[Git][security-tracker-team/security-tracker][master] CVE-2024-29894/cacti: reference final fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: db01f0d4 by Sylvain Beucler at 2024-05-21T14:48:46+02:00 CVE-2024-29894/cacti: reference final fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3729,7 +3729,7 @@ CVE-2024-29894 (Cacti provides an operational monitoring and fault management fr - cacti 1.2.27+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh NOTE: Fixed by: https://github.com/Cacti/cacti/commit/9c75f8da5b609d17c8c031fd46362f730358b792 (1.2.27) - NOTE: Follow-up fix: https://github.com/Cacti/cacti/pull/5751 + NOTE: Follow-up fix: https://github.com/Cacti/cacti/commit/6a82fa1abe81d96238a87727087572ff749d0a8d (1.2.x) CVE-2024-29513 (An issue in briscKernelDriver.sys in BlueRiSC WindowsSCOPE Cyber Foren ...) NOT-FOR-US: BlueRiSC WindowsSCOPE Cyber Forensics CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db01f0d43e6615bbfcc68dc1e8cde22512a083e1 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db01f0d43e6615bbfcc68dc1e8cde22512a083e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
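Review bot: the follow-up fix is tagged (1.2.x), a branch rather than a released version, while the unstable line is marked fixed in cacti 1.2.27+ds1-1 and the primary fix is tagged (1.2.27). If the follow-up is needed for a complete fix, record whether 1.2.27+ds1-1 already carries it (or the first release that does), so that bookworm/bullseye updates backport both 9c75f8da and 6a82fa1a rather than the first commit alone.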
[Git][security-tracker-team/security-tracker][master] CVE-2024-29894/cacti: reference fixes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fbbf5aa by Sylvain Beucler at 2024-05-15T18:17:07+02:00 CVE-2024-29894/cacti: reference fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -915,6 +915,8 @@ CVE-2024-29895 (Cacti provides an operational monitoring and fault management fr CVE-2024-29894 (Cacti provides an operational monitoring and fault management framewor ...) - cacti NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-grj5-8fcj-34gh + NOTE: Fixed by: https://github.com/Cacti/cacti/commit/9c75f8da5b609d17c8c031fd46362f730358b792 (1.2.27) + NOTE: Follow-up fix: https://github.com/Cacti/cacti/pull/5751 CVE-2024-29513 (An issue in briscKernelDriver.sys in BlueRiSC WindowsSCOPE Cyber Foren ...) NOT-FOR-US: BlueRiSC WindowsSCOPE Cyber Forensics CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0 to 23. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fbbf5aaaf63065f955a25eb59a2388e2f023a59
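Review bot: the follow-up reference points at a pull request (pull/5751) with no version tag, whereas the line above it uses the commit URL plus the release it landed in ('... (1.2.27)'). Once the PR is merged, replace it with the merged commit and its version so the fix can be located in a release tarball; the later commit in this series (db01f0d4) does exactly that.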
[Git][security-tracker-team/security-tracker][master] dla: drop netty
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d53fb1e1 by Sylvain Beucler at 2024-05-11T21:42:25+02:00 dla: drop netty Only CVE-2024-29025 needs to be fixed, and this is a minor issue that doesn't warrant a DSA/DLA/ELA on its own. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -16239,6 +16239,7 @@ CVE-2024-29025 (Netty is an asynchronous event-driven network application framew - netty (bug #1068110) [bookworm] - netty (Minor issue, fix along with future update) [bullseye] - netty (Minor issue, fix along with future update) + [buster] - netty (Minor issue, HTTP multipart DoS, fix along with future update) NOTE: https://github.com/netty/netty/security/advisories/GHSA-5jpm-x58v-624v NOTE: https://github.com/netty/netty/commit/0d0c6ed782d13d423586ad0c71737b2c7d02058c (netty-4.1.108.Final) NOTE: https://gist.github.com/vietj/f558b8ea81ec6505f1e9a6ca283c9ae3 = data/dla-needed.txt = @@ -171,9 +171,6 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -netty - NOTE: 20240419: Added by Front-Desk (apo) --- nodejs (guilhem) NOTE: 20240406: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53fb1e151cb2b672bd810d25205e1650bf6b436
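Review bot: the new [buster] line carries a short mechanism label ('HTTP multipart DoS') that the bookworm and bullseye lines just above it lack; since all three say 'fix along with future update' and the dla-needed.txt block is being dropped in the same commit, add the same label to the other two release lines so the reason for postponing is visible on each of them without consulting the git log.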
[Git][security-tracker-team/security-tracker][master] dla: reference glib2.0's maintainer message
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b9b58a1 by Sylvain Beucler at 2024-05-11T18:30:44+02:00 dla: reference glib2.0's maintainer message - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -103,6 +103,7 @@ ghostscript (Markus Koschany) -- glib2.0 (Markus Koschany) NOTE: 20240509: Added by Front-Desk (ta) + NOTE: 20240511: Coordinate with maintainer https://lists.debian.org/debian-lts/2024/05/msg8.html (Beuc) -- glibc (Adrian Bunk) NOTE: 20240504: Re-add for remaining CVEs. (bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b9b58a1ded83ba840d3fd6487bdb8ccc718eb88
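Review bot: the archive link 'https://lists.debian.org/debian-lts/2024/05/msg8.html' in the added NOTE looks malformed; lists.debian.org archive URLs use zero-padded message numbers (compare 'msg00035.html' in the ring entry quoted in the ruby2.5 commit of this series), so verify that the link resolves and correct it to the padded form if it does not.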
[Git][security-tracker-team/security-tracker][master] 2 commits: node-ejs: follow stable triage, buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f3180c9 by Sylvain Beucler at 2024-05-04T18:05:59+02:00 node-ejs: follow stable triage, buster postponed - - - - - b1dd32d8 by Sylvain Beucler at 2024-05-04T18:10:48+02:00 CVE-2024-3572/python-scrapy: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3543,6 +3543,7 @@ CVE-2024-33883 (The ejs (aka Embedded JavaScript templates) package before 3.1.1 - node-ejs 3.1.10+~3.1.5-1 [bookworm] - node-ejs (Minor issue) [bullseye] - node-ejs (Minor issue) + [buster] - node-ejs (Minor issue, follow bullseye) NOTE: https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5 (v3.1.10) CVE-2024-33851 (phpecc, as used in paragonie/phpecc before 2.0.1, has a branch-based t ...) NOT-FOR-US: phpecc @@ -7036,6 +7037,7 @@ CVE-2024-3572 (The scrapy/scrapy project is vulnerable to XML External Entity (X - python-scrapy 2.11.1-1 [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue, DoS) NOTE: https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb NOTE: https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1) NOTE: The CVE and bounty descriptions discuss general XML issues (not specifically XXE), but View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5c3f6593ac7705285bafd1e310639110f8b285a4...b1dd32d80f246b98c16b38ee19ae996c40eed42e
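Review bot: in the CVE-2024-3572 hunk the buster annotation reads 'Minor issue, DoS', while the NOTE lines directly below it record that the CVE text (general XML issues) and the actual patch (a compression bomb) disagree. Naming the mechanism the referenced fix commit addresses ('compression bomb DoS') would tie the annotation to the patch rather than to the CVE text, which is what caused the earlier 'XXE' mix-up in this entry.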
[Git][security-tracker-team/security-tracker][master] 4 commits: CVE-2017-7938,CVE-2020-14931,CVE-2024-31837/dmitry: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c8c8eeed by Sylvain Beucler at 2024-05-04T18:03:21+02:00 CVE-2017-7938,CVE-2020-14931,CVE-2024-31837/dmitry: buster postponed - - - - - 5aa5566a by Sylvain Beucler at 2024-05-04T18:03:23+02:00 ofono: follow stable triage, buster postponed - - - - - 89bee352 by Sylvain Beucler at 2024-05-04T18:03:25+02:00 gdcm: follow stable triage, buster postponed - - - - - 5c3f6593 by Sylvain Beucler at 2024-05-04T18:03:25+02:00 dla: add libkf5ksieve - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -3246,6 +3246,7 @@ CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format- - dmitry [bookworm] - dmitry (Minor issue) [bullseye] - dmitry (Minor issue) + [buster] - dmitry (Minor issue, crash in CLI tool, requires malicious parameter) NOTE: https://github.com/jaygreig86/dmitry/pull/12 CVE-2024-28294 (Limbas up to v5.2.14 was discovered to contain a SQL injection vulnera ...) NOT-FOR-US: Limbas @@ -4241,6 +4242,7 @@ CVE-2024-25569 (An out-of-bounds read vulnerability exists in the RAWCodec::Deco - gdcm [bookworm] - gdcm (Minor issue) [bullseye] - gdcm (Minor issue) + [buster] - gdcm (Minor issue, follow bullseye) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944 CVE-2024-25026 (IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Applicatio ...) NOT-FOR-US: IBM
@@ -4248,11 +4250,13 @@ CVE-2024-22391 (A heap-based buffer overflow vulnerability exists in the LookupT - gdcm [bookworm] - gdcm (Minor issue) [bullseye] - gdcm (Minor issue) + [buster] - gdcm (Minor issue, follow bullseye) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924 CVE-2024-22373 (An out-of-bounds write vulnerability exists in the JPEG2000Codec::Deco ...) - gdcm [bookworm] - gdcm (Minor issue) [bullseye] - gdcm (Minor issue) + [buster] - gdcm (Minor issue, follow bullseye) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935 CVE-2024-22144 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) NOT-FOR-US: WordPress plugin @@ -5575,21 +5579,25 @@ CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A s - ofono [bookworm] - ofono (Minor issue) [bullseye] - ofono (Minor issue) + [buster] - ofono (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255402 CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - ofono [bookworm] - ofono (Minor issue) [bullseye] - ofono (Minor issue) + [buster] - ofono (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255399 CVE-2023-4233 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - ofono [bookworm] - ofono (Minor issue) [bullseye] - ofono (Minor issue) + [buster] - ofono (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255396 CVE-2023-4232 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - ofono [bookworm] - ofono (Minor issue) [bullseye] - ofono (Minor issue) + [buster] - ofono (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255394 CVE-2024-3914 (Use after free in V8 in Google Chrome prior to 124.0.6367.60 allowed a ...) {DSA-5668-1} 
@@ -8431,6 +8439,7 @@ CVE-2023-2794 (A flaw was found in ofono, an Open Source Telephony on Linux. A s - ofono (bug #1069679) [bookworm] - ofono (Minor issue) [bullseye] - ofono (Minor issue) + [buster] - ofono (Minor issue, follow bullseye) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255387 NOTE: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682 NOTE: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400 @@ -292140,6 +292149,7 @@ CVE-2020-14931 (A stack-based buffer overflow in DMitry (Deepmagic Information G - dmitry [bookworm] - dmitry (Minor issue) [bullseye] - dmitry (Minor issue) + [buster] - dmitry (Minor issue, requires hostile whois server) NOTE: https://github.com/jaygreig86/dmitry/issues/4 NOTE: https://github.com/jaygreig86/dmitry/pull/6 NOTE: Fixed by: https://github.com/jaygreig86/dmitry/commit/da1fda491145719ae15dd36dd37a69bdbba0b192 @@ -472280,6 +472290,7 @@ CVE-2017-7938 (Stack
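Review bot: the four ofono entries CVE-2023-4232 to CVE-2023-4235 reference only Red Hat bugzilla, with no upstream fix recorded, whereas CVE-2023-2794 in the same file lists two ofono.git fix commits; if fixes exist for the 423x set, record them next to the bugzilla links, otherwise state 'no upstream fix' in the annotation so that 'follow bullseye' is not read as 'backport the same patch'. The dmitry buster lines give concrete reasons ('requires malicious parameter', 'requires hostile whois server') that the bullseye/bookworm 'Minor issue' lines omit; mirroring them avoids re-deriving the rationale when stable triage is revisited.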
[Git][security-tracker-team/security-tracker][master] dla: add ruby2.5
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 76371c0c by Sylvain Beucler at 2024-05-04T12:56:15+02:00 dla: add ruby2.5 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -256,6 +256,10 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- +ruby2.5 + NOTE: 20240504: Added by Front-Desk (Beuc) + NOTE: 20240504: Follow DSA-5677-1 (Beuc/front-desk) +-- runc (dleidert) NOTE: 20240312: Added by coordinator (roberto) NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76371c0c7a3feb27a9109ba0241e7113dab3410b
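Review bot: 'Follow DSA-5677-1' names no CVE ids; other entries in this file cite the ids they concern (the edk2 and python-asyncssh notes quoted elsewhere in this series), so listing which of the DSA's CVEs still apply to buster's ruby2.5 would let whoever claims the package start without first resolving the DSA.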
[Git][security-tracker-team/security-tracker][master] CVE-2023-46566/tftpy: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f36a742d by Sylvain Beucler at 2024-05-03T18:26:24+02:00 CVE-2023-46566/tftpy: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1231,6 +1231,7 @@ CVE-2023-46960 (Buffer Overflow vulnerability in PyPXE v.1.8.4 allows a remote a NOT-FOR-US: PyPXE CVE-2023-46566 (Buffer Overflow vulnerability in msoulier tftpy commit 467017b844bf6e3 ...) - tftpy + [buster] - tftpy (Minor issue, DoS/exception, no sanctioned patch, no recent upstream activity) NOTE: https://github.com/msoulier/tftpy/issues/140 CVE-2023-31889 (An issue discovered in httpd in ASUS RT-AC51U with firmware version up ...) NOT-FOR-US: ASUS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f36a742d82660c25ccc7bf2a071b8d619f0622b2
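Review bot: the hunk shows only the unstable line '- tftpy' before the new [buster] annotation, so bookworm and bullseye have no triage line at all; the stated reason ('DoS/exception, no sanctioned patch, no recent upstream activity') applies equally to those releases, so add matching lines for them rather than leaving buster as the only triaged release.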
[Git][security-tracker-team/security-tracker][master] CVE-2024-1892/python-scrapy: link GHSA to help disambiguate CVE-2024-3572
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 274e77ed by Sylvain Beucler at 2024-05-03T18:19:48+02:00 CVE-2024-1892/python-scrapy: link GHSA to help disambiguate CVE-2024-3572 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4981,7 +4981,6 @@ CVE-2024-3572 (The scrapy/scrapy project is vulnerable to XML External Entity (X NOTE: The CVE and bounty descriptions discuss general XML issues (not specifically XXE), but NOTE: the bounty comments and the patch discuss a compression bomb. NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7 (compression bomb) - NOTE: (or https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9 (XML ReDoS) ?) CVE-2024-3571 (langchain-ai/langchain is vulnerable to path traversal due to improper ...) NOT-FOR-US: langchain CVE-2024-3493 (A specific malformed fragmented packet type (fragmented packets may be ...) @@ -19393,6 +19392,7 @@ CVE-2024-1892 (A Regular Expression Denial of Service (ReDoS) vulnerability exis [buster] - python-scrapy (Minor issue) NOTE: https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/ NOTE: https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5 (2.11.1) + NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9 CVE-2024-1866 REJECTED CVE-2024-1865 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/274e77ed2b2f65fdf13049db6459ef71e50a21de
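Review bot: the GHSA moved to CVE-2024-1892 is added without the short descriptor that the other advisory link in the scrapy entries carries ('(compression bomb)' on GHSA-7j7m-v7m3-jqm7); tagging it '(XML ReDoS)', as the removed question line did, keeps the distinction between the two scrapy advisories visible in both entries and not only in this commit's message.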
[Git][security-tracker-team/security-tracker][master] RUSTSEC-2024-0332: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1dfb2671 by Sylvain Beucler at 2024-05-03T18:17:01+02:00 RUSTSEC-2024-0332: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8024,6 +8024,7 @@ CVE-2024-22328 (IBM Maximo Application Suite 8.10 and 8.11 could allow a remote CVE-2024- [RUSTSEC-2024-0332: Degradation of service in h2 servers with CONTINUATION Flood] - rust-h2 0.4.4-1 [bookworm] - rust-h2 (Minor issue) + [buster] - rust-h2 (Minor issue, CPU DoS) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0332.html NOTE: https://github.com/advisories/GHSA-q6cp-qfwq-4gcv CVE-2024-3362 (A vulnerability was found in SourceCodester Online Library System 1.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1dfb2671ec8d191a87b8b8358c637436264ed7de
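Review bot: the hunk context shows a bookworm line ('Minor issue') and the new buster line but no bullseye line for rust-h2; if the package is absent from bullseye nothing is needed, otherwise it should get the same 'Minor issue, CPU DoS' triage. The entry header is still the placeholder 'CVE-2024-', so keep the RUSTSEC id in the bracketed title and notes, as done here, so the entry can be matched and merged once a CVE id is assigned.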
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add pypy3
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 838a46e8 by Sylvain Beucler at 2024-05-03T18:14:03+02:00 dla: add pypy3 - - - - - 9cd54b9d by Sylvain Beucler at 2024-05-03T18:14:05+02:00 CVE-2024-3572/python-scrapy: un-triage buster, there's vulnerability mix-up - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4976,10 +4976,12 @@ CVE-2024-3572 (The scrapy/scrapy project is vulnerable to XML External Entity (X - python-scrapy 2.11.1-1 [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) - [buster] - python-scrapy (Minor issue, XXE) NOTE: https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb NOTE: https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1) - NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7 + NOTE: The CVE and bounty descriptions discuss general XML issues (not specifically XXE), but + NOTE: the bounty comments and the patch discuss a compression bomb. + NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7 (compression bomb) + NOTE: (or https://github.com/scrapy/scrapy/security/advisories/GHSA-cc65-xxvf-f7r9 (XML ReDoS) ?) CVE-2024-3571 (langchain-ai/langchain is vulnerable to path traversal due to improper ...) NOT-FOR-US: langchain CVE-2024-3493 (A specific malformed fragmented packet type (fragmented packets may be ...) = data/dla-needed.txt =
@@ -225,6 +225,12 @@ putty (rouca) pymongo NOTE: 20240420: Added by Front-Desk (apo) -- +pypy3 + NOTE: 20240503: Added by Front-Desk (Beuc) + NOTE: 20240503: Fix newly triaged (but old) issues; + NOTE: 20240503: follow PU #1070218; + NOTE: 20240503: check with maintainers about syncing bullseye too (Beuc/front-desk) +-- python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/50c5ca558591d556bbaf649e05747a377af2c4fb...9cd54b9dbf334785a14753f756e3ce521bede479
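Review bot: the last NOTE added to CVE-2024-3572 leaves an open question inside a reference line ('(or ... GHSA-cc65-xxvf-f7r9 (XML ReDoS) ?)'); a question buried in a NOTE is easy to overlook, so either resolve it before committing or record it with the tracker's explicit 'TODO: check' marker so it shows up in triage queries. Dropping the buster 'XXE' line until the mix-up is settled, rather than keeping a label the patch does not support, is the right call.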
[Git][security-tracker-team/security-tracker][master] CVE-2024-3572,CVE-2024-3574/python-scrapy: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ba50baa by Sylvain Beucler at 2024-05-03T17:43:06+02:00 CVE-2024-3572,CVE-2024-3574/python-scrapy: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4966,6 +4966,7 @@ CVE-2024-3574 (In scrapy version 2.10.1, an issue was identified where the Autho - python-scrapy 2.11.1-1 [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue, HTTP-redirect leak) NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-cw9j-q3vf-hrrv NOTE: https://huntr.com/bounties/49974321-2718-43e3-a152-62b16eed72a9 NOTE: https://github.com/scrapy/scrapy/commit/5bcb8fd5019c72d05c4a96da78a7fcb6ecb55b75 (2.11.1) @@ -4975,6 +4976,7 @@ CVE-2024-3572 (The scrapy/scrapy project is vulnerable to XML External Entity (X - python-scrapy 2.11.1-1 [bookworm] - python-scrapy (Minor issue) [bullseye] - python-scrapy (Minor issue) + [buster] - python-scrapy (Minor issue, XXE) NOTE: https://huntr.com/bounties/c4a0fac9-0c5a-4718-9ee4-2d06d58adabb NOTE: https://github.com/scrapy/scrapy/commit/809bfac4890f75fc73607318a04d2ccba71b3d9f (2.11.1) NOTE: https://github.com/scrapy/scrapy/security/advisories/GHSA-7j7m-v7m3-jqm7 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ba50baadf678561d09c37ef9dfa3a561bbafc52
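Review bot: the CVE-2024-3572 buster annotation labels the issue 'XXE' on the strength of the CVE description, but the referenced fix commit 809bfac4 should be checked against that description before a mechanism label is recorded; this series later un-triages buster (commit 9cd54b9d) because the patch turned out to address a compression bomb, so a neutral 'Minor issue' with the mechanism in a NOTE once confirmed would have avoided the churn. The CVE-2024-3574 line ('HTTP-redirect leak') is consistent with its referenced advisory and fix commit.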
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-32039, CVE-2024-32040, CVE-2024-32041, CVE-2024-32458, CVE-2024-32459, CVE...
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 058e502a by Sylvain Beucler at 2024-05-03T15:09:09+02:00 CVE-2024-32039,CVE-2024-32040,CVE-2024-32041,CVE-2024-32458,CVE-2024-32459,CVE-2024-32460/freerdp*: reference patches - - - - - 32ef1278 by Sylvain Beucler at 2024-05-03T15:09:11+02:00 Introductory commits for CVE-2024-32659,CVE-2024-32661,CVE-2024-32662/freerdp* + CVE-2024-32662/freerdp2 not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2438,9 +2438,10 @@ CVE-2024-32675 (Missing Authorization vulnerability in Xfinity Soft Order Limit NOT-FOR-US: WordPress plugin CVE-2024-32662 (FreeRDP is a free implementation of the Remote Desktop Protocol. FreeR ...) - freerdp3 3.5.1+dfsg1-1 - - freerdp2 + - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vffh-j6hh-95f4 NOTE: https://github.com/FreeRDP/FreeRDP/commit/626d10a94a88565d957ddc30768ed08b320049a7 (3.5.1) + NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/ae8f0106bd9d79dc0369c19b632c5112338ecad4 (3.0.0-beta1) CVE-2024-32432 (Missing Authorization vulnerability in Ovic Team Ovic Addon Toolkit.Th ...) NOT-FOR-US: WordPress plugin CVE-2024-32078 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ...) @@ -2575,6 +2576,7 @@ CVE-2024-32661 (FreeRDP is a free implementation of the Remote Desktop Protocol. - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-p5m5-342g-pv9m NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/71e463e31b4d69f4022d36bfc814592f56600793 (3.5.1) + NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/1b2b1c4ac14ac43f4e475488763d8659bd934eb6 (2.0.0-beta1+android10) CVE-2024-32660 (FreeRDP is a free implementation of the Remote Desktop Protocol. Prior ...) - freerdp3 3.5.1+dfsg1-1 (bug #1069752) - freerdp2 
@@ -2585,6 +2587,7 @@ CVE-2024-32659 (FreeRDP is a free implementation of the Remote Desktop Protocol. - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-8jgr-7r33-x87w NOTE: Fixed by: https://github.com/FreeRDP/FreeRDP/commit/6430945ce003a5e24d454d8566f54aae1b6b617b (3.5.1) + NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/c697941de2b7062821e004411ec18ea71e50a30d (1.2.0-beta1+android7) CVE-2024-32658 (FreeRDP is a free implementation of the Remote Desktop Protocol. FreeR ...) - freerdp3 3.5.1+dfsg1-1 (bug #1069752) - freerdp2 
@@ -2809,26 +2812,38 @@ CVE-2024-32041 (FreeRDP is a free implementation of the Remote Desktop Protocol. - freerdp3 (Fixed with initial upload to Debian unstable) - freerdp2 (bug #1069728) NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release + NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5r4p-mfx2-m44r + NOTE: https://github.com/FreeRDP/FreeRDP/commit/d88ad1acd142769650a6159906ac90f46a766265 (2.11.6) CVE-2024-32039 (FreeRDP is a free implementation of the Remote Desktop Protocol. FreeR ...) - freerdp3 (Fixed with initial upload to Debian unstable) - freerdp2 (bug #1069728) NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release + NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5h8-7j42-j4r9 + NOTE: https://github.com/FreeRDP/FreeRDP/commit/d88ad1acd142769650a6159906ac90f46a766265 (2.11.6) CVE-2024-32040 (FreeRDP is a free implementation of the Remote Desktop Protocol. FreeR ...) - freerdp3 (Fixed with initial upload to Debian unstable) - freerdp2 (bug #1069728) NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release + NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-23c5-cp23-h2h5 + NOTE: https://github.com/FreeRDP/FreeRDP/commit/5893b5f277db38b0040c572b078de838b84cfc07 (2.11.6) CVE-2024-32458 (FreeRDP is a free implementation of the Remote Desktop Protocol. FreeR ...) - freerdp3 (Fixed with initial upload to Debian unstable) - freerdp2 (bug #1069728) NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release + NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vvr6-h646-mp4p + NOTE: https://github.com/FreeRDP/FreeRDP/commit/9bc624c721ecde8251cfabd1edf069bc713ccc97 (2.11.6) CVE-2024-32459 (FreeRDP is a free implementation of the Remote Desktop Protocol. FreeR ...) 
- freerdp3 (Fixed with initial upload to Debian unstable) - freerdp2 (bug #1069728) NOTE: https://www.freerdp.com/2024/04/17/2_11_6-release + NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cp4q-p737-rmw9 + NOTE: https://github.com/FreeRDP/FreeRDP/commit
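Review bot: in the CVE-2024-32662 hunk the '+ - freerdp2' line reads identically to the '- - freerdp2' line it replaces, although the commit message marks freerdp2 as not-affected; check that the committed line actually carries the not-affected status marker (the tracker's angle-bracket tags are easily stripped by HTML mail rendering) and that the new 'Introduced by' note (3.0.0-beta1) is the justification recorded next to it. For CVE-2024-32661 and CVE-2024-32659 the introducing commits are tagged before 2.0 (2.0.0-beta1+android10, 1.2.0-beta1+android7), so leaving their '- freerdp2' lines as affected is consistent with those notes.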
[Git][security-tracker-team/security-tracker][master] CVE-2023-26793/libmodbus: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 569f7b20 by Sylvain Beucler at 2024-05-03T12:00:52+02:00 CVE-2023-26793/libmodbus: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80735,6 +80735,7 @@ CVE-2023-26793 (libmodbus v3.1.10 has a heap-based buffer overflow vulnerability - libmodbus [bookworm] - libmodbus (Minor issue) [bullseye] - libmodbus (Minor issue) + [buster] - libmodbus (Minor issue, no patch) NOTE: https://github.com/stephane/libmodbus/issues/683 CVE-2023-26792 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/569f7b2070132874ed07220dbca4973d038ab4a7
[Git][security-tracker-team/security-tracker][master] CVE-2024-4140/libemail-mime-perl: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 00651f20 by Sylvain Beucler at 2024-05-03T11:06:51+02:00 CVE-2024-4140/libemail-mime-perl: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,6 +6,7 @@ CVE-2024-4140 - libemail-mime-perl (bug #960062) [bookworm] - libemail-mime-perl (Minor issue) [bullseye] - libemail-mime-perl (Minor issue) + [buster] - libemail-mime-perl (Minor issue; OOM DoS) NOTE: https://github.com/rjbs/Email-MIME/issues/66 NOTE: https://github.com/rjbs/Email-MIME/pull/80 NOTE: https://github.com/rjbs/Email-MIME/commit/fc0fededd24a71ccc51bcd8b1e486385d09aae63 (1.954) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00651f2052bea0a9dcde7fb4301bc1eb44e04e74
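Review bot: the buster annotation uses a semicolon ('Minor issue; OOM DoS') where every other buster line in this series uses the comma form ('Minor issue, DoS', 'Minor issue, CPU DoS'); harmonise to the comma form so the annotations grep and parse consistently.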
[Git][security-tracker-team/security-tracker][master] CVE-2024-34088/frr: buster not-affected + introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d9c936a4 by Sylvain Beucler at 2024-05-03T10:42:12+02:00 CVE-2024-34088/frr: buster not-affected + introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1034,8 +1034,10 @@ CVE-2024-3072 (The ACF Front End Editor plugin for WordPress is vulnerable to un NOT-FOR-US: WordPress plugin CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is possible for the get_edge() func ...) - frr + [buster] - frr (Vulnerable code introduced later) NOTE: https://github.com/FRRouting/frr/pull/15674 NOTE: Proposed fix: https://github.com/FRRouting/frr/commit/34d704fb0ea60dc5063af477a2c11d4884984d4f + NOTE: Introduced by: https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (base_8.0) CVE-2024-33832 (OneNav v0.9.35-20240318 was discovered to contain a Server-Side Reques ...) NOT-FOR-US: OneNav CVE-2024-33831 (A stored cross-site scripting (XSS) vulnerability in the Advanced Expe ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c936a4422616d017b3007ff6651c7900835a8f
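Review bot: the added buster line shows only '[buster] - frr (Vulnerable code introduced later)' with no visible status marker, although the commit message says not-affected; confirm the committed line carries the not-affected tag (angle-bracket tags are easily dropped by mail rendering). With the introducing commit recorded at base_8.0, the bullseye and bookworm lines, which are absent from this hunk, can be triaged on the same basis: a release shipping frr older than 8.0 is not-affected for the same reason, and a newer one needs the proposed fix.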
[Git][security-tracker-team/security-tracker][master] dla: claim firmware-nonfree for tobi who claimed elts uploads
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f9f34c9 by Sylvain Beucler at 2024-05-02T15:56:33+02:00 dla: claim firmware-nonfree for tobi who claimed elts uploads - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,7 +81,7 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firmware-nonfree +firmware-nonfree (tobi) NOTE: 20240502: Added by Front-Desk (Beuc) -- freeimage View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f9f34c9fee8e0a6a110364343650c449dece9d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f9f34c9fee8e0a6a110364343650c449dece9d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
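Review bot: the claim is recorded only by appending `(tobi)` to the package line; the file's convention, visible in the surrounding entries (`NOTE: 20240502: Added by Front-Desk (Beuc)`), is to date each status change with a `NOTE: YYYYMMDD:` line, so add one recording that tobi claimed the package together with the ELTS upload the commit message refers to.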
[Git][security-tracker-team/security-tracker][master] dla: add firmware-nonfree + fix triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 127467c1 by Sylvain Beucler at 2024-05-02T15:54:27+02:00 dla: add firmware-nonfree + fix triage - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -22485,7 +22485,6 @@ CVE-2023-35061 (Improper initialization for some Intel(R) PROSet/Wireless and In - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-35060 (Uncontrolled search path in some Intel(R) Battery Life Diagnostic Tool ...) @@ -22496,7 +22495,6 @@ CVE-2023-34983 (Improper input validation for some Intel(R) PROSet/Wireless and - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-34351 (Buffer underflow in some Intel(R) PCM software before version 202307 m ...) @@ -22507,7 +22505,6 @@ CVE-2023-33875 (Improper access control for some Intel(R) PROSet/Wireless and In - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-33870 (Insecure inherited permissions in some Intel(R) Ethernet tools and dri ...) 
@@ -22516,7 +22513,6 @@ CVE-2023-32651 (Improper validation of specified type of input for some Intel(R) - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-32647 (Improper access control in some Intel(R) XTU software before version 7 ...) @@ -22527,14 +22523,12 @@ CVE-2023-32644 (Protection mechanism failure for some Intel(R) PROSet/Wireless a - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-32642 (Insufficient adherence to expected conventions for some Intel(R) PROSe ...) - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-32618 (Uncontrolled search path in some Intel(R) oneAPI Toolkit and component ...) 
@@ -22555,14 +22549,12 @@ CVE-2023-28720 (Improper initialization for some Intel(R) PROSet/Wireless and In - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-28374 (Improper input validation for some Intel(R) PROSet/Wireless and Intel( ...) - firmware-nonfree (bug #1064229) [bookworm] - firmware-nonfree (Non-free not supported) [bullseye] - firmware-nonfree (Non-free not supported) - [buster] - firmware-nonfree (Non-free not supported) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00947.html NOTE: Fixed upstream in linux-firmware/20231211 CVE-2023-49721 (An insecure default to allow UEFI Shell in EDK2 was left enabled in LX ...) @@ -78658,14 +78650,12 @@ CVE-2023-26586 (Uncaught exception for some Intel(R) PROSet/Wireless and Intel(R - firmware
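Review bot: every hunk removes the same `[buster] - firmware-nonfree (Non-free not supported)` line while leaving the identical `[bullseye]` and `[bookworm]` annotations in place, which flips these Intel PROSet/Wireless CVEs (all pointing at intel-sa-00947, fixed upstream in linux-firmware/20231211) from "not supported" to open for buster only. The commit message says `fix triage` but not why buster is now treated differently from the newer suites; a one-line rationale in the message or a shared NOTE would save the next reader from guessing. The `data/dla-needed.txt` hunk listed in the header is not shown here, so check that the buster entry it adds references the same advisory.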
[Git][security-tracker-team/security-tracker][master] dla: add intel-microcode and attribute to tobi who claimed elts uploads
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 07b3d895 by Sylvain Beucler at 2024-05-02T15:47:14+02:00 dla: add intel-microcode and attribute to tobi who claimed elts uploads - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -102,6 +102,12 @@ i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 -- +intel-microcode (tobi) + NOTE: 20240502: Added by Front-Desk (Beuc) + NOTE: 20240502: Update being tested in unstable, + NOTE: 20240502: (CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490) + NOTE: 20240502: Follow PU: #1068082 and #1068084 (Beuc/front-desk) +-- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick glance View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07b3d895a0f5edad947e50b89892e3434db85d69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/07b3d895a0f5edad947e50b89892e3434db85d69 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
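Review bot: the `NOTE: 20240502: Update being tested in unstable,` line ends mid-sentence and continues over the next two NOTE lines; the file elsewhere keeps one self-contained thought per NOTE (see the i2p entry just above), so either join them or make each line stand alone: one listing the five CVEs, one for the proposed-update bugs. Expand `PU` to `proposed-update` once, since #1068082 and #1068084 are only meaningful with that context.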
[Git][security-tracker-team/security-tracker][master] CVE-2024-XXXX/ngircd: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ea3b4831 by Sylvain Beucler at 2024-04-30T16:11:19+02:00 CVE-2024-/ngircd: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4149,6 +4149,7 @@ CVE-2024- [validate a server certificate in a TLS-based server-server connec - ngircd 27~rc1-1 [bookworm] - ngircd (Minor issue, will be fixed via point update) [bullseye] - ngircd (Minor issue, will be fixed via point update) + [buster] - ngircd (Minor issue, follow bullseye point update) NOTE: https://github.com/ngircd/ngircd/issues/120 NOTE: https://github.com/ngircd/ngircd/commit/817937b218c4b57515f54216ebc936cd69df0aae (rel-27-rc1) CVE-2024-3778 (The file upload functionality of Ai3 QbiBot does not properly restrict ...) @@ -291190,7 +291191,7 @@ CVE-2020-14149 (In uftpd before 2.12, handle_CWD in ftpcmd.c mishandled the path CVE-2020-14148 (The Server-Server protocol implementation in ngIRCd before 26~rc2 allo ...) {DLA-2252-1} - ngircd 26-1 (bug #963147) - [buster] - ngircd (Minor issue) + [buster] - ngircd (Minor issue, fix along with next update) [stretch] - ngircd (Minor issue) NOTE: https://github.com/ngircd/ngircd/issues/274 NOTE: https://github.com/ngircd/ngircd/issues/277 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea3b48313bd5866136c3f761dba82823ad16227f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea3b48313bd5866136c3f761dba82823ad16227f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
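Review bot: the two hunks record the same plan in different words, `follow bullseye point update` for the new entry and `fix along with next update` for CVE-2020-14148; since the intent is to bundle both in one buster upload, use the same phrase and cross-reference the other CVE in each annotation so the pairing survives if one entry is edited later. The new entry is filed under a placeholder identifier (`CVE-2024-XXXX` in the subject); replace it as soon as an ID is assigned so the buster annotation is not lost in the rename.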
[Git][security-tracker-team/security-tracker][master] CVE-2023-6597/python: reference introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8267dca4 by Sylvain Beucler at 2024-04-29T23:10:41+02:00 CVE-2023-6597/python: reference introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12408,6 +12408,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c NOTE: https://github.com/python/cpython/commit/8eaeefe49d179ca4908d052745e3bb8b6f238f82 (v3.10.14) NOTE: https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b (v3.9.19) NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/ + NOTE: Introduced by: https://github.com/python/cpython/commit/e9b51c0ad81da1da11ae65840ac8b50a8521373c (v3.8.0b1) CVE-2023-50966 (erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow atta ...) - erlang-jose (bug #1067456) NOTE: https://github.com/potatosalad/erlang-jose/issues/156 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8267dca495cbcd673ce4e3b6114070415fc100cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8267dca495cbcd673ce4e3b6114070415fc100cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
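Review bot: the `Introduced by:` commit is tagged `v3.8.0b1`, which bears directly on the buster triage of python3.7, yet no `[buster]` annotation accompanies it; if buster's CPython predates that commit the entry should say `Vulnerable code not present` (the wording used elsewhere in this file), otherwise the NOTE should say why the 3.7 branch is still affected. The fix list stops at `v3.9.19`, so nothing is recorded as a backport target for 3.7 either.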
[Git][security-tracker-team/security-tracker][master] CVE-2024-31031/libcoap: buster not-affected + UB-related commits
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f4efcf2 by Sylvain Beucler at 2024-04-29T22:40:40+02:00 CVE-2024-31031/libcoap: buster not-affected + UB-related commits - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2455,13 +2455,16 @@ CVE-2024-31040 (Buffer Overflow vulnerability in the get_var_integer function in NOT-FOR-US: NanoMQ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause un ...) - libcoap + [buster] - libcoap (Vulnerable code not present) - libcoap2 [bullseye] - libcoap2 (Minor issue) [buster] - libcoap2 (Vulnerable code not present) - libcoap3 [bookworm] - libcoap3 (Minor issue) NOTE: https://github.com/obgm/libcoap/issues/1351 - NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 + NOTE: https://github.com/obgm/libcoap/commit/214665ac4b44b1b6a7e38d4d6907ee835a174928 (develop) + NOTE: Introduced by: https://github.com/obgm/libcoap/commit/7033555d2978b8d4d5e16d43cfbfe1b1781c418f (v4.3.0-rc1) + NOTE: Introduced by: https://github.com/obgm/libcoap/commit/47a83549a80dad9a83f84cdfaba54c54defb5444 (v4.3.2-rc1) CVE-2024-30990 (SQL Injection vulnerability in the "Invoices" page in phpgurukul Clien ...) NOT-FOR-US: phpgurukul Client Management System CVE-2024-30989 (Cross Site Scripting vulnerability in /edit-client-details.php of phpg ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f4efcf2a3c006d9a56b2de7b5e9a4a0160e515c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f4efcf2a3c006d9a56b2de7b5e9a4a0160e515c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
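Review bot: two `Introduced by:` commits are listed (`v4.3.0-rc1` and `v4.3.2-rc1`) without saying how they relate; the commit title calls them `UB-related`, so a short qualifier on each (which one introduced the undefined behaviour in `coap_pdu.c` and which extended it) would let a backporter decide which one a given suite's version contains. The fix commit is tagged only `(develop)`, so no released libcoap carries it yet; that is worth stating next to bullseye's `Minor issue`, since the postponement has no upstream release to wait for.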
[Git][security-tracker-team/security-tracker][master] samba/buster: tidy remaining CVEs
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c9168180 by Sylvain Beucler at 2024-04-29T12:29:15+02:00 samba/buster: tidy remaining CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -141195,6 +141195,7 @@ CVE-2022-32743 (Samba does not validate the Validated-DNS-Host-Name right for th [experimental] - samba 2:4.17.0+dfsg-1 - samba 2:4.17.2+dfsg-3 (bug #1021022) [bullseye] - samba (Minor issue) + [buster] - samba (Minor issue) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14833 CVE-2022-32742 (A flaw was found in Samba. Some SMB1 write requests were not correctly ...) {DSA-5205-1 DLA-3792-1} @@ -195401,7 +195402,7 @@ CVE-2021-40146 (A Remote Code Execution (RCE) vulnerability was discovered in th CVE-2021-3738 (In DCE/RPC it is possible to share the handles (cookies for resource s ...) {DSA-5003-1} - samba 2:4.13.14+dfsg-1 - [buster] - samba (Minor issue; affects Samba as AD DC) + [buster] - samba (Domain controller functionality is EOLed, see DSA-5015-1) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14468 NOTE: https://www.samba.org/samba/security/CVE-2021-3738.html CVE-2021-3737 (A flaw was found in python. An improperly handled HTTP response in the ...) 
@@ -201660,7 +201661,7 @@ CVE-2021-3671 (A null pointer de-reference was found in the way samba kerberos s [stretch] - heimdal (Minor issue) - samba 2:4.13.13+dfsg-1 [bullseye] - samba 2:4.13.13+dfsg-1~deb11u1 - [buster] - samba (Minor issue) + [buster] - samba (Domain controller functionality is EOLed, see DSA-5015-1) [stretch] - samba (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2013080 NOTE: https://bugzilla.samba.org/show_bug.cgi?id=14770 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9168180d58fc5f3eaecdcaf8b6e2370d2f661f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9168180d58fc5f3eaecdcaf8b6e2370d2f661f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
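Review bot: the new `[buster] - samba (Minor issue)` for CVE-2022-32743 gives no rationale, while the two hunks below replace exactly that wording with `Domain controller functionality is EOLed, see DSA-5015-1`. The CVE-2022-32743 description concerns the `Validated-DNS-Host-Name` right, an AD DC check, so ask whether the same EOL annotation applies there rather than a bare `Minor issue`; if it is minor for a different reason, say which.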
[Git][security-tracker-team/security-tracker][master] CVE-2023-45288/golang-1.11: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f3c929e by Sylvain Beucler at 2024-04-29T11:59:52+02:00 CVE-2023-45288/golang-1.11: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7333,6 +7333,7 @@ CVE-2023-45288 (An attacker may cause an HTTP/2 endpoint to read arbitrary amoun - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) - golang-golang-x-net 1:0.23.0+dfsg-1 NOTE: https://github.com/golang/go/issues/65051 NOTE: https://github.com/golang/go/commit/e55d7cf8435ba4e58d4a5694e63b391821d4ee9b (go1.22.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f3c929ee1899a1fb8a8ed8ba0b1b0387565e6f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f3c929ee1899a1fb8a8ed8ba0b1b0387565e6f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
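Review bot: the buster line says `follow bullseye DSAs/point-releases`, but the bullseye entry for golang-1.15 directly above is itself only `Minor issue` with no planned update, so there is nothing concrete for buster to follow yet; either point at the bullseye change to track or reword to say the entry is revisited when bullseye is updated. The upstream reference is `go1.22.2`, far from 1.11; a NOTE naming the backport target for golang-1.11 (the x/net fix shipped in `golang-golang-x-net 1:0.23.0+dfsg-1` versus the toolchain commit) would help whoever picks this up.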
[Git][security-tracker-team/security-tracker][master] CVE-2024-30202,CVE-2024-30203/emacs,org-mode: precise commit versions
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ac058e87 by Sylvain Beucler at 2024-04-29T11:30:17+02:00 CVE-2024-30202,CVE-2024-30203/emacs,org-mode: precise commit versions - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10696,7 +10696,7 @@ CVE-2024-30204 (In Emacs before 29.3, LaTeX preview is enabled by default for e- [bullseye] - emacs (Minor issue, will be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1 NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html - NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c + NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=6f9ea396f49cbe38c2173e0a72ba6af3e03b271c (emacs-29.3) NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files from the produced binary packages NOTE: making an empty dependency package only. CVE-2024-30203 (In Emacs before 29.3, Gnus treats inline MIME contents as trusted.) 
@@ -10705,7 +10705,7 @@ CVE-2024-30203 (In Emacs before 29.3, Gnus treats inline MIME contents as truste [bullseye] - emacs (Minor issue, will be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1 NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html - NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=937b9042ad7426acdcca33e3d931d8f495bdd804 + NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=937b9042ad7426acdcca33e3d931d8f495bdd804 (emacs-29.3) CVE-2024-30202 (In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turn ...) - emacs 1:29.3+1-1 (bug #1067630) [bookworm] - emacs (Minor issue, will be fixed via point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac058e87d90e9aab94a12d26b39f1cd98ae3828c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac058e87d90e9aab94a12d26b39f1cd98ae3828c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
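Review bot: the `(emacs-29.3)` tags are added to commit URLs that, as rendered here, read `?h=emacs-29=<hash>`; cgit's commit view takes `?h=<branch>&id=<hash>`, so confirm the `&id=` separator is present in the committed file and was only lost in the mail rendering. The context line `org-mode/9.5.2+dfsh-5` looks like a typo for `+dfsg-5` and is worth fixing while here, since that NOTE is what explains why the org-mode source package is not affected.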
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-30202/emacs,org-mode: precise commit versions
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d28a91c3 by Sylvain Beucler at 2024-04-29T11:26:53+02:00 CVE-2024-30202/emacs,org-mode: precise commit versions - - - - - 14f3d07e by Sylvain Beucler at 2024-04-29T11:26:53+02:00 CVE-2024-30205/emacs,org-mode: precise commit versions - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10687,9 +10687,9 @@ CVE-2024-30205 (In Emacs before 29.3, Org mode considers contents of remote file [bullseye] - org-mode (Minor issue; can be fixed via point release) NOTE: https://www.openwall.com/lists/oss-security/2024/03/24/1 NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html - NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=2bc865ace050ff118db43f01457f95f95112b877 + NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=2bc865ace050ff118db43f01457f95f95112b877 (emacs-29.3) NOTE: https://list.orgmode.org/87o7b3eczr@bzg.fr/T/#t - NOTE: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d + NOTE: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=4255d5dcc0657915f90e4fba7e0a5514cced514d (release_9.6.23) CVE-2024-30204 (In Emacs before 29.3, LaTeX preview is enabled by default for e-mail a ...) - emacs 1:29.3+1-1 (bug #1067630) [bookworm] - emacs (Minor issue, will be fixed via point release) 
@@ -10719,8 +10719,9 @@ CVE-2024-30202 (In Emacs before 29.3, arbitrary Lisp code is evaluated as part o NOTE: https://lists.gnu.org/archive/html/info-gnu/2024-03/msg5.html NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29=befa9fcaae29a6c9a283ba371c3c5234c7f644eb NOTE: https://list.orgmode.org/87o7b3eczr@bzg.fr/T/#t - NOTE: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9 - NOTE: Introduced by: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8abdbbee395f284f2262a89187d662eaf40080b1 + NOTE: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=003ddacf1c8d869b1858181c29ea21b731a8d8d9 (release_9.6.23) + NOTE: Introduced by: https://git.savannah.gnu.org/cgit/emacs/org-mode.git/commit/?id=8abdbbee395f284f2262a89187d662eaf40080b1 (release_9.5) + NOTE: Introduced by: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=bf9ec3d91a79414deac039f7bf83352a9b0a9a85 (emacs-28.0.90) NOTE: org-mode/9.5.2+dfsh-5 dropped all lisp files from the produced binary packages NOTE: making an empty dependency package only. CVE-2024-2865 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0388317923da14943723872f5d267e5613c31b01...14f3d07e974300c9db0ac010f8904a2deefecd32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0388317923da14943723872f5d267e5613c31b01...14f3d07e974300c9db0ac010f8904a2deefecd32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
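Review bot: the title promises precise commit versions for CVE-2024-30202, but the emacs.git fix commit `befa9fcaae29a6c9a283ba371c3c5234c7f644eb` on the unchanged context line still carries no version tag while both org-mode commits now have `(release_9.6.23)`; add `(emacs-29.3)` there as was done for the sibling CVEs. Two `Introduced by:` commits are listed (org-mode `release_9.5` and emacs `emacs-28.0.90`); Org is bundled into Emacs, so if these are the same change landing in both trees, say so, so the triage of the emacs source package can be checked against 28.0.90 rather than against the org-mode release.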
[Git][security-tracker-team/security-tracker][master] CVE-2023-51794/qemu: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bde8f63a by Sylvain Beucler at 2024-04-29T10:24:33+02:00 CVE-2023-51794/qemu: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -538,6 +538,7 @@ CVE-2023-51794 (Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 al - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.1.x) NOTE: https://trac.ffmpeg.org/ticket/10746 NOTE: Fixed in https://github.com/ffmpeg/FFmpeg/commit/50f0f8c53c818f73fe2d752708e2fa9d2a2d8a07 (n7.0) CVE-2023-51365 (A path traversal vulnerability has been reported to affect several QNA ...) @@ -2297,7 +2298,7 @@ CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer over - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) - [buster] - ffmpeg (Pick up when fixed in 4.3.x) + [buster] - ffmpeg (Pick up when fixed in 4.1.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0) CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...) [experimental] - ffmpeg 7:7.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bde8f63a44ded7717328ac0e0526cb864f913db9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bde8f63a44ded7717328ac0e0526cb864f913db9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
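Review bot: the commit message says `CVE-2023-51794/qemu`, but both hunks edit ffmpeg entries and the CVE text itself reads `Buffer Overflow vulnerability in Ffmpeg`; the message should name ffmpeg so a `git log` search on the package finds it. The second hunk also silently corrects CVE-2024-31582's buster line from `4.3.x` to `4.1.x` (the bullseye line already said 4.3.x), a separate fix that deserves its own sentence in the message. Both `Pick up when fixed in 4.1.x` annotations assume upstream still releases on the 4.1 branch; if it does not, the postponement never resolves, so a NOTE on the branch's status would be worth adding.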
[Git][security-tracker-team/security-tracker][master] dla: clarify nss status a little
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a39bd63c by Sylvain Beucler at 2024-04-17T18:46:24+02:00 dla: clarify nss status a little - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -181,8 +181,9 @@ nova -- nss NOTE: 20240121: Added by Front-Desk (apo) - NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. - NOTE: 20240310: see also: Message-ID: (tobi) + NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90.x (their LTS version) available and backport from there. + NOTE: 20240310: see also: Message-ID: + NOTE: 20240310: (2024-02-27 [deblts-t...@freexian.com] Re: Current status: nss for buster) (tobi) -- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a39bd63ccb24eaa9c6ec5da5276f67ee29c2675e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a39bd63ccb24eaa9c6ec5da5276f67ee29c2675e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
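Review bot: the `see also: Message-ID:` line carries no identifier as rendered here, so the reference now rests entirely on the added date/subject line (`2024-02-27 ... Re: Current status: nss for buster`); if the Message-ID is present in the file, fine, otherwise add the list-archive URL for that mail, as other entries in this file do with lists.debian.org links. The `3.90` to `3.90.x` change is right, but the note still does not say which 3.90.x release, if any, contains the CVE-2023-6135 patch, which is the fact the entry is waiting on.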
[Git][security-tracker-team/security-tracker][master] dla: reference freeimage discussion
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 93fc6fbe by Sylvain Beucler at 2024-04-10T19:33:00+02:00 dla: reference freeimage discussion - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -81,6 +81,7 @@ freeimage (Ola Lundqvist) NOTE: 20240320: lots of postponed issue could be fixed as well NOTE: 20240325: Lack of upstream activity, NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk) + NOTE: 20240410: See discussion at: https://lists.debian.org/debian-lts/2024/04/threads.html#00012 -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93fc6fbee3eb497bb51b61989e9a3ac8349af250 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93fc6fbee3eb497bb51b61989e9a3ac8349af250 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
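Review bot: the new reference points at a monthly thread-index anchor (`threads.html#00012`) rather than at a message; the form used elsewhere in this repository is a direct `msgNNNNN.html` URL (cf. `lists.debian.org/debian-lts/2018/03/msg00033.html` in packages/clamav), which also survives when the index is regenerated. The context line `postponed issues are "Revisit when fixed upstream (bunk)` has an unclosed quote; close it while here.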
[Git][security-tracker-team/security-tracker][master] Drop obsolete LTS package info from packages/
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 856a542b by Sylvain Beucler at 2024-04-08T17:15:58+02:00 Drop obsolete LTS package info from packages/ Cf. https://lts-team.pages.debian.net/wiki/TestSuites.html for updated info. - - - - - 2 changed files: - packages/clamav - − packages/php5.txt Changes: = packages/clamav = @@ -3,9 +3,3 @@ issues, clamav needs a current runtime to be able to parse all malware signatures. The security team updates clamav via {old,}stable-updates. - -https://lists.debian.org/debian-lts/2018/03/msg00033.html -https://lists.debian.org/debian-lts/2019/03/msg00161.html - -LTS updates need to wait until a respective SUA has been issued to avoid -breaking upgrades. = packages/php5.txt deleted = @@ -1,15 +0,0 @@ -LTS-specific instructions -- - -php5 tends to have a regular flow of security updates, so when you add -it to dla-needed.txt, you should define a target release date and -fixes for the various CVE published should be added progressively -to the git repository in collab-maint (branch debian/wheezy): -https://anonscm.debian.org/cgit/collab-maint/debian-lts/php5.git -git clone git.debian.org:/git/collab-maint/debian-lts/php5.git - -Please leave a comment in dla-needed.txt which explains the above -instructions. - -Obviously a severe vulnerability can lead to an early publication -of the update (i.e. before the planned release date). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/856a542badd136717c5bdd54b1d761ffad9df1ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/856a542badd136717c5bdd54b1d761ffad9df1ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
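Review bot: the commit drops the `LTS updates need to wait until a respective SUA has been issued` paragraph from packages/clamav without saying whether that constraint no longer applies or is merely documented elsewhere; the sentence kept (`The security team updates clamav via {old,}stable-updates.`) still implies coordination, so replace the dropped lines with the wiki pointer from the commit message so the file stays self-explanatory. Deleting packages/php5.txt is consistent: it refers to the wheezy branch and to anonscm.debian.org/git.debian.org clone URLs on the decommissioned Alioth host.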
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3765-1 for cacti
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d8aeddc1 by Sylvain Beucler at 2024-03-18T18:46:31+01:00 Reserve DLA-3765-1 for cacti - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Mar 2024] DLA-3765-1 cacti - security update + {CVE-2023-39357 CVE-2023-39360 CVE-2023-39361 CVE-2023-39362 CVE-2023-39364 CVE-2023-39365 CVE-2023-39513 CVE-2023-39515 CVE-2023-39516 CVE-2023-49084 CVE-2023-49085 CVE-2023-49086 CVE-2023-49088} + [buster] - cacti 1.2.2+ds1-2+deb10u6 [18 Mar 2024] DLA-3764-1 postgresql-11 - security update {CVE-2024-0985} [buster] - postgresql-11 11.22-0+deb10u2 = data/dla-needed.txt = 
@@ -38,20 +38,6 @@ bind9 NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) -- -cacti (Sylvain Beucler) - NOTE: 20230906: Added by Front-Desk (lamby) - NOTE: 20231205: Triaging CVEs backlog (Beuc) - NOTE: 20231218: Keep triaging CVEs backlog (Beuc) - NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc) - NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc) - NOTE: 20240123: Backport patches, report duplicate to MITRE (CVE-2023-50569) (Beuc) - NOTE: 20240131: Tidy https://salsa.debian.org/debian/cacti/-/tree/buster?ref_type=heads (Beuc) - NOTE: 20240219: Backport patches, update patch commits (Beuc) - NOTE: 20240222: Coordinating with maintainer to prepare bullseye updates (Beuc) - NOTE: 20240222: Reported incomplete fix upstream (Beuc) - NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) - NOTE: 20240315: Final (hopefully) debdiffs sent for upcoming DSA, buster update ready; still no news from upstream (Beuc) --- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8aeddc13786c746ba3ea187d395c19bc87ff85c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d8aeddc13786c746ba3ea187d395c19bc87ff85c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
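Review bot: the removed dla-needed entry records two open items (`Reported incomplete fix upstream` and `still no news from upstream`), and the DLA-3765-1 line does not say whether that incomplete fix concerns one of the 13 listed CVEs or something outside this update; before the entry is deleted, move that status into a NOTE on the affected CVE so it is not lost with the dla-needed history. The entry also mentions `CVE-2023-50569` as reported to MITRE as a duplicate; the DLA's CVE list correctly omits it, and a NOTE on that CVE should say why.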
[Git][security-tracker-team/security-tracker][master] CVE-2023-27043/python*: sync with stable triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d1975f9 by Sylvain Beucler at 2024-03-16T19:28:53+01:00 CVE-2023-27043/python*: sync with stable triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65425,10 +65425,10 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m - python3.9 [bullseye] - python3.9 (Minor issue, wait until upstream has decided whether to backport to older branches) - python3.7 - [buster] - python3.7 (Minor issue) + [buster] - python3.7 (Minor issue, wait until upstream has decided whether to backport to older branches) - python2.7 [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) - [buster] - python2.7 (Minor issue) + [buster] - python2.7 (Minor issue, wait until upstream has decided whether to backport to older branches) NOTE: https://github.com/python/cpython/issues/102988 CVE-2023-27042 (Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via /goform/Se ...) NOT-FOR-US: Tenda View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d1975f9ef78e247f120b618215bce1268b96825 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8d1975f9ef78e247f120b618215bce1268b96825 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
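Review bot: the bullseye line for python2.7 reads "Unsupported in Bullseye, only included to build a few applications", while the new buster line says only "Minor issue, wait until upstream has decided whether to backport to older branches"; if python2.7 is equally unsupported in buster LTS, the buster line should say so, otherwise it reads as though a buster backport is actually awaited.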
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-26540/cimg: buster postponed, reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8cea774f by Sylvain Beucler at 2024-03-16T13:36:03+01:00 CVE-2024-26540/cimg: buster postponed, reference patch - - - - - 246888dc by Sylvain Beucler at 2024-03-16T13:44:52+01:00 CVE-2024-28849/node-follow-redirects: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -351,7 +351,12 @@ CVE-2024-26540 (A heap-based buffer overflow in Clmg before 3.3.3 can occur via - cimg [bookworm] - cimg (Minor issue) [bullseye] - cimg (Minor issue) + [buster] - cimg (Minor issue; no rdeps) NOTE: https://github.com/GreycLab/CImg/issues/403 + NOTE: https://github.com/GreycLab/CImg/commit/6a97a5209987e60fcce293ea102a068a88085098 (v.3.3.3) + NOTE: https://github.com/GreycLab/CImg/commit/c214dfee22a3fedcfae48fba7645f7a819cc9385 (v.3.3.3) + NOTE: https://github.com/GreycLab/CImg/commit/ec6a1f2183620a90b4dcf456813e597ade791dc6 (v.3.3.3) + NOTE: https://github.com/GreycLab/CImg/commit/cb9c5518905ea370954a59903ff747650c6edd40 (v.3.3.3) CVE-2024-26503 (Unrestricted File Upload vulnerability in Greek Universities Network O ...) NOT-FOR-US: Greek Universities Network Open eClass CVE-2024-26475 (An issue in radareorg radare2 v.0.9.7 through v.5.8.6 and fixed in v.5 ...) 
@@ -417,6 +422,7 @@ CVE-2024-28849 (follow-redirects is an open source, drop-in replacement for Node - node-follow-redirects (bug #1066971) [bookworm] - node-follow-redirects (Minor issue) [bullseye] - node-follow-redirects (Minor issue) + [buster] - node-follow-redirects (Follow-up to CVE-2022-0155) NOTE: https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp NOTE: https://github.com/psf/requests/issues/1885 NOTE: https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b (v1.15.6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5c76fbe69e1756873c56b82990615c555d15f113...246888dcbdba2fe2cdc324dabfe4f7aa6abfab02 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5c76fbe69e1756873c56b82990615c555d15f113...246888dcbdba2fe2cdc324dabfe4f7aa6abfab02 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
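Review bot: in the cimg hunk the four upstream commits are all tagged "(v.3.3.3)" with nothing to say which one addresses the heap-based buffer overflow and which are follow-ups; a bullseye or bookworm backporter will cherry-pick these in order, so mark the primary fix, or state that all four are required together.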
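Review bot: the node-follow-redirects hunk gives "(Follow-up to CVE-2022-0155)" as the buster rationale, which states the relation but not the triage; the bookworm and bullseye lines above it say "Minor issue", and the commit message says buster is postponed, so add the severity or postponement reason to the buster line as well, otherwise "follow-up" can be read as meaning the issue is already covered by the earlier fix.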
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-2496/libvirt: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 15535e20 by Sylvain Beucler at 2024-03-16T13:00:23+01:00 CVE-2024-2496/libvirt: buster postponed - - - - - 5c76fbe6 by Sylvain Beucler at 2024-03-16T13:09:36+01:00 dla: add libvirt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1577,6 +1577,7 @@ CVE-2024-2496 [NULL pointer dereference in udevConnectListAllInterfaces()] - libvirt 9.8.0-1 [bookworm] - libvirt (Minor issue) [bullseye] - libvirt (Minor issue) + [buster] - libvirt (Minor issue; DoS / clean crash) NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/2ca94317ac642a70921947150ced8acc674ccdc8 (v9.8.0-rc1) CVE-2024-1441 (An off-by-one error flaw was found in the udevListInterfacesByStatus() ...) - libvirt (bug #1066058) = data/dla-needed.txt = @@ -172,6 +172,11 @@ libstb NOTE: 20240314: several CVEs fixed in DLA-3305-1 remain unfixed (no-dsa) in bullseye NOTE: 20240314: and bookwork. Uploads to spu and ospu should be coordinated. (roberto) -- +libvirt + NOTE: 20240316: Added by Front-Desk (Beuc) + NOTE: 20240316: A few years of minor vulnerabilities piled up; + NOTE: 20240316: coordinate with stable/oldstable to fix them uniformly (Beuc/front-desk) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/72788521a0bcb3f302e27bd45b2f6df9a979c20f...5c76fbe69e1756873c56b82990615c555d15f113 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/72788521a0bcb3f302e27bd45b2f6df9a979c20f...5c76fbe69e1756873c56b82990615c555d15f113 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
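Review bot: the CVE/list hunk justifies the buster postponement with "Minor issue; DoS / clean crash" while the bookworm and bullseye lines directly above say only "Minor issue"; the crash rationale applies to every release, so align the wording rather than leaving it buster-only.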
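Review bot: the new libvirt block in dla-needed.txt says "A few years of minor vulnerabilities piled up" without naming any of them; list the CVE ids (or the tracker query that produced them) so whoever claims the package knows the scope, and while touching this file fix "bookwork" to "bookworm" in the libstb context line just above.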
[Git][security-tracker-team/security-tracker][master] CVE-2024-2467/libcrypt-openssl-rsa-perl: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 72788521 by Sylvain Beucler at 2024-03-16T12:52:06+01:00 CVE-2024-2467/libcrypt-openssl-rsa-perl: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2024-2467 [Crypt-OpenSSL-RSA vulnerable to the Marvin Attack] - libcrypt-openssl-rsa-perl (bug #1066969) + [buster] - libcrypt-openssl-rsa-perl (Minor issue; side-channel timing attack) NOTE: https://people.redhat.com/~hkario/marvin/ NOTE: https://github.com/toddr/Crypt-OpenSSL-RSA/issues/42 CVE-2024-2514 (A vulnerability classified as critical was found in MAGESH-K21 Online- ...) @@ -2148,7 +2149,7 @@ CVE-2024-2236 (A timing-based side-channel flaw was found in libgcrypt's RSA imp - libgcrypt20 (bug #1065683) [bookworm] - libgcrypt20 (Minor issue) [bullseye] - libgcrypt20 (Minor issue) - [buster] - libgcrypt20 (Minor issue) + [buster] - libgcrypt20 (Minor issue; side-channel timing attack) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2268268 NOTE: https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html NOTE: https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72788521a0bcb3f302e27bd45b2f6df9a979c20f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72788521a0bcb3f302e27bd45b2f6df9a979c20f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
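Review bot: the libcrypt-openssl-rsa-perl hunk adds a [buster] line, but the context shows no [bookworm] or [bullseye] triage for this CVE, unlike libgcrypt20 in the second hunk, which has both; either those triages are still pending or they belong in the same commit so the two Marvin entries read consistently.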
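Review bot: the libgcrypt20 hunk changes the buster line from "(Minor issue)" to "(Minor issue; side-channel timing attack)", which names the class of the bug but not why it stays minor; the NOTE lines already link the gcrypt-devel thread and the marvin-toolkit example, so a short reference to them in the rationale ("see upstream discussion") would make the buster line self-explanatory, and the same applies to the perl entry in the first hunk.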
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-28318,CVE-2024-28319/gpac: buster end-of-life
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c12 by Sylvain Beucler at 2024-03-16T12:42:12+01:00 CVE-2024-28318,CVE-2024-28319/gpac: buster end-of-life - - - - - de17954c by Sylvain Beucler at 2024-03-16T12:42:14+01:00 intel-microcode: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -205,10 +205,12 @@ CVE-2024-28401 (TOTOLINK X2000R before v1.0.0-B20231213.1013 contains a Store Cr NOT-FOR-US: TOTOLINK CVE-2024-28319 (gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an out ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2763 NOTE: https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e CVE-2024-28318 (gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a out ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2764 NOTE: https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716 CVE-2024-28255 (OpenMetadata is a unified platform for discovery, observability, and g ...) 
@@ -1342,30 +1344,35 @@ CVE-2023-43490 (Incorrect calculation in microcode keying mechanism for some Int - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) + [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-39368 (Protection mechanism failure of bus lock regulator for some Intel(R) P ...) - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) + [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-38575 (Non-transparent sharing of return predictor targets between contexts i ...) - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) + [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-22655 (Protection mechanism failure in some 3rd and 4th Generation Intel(R) X ...) 
- intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) + [buster] - intel-microcode (Decide after exposure on unstable for update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312 CVE-2023-28746 (Information exposure through microarchitectural state after transient ...) - intel-microcode 3.20240312.1 (bug #1066108) [bookworm] - intel-microcode (Decide after exposure on unstable for update) [bullseye] - intel-microcode (Decide after exposure on unstable for update) + [buster] - intel-microcode (Decide after exposure on unstable for update) - linux 6.7.9-2 - xen [bullseye] - xen (EOLed in Bullseye) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a2277a693b180af1a6d9d9cda1cb8b1b7977ab8c...de17954c678e70c408728d1bc9bcad3361035dd8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a2277a693b180af1a6d9d9cda1cb8b1b7977ab8c...de17954c678e70c408728d1bc9bcad3361035dd8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
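Review bot: the gpac hunk writes "(EOL in buster LTS)" on both lines while the same file writes "(EOLed in Bullseye)" for xen further down in this digest; pick one spelling for end-of-life rationales so they can be grepped consistently.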
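Review bot: the intel-microcode hunk adds a [buster] line to all five CVEs, but for CVE-2023-28746 the entry also lists "- linux 6.7.9-2" and "- xen" with no [buster] line for either, so the kernel half of that mitigation remains untriaged for buster in this change; either add the linux/xen buster status here or note in the commit message that it is handled separately.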
[Git][security-tracker-team/security-tracker][master] dla: reference DSA 5632-1/composer
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: dc8d397b by Sylvain Beucler at 2024-03-15T13:41:42+01:00 dla: reference DSA 5632-1/composer - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,7 @@ composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye (rouca) NOTE: 20240312: likely not affected by CVE-2024-24821 (rouca) + NOTE: 20240315: DSA 5632-1 is out (Beuc/front-desk) -- curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc8d397bd3846584024cc36293019136e6dfc4e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dc8d397bd3846584024cc36293019136e6dfc4e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
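Review bot: "DSA 5632-1" should be written "DSA-5632-1" to match the identifier form used everywhere else in the tracker (DLA-3735-1, DSA-5597-1 in this digest), so the note can be found by grep and cross-referenced.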
[Git][security-tracker-team/security-tracker][master] CVE-2024-28054/amavisd-new: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bb96c54f by Sylvain Beucler at 2024-03-15T12:53:53+01:00 CVE-2024-28054/amavisd-new: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72,6 +72,7 @@ CVE-2024-28054 - amavisd-new 1:2.13.0-5 [bookworm] - amavisd-new (Minor issue; will be fixed via point release) [bullseye] - amavisd-new (Minor issue; will be fixed via point release) + [buster] - amavisd-new (Minor issue; new configuration to spam-tag some broken e-mails; follow point release) NOTE: https://gitlab.com/amavis/amavis/commit/78c4b7076ebf1d711629a95860aae1bc0db5277a (v2.13.1) NOTE: https://gitlab.com/amavis/amavis/commit/d921bc5208ce5b4e8f3e387a1d4e1f8fa4e85008 (v2.13.1) NOTE: https://gitlab.com/amavis/amavis/commit/c6c4a4c27c60194b68b617b7d3cfb033d6c587e2 (v2.13.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb96c54f4bcfbc8a16b5fe39402c3cb3febe7d7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb96c54f4bcfbc8a16b5fe39402c3cb3febe7d7c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
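Review bot: the buster rationale "new configuration to spam-tag some broken e-mails; follow point release" does not say which of the three listed v2.13.1 commits introduces that configuration, nor whether the default changes; since the line tells a buster backporter to follow the point release, mark the relevant commit so there is something concrete to compare the point-release update against.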
[Git][security-tracker-team/security-tracker][master] dla: cacti status update
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8841ff3b by Sylvain Beucler at 2024-03-15T12:02:46+01:00 dla: cacti status update - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -50,6 +50,7 @@ cacti (Sylvain Beucler) NOTE: 20240222: Coordinating with maintainer to prepare bullseye updates (Beuc) NOTE: 20240222: Reported incomplete fix upstream (Beuc) NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) + NOTE: 20240315: Final (hopefully) debdiffs sent for upcoming DSA, buster update ready; still no news from upstream (Beuc) -- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8841ff3b4ab8e2034d3dc0a04d890a35ef9d1523 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8841ff3b4ab8e2034d3dc0a04d890a35ef9d1523 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] cacti update in progress
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 178ab9e7 by Sylvain Beucler at 2024-03-14T17:55:37+01:00 cacti update in progress - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -cacti +cacti (beuc) -- cryptojs -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178ab9e7eae0c4f9ad02cfbac0307d62c7e3f48b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178ab9e7eae0c4f9ad02cfbac0307d62c7e3f48b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: tidy notes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8cbf87fb by Sylvain Beucler at 2024-03-14T17:51:03+01:00 dla: tidy notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -307,6 +307,6 @@ zabbix -- zfs-linux NOTE: 20231127: Added by Front-Desk (Beuc) - NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) + NOTE: 20240108: the fix for other CVE wasn't obvious but about to be ready; D/ELA to be out soon. (utkarsh) NOTE: 20240209: I was out last to last week so couldn't process this but it's nearly ready. (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cbf87fb3d8da44dd397ad37bebf3a3762550bbf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cbf87fb3d8da44dd397ad37bebf3a3762550bbf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: tidy notes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c4e6aba by Sylvain Beucler at 2024-03-14T17:45:04+01:00 dla: tidy notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,14 +53,14 @@ cacti (Sylvain Beucler) -- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) - NOTE: 20240304: Need to backport bullseye - NOTE: 20240312: likely not affected by CVE-2024-24821 + NOTE: 20240304: Need to backport bullseye (rouca) + NOTE: 20240312: likely not affected by CVE-2024-24821 (rouca) -- curl (rouca) NOTE: 20231229: Added by Front-Desk (lamby) NOTE: 20231229: CVE-2023-27534 fixed in bullseye via DSA or point release. (lamby) - NOTE: https://salsa.debian.org/debian/curl/-/merge_requests/21 - NOTE: test fix + NOTE: 20240129: https://salsa.debian.org/debian/curl/-/merge_requests/21 (rouca) + NOTE: 20240312: test fix (rouca) -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) @@ -72,7 +72,8 @@ docker.io NOTE: 20230706: ask for review testing https://lists.debian.org/debian-lts/2023/07/msg00013.html NOTE: 20230801: rouca and santiago testing the swarm overlay network (including current buster version) NOTE: 20240213: CVE-2024-24557 patch does not directly apply and lack of reproducer test case - NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20230311: Reverted decision to remove from this file since three CVEs are in bullseye. (ola) -- dogecoin NOTE: 20230619: Added by Front-Desk (Beuc) 
@@ -111,8 +112,8 @@ i2p imagemagick NOTE: 20230622: Added by Front-Desk (Beuc) NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) - NOTE: 20231014: Some work under git branch debian/buster but unease - NOTE: 20240227: Made a partial release + NOTE: 20231014: Some work under git branch debian/buster but unease (rouca) + NOTE: 20240227: Made a partial release (rouca) -- jenkins-htmlunit-core-js NOTE: 20231231: Added by Front-Desk (lamby) @@ -127,7 +128,8 @@ jetty9 -- knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) - NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- libcommons-compress-java (Markus Koschany) NOTE: 20240303: Added by Front-Desk (apo) @@ -187,7 +189,7 @@ nova nss NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. - NOTE: 20230310: see also: Message-ID: + NOTE: 20230310: see also: Message-ID: (tobi) -- nvidia-cuda-toolkit NOTE: 20230514: Added by Front-Desk (utkarsh) 
@@ -195,16 +197,16 @@ nvidia-cuda-toolkit NOTE: 20230514: piled up. (utkarsh) NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) - NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. + NOTE: 20240311: CVE-2020-5991 is fixed in bullseye. However email sent to suggest removal of support. (ola) -- nvidia-graphics-drivers NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: Do we still support the NVIDIA drivers? Can we upgrade to a new upstream release? - NOTE: 20240303: Maybe it's time to mark them EOL? + NOTE: 20240303: Maybe it's time to mark them EOL? (apo/front-desk) -- nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) - NOTE: 20240303: See comment for nvidia-graphics-drivers. + NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- pdns-recursor (dleidert) NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c4e6aba9f7d3a5f3d0f8ebf76100dca1731596d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c4e6aba9f7d3a5f3d0f8ebf76100dca1731596d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
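Review bot: in the docker.io hunk the re-attributed line keeps the date "20230311" while it now sits after "NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk)" and describes reverting that decision, so it should read 20240311 (the knot-resolver hunk in this same commit uses 20240311 for the equivalent note); fix the year while tidying.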
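Review bot: in the knot-resolver hunk the re-added line still reads "four CVEs has been fixed in bullseye"; since the line is being rewritten anyway, change "has" to "have".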
[Git][security-tracker-team/security-tracker][master] CVE-2023-39513/cacti: clarify fixes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d55ea526 by Sylvain Beucler at 2024-03-14T16:37:43+01:00 CVE-2023-39513/cacti: clarify fixes - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36208,8 +36208,9 @@ CVE-2023-39513 (Cacti is an open source operational monitoring and fault managem [bookworm] - cacti (Minor issue) [bullseye] - cacti (Minor issue) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-9fj7-8f2j-2rw2 - NOTE: Initial fix: https://github.com/Cacti/cacti/commit/976f44dd8dfb2410e0dba00de9c4bbca17ee8910 (release/1.2.25) - NOTE: Final fix: https://github.com/Cacti/cacti/commit/23abb0e0a9729bd056b56f4fb5a6fc8e7ebda523 (release/1.2.25) + NOTE: Initial fix (partially reverted): https://github.com/Cacti/cacti/commit/976f44dd8dfb2410e0dba00de9c4bbca17ee8910 (release/1.2.25) + NOTE: General fix: https://github.com/Cacti/cacti/commit/f66ed84ee2dfd22581e831db97afd2bb145312ef (release/1.2.25) + NOTE: Actual fix: https://github.com/Cacti/cacti/commit/23abb0e0a9729bd056b56f4fb5a6fc8e7ebda523 (release/1.2.25) CVE-2023-39512 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d55ea5261408ef650815ff1107edc032dc7af5df -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d55ea5261408ef650815ff1107edc032dc7af5df You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
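Review bot: the three labels "Initial fix (partially reverted)", "General fix" and "Actual fix" do not say which commits a backporter must take: if f66ed84 is a prerequisite of 23abb0e, state that ("General fix, required by the actual fix"), and if the partially reverted initial commit must be applied before the other two, say so too, otherwise the DLA and bullseye backports may pick a different subset of the three.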
[Git][security-tracker-team/security-tracker][master] dla: confirm drop cinder and python-os-brick
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a278aa25 by Sylvain Beucler at 2024-03-14T12:55:27+01:00 dla: confirm drop cinder and python-os-brick Rationale: - Issue is marked Minor - No particular effort was made to fix CVE-2023-2088 in stable/oldstable since 2023-05, - No particular effort was made in LTS either, except (untested) https://salsa.debian.org/lts-team/packages/python-glance-store/-/commit/186ddf92525198c1be41e0e40a576451c2a419d7 - CVE-2020-10755 was not explicitly fixed in bullseye/bookworm, but through unstable - None of these packages are sponsored so we cant expect more focused effort in the near future So lets keep those postponed and catch-up on future stable/oldstable updates through lts-cve-triage.py. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -51,11 +51,6 @@ cacti (Sylvain Beucler) NOTE: 20240222: Reported incomplete fix upstream (Beuc) NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) -- -cinder - NOTE: 20230525: Added by Front-Desk (lamby) - NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. - NOTE: 20240311: CVE-2020-10755 is fixed in bullseye --- composer (rouca) NOTE: 20240209: Added by Front-Desk (utkarsh) NOTE: 20240304: Need to backport bullseye 
@@ -225,11 +220,6 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -python-os-brick - NOTE: 20230525: Added by Front-Desk (lamby) - NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. - NOTE: 20240311: Reverted decision to remove from this file since CVE-2020-10755 is fixed in bullseye. --- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a278aa253c0ee95020cb9cf3ad4486c4c3649541 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a278aa253c0ee95020cb9cf3ad4486c4c3649541 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
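Review bot: the removed cinder block says CVE-2023-2088 was filed against python-glance-store, python-os-brick, nova and cinder, yet this commit drops only cinder and python-os-brick while nova stays in dla-needed.txt (it appears as a context line in the tidy commit later in this digest); either drop nova for the same rationale or note why it is treated differently.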
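Review bot: the removed python-os-brick line "Reverted decision to remove from this file since CVE-2020-10755 is fixed in bullseye" is contradicted by the commit message, which argues it was fixed in bullseye/bookworm only through unstable; with both blocks gone, that postponed rationale should be recorded on the [buster] lines of CVE-2020-10755 and CVE-2023-2088 in CVE/list, otherwise lts-cve-triage.py will keep flagging them with no visible reason.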
[Git][security-tracker-team/security-tracker][master] Tidy golang* buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e32da8c by Sylvain Beucler at 2024-03-14T12:34:47+01:00 Tidy golang* buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17035,7 +17035,7 @@ CVE-2023-50658 (The jose2go component before 1.6.0 for Go allows attackers to ca - golang-github-dvsekhvalnov-jose2go (bug #1059507) [bookworm] - golang-github-dvsekhvalnov-jose2go (Minor issue) [bullseye] - golang-github-dvsekhvalnov-jose2go (Minor issue) - [buster] - golang-github-dvsekhvalnov-jose2go (Minor issue) + [buster] - golang-github-dvsekhvalnov-jose2go (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/dvsekhvalnov/jose2go/commit/a4584e9dd7128608fedbc67892eba9697f0d5317 (v1.6.0) CVE-2023-50339 (Stored cross-site scripting vulnerability exists in the User Managemen ...) NOT-FOR-US: GROWI @@ -18553,7 +18553,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - golang-go.crypto 1:0.17.0-1 (bug #1059003) [bookworm] - golang-go.crypto (Minor issue) [bullseye] - golang-go.crypto (Minor issue) - [buster] - golang-go.crypto (Minor issue) + [buster] - golang-go.crypto (Limited support, minor issue, follow bullseye DSAs/point-releases) - jsch (ChaCha20-Poly1305 support introduced in 0.1.61; *-EtM support introduced in 0.1.58) - libssh 0.10.6-1 (bug #1059004) - libssh2 1.11.0-4 (bug #1059005) 
@@ -56964,7 +56964,7 @@ CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compresse - golang-golang-x-image 0.11.0-1 (bug #1043159) [bookworm] - golang-golang-x-image (Minor issue) [bullseye] - golang-golang-x-image (Minor issue) - [buster] - golang-golang-x-image (Limited support, minor issue, DoS) + [buster] - golang-golang-x-image (Limited support, minor issue, DoS) NOTE: https://go.dev/issue/61582 NOTE: https://go.dev/cl/514897 NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0) @@ -67304,7 +67304,7 @@ CVE-2023-26125 (Versions of the package github.com/gin-gonic/gin before 1.9.0 ar - golang-github-gin-gonic-gin (bug #1035498) [bookworm] - golang-github-gin-gonic-gin (Minor issue) [bullseye] - golang-github-gin-gonic-gin (Minor issue) - [buster] - golang-github-gin-gonic-gin (Minor issue) + [buster] - golang-github-gin-gonic-gin (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://github.com/gin-gonic/gin/pull/3500 NOTE: https://github.com/gin-gonic/gin/pull/3503 NOTE: https://github.com/gin-gonic/gin/commit/81ac7d55a09e34013225db0aeac6e70c1ae68928 (v1.9.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e32da8cc8402aa58089df0e41fad6ee94eed5d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e32da8cc8402aa58089df0e41fad6ee94eed5d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
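Review bot: in the golang-golang-x-image hunk the removed and added [buster] lines read identically here, "(Limited support, minor issue, DoS)"; if the change is only whitespace or the status marker, say so in the commit message so the no-op diff is not mistaken for a lost edit.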
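Review bot: the jose2go, golang-go.crypto and gin hunks all switch to "Limited support, minor issue, follow bullseye DSAs/point-releases" while the x-image line keeps "Limited support, minor issue, DoS" without the follow-bullseye instruction; if buster golang packages are meant to track bullseye uniformly, give x-image the same instruction so the four entries are consistent.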
[Git][security-tracker-team/security-tracker][master] CVE-2024-21626/runc: clarify and source buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 03cc0b97 by Sylvain Beucler at 2024-03-14T12:27:28+01:00 CVE-2024-21626/runc: clarify and source buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10311,8 +10311,8 @@ CVE-2024-21626 (runc is a CLI tool for spawning and running containers on Linux NOTE: https://github.com/opencontainers/runc/commit/89c93ddf289437d5c8558b37047c54af6a0edb48 NOTE: https://github.com/opencontainers/runc/commit/ee73091a8d28692fa4868bac81aa40a0b05f9780 NOTE: https://github.com/opencontainers/runc/commit/d8edada9f252873b88043279a71099db71941dea - NOTE: For buster DLA-3735-1 do not completely fix the issue. The rest requires - NOTE: backport that is hard to do so that will not be done. + NOTE: DLA-3735-1/buster fixes everything but additional hardening: + NOTE: https://lists.debian.org/debian-lts/2024/03/msg00022.html CVE-2024-24579 (stereoscope is a go library for processing container images and simula ...) NOT-FOR-US: stereoscope CVE-2024-24566 (Lobe Chat is a chatbot framework that supports speech synthesis, multi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03cc0b978d0270ec27b6bc397eb9ba6a54e5e4a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03cc0b978d0270ec27b6bc397eb9ba6a54e5e4a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
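Review bot: the new note asserts that DLA-3735-1 fixes everything except additional hardening, but the three upstream commits listed just above it (89c93ddf, ee73091a, d8edada9) are not annotated with which ones are the fix and which are the hardening; tag each commit accordingly so the claim can be checked against what the DLA actually shipped, and so a future backporter knows what was deliberately left out.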
[Git][security-tracker-team/security-tracker][master] Typo
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e1648a73 by Sylvain Beucler at 2024-03-14T11:02:31+01:00 Typo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17168,7 +17168,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of DRAM are used, might a NOTE: https://arxiv.org/abs/2309.02545 NOTE: Upstream does not consider CVE-2023-51767 a bug underlying in OpenSSH and NOTE: does not intent to address it in OpenSSH. To todays knowledge (2024-03-13) - NOTE: it has not been demostrated that the issue is exploitable in any real + NOTE: it has not been demonstrated that the issue is exploitable in any real NOTE: software configuration. CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKIN ...) {DSA-5597-1 DLA-3708-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1648a73e13f5df7f0e58241cad10888c44e364f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1648a73e13f5df7f0e58241cad10888c44e364f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
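Review bot: Two more typos sit in the unchanged context lines of this hunk and could go into the same typo commit: "does not intent to address it" should read "does not intend to address it", and "To todays knowledge (2024-03-13)" should read "To today's knowledge (2024-03-13)".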
[Git][security-tracker-team/security-tracker][master] dla: add unadf
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 50212642 by Sylvain Beucler at 2024-03-14T10:38:55+01:00 dla: add unadf - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -298,6 +298,10 @@ tinymce (Ola) tomcat9 NOTE: 20240121: Added by Front-Desk (apo) -- +unadf + NOTE: 20240314: Added by Front-Desk (Beuc) + NOTE: 20240314: Follow fixes from bullseye 11.9 (two 2016 CVEs) (Beuc/front-desk) +-- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/502126424b82d8ec0af3c080abce195354286bfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/502126424b82d8ec0af3c080abce195354286bfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
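Review bot: The added unadf NOTE refers to "two 2016 CVEs" without naming them; list the CVE ids (the varnish entry below names CVE-2023-44487) so the dla-needed entry can be cross-checked against data/CVE/list and the bullseye 11.9 changelog.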
[Git][security-tracker-team/security-tracker][master] CVE-2023-46586/weborf: buster no-dsa -> not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b670457 by Sylvain Beucler at 2024-03-13T19:31:37+01:00 CVE-2023-46586/weborf: buster no-dsa - not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28064,9 +28064,10 @@ CVE-2023-46586 - weborf 1.0-1 (bug #1054417) [bookworm] - weborf 0.19-2.1+deb12u1 [bullseye] - weborf 0.17-3+deb11u1 - [buster] - weborf (Minor issue) + [buster] - weborf (Vulnerable code introduced later) NOTE: https://github.com/ltworf/weborf/pull/88 NOTE: Fixed by: https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d (1.0) + NOTE: Introduced by: https://github.com/ltworf/weborf/commit/6f83c3e9ceed8b0d93608fd5d42b53c081057991 (0.16) CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 2.1.3.0 and ...) NOT-FOR-US: Viessmann Vitogate 300 CVE-2023-5701 (A vulnerability has been found in vnotex vnote up to 3.17.0 and classi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b67045720715f1a7021086c9204de61bcf6c52f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b67045720715f1a7021086c9204de61bcf6c52f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
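Review bot: The buster line is switched to "Vulnerable code introduced later" on the strength of the new "Introduced by" NOTE tagged (0.16), but the hunk does not record the buster version it was compared against; adding it to the triage text (e.g. "Vulnerable code introduced in 0.16, after the buster version") would make the not-affected verdict checkable from the entry alone.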
[Git][security-tracker-team/security-tracker][master] dla: add node-xml2js
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 20855786 by Sylvain Beucler at 2024-03-13T19:26:21+01:00 dla: add node-xml2js - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -170,6 +170,10 @@ linux-5.10 lucene-solr NOTE: 20240213: Added by Front-Desk (lamby) -- +node-xml2js + NOTE: 20240313: Added by Front-Desk (Beuc) + NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-0842) (Beuc/front-desk) +-- nodejs (guilhem) NOTE: 20240218: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/208557865ef18ac02e72e0fe16930c37ffae8e92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/208557865ef18ac02e72e0fe16930c37ffae8e92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: add spip
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e4597ae by Sylvain Beucler at 2024-03-13T19:05:38+01:00 dla: add spip - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -262,6 +262,10 @@ sendmail shim NOTE: 20240306: Added by Front-Desk (opal) -- +spip + NOTE: 20240313: Added by Front-Desk (Beuc) + NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-52322) (Beuc/front-desk) +-- squid NOTE: 20240109: Added by Front-Desk (apo) NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e4597ae423d44aa7cc8c48406e7c66a170c1baf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e4597ae423d44aa7cc8c48406e7c66a170c1baf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-2314/bpfcc: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c29b571 by Sylvain Beucler at 2024-03-13T18:43:37+01:00 CVE-2024-2314/bpfcc: buster not-affected - - - - - e2f4acec by Sylvain Beucler at 2024-03-13T18:50:56+01:00 CVE-2024-2313/bpftrace: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -643,12 +643,16 @@ CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to load - bpfcc [bookworm] - bpfcc (Minor issue) [bullseye] - bpfcc (Minor issue) + [buster] - bpfcc (Vulnerable code introduced later) NOTE: https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342 + NOTE: Introduced by: https://github.com/iovisor/bcc/commit/ae92f3ddb6aa5b81c750abf3540b99f24d219e67 (v0.10.0) CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt to load ...) - bpftrace [bookworm] - bpftrace (Minor issue) [bullseye] - bpftrace (Minor issue) + [buster] - bpftrace (Vulnerable code introduced later) NOTE: https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998 + NOTE: Introduced by: https://github.com/bpftrace/bpftrace/commit/896fafbe925385500c6626b19348739142944b88 (v0.9.3) CVE-2024-2184 (Buffer overflow in identifier field of WSD probe request process of Sm ...) NOT-FOR-US: Small Office Multifunction Printers and Laser Printers (Canon) CVE-2024-28823 (Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 1.0.0 a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a80cc6f01ee022017c37086b6a7560f157824556...e2f4acec090ac5abdce821e7f81b95f05996c267 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a80cc6f01ee022017c37086b6a7560f157824556...e2f4acec090ac5abdce821e7f81b95f05996c267 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
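Review bot: Both new "Vulnerable code introduced later" lines rest on the Introduced-by tags v0.10.0 (bcc) and v0.9.3 (bpftrace), yet neither triage note records the buster package version they were compared with; stating that buster ships an earlier version, with the version number, would let a reviewer confirm the not-affected status from the hunk alone.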
[Git][security-tracker-team/security-tracker][master] CVE-2021-42343/dask.distributed: precise buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a80cc6f0 by Sylvain Beucler at 2024-03-13T18:26:26+01:00 CVE-2021-42343/dask.distributed: precise buster triage ignored since guilhem reviewed and explicitly dropped the entry in 72180b0eadf7b78f7b8a78087c4578ea2c589730 Now out of lts-cve-triage.py radar. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -175017,10 +175017,10 @@ CVE-2021-42344 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 2021.10 ...) - dask.distributed 2021.09.1+ds.1-2 [bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1 - [buster] - dask.distributed (Minor issue; unreproducible with <2.0) + [buster] - dask.distributed (Minor issue; unreproducible with <2.0) NOTE: https://github.com/dask/distributed/pull/5427 NOTE: https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr - NOTE: Likely introduced in https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab + NOTE: Likely introduced in https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab (2.0.0) CVE-2021-42342 (An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. In the fi ...) NOT-FOR-US: Embedthis GoAhead CVE-2021-42341 (checkpath in OpenRC before 0.44.7 uses the direct output of strlen() t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a80cc6f01ee022017c37086b6a7560f157824556 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a80cc6f01ee022017c37086b6a7560f157824556 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
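Review bot: The "Likely introduced in" NOTE keeps its hedge while the commit title claims a precise triage and the buster line already asserts "unreproducible with <2.0"; if the (2.0.0) tag added here is confirmed, drop "Likely", and if it is not, the buster text should carry the same uncertainty. The first removed/added buster pair also reads identically in this view, so that part is whitespace-only and worth a word in the commit message.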
[Git][security-tracker-team/security-tracker][master] CVE-2024-1441/libvirt: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 70d498bd by Sylvain Beucler at 2024-03-13T17:54:27+01:00 CVE-2024-1441/libvirt: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -587,6 +587,7 @@ CVE-2024-1441 (An off-by-one error flaw was found in the udevListInterfacesBySta - libvirt (bug #1066058) [bookworm] - libvirt (Minor issue) [bullseye] - libvirt (Minor issue) + [buster] - libvirt (Minor issue; very rare crash before v5.10) NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca (v1.0.0-rc1) NOTE: Introduced by: https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15 (v5.10.0-rc1) NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8 (v10.1.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70d498bd33956182bf4c08c80eda2c0f52e702cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70d498bd33956182bf4c08c80eda2c0f52e702cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
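Review bot: The new buster line "very rare crash before v5.10" has to be inferred from the two Introduced-by NOTEs (v1.0.0-rc1 and v5.10.0-rc1); a short note on what the v5.10.0-rc1 commit changed to make the off-by-one reachable more often would make the postponed verdict reviewable without opening both GitLab commits.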
[Git][security-tracker-team/security-tracker][master] dla: fix syntax
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: fa253efd by Sylvain Beucler at 2024-03-13T16:11:06+01:00 dla: fix syntax - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -225,7 +225,7 @@ python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. NOTE: 20240311: Reverted decision to remove from this file since CVE-2020-10755 is fixed in bullseye. +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa253efd7ec824d84b982570e5697765be10c54e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa253efd7ec824d84b982570e5697765be10c54e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: update edk2 status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 010b3dfb by Sylvain Beucler at 2024-03-12T09:04:44+01:00 dla: update edk2 status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -72,7 +72,8 @@ dogecoin -- edk2 NOTE: 20231230: Added by Front-Desk (lamby) - NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) + NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) + NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/010b3dfbd4ea91044c016cbaa2c15653bd961bcc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/010b3dfbd4ea91044c016cbaa2c15653bd961bcc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Revert "Removed sendmail from dla-needed since there is no CVE marked as need...
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a2a182d by Sylvain Beucler at 2024-03-11T12:07:53+01:00 Revert "Removed sendmail from dla-needed since there is no CVE marked as need for a fix for buster."
This reverts commit f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb.
Rationale:
- SMTP Smuggling (CVE-2023-51765) had significant impact
- SMTP Smuggling was fixed in e.g. Postfix and Exim
- Sendmail is sponsored for LTS
- Preliminary LTS work was done
- CVE-2023-51765 is still not triaged for sendmail/buster
Consequently it's hard to explain why we would not attempt to fix it. In this case, I believe LTS should make an effort to fix sendmail for all dists, rather than follow secteam's initial triage.
- - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt =
@@ -220,6 +220,15 @@ ruby-rack (Adrian Bunk) samba NOTE: 20230918: Added by Front-Desk (apo) -- +sendmail + NOTE: 20231224: Added by Front-Desk (ta) + NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches (CVE-2023-51765) + NOTE: 20240217: Patch extracted and being reviewed (rouca) + NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) + NOTE: 20240311: Re-added to dla-needed.txt; while secteam tagged it no-dsa in later dists, + NOTE: 20240311: I believe we should fix this sponsored package, like postfix and exim, in all dists, + NOTE: 20240311: please coordinate with the package maintainer to help make this happen. (Beuc/front-desk) +-- shim NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a2a182dc53f0632ecd32108c91c071bdad76289 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a2a182dc53f0632ecd32108c91c071bdad76289 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
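Review bot: Grammar in the 20240213 NOTE: "Patch need to be extracted (rouca)" should read "Patch needs to be extracted (rouca)". The 20240311 re-add NOTE would also be self-explanatory without the git history if it named CVE-2023-51765, the reason given in the revert's commit message, next to "I believe we should fix this sponsored package".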
[Git][security-tracker-team/security-tracker][master] CVE-2023-6110/python-openstackclient: buster no-dsa -> not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 2dd2e31c by Sylvain Beucler at 2024-03-07T10:59:39+01:00 CVE-2023-6110/python-openstackclient: buster no-dsa - not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6619,7 +6619,7 @@ CVE-2023-6110 [deleting a non existing access rule deletes another existing acce - python-openstackclient 6.3.0-2 [bookworm] - python-openstackclient (Minor issue) [bullseye] - python-openstackclient (Minor issue) - [buster] - python-openstackclient (Minor issue) + [buster] - python-openstackclient (app cred access rules introduced in v5) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2212960 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209607 NOTE: https://review.opendev.org/888697 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dd2e31c15f4db09d326841c90a7ad8678b68588 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2dd2e31c15f4db09d326841c90a7ad8678b68588 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
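Review bot: The new buster text "app cred access rules introduced in v5" is not backed by an "Introduced by:" reference the way the other not-affected triages in this series are; add the upstream commit or release that introduced application-credential access rules, next to the existing review.opendev.org and bugzilla links, so the claim is verifiable.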
[Git][security-tracker-team/security-tracker][master] CVE-2024-25126/ruby-rack: reference upstream patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 039bf355 by Sylvain Beucler at 2024-03-07T10:24:23+01:00 CVE-2024-25126/ruby-rack: reference upstream patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3990,6 +3990,7 @@ CVE-2024-26141 (Rack is a modular Ruby web server interface. Carefully crafted R CVE-2024-25126 (Rack is a modular Ruby web server interface. Carefully crafted content ...) - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 + NOTE: https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 (v2.2.8.1) CVE-2024-26146 (Rack is a modular Ruby web server interface. Carefully crafted headers ...) - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039bf355bc8d15fd30bb0131640f9030ef169ce8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/039bf355bc8d15fd30bb0131640f9030ef169ce8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
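Review bot: Only CVE-2024-25126 gets the v2.2.8.1 commit reference (d9c163a4), while the CVE-2024-26146 entry visible below still points to the release tag only; if that release contains distinct commits per CVE, reference them too, and if one commit covers several of these Rack issues, say so in the NOTE so the reader does not assume d9c163a4 is specific to 25126.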
[Git][security-tracker-team/security-tracker][master] CVE-2024-22201/jetty9: precision
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cfbf8d9d by Sylvain Beucler at 2024-03-07T09:44:05+01:00 CVE-2024-22201/jetty9: precision - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3458,7 +3458,7 @@ CVE-2024-22201 (Jetty is a Java based web server and servlet engine. An HTTP/2 S - jetty9 (bug #1064923) NOTE: https://github.com/jetty/jetty.project/security/advisories/GHSA-rggv-cv7r-mw98 NOTE: https://github.com/jetty/jetty.project/issues/11256 - NOTE: 9.x branch fixed by https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b + NOTE: 9.4.x branch fixed by https://github.com/jetty/jetty.project/commit/86586df0a8a4d9c6b5af9a621ad1adf1b494d39b CVE-2024-21836 (A heap-based buffer overflow vulnerability exists in the GGUF library ...) NOT-FOR-US: llama.cpp CVE-2024-21825 (A heap-based buffer overflow vulnerability exists in the GGUF library ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfbf8d9dbe56b5cc99b37e0d2803d60f7af15095 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfbf8d9dbe56b5cc99b37e0d2803d60f7af15095 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix tab
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f752d354 by Sylvain Beucler at 2024-03-02T11:35:19+01:00 Fix tab - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -35429,7 +35429,7 @@ CVE-2022-48564 (read_ints in plistlib.py in Python through 3.9.1 is vulnerable t - python2.7 (In 2.7, the plistlib parser only supports XML and not the affected binary format) NOTE: https://bugs.python.org/issue42103 NOTE: https://github.com/python/cpython/issues/86269 - NOTE: https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2) + NOTE: https://github.com/python/cpython/commit/34637a0ce21e7261b952fbd9d006474cc29b681f (v3.10.0a2) NOTE: https://github.com/python/cpython/commit/e277cb76989958fdbc092bf0b2cb55c43e86610a (v3.9.1rc1) NOTE: https://github.com/python/cpython/commit/547d2bcc55e348043b2f338027c1acd9549ada76 (v3.8.7rc1) NOTE: https://github.com/python/cpython/commit/225e3659556616ad70186e7efc02baeebfeb5ec4 (v3.7.10) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f752d354e0cf6b359cb80e528e12cfb995fc8078 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f752d354e0cf6b359cb80e528e12cfb995fc8078 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f1d7559b by Sylvain Beucler at 2024-02-27T13:04:30+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -49,6 +49,7 @@ cacti (Sylvain Beucler) NOTE: 20240219: Backport patches, update patch commits (Beuc) NOTE: 20240222: Coordinating with maintainer to prepare bullseye updates (Beuc) NOTE: 20240222: Reported incomplete fix upstream (Beuc) + NOTE: 20240227: Sent debdiffs for buster/bullseye/bookworm to maintainer+secteam; no news from upstream yet (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1d7559b5e734d750013c79b2bfe32fd4464b1a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1d7559b5e734d750013c79b2bfe32fd4464b1a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-49084/cacti: follow-up patch + mitigation note
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a8640782 by Sylvain Beucler at 2024-02-27T11:42:15+01:00 CVE-2023-49084/cacti: follow-up patch + mitigation note - - - - - 8d95dc5b by Sylvain Beucler at 2024-02-27T11:43:48+01:00 CVE-2023-49085/cacti: add note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12466,6 +12466,7 @@ CVE-2023-49085 (Cacti provides an operational monitoring and fault management fr - cacti 1.2.26+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855 NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26) + NOTE: Requires multi-pollers setup CVE-2023-48704 (ClickHouse is an open-source column-oriented database management syste ...) - clickhouse (bug #1059367) [bookworm] - clickhouse (Minor issue) 
@@ -12587,6 +12588,8 @@ CVE-2023-49084 (Cacti is a robust performance and fault management framework and - cacti 1.2.26+ds1-1 (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26) + NOTE: https://github.com/Cacti/cacti/commit/c3a647e9867ae8e2982e26342630ba9edb2d94b7 (release/1.2.26) + NOTE: Mitigated in Debian by not shipping or creating 'include/content/' CVE-2023-48723 REJECTED CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c17c219bb6c244fa50ea884d7a0b4c4bcfb0bf05...8d95dc5bec06c31c652bddd8df274941a82fc993 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c17c219bb6c244fa50ea884d7a0b4c4bcfb0bf05...8d95dc5bec06c31c652bddd8df274941a82fc993 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
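Review bot: The second commit (c3a647e9) is added with the same "(release/1.2.26)" tag as 5f451bc6 but no label, so the entry no longer shows which is the original fix and which the follow-up named in the commit title; prefix it "Follow-up fix:" or similar. The new mitigation NOTE should also state which package versions were checked for the absence of 'include/content/', since the triage lines for the other dists are not part of this hunk.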
[Git][security-tracker-team/security-tracker][master] CVE-2023-39362/cacti: note limitations
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 37ae384b by Sylvain Beucler at 2024-02-26T20:59:28+01:00 CVE-2023-39362/cacti: note limitations - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31020,6 +31020,8 @@ CVE-2023-39362 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp NOTE: https://github.com/cacti/cacti/commit/cb9ab92f2580fc6cb9b64ce129655fb15e35d056 (release/1.2.25) NOTE: https://github.com/Cacti/cacti/commit/4c26f39fa3567553192823a5e8096b187bbaddde (release/1.2.25) + NOTE: snmp_escape_string broken and non-exploitable until https://github.com/Cacti/cacti/commit/c66d5815b8381eaa7ef679abc8d041f23105ef34 (release/1.2.23) + NOTE: Requires php-snmp be disabled. CVE-2023-39361 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37ae384b58b7a3497aae605ed7b6fbbd9898b1e1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/37ae384b58b7a3497aae605ed7b6fbbd9898b1e1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
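Review bot: The two added NOTEs state independent limitations, a version threshold (snmp_escape_string non-exploitable until c66d5815, release/1.2.23) and a configuration requirement (php-snmp disabled), without saying how they combine; spell out whether both must hold for exploitation and, if the threshold holds, whether versions before 1.2.23 should be marked not-affected rather than only annotated.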
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: eda6d880 by Sylvain Beucler at 2024-02-22T23:23:58+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -47,6 +47,8 @@ cacti (Sylvain Beucler) NOTE: 20240123: Backport patches, report duplicate to MITRE (CVE-2023-50569) (Beuc) NOTE: 20240131: Tidy https://salsa.debian.org/debian/cacti/-/tree/buster?ref_type=heads (Beuc) NOTE: 20240219: Backport patches, update patch commits (Beuc) + NOTE: 20240222: Coordinating with maintainer to prepare bullseye updates (Beuc) + NOTE: 20240222: Reported incomplete fix upstream (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eda6d8808332b2be4c08488bef5d99a42289ffc1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eda6d8808332b2be4c08488bef5d99a42289ffc1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-39360/cacti: precise note again
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 79e1fa5a by Sylvain Beucler at 2024-02-22T18:26:28+01:00 CVE-2023-39360/cacti: precise note again - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30371,7 +30371,7 @@ CVE-2023-39360 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 NOTE: Initial fix: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25) NOTE: Final fix: https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa (release/1.2.25) - NOTE: Attack is usually blocked by browser CORS/CSP policies before https://github.com/Cacti/cacti/commit/137340264ac550d060ef17c4d0794fa4abae1c26 (release/1.2.23) + NOTE: PoC doesn't seem to trigger without https://github.com/Cacti/cacti/commit/137340264ac550d060ef17c4d0794fa4abae1c26 (release/1.2.23) CVE-2023-39359 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79e1fa5a8ad748d48aa852d78507f6456b99934e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79e1fa5a8ad748d48aa852d78507f6456b99934e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
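Review bot: "PoC doesn't seem to trigger without ..." replaces a definite claim with a hedge but records no test conditions; note which PoC (presumably the one from GHSA-gx8c-xvjh-9qh4) and which cacti version it was run against, so the next triager can tell whether the observation is about the fix or about the test setup.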
[Git][security-tracker-team/security-tracker][master] CVE-2023-49088,CVE-2023-50250/cacti: another follow-up commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0470d1be by Sylvain Beucler at 2024-02-22T18:00:36+01:00 CVE-2023-49088,CVE-2023-50250/cacti: another follow-up commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11532,6 +11532,7 @@ CVE-2023-50250 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26) NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 (release/1.2.26) + NOTE: https://github.com/Cacti/cacti/commit/59e39b34f8f1d80b28d38a391d7aa6e7a3302f5b (release/1.2.26) NOTE: Introduced by: https://github.com/Cacti/cacti/commit/27a36d48e1cea172b0750c970324208b39d2bec5 (release/1.2.23) CVE-2023-50147 (There is an arbitrary command execution vulnerability in the setDiagno ...) NOT-FOR-US: TOTOLINK 
@@ -11554,6 +11555,7 @@ CVE-2023-49088 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h (CVE-2023-39515) NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26) NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 (release/1.2.26) + NOTE: https://github.com/Cacti/cacti/commit/59e39b34f8f1d80b28d38a391d7aa6e7a3302f5b (release/1.2.26) NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x) CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...) - cacti 1.2.26+ds1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0470d1bee0d1738f176e54b83a480de7b602c6ec
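Review bot: after these two hunks CVE-2023-50250 carries three and CVE-2023-49088 four bare commit URLs (58a980f, 73d9a60, the newly added 59e39b3 and, on CVE-2023-49088, 56f9d99 tagged "1.2.x") with nothing saying which one is the primary fix and which are follow-ups. The file already uses "Initial fix:" / "Final fix:" labels on the CVE-2023-39360 entry; suggest labelling these the same way so a backporter knows the set has to be applied together rather than picking one of them.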
[Git][security-tracker-team/security-tracker][master] CVE-2023-49088/cacti: reference additional patches
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 296cb887 by Sylvain Beucler at 2024-02-22T17:39:49+01:00 CVE-2023-49088/cacti: reference additional patches Despite the reference to CVE-2023-49088 in 56f9d99e6e5ab434ea18fa344236f41e78f99c59, that patch doesn't fix the tooltip issue. This is done with the commit introducing purify.js. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11552,6 +11552,8 @@ CVE-2023-49088 (Cacti is an open source operational monitoring and fault managem NOTE: Caused by an incomplete fix for CVE-2023-39515 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h (CVE-2023-39515) + NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26) + NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 (release/1.2.26) NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x) CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...) - cacti 1.2.26+ds1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/296cb88759992e5bcbf54127cb3d9a03d79a024a
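Review bot: the commit message states that 56f9d99 does not fix the tooltip issue for CVE-2023-49088, but the hunk leaves the existing "NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x)" line untouched beside the two newly added purify.js commits, so the file itself still presents all three as equivalent fixes. Suggest annotating the retained line (e.g. "(1.2.x, does not fix the tooltip issue)") or recording that finding in a NOTE of its own, so the reasoning survives in data/CVE/list where backporters will read it rather than only in git history.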
[Git][security-tracker-team/security-tracker][master] CVE-2023-39360/cacti: precise note
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 56b966d9 by Sylvain Beucler at 2024-02-22T12:36:19+01:00 CVE-2023-39360/cacti: precise note - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30356,7 +30356,7 @@ CVE-2023-39360 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 NOTE: Initial fix: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25) NOTE: Final fix: https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa (release/1.2.25) - NOTE: Attack is usually blocked by browser CORS/CSP policies. + NOTE: Attack is usually blocked by browser CORS/CSP policies before https://github.com/Cacti/cacti/commit/137340264ac550d060ef17c4d0794fa4abae1c26 (release/1.2.23) CVE-2023-39359 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56b966d955358a84963e59965f4fcbe011ae6d72
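Review bot: the new wording "Attack is usually blocked by browser CORS/CSP policies before ... 137340264ac550d060ef17c4d0794fa4abae1c26 (release/1.2.23)" is ambiguous: it can be read as "the browser-side mitigation applied until that commit changed something" or as "the attack needs that commit's code to be reachable at all". If the commit is what makes the issue exploitable, the file's own "Introduced by:" convention (used on the neighbouring CVE-2023-39361 entry) states that unambiguously and lets suite triage be derived from the release tag; if not, say what changed at 1.2.23 instead of "before".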
[Git][security-tracker-team/security-tracker][master] CVE-2023-39361/cacti: reference complementary fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0293e780 by Sylvain Beucler at 2024-02-21T19:14:50+01:00 CVE-2023-39361/cacti: reference complementary fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30138,6 +30138,7 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25) NOTE: Introduced by: https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 (release/1.2.17) NOTE: but the patch still fixes multiple similar issues including one present in earlier versions. + NOTE: Additional hardening with CVE-2023-39365. CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0293e7807ee21d953506b1641df9c9ad6daf13ab
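Review bot: "NOTE: Additional hardening with CVE-2023-39365." points at a CVE ID rather than at the commit that provides the hardening, unlike every other NOTE on this entry, which carries a commit URL and a release tag. Suggest referencing the commit URL (with its release/1.2.x tag) directly, and stating whether the CVE-2023-39361 fix in 4246aee is considered complete without it: the commit title calls it a "complementary fix" while the note calls it "hardening", and that difference decides whether a backport of 4246aee alone closes the issue in older suites.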
[Git][security-tracker-team/security-tracker][master] CVE-2023-39361/cacti: reference introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e56496d by Sylvain Beucler at 2024-02-21T19:09:14+01:00 CVE-2023-39361/cacti: reference introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30136,6 +30136,8 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-6r43-q2fw-5wrg NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25) + NOTE: Introduced by: https://github.com/cacti/cacti/commit/36269461cb9b03581ad5d7f6ddbc085a28fb9c37 (release/1.2.17) + NOTE: but the patch still fixes multiple similar issues including one present in earlier versions. CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e56496dbc2ab0d1a2a97bdd9cb48107488911f7
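Review bot: the second added line ("NOTE: but the patch still fixes multiple similar issues including one present in earlier versions.") is a sentence fragment continuing the "Introduced by: ... (release/1.2.17)" line, and its substance matters for triage: it says releases older than 1.2.17 still contain a related issue, so the "Introduced by" line must not be used on its own to mark older suites as not-affected. Suggest merging the two into one NOTE that says this explicitly, e.g. "Introduced by: ... (release/1.2.17), but 4246aee also fixes similar issues present in earlier versions; do not mark older releases not-affected".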
[Git][security-tracker-team/security-tracker][master] CVE-2023-39360/cacti: wrong patch, bookworm still vulnerable
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 902dd979 by Sylvain Beucler at 2024-02-21T18:26:16+01:00 CVE-2023-39360/cacti: wrong patch, bookworm still vulnerable Follow-up to c3cae9377156c963d7b475fda3a82413188d8446 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30124,7 +30124,6 @@ CVE-2023-39361 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/cacti/cacti/commit/4246aee6310846d0e106bd05279e54fff3765822 (release/1.2.25) CVE-2023-39360 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 - [bookworm] - cacti 1.2.24+ds1-1+deb12u1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 NOTE: Initial fix: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25) NOTE: Final fix: https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa (release/1.2.25) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/902dd9790a4e442d0817be361d7eba4a62bb57e8
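Review bot: dropping the "[bookworm] - cacti 1.2.24+ds1-1+deb12u1" line correctly returns bookworm to vulnerable status, but the reason (the commit title's "wrong patch, bookworm still vulnerable") is recorded only in the commit message, not in the file. Suggest adding a NOTE such as "NOTE: 1.2.24+ds1-1+deb12u1 shipped the wrong patch, still vulnerable" so the deb12u1 version is not re-added by someone re-triaging from the DSA, and so the follow-up relationship to c3cae9377156c963d7b475fda3a82413188d8446 is discoverable from data/CVE/list itself.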
[Git][security-tracker-team/security-tracker][master] CVE-2023-39359/cacti: buster actually not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cad43f5 by Sylvain Beucler at 2024-02-21T17:02:59+01:00 CVE-2023-39359/cacti: buster actually not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30116,8 +30116,10 @@ CVE-2023-39360 (Cacti is an open source operational monitoring and fault managem CVE-2023-39359 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q4wh-3f9w-836h NOTE: https://github.com/cacti/cacti/commit/7459ff57abcd97ab8bc7a19de9e308ca62c17d38 (release/1.2.25) + NOTE: Introduced by: https://github.com/cacti/cacti/commit/518800fdb0bd25f311a530d78bab635b3c96c500 (release/1.2.7) CVE-2023-39358 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cad43f56f903274333d4391652a76276f9d9382
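Review bot: the new "[buster] - cacti (Vulnerable code introduced later)" line is justified by the added "Introduced by: ... (release/1.2.7)" note, but a reader has to look up buster's cacti version to check that it predates 1.2.7. Suggest making the parenthetical self-contained, e.g. "(Vulnerable code introduced in 1.2.7)", the pattern the CVE-2024-0444 gst-plugins-bad1.0 entry uses ("AV1 parser introduced in 1.17.1"), so the not-affected claim can be verified from the line alone.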
[Git][security-tracker-team/security-tracker][master] 6 commits: CVE-2023-49085/cacti: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 40e4289c by Sylvain Beucler at 2024-02-20T13:18:40+01:00 CVE-2023-49085/cacti: reference patch - - - - - 76b9bb2f by Sylvain Beucler at 2024-02-20T13:18:42+01:00 CVE-2023-49084/cacti: fix patch - - - - - 8597007f by Sylvain Beucler at 2024-02-20T13:18:44+01:00 cacti: add commit tags - - - - - fe197fd8 by Sylvain Beucler at 2024-02-20T13:18:46+01:00 CVE-2023-46490/cacti: drop unrelated patch According to https://gist.github.com/ISHGARD-2/a9563238fcd7ccf7432ccb145b53 this is an SQL injection vulnerability, so patches related to purify.js are not necessary. - - - - - aff19bde by Sylvain Beucler at 2024-02-20T13:50:34+01:00 CVE-2023-50250/cacti: reference patches - - - - - 2f19f0cd by Sylvain Beucler at 2024-02-20T14:38:47+01:00 CVE-2023-46490,CVE-2023-51448/cacti: probably duplicates, same description (unserialize abuse), same impact (blind SQLi) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10592,7 +10592,9 @@ CVE-2023-51448 (Cacti provides an operational monitoring and fault management fr [bullseye] - cacti (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied) [buster] - cacti (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594 + NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26) NOTE: Introduced by: https://github.com/Cacti/cacti/commit/7b1ae5bcab3caca020da0080e19ac51c2743adfe (release/1.2.25, CVE-2023-30534) + NOTE: Probably duplicate of CVE-2023-46490 CVE-2023-51035 (TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...) NOT-FOR-US: TOTOLINK CVE-2023-51034 (TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...) 
@@ -10662,6 +10664,8 @@ CVE-2023-50250 (Cacti is an open source operational monitoring and fault managem [bullseye] - cacti (Vulnerable code introduced later) [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 +NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc (release/1.2.26) +NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 (release/1.2.26) NOTE: Introduced by: https://github.com/Cacti/cacti/commit/27a36d48e1cea172b0750c970324208b39d2bec5 (release/1.2.23) CVE-2023-50147 (There is an arbitrary command execution vulnerability in the setDiagno ...) NOT-FOR-US: TOTOLINK @@ -10686,6 +10690,7 @@ CVE-2023-49088 (Cacti is an open source operational monitoring and fault managem CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...) - cacti 1.2.26+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855 + NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26) CVE-2023-48704 (ClickHouse is an open-source column-oriented database management syste ...) - clickhouse (bug #1059367) [bookworm] - clickhouse (Minor issue) @@ -10806,7 +10811,7 @@ CVE-2023-49086 (Cacti is a robust performance and fault management framework and CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) - cacti 1.2.26+ds1-1 (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp - NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc + NOTE: https://github.com/Cacti/cacti/commit/5f451bc680d7584525d18026836af2a1e31b2188 (release/1.2.26) CVE-2023-48723 REJECTED CVE-2023-48722 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) 
@@ -20638,11 +20643,12 @@ CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote att - cacti 1.2.26+ds1-1 (bug #1059286) [bookworm] - cacti (Revisit when more details are available) [bullseye] - cacti (Revisit when more details are available) + [buster] - cacti (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-f4r3-53jr-654c (not public yet) NOTE: https://gist.github.com/ISHGARD-2/a9563238fcd7ccf7432ccb145b53 - NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc - NOTE: https://github.com/Cacti/cacti/commit/73d9a60e24d6d826e6343b94d833b48c28b68643 - NOTE: Potentially overlapping with CVE-2023-49084 and CVE-2023-49086 + NOTE: Checking the above link, this is probably a duplicate
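Review bot: in the @@ -10662 hunk the two lines added to CVE-2023-50250 appear as "+NOTE: https://github.com/Cacti/cacti/commit/58a980f..." and "+NOTE: https://github.com/Cacti/cacti/commit/73d9a60..." with no leading whitespace, while every other NOTE line in this push, including the one added to CVE-2023-49085 in the following hunk ("+ NOTE: ..."), is indented. In this file entry lines start at column 0 and their suite and NOTE lines are indented beneath them, so an unindented NOTE is not attached to the CVE-2023-50250 entry; please re-indent the two lines to match.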
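Review bot: in the @@ -20638 hunk the replacement "NOTE: Checking the above link, this is probably a duplicate" names neither the link (two URLs precede it: the GHSA advisory and the gist) nor the CVE it duplicates, whereas the matching change to CVE-2023-51448 in the first hunk says "Probably duplicate of CVE-2023-46490". Suggest the symmetric wording, e.g. "NOTE: Per the gist above, probably duplicate of CVE-2023-51448 (unserialize abuse, blind SQLi)", using the description the commit message gives. The same hunk adds a buster not-affected line but leaves "[bookworm] - cacti (Revisit when more details are available)" and its bullseye twin untouched, although the commit message says the gist has now identified the issue as SQL injection; those two lines read as stale and should be re-triaged in the same change.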
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 23fa34c5 by Sylvain Beucler at 2024-02-19T11:22:35+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -46,6 +46,7 @@ cacti (Sylvain Beucler) NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc) NOTE: 20240123: Backport patches, report duplicate to MITRE (CVE-2023-50569) (Beuc) NOTE: 20240131: Tidy https://salsa.debian.org/debian/cacti/-/tree/buster?ref_type=heads (Beuc) + NOTE: 20240219: Backport patches, update patch commits (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23fa34c55e30baa5a17bcafd3399ff7c0afebd5f
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-49086/cacti: fix patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 02a813f5 by Sylvain Beucler at 2024-02-03T12:51:45+01:00 CVE-2023-49086/cacti: fix patch - - - - - d4bc509a by Sylvain Beucler at 2024-02-03T12:51:47+01:00 CVE-2023-49088/cacti: reference patch - - - - - 99492343 by Sylvain Beucler at 2024-02-03T12:51:49+01:00 CVE-2023-50569/cacti: reference MITRE duplicate request - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7503,6 +7503,7 @@ CVE-2023-50569 (Reflected Cross Site Scripting (XSS) vulnerability in Cacti v1.2 NOTE: https://gist.github.com/ISHGARD-2/a6b57de899f977e2af41780e7428b4bf NOTE: Introduced by: https://github.com/Cacti/cacti/commit/27a36d48e1cea172b0750c970324208b39d2bec5 (release/1.2.23) NOTE: Exact same text as GHSA-xwqc-7jc4-xm73 / CVE-2023-50250. + NOTE: Duplicate reported at MITRE 2024-01-18 (CVE Request 1589347) CVE-2023-50259 (Medusa is an automatic video library manager for TV shows. Versions pr ...) NOT-FOR-US: Medusa (not same as src:medusa) CVE-2023-50258 (Medusa is an automatic video library manager for TV shows. Versions pr ...) @@ -7534,6 +7535,7 @@ CVE-2023-49088 (Cacti is an open source operational monitoring and fault managem NOTE: Caused by an incomplete fix for CVE-2023-39515 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h (CVE-2023-39515) + NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x) CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...) - cacti 1.2.26+ds1-1 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855 
@@ -7653,7 +7655,7 @@ CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL In CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...) - cacti 1.2.26+ds1-1 (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr - NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc + NOTE: https://github.com/Cacti/cacti/commit/56f9d99e6e5ab434ea18fa344236f41e78f99c59 (1.2.x) CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) - cacti 1.2.26+ds1-1 (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ee909d6caf9a47b7eaffd69491f5bc87f0c3a28a...994923433124524845df850fb0f1624d7a73ac3c
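Review bot: in the @@ -7653 hunk the CVE-2023-49086 fix reference is swapped from 58a980f to 56f9d99 tagged only "(1.2.x)", while the entry's fixed version stays "cacti 1.2.26+ds1-1". A bare branch tag leaves it unclear whether 56f9d99 is actually contained in the 1.2.26 release; if it is not, the fixed-version claim needs a second look. Suggest recording the containing release on the NOTE (or "not in 1.2.26") and, since this is a "fix patch" correction, a short reason why 58a980f was the wrong reference, so it is not reintroduced later.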
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f8b9b7f8 by Sylvain Beucler at 2024-01-31T22:10:37+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -40,7 +40,8 @@ cacti (Sylvain Beucler) NOTE: 20231218: Keep triaging CVEs backlog (Beuc) NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc) NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc) - NOTE: 20240123: Backport patches, report duplicate to MITRE (Beuc) + NOTE: 20240123: Backport patches, report duplicate to MITRE (CVE-2023-50569) (Beuc) + NOTE: 20240131: Tidy https://salsa.debian.org/debian/cacti/-/tree/buster?ref_type=heads (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8b9b7f86888cbd34e3feb42c84770fbf27c1e52
[Git][security-tracker-team/security-tracker][master] 2 commits: mathtex: follow bullseye triage for buster
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f29a01e by Sylvain Beucler at 2024-01-27T16:14:19+01:00 mathtex: follow bullseye triage for buster - - - - - cc3aee24 by Sylvain Beucler at 2024-01-27T16:27:31+01:00 mbedtls: follow bullseye triage for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -546,26 +546,31 @@ CVE-2023-51889 (Stack Overflow vulnerability in the validate() function in Matht - mathtex (bug #1061520) [bookworm] - mathtex (Minor issue) [bullseye] - mathtex (Minor issue) + [buster] - mathtex (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51888 (Buffer Overflow vulnerability in the nomath() function in Mathtex v.1. ...) - mathtex (bug #1061520) [bookworm] - mathtex (Minor issue) [bullseye] - mathtex (Minor issue) + [buster] - mathtex (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51887 (Command Injection vulnerability in Mathtex v.1.05 and before allows a ...) - mathtex (bug #1061520) [bookworm] - mathtex (Minor issue) [bullseye] - mathtex (Minor issue) + [buster] - mathtex (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51886 (Buffer Overflow vulnerability in the main() function in Mathtex 1.05 a ...) - mathtex (bug #1061520) [bookworm] - mathtex (Minor issue) [bullseye] - mathtex (Minor issue) + [buster] - mathtex (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51885 (Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a re ...) - mathtex (bug #1061520) [bookworm] - mathtex (Minor issue) [bullseye] - mathtex (Minor issue) + [buster] - mathtex (Minor issue) NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/ CVE-2023-51702 (Since version 5.2.0, when using deferrable mode with the path of a Kub ...) - airflow (bug #819700) 
@@ -1167,8 +1172,10 @@ CVE-2024-23744 (An issue was discovered in Mbed TLS 3.5.1. There is persistent h - mbedtls [bookworm] - mbedtls (Minor issue) [bullseye] - mbedtls (Minor issue) + [buster] - mbedtls (Minor issue) NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8694 NOTE: https://github.com/Mbed-TLS/mbedtls/pull/8595 + NOTE: Likely specific to 3.5.1: https://github.com/Mbed-TLS/mbedtls/issues/8694#issuecomment-1889411367 CVE-2024-22113 (Open redirect vulnerability in Access analysis CGI An-Analyzer release ...) NOT-FOR-US: Access analysis CGI An-Analyzer CVE-2024-21484 (Versions of the package jsrsasign before 11.0.0 are vulnerable to Obse ...) @@ -1195,6 +1202,7 @@ CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ss - mbedtls [bookworm] - mbedtls (Minor issue) [bullseye] - mbedtls (Minor issue) + [buster] - mbedtls (Minor issue) NOTE: https://github.com/Mbed-TLS/mbedtls/issues/8654 CVE-2023-47352 (Technicolor TC8715D devices have predictable default WPA2 security pas ...) NOT-FOR-US: Technicolor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0bccd6ab6277b6ff6be6504fef604e8a3662e8b1...cc3aee24a8fb0168bfb5a7708b16ee881408d94d
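Review bot: in the @@ -1167 hunk the new "[buster] - mbedtls (Minor issue)" line sits next to the new "NOTE: Likely specific to 3.5.1" line, and the CVE text itself says the issue "was discovered in Mbed TLS 3.5.1". If the issue really is specific to 3.5.1, "Minor issue" is the wrong classification for bookworm, bullseye and buster alike; the matching status is not-affected with a reason such as "Vulnerable code introduced later" (the wording used on the cacti entries), which does not need revisiting later. Suggest confirming against the versions shipped in each suite and changing all three suite lines together, rather than copying the bullseye triage to buster as this push does.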
[Git][security-tracker-team/security-tracker][master] CVE-2023-52355,CVE-2023-52356/tiff: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bccd6ab by Sylvain Beucler at 2024-01-27T16:04:25+01:00 CVE-2023-52355,CVE-2023-52356/tiff: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -442,6 +442,7 @@ CVE-2023-52356 (A segment fault (SEGV) flaw was found in libtiff that could be t - tiff 4.5.1+git230720-4 (bug #1061524) [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) + [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a @@ -449,6 +450,7 @@ CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be trigger - tiff 4.5.1+git230720-4 [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) + [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bccd6ab6277b6ff6be6504fef604e8a3662e8b1
[Git][security-tracker-team/security-tracker][master] CVE-2024-0444/gst-plugins-bad1.0: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a804687d by Sylvain Beucler at 2024-01-27T15:35:17+01:00 CVE-2024-0444/gst-plugins-bad1.0: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48,6 +48,7 @@ CVE-2023-48201 (Cross Site Scripting (XSS) vulnerability in Sunlight CMS v.8.0.1 NOT-FOR-US: Sunlight CMS CVE-2024-0444 [GStreamer-SA-2024-0001: AV1 codec parser potential buffer overflow during tile list parsing] - gst-plugins-bad1.0 1.22.9-1 + [buster] - gst-plugins-bad1.0 (AV1 parser introduced in 1.17.1) - gst-plugins-bad0.10 NOTE: https://gstreamer.freedesktop.org/security/sa-2024-0001.html NOTE: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/5970 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a804687deaca873d7c823828f5c40fb43291c51b
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-22725/orthanc: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a0ebe7d7 by Sylvain Beucler at 2024-01-26T21:03:47+01:00 CVE-2024-22725/orthanc: buster postponed - - - - - 34dafc5c by Sylvain Beucler at 2024-01-26T21:03:47+01:00 ela: update salt status - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -284,6 +284,7 @@ CVE-2024-22725 (Orthanc versions before 1.12.2 are affected by a reflected cross - orthanc 1.12.2+dfsg-1 [bookworm] - orthanc (Minor issue) [bullseye] - orthanc (Minor issue) + [buster] - orthanc (Minor issue, XSS) NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/505416b269a0 CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group managemen ...) - kanboard = data/dla-needed.txt = @@ -250,6 +250,7 @@ salt NOTE: 20230928: will need python3-saltfactories >= 0.907 (that need python3-setuptools (>= 50.3.2), python3-setuptools-scm (>= 3.4) to be investigated) NOTE: 20230928: will need python3-attr (>= 19.1) may from buster-backport ? or vendored ? NOTE: 20230928: see https://lists.debian.org/debian-lts/2023/09/msg00033.html + NOTE: 20240126: santiago in the process of EOLing the package (Beuc/front-desk) -- samba NOTE: 20230918: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/3c24a26cb9c7a9f0dd6b44ebedac5c57d7c3cf26...34dafc5c5e93096da4eeaf6a736269c46781a700
[Git][security-tracker-team/security-tracker][master] CVE-2024-0914/opencryptoki: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9599d1bd by Sylvain Beucler at 2024-01-26T20:47:57+01:00 CVE-2024-0914/opencryptoki: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -113,6 +113,7 @@ CVE-2024-0914 - opencryptoki [bookworm] - opencryptoki (Minor issue) [bullseye] - opencryptoki (Minor issue) + [buster] - opencryptoki (Minor issue) NOTE: https://github.com/opencryptoki/opencryptoki/issues/731 NOTE: https://github.com/opencryptoki/opencryptoki/pull/737 NOTE: https://github.com/opencryptoki/opencryptoki/commit/2ea019ee2b09f15724d808382d53baca03403288 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9599d1bd15d6def148093cfa95a1989529948f47
[Git][security-tracker-team/security-tracker][master] CVE-2024-22636/pluxml: buster end-of-life
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: dd3564ae by Sylvain Beucler at 2024-01-26T13:31:37+01:00 CVE-2024-22636/pluxml: buster end-of-life - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -48,6 +48,7 @@ CVE-2024-22637 (Form Tools v3.1.1 was discovered to contain a reflected cross-si NOT-FOR-US: Form Tools CVE-2024-22636 (PluXml Blog v5.8.9 was discovered to contain a remote code execution ( ...) - pluxml + [buster] - pluxml (EOL in buster LTS) CVE-2024-22635 (WebCalendar v1.3.0 was discovered to contain a reflected cross-site sc ...) - webcalendar CVE-2024-22545 (TRENDnet TEW-824DRU version 1.04b01 is vulnerable to Command Injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd3564aec43b57c03c45ff161513df13c645ee53 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd3564aec43b57c03c45ff161513df13c645ee53 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
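Review bot: the CVE-2024-22636 entry now has a buster line "(EOL in buster LTS)" but no NOTE at all, neither an upstream reference for the reported remote code execution nor a pointer to where pluxml was declared EOL for buster LTS; a NOTE with the EOL reference would let a later triager verify the tag without searching list archives, and the bare "- pluxml" unstable line still needs a fixed version or a "(unfixed)" style annotation.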
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2024-22749/gpac: buster end-of-life
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: eca6e58b by Sylvain Beucler at 2024-01-25T22:55:18+01:00 CVE-2024-22749/gpac: buster end-of-life - - - - - 3b1c9bfe by Sylvain Beucler at 2024-01-25T22:55:19+01:00 CVE-2023-52354/chasquid: buster postponed - - - - - dbf2e8c9 by Sylvain Beucler at 2024-01-25T22:55:19+01:00 CVE-2024-22563/openvswitch: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,6 +23,7 @@ CVE-2024-23655 (Tuta is an encrypted email service. Starting in version 3.118.12 NOT-FOR-US: Tuta CVE-2024-22749 (GPAC v2.3 was detected to contain a buffer overflow via the function g ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2713 NOTE: https://github.com/gpac/gpac/commit/7aef8038c6bdd310e65000704e39afaa0e721048 CVE-2024-22729 (NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command i ...) @@ -821,6 +822,7 @@ CVE-2023-52354 (chasquid before 1.13 allows SMTP smuggling because LF-terminated - chasquid 1.13-1 [bookworm] - chasquid (Minor issue) [bullseye] - chasquid (Minor issue) + [buster] - chasquid (Minor issue, request smuggling) NOTE: https://blitiri.com.ar/p/chasquid/relnotes/#113-2023-12-24 CVE-2023-52353 (An issue was discovered in Mbed TLS through 3.5.1. In mbedtls_ssl_sess ...) - mbedtls 
@@ -967,6 +969,7 @@ CVE-2024-22876 (StrangeBee TheHive 5.1.0 to 5.1.9 and 5.2.0 to 5.2.8 is vulnerab CVE-2024-22563 (openvswitch 2.17.8 was discovered to contain a memory leak via the fun ...) - openvswitch 2.17.2-4 [bullseye] - openvswitch (Minor issue) + [buster] - openvswitch (Minor issue, memory leak) NOTE: https://github.com/openvswitch/ovs-issues/issues/315 NOTE: https://github.com/openvswitch/ovs/commit/3168f328c78cf6e4b3022940452673b0e49f7620 (v2.17.0) CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer Underflow via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd1078ed4f3c7d09292a71b0fe09ffa002e421d4...dbf2e8c9de5e552bb184c44a2a56607393ce3844 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd1078ed4f3c7d09292a71b0fe09ffa002e421d4...dbf2e8c9de5e552bb184c44a2a56607393ce3844 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
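Review bot: in the gpac hunk the fix commit 7aef8038 is referenced without a release annotation, so it is not obvious which upstream version first carries it; for an "(EOL in buster LTS)" package this matters less, but the unstable line "- gpac" still lacks a fixed version and the release tag is what ties the two together.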
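Review bot: the chasquid buster line says "(Minor issue, request smuggling)" while the CVE text calls the bug "SMTP smuggling"; use the same term as the description so that grep-based searches across the file find it, and since the only NOTE is the 1.13 release-notes page, add the upstream fix commit for the LF-terminated line handling, which is what a buster or bullseye backport would need.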
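Review bot: the openvswitch hunk leaves an unresolved contradiction in the entry: the CVE description says "openvswitch 2.17.8 was discovered to contain a memory leak" yet the referenced fix commit 3168f328 is annotated "(v2.17.0)", which would make 2.17.8 already fixed; if the CVE description's version is wrong, or the tag on the commit is, record which in a NOTE, because the bullseye and buster "Minor issue" triage and the "2.17.2-4" fixed version both depend on it.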
[Git][security-tracker-team/security-tracker][master] dla: tidy golang triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e6e7c86 by Sylvain Beucler at 2024-01-25T22:20:28+01:00 dla: tidy golang triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9724,7 +9724,7 @@ CVE-2023-39326 (A malicious HTTP sender can use chunk extensions to cause a rece - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Minor issue) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/64433 NOTE: https://github.com/golang/go/commit/ec8c526e4be720e94b98ca509e6364f0efaf28f7 (go1.21.5) NOTE: https://github.com/golang/go/commit/6446af942e2e2b161c4ec1b60d9703a2b55dc4dd (go1.20.12) @@ -9736,7 +9736,7 @@ CVE-2023-45285 (Using go get to fetch a module with the ".git" suffix may unexpe - golang-1.15 [bullseye] - golang-1.15 (Minor issue) - golang-1.11 - [buster] - golang-1.11 (Minor issue) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/63845 NOTE: https://github.com/golang/go/commit/23c943e5296c6fa3a6f9433bd929306c4dbf2aa3 (go1.21.5) NOTE: https://github.com/golang/go/commit/46bc33819ac86a9596b8059235842f0e0c7469bd (go1.20.12) 
@@ -9803,7 +9803,7 @@ CVE-2023-45287 (Before Go 1.20, the RSA based TLS key exchanges used the math/bi - golang-1.15 [bullseye] - golang-1.15 (Minor issue; intrusive backport) - golang-1.11 - [buster] - golang-1.11 (Minor issue) + [buster] - golang-1.11 (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://go.dev/issue/20654 NOTE: https://go.dev/cl/326012/26 NOTE: https://groups.google.com/g/golang-announce/c/QMK8IQALDvA View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6e7c86c3c664bbf5cc952ccc177444ed4d2aef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e6e7c86c3c664bbf5cc952ccc177444ed4d2aef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
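Review bot: the identical wording "(Limited support, minor issue, follow bullseye DSAs/point-releases)" is applied to the golang-1.11 buster lines of CVE-2023-39326 and CVE-2023-45285 in the first two hunks; that is a reasonable way to express the LTS policy, but the tag mixes a support status with a severity, and since it will presumably be reused for other golang-1.11 entries, it would be worth a short explanation in the relevant dla-needed.txt or LTS documentation so the phrase has one agreed meaning.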
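Review bot: in the third hunk, CVE-2023-45287, the bullseye line reads "(Minor issue; intrusive backport)", i.e. bullseye is unlikely to get a fix, and buster is now told to "follow bullseye DSAs/point-releases"; taken together this means buster will never get the RSA key-exchange fix, which may well be the intended outcome but should be stated explicitly in the buster annotation rather than left to be inferred from the bullseye line.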
[Git][security-tracker-team/security-tracker][master] CVE-2024-0727/openssl: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e12e02b1 by Sylvain Beucler at 2024-01-25T21:38:28+01:00 CVE-2024-0727/openssl: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72,6 +72,7 @@ CVE-2024-0727 [Add NULL checks where ContentInfo data can be NULL] - openssl [bookworm] - openssl (Minor issue) [bullseye] - openssl (Minor issue) + [buster] - openssl (Minor issue, DoS, Low severity) NOTE: https://www.openssl.org/news/secadv/20240125.txt NOTE: https://github.com/openssl/openssl/commit/041962b429ebe748c8b6b7922980dfb6decfef26 (master) NOTE: https://github.com/openssl/openssl/commit/8a85df7c60ba1372ee98acc5982e902d75f52130 (master) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e12e02b10902cfbc165d850af6c1198834181c17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e12e02b10902cfbc165d850af6c1198834181c17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
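Review bot: both fix commits for CVE-2024-0727 (041962b4 and 8a85df7c) are annotated "(master)", while the referenced secadv 20240125 covers several OpenSSL branches; add the per-branch commits or the fixed upstream versions in parentheses, since a buster or bullseye backport will be taken from the branch matching the packaged release, not from master, and the new buster line "(Minor issue, DoS, Low severity)" will be revisited against exactly that.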
[Git][security-tracker-team/security-tracker][master] CVE-2023-4969/firmware-nonfree: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 006a456c by Sylvain Beucler at 2024-01-24T13:33:46+01:00 CVE-2023-4969/firmware-nonfree: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1506,6 +1506,7 @@ CVE-2023-4969 (A GPU kernel can read sensitive data from another GPU kernel (eve - firmware-nonfree [bookworm] - firmware-nonfree (Minor issue, revisit when updates are available) [bullseye] - firmware-nonfree (Non-free not supported) + [buster] - firmware-nonfree (Minor issue, revisit when updates are available) NOTE: https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/ NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html CVE-2023-4797 (The Newsletters WordPress plugin before 4.9.3 does not properly escape ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/006a456c7811d95c691fb697c0b1aec1bd8c7237 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/006a456c7811d95c691fb697c0b1aec1bd8c7237 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
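Review bot: the new buster line for CVE-2023-4969 copies the bookworm annotation "(Minor issue, revisit when updates are available)", but the bullseye line in the same entry says "(Non-free not supported)"; buster's firmware-nonfree is equally non-free, so either the bullseye annotation is stale and should be aligned with bookworm and buster, or the buster line should carry the same "not supported" rationale; as written the three lines give two different reasons for not fixing the same package.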
[Git][security-tracker-team/security-tracker][master] CVE-2023-6693/qemu: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 67c1cf09 by Sylvain Beucler at 2024-01-24T12:40:17+01:00 CVE-2023-6693/qemu: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4332,6 +4332,7 @@ CVE-2023-6693 (A stack based buffer overflow was found in the virtio-net device - qemu 1:8.2.0+ds-3 [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254580 NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/e22f0603fb2fc274920a9e3a1d1306260b9a4cc4 (v5.1.0-rc0) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67c1cf09ee66f8ad448d02b2a05a007b5c85c76a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67c1cf09ee66f8ad448d02b2a05a007b5c85c76a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
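Review bot: the buster "(Vulnerable code introduced later)" tag is backed by the "Introduced by" NOTE pointing at e22f0603 "(v5.1.0-rc0)", which is the right kind of evidence; what the entry still lacks is the upstream fix commit for the virtio-net stack overflow, since the only other references are the Red Hat bug and a qemu-devel thread, and the unstable fixed version "1:8.2.0+ds-3" cannot be checked against upstream without it.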
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cafee77e by Sylvain Beucler at 2024-01-23T12:02:00+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,6 +43,7 @@ cacti (Sylvain Beucler) NOTE: 20231218: Keep triaging CVEs backlog (Beuc) NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc) NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc) + NOTE: 20240123: Backport patches, report duplicate to MITRE (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cafee77eee377c40dd51915b3492dd67838e6084 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cafee77eee377c40dd51915b3492dd67838e6084 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
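Review bot: the new cacti note "Backport patches, report duplicate to MITRE" names neither the CVE being reported nor the one it duplicates; the CVE/list entries committed in December (CVE-2023-50569 as a duplicate of CVE-2023-50250) are the likely subject, so put the two IDs in the note, which makes the status verifiable and lets whoever picks the package up later find the MITRE correspondence.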
[Git][security-tracker-team/security-tracker][master] dla: add gnutls28
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: f0c93d91 by Sylvain Beucler at 2024-01-22T14:26:01+01:00 dla: add gnutls28 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -90,6 +90,10 @@ freeimage frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) -- +gnutls28 + NOTE: 20240122: Added by Front-Desk (Beuc) + NOTE: 20240122: Incomplete fix for CVE-2023-5981/DLA-3660-1 (Beuc/front-desk) +-- golang-go.crypto NOTE: 20231219: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0c93d91b6af42db18e3b3d4cae771cf57d239ff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0c93d91b6af42db18e3b3d4cae771cf57d239ff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
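Review bot: "Incomplete fix for CVE-2023-5981/DLA-3660-1" should reference where the incompleteness was reported (upstream commit, issue, or a new CVE ID if one was assigned), otherwise the person taking gnutls28 from dla-needed.txt has to rediscover which part of the DLA-3660-1 patch was insufficient; the other front-desk entries in this file that flag follow-up work, e.g. the salt block, cite the thread they came from.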
[Git][security-tracker-team/security-tracker][master] CVE-2023-51448/cacti: harmonize buster triage
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: afb820f5 by Sylvain Beucler at 2024-01-18T20:07:11+01:00 CVE-2023-51448/cacti: harmonize buster triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4514,7 +4514,7 @@ CVE-2023-51448 (Cacti provides an operational monitoring and fault management fr - cacti 1.2.26+ds1-1 [bookworm] - cacti (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied) [bullseye] - cacti (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied) - [buster] - cacti (Vulnerable code introduced later) + [buster] - cacti (Vulnerable code introduced later; Fix for CVE-2023-30534 not applied) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594 NOTE: Introduced by: https://github.com/Cacti/cacti/commit/7b1ae5bcab3caca020da0080e19ac51c2743adfe (release/1.2.25, CVE-2023-30534) CVE-2023-51035 (TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afb820f562f59a6f1b0042b273985d78eef85f1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afb820f562f59a6f1b0042b273985d78eef85f1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
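Review bot: aligning the buster line with bookworm and bullseye ("Vulnerable code introduced later; Fix for CVE-2023-30534 not applied") is correct and makes the dependency explicit, but the entry still has no "Fixed by" commit for the unstable fixed version "1.2.26+ds1-1", only the advisory and the "Introduced by" commit; whoever later backports the CVE-2023-30534 fix to a stable release needs that commit, since the annotation says the two must be applied together.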
[Git][security-tracker-team/security-tracker][master] CVE-2023-39354,CVE-2023-40188: clarify context and commits
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fb6ecdc by Sylvain Beucler at 2024-01-15T17:50:28+01:00 CVE-2023-39354,CVE-2023-40188: clarify context and commits DLA-3606-1 incorporated the 2 patches, no changes. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23305,7 +23305,6 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol [bullseye] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6 NOTE: https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def (2.11.0) - NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0) CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) 
@@ -23542,11 +23541,8 @@ CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop Protocol [bookworm] - freerdp2 (Minor issue) [bullseye] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq - NOTE: Upstream reported the following fix through https://salsa.debian.org/-/snippets/662: - NOTE: https://github.com/FreeRDP/FreeRDP/commit/bdb3909a7713fb0b3d94c9676fe44d19de80eb4b (2.11.0) - NOTE: But, the advisory is inconsistent: it references 'general_LumaToYUV444' and 'in', while the code - NOTE: excerpt and stack trace (which is strikingly similar to CVE-2023-39354) are focused on 'rsc_rle_decode'. - NOTE: The commit bdb3909a above looks unrelated. Ubuntu used one of CVE-2023-39354's patches: + NOTE: Upstream mentioned on #freerdp that the advisory title/summary + NOTE: should reference `nsc_rle_decode` instead of `general_LumaToYUV444`. NOTE: https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a (2.11.0) CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 (Vulnerable code introduced in 3.0.0-beta1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb6ecdcdf2e087a134ec90edfa21c17507e85f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fb6ecdcdf2e087a134ec90edfa21c17507e85f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
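Review bot: the first hunk removes commit 9a1ee1ba from CVE-2023-39354, leaving it attached only to CVE-2023-40188; the commit message explains that DLA-3606-1 shipped both patches, but that fact lives only in the commit message, so a one-line NOTE on CVE-2023-39354 ("second patch 9a1ee1ba tracked under CVE-2023-40188, both in DLA-3606-1") would keep the cross-reference where the next triager will look.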
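Review bot: in the second hunk the deleted text quoted the advisory's function as 'rsc_rle_decode' while the replacement says `nsc_rle_decode`; if the old spelling was a typo, fine, but please confirm the name against the code, since this function name is the only thing that ties commit 9a1ee1ba to CVE-2023-40188. Also, "Upstream mentioned on #freerdp" is an IRC conversation, which nobody can check later; if there is a log, a GitHub advisory comment, or a salsa snippet (as the removed lines had with snippets/662), link it.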
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 907e4210 by Sylvain Beucler at 2024-01-12T18:41:47+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -38,6 +38,7 @@ cacti (Sylvain Beucler) NOTE: 20231205: Triaging CVEs backlog (Beuc) NOTE: 20231218: Keep triaging CVEs backlog (Beuc) NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc) + NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/907e421042189e8e36a9305dd31ee78b4bd2c063 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/907e421042189e8e36a9305dd31ee78b4bd2c063 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2018-1311/xerces-c: further detail on recent new fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 31af2465 by Sylvain Beucler at 2024-01-02T12:08:01+01:00 CVE-2018-1311/xerces-c: further detail on recent new fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -406604,7 +406604,7 @@ CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-afte NOTE: http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm (fix with memory leak, applied in DLA-2498-1 and DSA-4814-1) NOTE: Mitigation by setting the XERCES_DISABLE_DTD environment variable NOTE: Fixed by: https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835 (v3.2.5) - NOTE: Fix replaced with upstream vetted patch (without introducing memory leak) in 3.2.4+debian-1.1 + NOTE: Fix replaced with upstream-vetted patch (without introducing memory leak and binary-compatible) in 3.2.4+debian-1.1 CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ client vulne ...) NOT-FOR-US: Apache NiFi CVE-2018-1309 (Apache NiFi External XML Entity issue in SplitXML processor. Malicious ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31af2465e82556b91f269cfdc113f86c86d10730 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31af2465e82556b91f269cfdc113f86c86d10730 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
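Review bot: the reworded NOTE "(without introducing memory leak and binary-compatible)" is grammatically off, "and binary-compatible" does not attach to "without"; something like "(no memory leak, ABI-compatible)" reads cleanly. More importantly, the lines above still say the leaking CentOS patch was "applied in DLA-2498-1 and DSA-4814-1", while the new text only records the replacement in 3.2.4+debian-1.1; add whether buster and bullseye are to receive the upstream-vetted patch too or stay on the leaking one, since that is the open question this NOTE will be read for.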
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 86cc61ac by Sylvain Beucler at 2024-01-02T10:31:04+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,6 +39,7 @@ cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20231205: Triaging CVEs backlog (Beuc) NOTE: 20231218: Keep triaging CVEs backlog (Beuc) + NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86cc61ac4b648e63bad679d0a6b15a8407314857 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86cc61ac4b648e63bad679d0a6b15a8407314857 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-39360/cacti: buster vulnerable
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ff79ebb by Sylvain Beucler at 2023-12-23T11:41:03+01:00 CVE-2023-39360/cacti: buster vulnerable Partially reverts c2cd83ada63557101b824353810914de3f0106b0 - - - - - c9c83c7f by Sylvain Beucler at 2023-12-23T11:41:50+01:00 CVE-2023-39360/cacti: clarify links - - - - - 2 changed files: - data/CVE/list - + data/CVE/list.orig Changes: = data/CVE/list = 
@@ -18695,11 +18695,10 @@ CVE-2023-39360 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 [bullseye] - cacti (Vulnerable code not present) - [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 - NOTE: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25) - NOTE: https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa (release/1.2.25) - NOTE: Introduced by: https://github.com/cacti/cacti/commit/bf292d5d57c2afa108f65198074cd82a40c13fd3 (release/1.2.17) + NOTE: Initial fix: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 (release/1.2.25) + NOTE: Final fix: https://github.com/cacti/cacti/commit/bc6dc996745ef0dee3427178c8d87a6402f3fefa (release/1.2.25) + NOTE: Attack is usually blocked by browser CORS/CSP policies. CVE-2023-39359 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 = data/CVE/list.orig = The diff for this file was not included because it is too large. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/700ff44c5c12cbb4024757854242d4e86b400bb3...c9c83c7fbdbab5c0692f5685c00276615bee1af7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/700ff44c5c12cbb4024757854242d4e86b400bb3...c9c83c7fbdbab5c0692f5685c00276615bee1af7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
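Review bot: the changed-files list shows "+ data/CVE/list.orig" being added to the repository (the diff is omitted as too large), which looks like a stray editor or patch backup of the 400k-line CVE list committed by accident; it should be removed in a follow-up commit, and a .gitignore rule for *.orig would prevent a repeat.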
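Review bot: dropping the buster "(Vulnerable code introduced later)" line together with the "Introduced by: bf292d5d (release/1.2.17)" NOTE removes the evidence that the earlier triage relied on without saying why it was wrong; if the vulnerable code in fact predates 1.2.17, a NOTE stating that would stop someone re-adding the same not-affected claim. Separately, "Attack is usually blocked by browser CORS/CSP policies" needs to be more precise: CORS only restricts cross-origin reads and does not stop a stored XSS from executing in the victim's origin, so if the mitigation is a Content-Security-Policy header that Cacti sends, cite where it is set.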
[Git][security-tracker-team/security-tracker][master] CVE-2023-51448/cacti: reference introductory commit / previous CVE fix
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 700ff44c by Sylvain Beucler at 2023-12-23T10:25:02+01:00 CVE-2023-51448/cacti: reference introductory commit / previous CVE fix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50,7 +50,9 @@ CVE-2023-51649 (Nautobot is a Network Source of Truth and Network Automation Pla NOT-FOR-US: Nautobot CVE-2023-51448 (Cacti provides an operational monitoring and fault management framewor ...) - cacti + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-w85f-7c4w-7594 + NOTE: Introduced by: https://github.com/Cacti/cacti/commit/7b1ae5bcab3caca020da0080e19ac51c2743adfe (release/1.2.25, CVE-2023-30534) CVE-2023-51035 (TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...) NOT-FOR-US: TOTOLINK CVE-2023-51034 (TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary com ...) 
@@ -36408,6 +36410,7 @@ CVE-2023-30534 (Cacti is an open source operational monitoring and fault managem NOTE: https://github.com/Cacti/cacti/commit/6d22e0623dfbc5d687d8f61e683173d0d625f3a7 (release/1.2.25) NOTE: https://github.com/Cacti/cacti/commit/7b1ae5bcab3caca020da0080e19ac51c2743adfe (release/1.2.25) NOTE: https://github.com/Cacti/cacti/commit/35d76a87d10ffeec483c768663013746624cecbf (release/1.2.25) + NOTE: Be careful. Introduces CVE-2023-51448. CVE-2023-30533 (SheetJS Community Edition before 0.19.3 allows Prototype Pollution via ...) NOT-FOR-US: SheetJS CVE-2023-2011 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/700ff44c5c12cbb4024757854242d4e86b400bb3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/700ff44c5c12cbb4024757854242d4e86b400bb3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
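Review bot: in the first hunk only buster gets the "(Vulnerable code introduced later)" line, although the stated introduction point, 7b1ae5bc in release/1.2.25, would put the bookworm and bullseye packages on the same side of the line (the CVE-2023-39360 entry elsewhere in this file lists bookworm at 1.2.24+ds1-1+deb12u1); triage those two releases in the same commit, or note that they are deliberately left pending, so the entry does not look half done.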
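Review bot: the NOTE "Be careful. Introduces CVE-2023-51448." on CVE-2023-30534 is the right place for the warning, but it should say what to do about it, e.g. "Fix for this CVE introduces CVE-2023-51448; backport both together", and ideally name which of the three commits (6d22e062, 7b1ae5bc, 35d76a87) is the one that introduces it, since the CVE-2023-51448 entry pins it to 7b1ae5bc.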
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-50250/cacti: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d800e5e6 by Sylvain Beucler at 2023-12-23T09:48:25+01:00 CVE-2023-50250/cacti: buster not-affected - - - - - a65dc34d by Sylvain Beucler at 2023-12-23T09:49:01+01:00 CVE-2023-50569/cacti: most likely duplicate of CVE-2023-50250 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104,6 +104,7 @@ CVE-2023-50708 (yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 CVE-2023-50569 (Reflected Cross Site Scripting (XSS) vulnerability in Cacti v1.2.25, a ...) - cacti NOTE: https://gist.github.com/ISHGARD-2/a6b57de899f977e2af41780e7428b4bf + NOTE: Exact same text as GHSA-xwqc-7jc4-xm73 / CVE-2023-50250. CVE-2023-50259 (Medusa is an automatic video library manager for TV shows. Versions pr ...) TODO: check CVE-2023-50258 (Medusa is an automatic video library manager for TV shows. Versions pr ...) 
@@ -112,7 +113,9 @@ CVE-2023-50254 (Deepin Linux's default document reader `deepin-reader` software - deepin-reader (bug #970218) CVE-2023-50250 (Cacti is an open source operational monitoring and fault management fr ...) - cacti + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-xwqc-7jc4-xm73 + NOTE: Introduced by: https://github.com/Cacti/cacti/commit/27a36d48e1cea172b0750c970324208b39d2bec5 (release/1.2.23) CVE-2023-50147 (There is an arbitrary command execution vulnerability in the setDiagno ...) NOT-FOR-US: TOTOLINK CVE-2023-49792 (Nextcloud Server provides data storage for Nextcloud, an open source c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/78055871a641cd52c6b9248fa85330068f6e10b1...a65dc34d41a35fd4229e03ad1e7682609d53ae34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/78055871a641cd52c6b9248fa85330068f6e10b1...a65dc34d41a35fd4229e03ad1e7682609d53ae34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
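Review bot: for CVE-2023-50569 the NOTE "Exact same text as GHSA-xwqc-7jc4-xm73 / CVE-2023-50250" leaves the entry open against unstable via the bare "- cacti" line; until MITRE rejects the ID, the tracker will count it as a separate unfixed issue, so either mirror the CVE-2023-50250 triage here (including the buster not-affected line added in the second hunk) or note that a rejection has been requested and by whom.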
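Review bot: the second hunk marks buster not affected by CVE-2023-50250 because the code arrived with 27a36d48 in release/1.2.23, which is consistent; by the same reasoning bookworm (1.2.24 per the CVE-2023-39360 entry) and bullseye are affected, yet neither gets an annotation in this commit, and the unstable "- cacti" line has no fixed version or "Fixed by" commit, so the entry should at least record that a fix is still pending upstream.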
[Git][security-tracker-team/security-tracker][master] CVE-2023-49088/cacti: clarify link
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 78055871 by Sylvain Beucler at 2023-12-23T09:32:35+01:00 CVE-2023-49088/cacti: clarify link - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -130,7 +130,7 @@ CVE-2023-49356 (A stack buffer overflow vulnerability in MP3Gain v1.6.2 allows a CVE-2023-49088 (Cacti is an open source operational monitoring and fault management fr ...) - cacti NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-q7g7-gcf6-wh4x - NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h + NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-hrg9-qqqx-wc4h (CVE-2023-39515) CVE-2023-49085 (Cacti provides an operational monitoring and fault management framewor ...) - cacti NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vr3c-38wh-g855 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78055871a641cd52c6b9248fa85330068f6e10b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78055871a641cd52c6b9248fa85330068f6e10b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
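Review bot: tagging the second advisory link with "(CVE-2023-39515)" tells the reader which CVE GHSA-hrg9-qqqx-wc4h belongs to, but not why it sits under CVE-2023-49088; say whether 49088 is an incomplete fix of 39515, a duplicate, or merely related code, because each of those implies a different triage for the releases that already received the 39515 fix.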
[Git][security-tracker-team/security-tracker][master] CVE-2022-39320/freerdp: fix introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a4129d51 by Sylvain Beucler at 2023-12-22T18:27:36+01:00 CVE-2022-39320/freerdp: fix introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91142,7 +91142,7 @@ CVE-2022-39320 (FreeRDP is a free remote desktop protocol library and clients. A [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qfq2-82qr-7f4j NOTE: https://github.com/FreeRDP/FreeRDP/commit/68c6a8c1878b5294aecb04d5e27531a720b3793f (2.9.0) - NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/68c6a8c1878b5294aecb04d5e27531a720b3793f (2.0.0) + NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/0927d7aa50c76b671b55c33e0f06c950d1f08e9a (2.0.0) CVE-2022-39319 (FreeRDP is a free remote desktop protocol library and clients. Affecte ...) {DLA-3654-1} - freerdp2 2.9.0+dfsg1-1 (bug #1024511) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4129d51bb1c7e5fc1a233d3028fb73e97c8f77d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4129d51bb1c7e5fc1a233d3028fb73e97c8f77d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
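Review bot: the corrected "Introduced by" line now points at 0927d7aa instead of repeating the fix commit 68c6a8c1, which was an obvious copy-paste error. Given the fix is tagged "(2.9.0)" and the neighbouring CVE-2022-39319 entry was closed by DLA-3654-1 (freerdp2 2.9.0+dfsg1-1), it is worth stating in a NOTE whether DLA-3654-1 also carries the CVE-2022-39320 fix; if it does, the buster line "(Minor issue)" should become a {DLA-3654-1} reference rather than an open postponement.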