caba5b by Salvatore Bonaccorso at 2024-03-12T18:14:22+01:00
Update information for CVE-2023-28746

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -1,5 +1,7 @@
 CVE-2023-28746 [RFDS: Register File Data Sampling]
- intel-microcode 
+   [bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
+   [bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
- linux 
- xen 
NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/13
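Review bot: The added [bookworm] and [bullseye] lines show a double space between the package name and the parenthesised reason, where the list syntax expects a status token (a version or pseudo-version) before the reason; the same gap follows the unstable line `- intel-microcode `. If the token was stripped by the mail rendering there is nothing to change; if it is absent from the file, the lines carry no status the tracker can act on.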


=
data/dsa-needed.txt
=
@@ -28,6 +28,9 @@ gtkwave
 --
 h2o (jmm)
 --
+intel-microcode (carnil)
+  Wailt for exposure in unstable in any case
+--
 jetty9
 --
 libreswan (jmm)
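Review bot: Typo in the new dsa-needed.txt entry: `Wailt for exposure in unstable in any case` should read `Wait for exposure in unstable in any case`.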



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97caba5b71dc00ec0036af02a7a2cec8f2ecfda9



[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVE-2023-28746

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d609363 by Salvatore Bonaccorso at 2024-03-12T18:12:20+01:00
Add initial tracking for CVE-2023-28746

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2023-28746 [RFDS: Register File Data Sampling]
+   - intel-microcode 
+   - linux 
+   - xen 
+   NOTE: https://www.openwall.com/lists/oss-security/2024/03/12/13
+   NOTE: https://xenbits.xen.org/xsa/advisory-452.html
+   NOTE: 
https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
 CVE-2024-28199 (phlex is an open source framework for building object-oriented 
views i ...)
TODO: check
 CVE-2024-28163 (Under certain conditions, Support Web Pages of SAP NetWeaver 
Process I ...)
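Review bot: The linux and xen lines in the new CVE-2023-28746 entry record no fixed version, while the NOTE lines already point at the Xen advisory (XSA-452) and the oss-security post; add the fixing versions or upstream commits as NOTE references once they are known so the entry does not remain an unversioned placeholder.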



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d6093636cf9fba98c317a6bf2f127e447052035



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2024-23849 and CVE-2024-26613

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e3e0a269 by Salvatore Bonaccorso at 2024-03-12T16:37:16+01:00
Update information for CVE-2024-23849 and CVE-2024-26613

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2512,10 +2512,8 @@ CVE-2024-26614 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 6.6.15-1
[bookworm] - linux 6.1.76-1
NOTE: 
https://git.kernel.org/linus/198bc90e0e734e5f98c3d2833e8390cac3df61b2 (6.8-rc2)
-CVE-2024-26613 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   - linux 6.6.15-1
-   [bookworm] - linux 6.1.76-1
-   NOTE: 
https://git.kernel.org/linus/13e788deb7348cc88df34bed736c3b3b9927ea52 (6.8-rc2)
+CVE-2024-26613
+   REJECTED
 CVE-2024-26612 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux 6.6.15-1
[bookworm] - linux 6.1.76-1
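Review bot: Marking CVE-2024-26613 REJECTED drops the linux 6.6.15-1 and bookworm 6.1.76-1 lines together with the kernel commit 13e788deb7348cc88df34bed736c3b3b9927ea52 (6.8-rc2); that commit is re-attached to CVE-2024-23849 in the following hunk, so the fix reference is moved rather than lost. Keep both hunks in one commit for that reason.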
@@ -10873,6 +10871,7 @@ CVE-2024-23849 (In rds_recv_track_latency in 
net/rds/af_rds.c in the Linux kerne
- linux 6.6.15-1
[bookworm] - linux 6.1.76-1
NOTE: 
https://lore.kernel.org/netdev/1705715319-19199-1-git-send-email-sharath.srinivasan%40oracle.com/
+   NOTE: 
https://git.kernel.org/linus/13e788deb7348cc88df34bed736c3b3b9927ea52 (6.8-rc2)
 CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free 
in cec_qu ...)
- linux 
NOTE: 
https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3e0a2690b97108138be4071934f841618ab6c55



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d20aaeb by Salvatore Bonaccorso at 2024-03-12T09:51:59+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,49 +1,49 @@
 CVE-2024-28199 (phlex is an open source framework for building object-oriented 
views i ...)
TODO: check
 CVE-2024-28163 (Under certain conditions, Support Web Pages of SAP NetWeaver 
Process I ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-28120 (codeium-chrome is an open source code completion plugin for 
the chrome ...)
TODO: check
 CVE-2024-27938 (Postal is an open source SMTP server. Postal versions less 
than 3.0.0  ...)
TODO: check
 CVE-2024-27902 (Applications based on SAP GUI for HTML in SAP NetWeaver AS 
ABAP - vers ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-27900 (Due to missing authorization check, attacker with business 
user accoun ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A 
fixed-out ...)
TODO: check
 CVE-2024-27121 (Path traversal vulnerability exists in Machine Automation 
Controller N ...)
TODO: check
 CVE-2024-26521 (HTML Injection vulnerability in CE Phoenix v1.0.8.20 and 
before allows ...)
-   TODO: check
+   NOT-FOR-US: CE Phoenix
 CVE-2024-25854 (Cross Site Scripting (XSS) vulnerability in Sourcecodester 
Insurance M ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Insurance Management System
 CVE-2024-25645 (Under certain conditionSAPNetWeaver (Enterprise Portal) - 
version 7.50 ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-25644 (Under certain conditions SAP NetWeaverWSRM- version 7.50, 
allows an at ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-25331 (DIR-822 Rev. B Firmware v2.02KRB09 and DIR-822-CA Rev. B 
Firmware v2.0 ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-25325 (SQL injection vulnerability in Employee Management System 
v.1.0 allows ...)
-   TODO: check
+   NOT-FOR-US: Employee Management System
 CVE-2024-25114 (Collabora Online is a collaborative online office suite based 
on Libre ...)
-   TODO: check
+   NOT-FOR-US: Collabora Online
 CVE-2024-24964 (Improper access control vulnerability exists in the resident 
process o ...)
-   TODO: check
+   NOT-FOR-US: SKYSEA Client View
 CVE-2024-22133 (SAP Fiori Front End Server - version 605, allows altering of 
approver  ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-22127 (SAP NetWeaver Administrator AS Java (Administrator Log Viewer 
plug-in) ...)
-   TODO: check
+   NOT-FOR-US: SAP
 CVE-2024-21805 (Improper access control vulnerability exists in the specific 
folder of ...)
-   TODO: check
+   NOT-FOR-US: SKYSEA Client View
 CVE-2024-21584 (Pleasanter 1.3.49.0 and earlier contains a cross-site 
scripting vulner ...)
-   TODO: check
+   NOT-FOR-US: Pleasanter
 CVE-2024-1645 (The Mollie Forms plugin for WordPress is vulnerable to 
unauthorized ac ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1400 (The Mollie Forms plugin for WordPress is vulnerable to 
unauthorized po ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6814 (Insertion of Sensitive Information into Log File vulnerability 
in Hita ...)
-   TODO: check
+   NOT-FOR-US: Hitachi
 CVE-2023-49785 (NextChat, also known as ChatGPT-Next-Web, is a cross-platform 
chat use ...)
TODO: check
 CVE-2023-49453 (Reflected cross-site scripting (XSS) vulnerability in 
Racktables v0.22 ...)
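Review bot: The two Mollie Forms entries (CVE-2024-1645 and CVE-2024-1400) are labelled `NOT-FOR-US: WordPress plugin`, a generic label, while every other NOT-FOR-US line in this hunk names the product; `NOT-FOR-US: Mollie Forms WordPress plugin` would follow the file's own convention and let later searches for the plugin name find these entries.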
@@ -86820,7 +86820,7 @@ CVE-2022-46072 (Helmet Store Showroom v1.0 vulnerable 
to unauthenticated SQL Inj
 CVE-2022-46071 (There is SQL Injection vulnerability at Helmet Store Showroom 
v1.0 Log ...)
NOT-FOR-US: Helmet Store Showroom
 CVE-2022-46070 (GV-ASManager V6.0.1.0 contains a Local File Inclusion 
vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: GV-ASManager
 CVE-2022-46069
RESERVED
 CVE-2022-46068



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d20aaebdc9cc9d234f4bedcb7aa599252128fc0



[Git][security-tracker-team/security-tracker][master] automatic update

2024-03-12 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f00c9e65 by security tracker role at 2024-03-12T08:11:42+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,53 @@
+CVE-2024-28199 (phlex is an open source framework for building object-oriented 
views i ...)
+   TODO: check
+CVE-2024-28163 (Under certain conditions, Support Web Pages of SAP NetWeaver 
Process I ...)
+   TODO: check
+CVE-2024-28120 (codeium-chrome is an open source code completion plugin for 
the chrome ...)
+   TODO: check
+CVE-2024-27938 (Postal is an open source SMTP server. Postal versions less 
than 3.0.0  ...)
+   TODO: check
+CVE-2024-27902 (Applications based on SAP GUI for HTML in SAP NetWeaver AS 
ABAP - vers ...)
+   TODO: check
+CVE-2024-27900 (Due to missing authorization check, attacker with business 
user accoun ...)
+   TODO: check
+CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A 
fixed-out ...)
+   TODO: check
+CVE-2024-27121 (Path traversal vulnerability exists in Machine Automation 
Controller N ...)
+   TODO: check
+CVE-2024-26521 (HTML Injection vulnerability in CE Phoenix v1.0.8.20 and 
before allows ...)
+   TODO: check
+CVE-2024-25854 (Cross Site Scripting (XSS) vulnerability in Sourcecodester 
Insurance M ...)
+   TODO: check
+CVE-2024-25645 (Under certain conditionSAPNetWeaver (Enterprise Portal) - 
version 7.50 ...)
+   TODO: check
+CVE-2024-25644 (Under certain conditions SAP NetWeaverWSRM- version 7.50, 
allows an at ...)
+   TODO: check
+CVE-2024-25331 (DIR-822 Rev. B Firmware v2.02KRB09 and DIR-822-CA Rev. B 
Firmware v2.0 ...)
+   TODO: check
+CVE-2024-25325 (SQL injection vulnerability in Employee Management System 
v.1.0 allows ...)
+   TODO: check
+CVE-2024-25114 (Collabora Online is a collaborative online office suite based 
on Libre ...)
+   TODO: check
+CVE-2024-24964 (Improper access control vulnerability exists in the resident 
process o ...)
+   TODO: check
+CVE-2024-22133 (SAP Fiori Front End Server - version 605, allows altering of 
approver  ...)
+   TODO: check
+CVE-2024-22127 (SAP NetWeaver Administrator AS Java (Administrator Log Viewer 
plug-in) ...)
+   TODO: check
+CVE-2024-21805 (Improper access control vulnerability exists in the specific 
folder of ...)
+   TODO: check
+CVE-2024-21584 (Pleasanter 1.3.49.0 and earlier contains a cross-site 
scripting vulner ...)
+   TODO: check
+CVE-2024-1645 (The Mollie Forms plugin for WordPress is vulnerable to 
unauthorized ac ...)
+   TODO: check
+CVE-2024-1400 (The Mollie Forms plugin for WordPress is vulnerable to 
unauthorized po ...)
+   TODO: check
+CVE-2023-6814 (Insertion of Sensitive Information into Log File vulnerability 
in Hita ...)
+   TODO: check
+CVE-2023-49785 (NextChat, also known as ChatGPT-Next-Web, is a cross-platform 
chat use ...)
+   TODO: check
+CVE-2023-49453 (Reflected cross-site scripting (XSS) vulnerability in 
Racktables v0.22 ...)
+   TODO: check
 CVE-2024-2370 (Unrestricted file upload vulnerability in ManageEngine Desktop 
Central ...)
NOT-FOR-US: ManageEngine
 CVE-2024-2357 (The Libreswan Project was notified of an issue causing 
libreswan to re ...)
@@ -86769,8 +86819,8 @@ CVE-2022-46072 (Helmet Store Showroom v1.0 vulnerable 
to unauthenticated SQL Inj
NOT-FOR-US: Helmet Store Showroom
 CVE-2022-46071 (There is SQL Injection vulnerability at Helmet Store Showroom 
v1.0 Log ...)
NOT-FOR-US: Helmet Store Showroom
-CVE-2022-46070
-   RESERVED
+CVE-2022-46070 (GV-ASManager V6.0.1.0 contains a Local File Inclusion 
vulnerability in ...)
+   TODO: check
 CVE-2022-46069
RESERVED
 CVE-2022-46068



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f00c9e65c93941048b7e879cdd673c45230e2136



[Git][security-tracker-team/security-tracker][master] dla: update edk2 status

2024-03-12 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
010b3dfb by Sylvain Beucler at 2024-03-12T09:04:44+01:00
dla: update edk2 status

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -72,7 +72,8 @@ dogecoin
 --
 edk2
   NOTE: 20231230: Added by Front-Desk (lamby)
-  NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release 
(lamby)
+  NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby)
+  NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk)
 --
 expat (tobi)
   NOTE: 20240306: Added by Front-Desk (opal)
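Review bot: The rewritten first NOTE keeps its 20231230 date stamp while its wording is changed in this 20240312 commit (from `fixed in bullseye via DSA or point release` to `fixed via bullseye 11.2`); either keep the original wording or re-date the corrected line so the dated history of the entry stays accurate. The new 20240312 line for CVE-2023-48733 follows the file's format.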



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/010b3dfbd4ea91044c016cbaa2c15653bd961bcc
