[Git][security-tracker-team/security-tracker][master] Reserve DLA-3808-1 for intel-microcode

2024-05-04 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b2394717 by Tobias Frost at 2024-05-04T17:15:59+02:00
Reserve DLA-3808-1 for intel-microcode

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -17884,35 +17884,30 @@ CVE-2023-43490 (Incorrect calculation in microcode 
keying mechanism for some Int
- intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
-   [buster] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01045.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-39368 (Protection mechanism failure of bus lock regulator for some 
Intel(R) P ...)
- intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
-   [buster] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00972.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-38575 (Non-transparent sharing of return predictor targets between 
contexts i ...)
- intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
-   [buster] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-22655 (Protection mechanism failure in some 3rd and 4th Generation 
Intel(R) X ...)
- intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
-   [buster] - intel-microcode  (Decide after exposure on 
unstable for update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00960.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240312
 CVE-2023-28746 (Information exposure through microarchitectural state after 
transient  ...)
- intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
-   [buster] - intel-microcode  (Decide after exposure on 
unstable for update)
- linux 6.7.9-2
[bookworm] - linux 6.1.82-1
- xen 
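Review bot: the five removed `[buster] - intel-microcode (Decide after exposure on unstable for update)` lines account for the -35/+30 hunk header, and dropping them is what lets the new DLA-3808-1 entry in data/DLA/list determine the buster status for CVE-2023-43490, CVE-2023-39368, CVE-2023-38575, CVE-2023-22655 and CVE-2023-28746. The bookworm and bullseye lines keep the same placeholder text, so those suites stay undecided here. CVE-2023-28746 also carries linux and xen entries (`- linux 6.7.9-2`, `[bookworm] - linux 6.1.82-1`, `- xen`) that this hunk leaves untouched, so the microcode DLA does not change the kernel or hypervisor side of that issue.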


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[04 May 2024] DLA-3808-1 intel-microcode - security update
+   {CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 
CVE-2023-43490}
+   [buster] - intel-microcode 3.20240312.1~deb10u1
 [04 May 2024] DLA-3807-1 glibc - security update
{CVE-2024-2961}
[buster] - glibc 2.28-10+deb10u3
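Review bot: the brace line `{CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 CVE-2023-43490}` is exactly the five entries whose buster lines are removed in the data/CVE/list hunk, so the two files agree. The version `3.20240312.1~deb10u1` uses the `~deb10u1` suffix, which sorts below the unstable `3.20240312.1` it is rebuilt from, so a later upgrade to a suite shipping 3.20240312.1 is still an upgrade; date, brace line and suite line follow the format of the neighbouring DLA-3807-1 glibc entry.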


=
data/dla-needed.txt
=
@@ -105,12 +105,6 @@ i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
 --
-intel-microcode (tobi)
-  NOTE: 20240502: Added by Front-Desk (Beuc)
-  NOTE: 20240502: Update being tested in unstable,
-  NOTE: 20240502: (CVE-2023-22655 CVE-2023-28746 CVE-2023-38575 CVE-2023-39368 
CVE-2023-43490)
-  NOTE: 20240502: Follow PU: #1068082 and #1068084 (Beuc/front-desk)
---
 jenkins-htmlunit-core-js
   NOTE: 20231231: Added by Front-Desk (lamby)
   NOTE: 20231231: Needs checking that this is definitely vulnerable: a quick 
glance
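Review bot: removing the claimed entry also drops the `Follow PU: #1068082 and #1068084` pointer; since the bookworm and bullseye lines for these CVEs in data/CVE/list still read `Decide after exposure on unstable for update`, those two point-update bug numbers are no longer recorded anywhere in the tracker. Consider carrying them as NOTE lines on the CVE entries so the pending stable updates stay discoverable.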



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b23947176c7ede9a9b9260cbea8ad041a135fe44

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b23947176c7ede9a9b9260cbea8ad041a135fe44
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list

[Git][security-tracker-team/security-tracker][master] Reserve DLA-3797-1 for frr

2024-04-28 Thread Tobias Frost (@tobi)




Commits:
60da1161 by Tobias Frost at 2024-04-28T08:09:24+02:00
Reserve DLA-3797-1 for frr

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -129198,7 +129198,6 @@ CVE-2022-37036
 CVE-2022-37035 (An issue was discovered in bgpd in FRRouting (FRR) 8.3. In 
bgp_notify_ ...)
- frr 8.4.1-1 (bug #1016978)
[bullseye] - frr  (Minor issue)
-   [buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/11698
NOTE: https://github.com/FRRouting/frr/pull/11926
NOTE: 
https://github.com/FRRouting/frr/commit/71ca5b09bc71e8cbe38177cf41e83fe164e52eee
@@ -160582,31 +160581,26 @@ CVE-2020-36516 (An issue was discovered in the 
Linux kernel through 5.16.11. The
 CVE-2022-26129 (Buffer overflow vulnerabilities exist in FRRouting through 
8.1.0 due t ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
-   [buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10503
NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together 
with CVE-2022-26128)
 CVE-2022-26128 (A buffer overflow vulnerability exists in FRRouting through 
8.1.0 due  ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
-   [buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10502
NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together 
with CVE-2022-26129)
 CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 
8.1.0 due  ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
-   [buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10487
NOTE: Fixed by https://github.com/FRRouting/frr/pull/10494
 CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 
8.1.0 due t ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
-   [buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10505
NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566
 CVE-2022-26125 (Buffer overflow vulnerabilities exist in FRRouting through 
8.1.0 due t ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
-   [buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10507
NOTE: Fix (8.2): https://github.com/FRRouting/frr/pull/10542
NOTE: Fix (8.3): https://github.com/FRRouting/frr/pull/10517
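Review bot: the -31/+26 header accounts for exactly the five `[buster] - frr (Minor issue)` lines removed for CVE-2022-26125 through CVE-2022-26129; with CVE-2022-37035 in the previous hunk that is six buster annotations cleared so the DLA entry in data/DLA/list becomes the buster status. The `(Minor issue)` tags on the bullseye lines are left in place, which is correct since the DLA covers buster only.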


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Apr 2024] DLA-3797-1 frr - security update
+   {CVE-2022-26125 CVE-2022-26126 CVE-2022-26127 CVE-2022-26128 
CVE-2022-26129 CVE-2022-37035 CVE-2023-38406 CVE-2023-38407 CVE-2023-46752 
CVE-2023-46753 CVE-2023-47234 CVE-2023-47235 CVE-2024-31948 CVE-2024-31949}
+   [buster] - frr 7.5.1-1.1+deb10u2
 [27 Apr 2024] DLA-3796-1 mediawiki - security update
{CVE-2023-51704}
[buster] - mediawiki 1:1.31.16-1+deb10u8
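Review bot: the brace line names fourteen CVEs, but the data/CVE/list hunks in this commit clear buster annotations for only six of them; the other eight (CVE-2023-38406, CVE-2023-38407, CVE-2023-46752, CVE-2023-46753, CVE-2023-47234, CVE-2023-47235, CVE-2024-31948, CVE-2024-31949) are therefore assumed to have had no buster-specific line. That is consistent with the earlier commits in this thread, which only added NOTE lines to CVE-2023-47235 and marked CVE-2024-31950 and CVE-2024-31951 (not part of this DLA) as `Vulnerable code not present`, but a quick grep of data/CVE/list for a leftover `[buster] - frr` line under those eight would confirm it before the advisory text goes out.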


=
data/dla-needed.txt
=
@@ -98,11 +98,6 @@ freeimage
   NOTE: 20240412: ELTS also have a need to update this package.
   NOTE: 20240412: We should open upstream bug reports and push fixes. See 
above email discussion. (ola)
 --
-frr (tobi)
-  NOTE: 20231119: Added by Front-Desk (apo)
-  NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
-  NOTE: 20240301: continue work (abhijith)
---
 glibc (Adrian Bunk)
   NOTE: 20240419: Added by coordinator (santiago)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60da116140b9f4d3feddb3db505704a7f53b544a





[Git][security-tracker-team/security-tracker][master] CVE-2024-31951/frr buster and bullseye is not affected

2024-04-27 Thread Tobias Frost (@tobi)




Commits:
dff6b48e by Tobias Frost at 2024-04-27T18:00:31+02:00
CVE-2024-31951/frr buster and bullseye is not affected

Vulnerable feature (Link State Data Base) has been introduced in 8.0 (first 
version containing commit f173deb35206a0)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5961,8 +5961,11 @@ CVE-2024-3430 (A vulnerability was found in QKSMS up to 
3.9.4 on Android. It has
NOT-FOR-US: QKSMS
 CVE-2024-31951 (In the Opaque LSA Extended Link parser in FRRouting (FRR) 
through 9.1, ...)
- frr 
+   [bullseye] - frr  (Vulnerable code not present)
+   [buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15674/
NOTE: Proposed fix: 
https://github.com/FRRouting/frr/pull/15674/commits/344fb4be2bc27316c74b17003c05ea40be395836
+   NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow 
and dae ...)
- frr 
[bullseye] - frr  (Vulnerable code not present)
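Review bot: marking bullseye and buster as `Vulnerable code not present` together with a NOTE naming the commit that introduced the feature (f173deb35206a0, first shipped in 8.0) is the right shape for this annotation, and it is consistent with the buster package being 7.5.1-based (7.5.1-1.1+deb10u2 in the DLA-3797-1 entry elsewhere in this thread). The proposed fix is still a commit inside an open PR (15674), so the entry will need another touch once the fix is merged and the fixed upstream version is known.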



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dff6b48ec9a1809716df457fe97ed989cfb533b0





[Git][security-tracker-team/security-tracker][master] CVE-2024-31950/frr buster and bullseye is not affected

2024-04-27 Thread Tobias Frost (@tobi)




Commits:
0fad262c by Tobias Frost at 2024-04-27T12:17:47+02:00
CVE-2024-31950/frr buster and bullseye is not affected

Vulnerable feature (Link State Data Base) has been introduced in 8.0 (first 
version containing commit f173deb35206a0)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5965,8 +5965,11 @@ CVE-2024-31951 (In the Opaque LSA Extended Link parser 
in FRRouting (FRR) throug
NOTE: Proposed fix: 
https://github.com/FRRouting/frr/pull/15674/commits/344fb4be2bc27316c74b17003c05ea40be395836
 CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow 
and dae ...)
- frr 
+   [bullseye] - frr  (Vulnerable code not present)
+   [buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15674/
NOTE: Proposed fix: 
https://github.com/FRRouting/frr/pull/15674/commits/6b84541df71772f697a7f9e6b2aaf72536aab775
+   NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-31949 (In FRRouting (FRR) through 9.1, an infinite loop can occur 
when receiv ...)
- frr 
NOTE: https://github.com/FRRouting/frr/pull/15640
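Review bot: same pattern as the CVE-2024-31951 change, and both CVEs share upstream PR 15674 with different fix commits (6b84541d here, 344fb4be for CVE-2024-31951, visible in the context above). Since the two entries are adjacent and depend on the same PR, they should be updated together when it merges, so one does not end up citing a merged fix while the other still says `Proposed fix`.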



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fad262cd443e115aa0cb853829adda60229f5d6





[Git][security-tracker-team/security-tracker][master] CVE-2024-27913/frr buster and bullseye is not affected

2024-04-27 Thread Tobias Frost (@tobi)




Commits:
9fe826e2 by Tobias Frost at 2024-04-27T10:56:43+02:00
CVE-2024-27913/frr buster and bullseye is not affected

Vulnerable feature has been introduced in 8.0 (first version containing commit 
f173deb35206a0)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17485,8 +17485,11 @@ CVE-2023-51786 (An issue was discovered in Lustre 
versions 2.13.x, 2.14.x, and 2
NOTE: 
http://lists.lustre.org/pipermail/lustre-announce-lustre.org/2024/000270.html
 CVE-2024-27913 (ospf_te_parse_te in ospfd/ospf_te.c in FRRouting (FRR) through 
9.1 all ...)
- frr 9.1-0.1 (bug #1065144)
+   [bullseye] - frr  (Vulnerable code not present)
+   [buster] - frr  (Vulnerable code not present)
NOTE: https://github.com/FRRouting/frr/pull/15431
-   NOTE: stable/9.0: 
https://github.com/FRRouting/frr/commit/aae54e20498974cb026bd0e2649ca3e753090492
 (
+   NOTE: stable/9.0: 
https://github.com/FRRouting/frr/commit/aae54e20498974cb026bd0e2649ca3e753090492
+   NOTE: vulnerable feature introduced in 
https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5
 (first shipped with 8.0)
 CVE-2024-26542 (Cross Site Scripting vulnerability in Bonitasoft, S.A v.7.14. 
and fixe ...)
NOT-FOR-US: Bonitasoft
 CVE-2024-26302 (A vulnerability in the web-based management interface of 
ClearPass Pol ...)
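Review bot: besides the two suite lines, this hunk replaces the old `NOTE: stable/9.0:` line, which ended in a stray ` (`, with a clean copy, so it also fixes that typo and the commit message could say so. The not-affected justification is the same feature-introducing commit cited for CVE-2024-31950 and CVE-2024-31951, and the CVE text places CVE-2024-27913 in `ospf_te_parse_te` in `ospfd/ospf_te.c`, so sharing the justification is reasonable; note that, unlike those two, this entry already has a Debian fixed version (`9.1-0.1 (bug #1065144)`).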



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fe826e21eab6cef321cb83c6d10cd44eb65271e





[Git][security-tracker-team/security-tracker][master] CVE-2023-47235/frr add reference to upstream pull requests.

2024-04-27 Thread Tobias Frost (@tobi)




Commits:
9d557633 by Tobias Frost at 2024-04-27T10:21:11+02:00
CVE-2023-47235/frr add reference to upstream pull requests.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39748,6 +39748,9 @@ CVE-2023-47272 (Roundcube 1.5.x before 1.5.6 and 1.6.x 
before 1.6.5 allows XSS v
 CVE-2023-47235 (An issue was discovered in FRRouting FRR through 9.0.1. A 
crash can oc ...)
- frr 9.1-0.1 (bug #1055852)
NOTE: 
https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b
+   NOTE: https://github.com/FRRouting/frr/pull/14716
+   NOTE: https://github.com/FRRouting/frr/pull/14861 (backport to 9.0)
+   NOTE: https://github.com/FRRouting/frr/pull/14735 (backport to 9.1)
 CVE-2023-47234 (An issue was discovered in FRRouting FRR through 9.0.1. A 
crash can oc ...)
- frr 9.1-0.1 (bug #1055852)
NOTE: 
https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf
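Review bot: the existing commit reference `6814f2e0138a6ea5e1f83bdd9085d9a7700b` is 36 hex digits, not a full 40-digit SHA (compare the CVE-2023-47234 note below, which is full length), so it is an abbreviated hash that resolves only while it stays unambiguous. The PR links added here give a stable reference, but the truncated hash should be expanded to the full SHA in the same touch.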



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d557633cfd15b3bcffe40cf15806501bf4eb729





[Git][security-tracker-team/security-tracker][master] Add MR reference for CVE-2022-26128/frr and CVE-2022-26129/frr

2024-04-21 Thread Tobias Frost (@tobi)




Commits:
3c8638eb by Tobias Frost at 2024-04-21T20:33:05+02:00
Add MR reference for CVE-2022-26128/frr and CVE-2022-26129/frr

They are both fixed by the same patch.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159231,11 +159231,13 @@ CVE-2022-26129 (Buffer overflow vulnerabilities 
exist in FRRouting through 8.1.0
[bullseye] - frr  (Minor issue)
[buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10503
+   NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together 
with CVE-2022-26128)
 CVE-2022-26128 (A buffer overflow vulnerability exists in FRRouting through 
8.1.0 due  ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
[buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10502
+   NOTE: Fixed by https://github.com/FRRouting/frr/issues/10504 (together 
with CVE-2022-26129)
 CVE-2022-26127 (A buffer overflow vulnerability exists in FRRouting through 
8.1.0 due  ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
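Review bot: both new lines say `Fixed by https://github.com/FRRouting/frr/issues/10504` while the subject calls it an MR reference; if 10504 is a pull request, GitHub redirects the `issues/` URL to `pull/`, but the `pull/` form used for CVE-2022-26127 earlier today (`pull/10494`) is unambiguous and keeps the notes consistent. If 10504 really is an issue, `Fixed by` is misleading and the fix commit or PR should be cited instead.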



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c8638ebfd548cf541488bf514cbfe71bf21b223





[Git][security-tracker-team/security-tracker][master] CVE-2022-26127/frr add PR that fixes the issue.

2024-04-21 Thread Tobias Frost (@tobi)




Commits:
e7d6304e by Tobias Frost at 2024-04-21T20:09:56+02:00
CVE-2022-26127/frr add PR that fixes the issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159241,6 +159241,7 @@ CVE-2022-26127 (A buffer overflow vulnerability 
exists in FRRouting through 8.1.
[bullseye] - frr  (Minor issue)
[buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10487
+   NOTE: Fixed by https://github.com/FRRouting/frr/pull/10494
 CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 
8.1.0 due t ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7d6304ec3af44ab86027662c593c2e116330def





[Git][security-tracker-team/security-tracker][master] CVE-2022-26126/frr - add upstream PR fix.

2024-04-21 Thread Tobias Frost (@tobi)




Commits:
3556f07b by Tobias Frost at 2024-04-21T19:55:30+02:00
CVE-2022-26126/frr - add upstream PR fix.

This time adding to the correct CVE, c49e7ebcbdc95ccda3200e3831b29b84d4f5ef38
accidentally added it to CVE-2022-2612*7*, which is obviously wrong (as
it did not match the commit message).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159223,6 +159223,7 @@ CVE-2022-26126 (Buffer overflow vulnerabilities exist 
in FRRouting through 8.1.0
[bullseye] - frr  (Minor issue)
[buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10505
+   NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566
 CVE-2022-26125 (Buffer overflow vulnerabilities exist in FRRouting through 
8.1.0 due t ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
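Review bot: this adds the note to the right entry, CVE-2022-26126, but nothing in the hunk removes the mistaken `NOTE: Fixed by .../pull/10566` line that c49e7ebc added under CVE-2022-26127, and the commit message describes the mistake without saying it was reverted. The later e7d6304e hunk shows CVE-2022-26127 without that line, so it was cleaned up in a commit not in this thread; doing the removal and the re-add in one commit would have made the correction easier to audit.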



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3556f07b235e814ddc044c2bd0ce0d64185e2574





[Git][security-tracker-team/security-tracker][master] CVE-2022-26126/frr - add upstream PR fix.

2024-04-21 Thread Tobias Frost (@tobi)




Commits:
c49e7ebc by Tobias Frost at 2024-04-21T10:18:29+02:00
CVE-2022-26126/frr - add upstream PR fix.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159213,6 +159213,7 @@ CVE-2022-26127 (A buffer overflow vulnerability 
exists in FRRouting through 8.1.
[bullseye] - frr  (Minor issue)
[buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10487
+   NOTE: Fixed by https://github.com/FRRouting/frr/pull/10566
 CVE-2022-26126 (Buffer overflow vulnerabilities exist in FRRouting through 
8.1.0 due t ...)
- frr 8.4.1-1 (bug #1008010)
[bullseye] - frr  (Minor issue)
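Review bot: the hunk header context (`CVE-2022-26127 (A buffer overflow vulnerability ...`) and the surrounding `issues/10487` line show this NOTE landing under CVE-2022-26127, while the subject says CVE-2022-26126; the entry touched does not match the commit message. The author corrected this in 3556f07b later the same day.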



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c49e7ebcbdc95ccda3200e3831b29b84d4f5ef38





[Git][security-tracker-team/security-tracker][master] CVE-2022-26125/frr add link to PR fixing issue.

2024-04-20 Thread Tobias Frost (@tobi)




Commits:
797a96c1 by Tobias Frost at 2024-04-20T17:16:52+02:00
CVE-2022-26125/frr add link to PR fixing issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -159198,6 +159198,8 @@ CVE-2022-26125 (Buffer overflow vulnerabilities exist 
in FRRouting through 8.1.0
[bullseye] - frr  (Minor issue)
[buster] - frr  (Minor issue)
NOTE: https://github.com/FRRouting/frr/issues/10507
+   NOTE: Fix (8.2): https://github.com/FRRouting/frr/pull/10542
+   NOTE: Fix (8.3): https://github.com/FRRouting/frr/pull/10517
 CVE-2022-26122 (An insufficient verification of data authenticity 
vulnerability [CWE-3 ...)
NOT-FOR-US: FortiGuard
 CVE-2022-26121 (An exposure of resource to wrong sphere vulnerability 
[CWE-668] in For ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/797a96c1b3c51416374081e6428a7d7a9138e5d8





[Git][security-tracker-team/security-tracker][master] LTS: claim frr in dla-needed.txt

2024-04-13 Thread Tobias Frost (@tobi)




Commits:
1cf89abb by Tobias Frost at 2024-04-13T17:46:24+02:00
LTS: claim frr in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -87,7 +87,7 @@ freeimage
   NOTE: 20240412: ELTS also have a need to update this package.
   NOTE: 20240412: We should open upstream bug reports and push fixes. See 
above email discussion. (ola)
 --
-frr
+frr (tobi)
   NOTE: 20231119: Added by Front-Desk (apo)
   NOTE: 20240206: Continuing fixing the remaining issues (abhijith)
   NOTE: 20240301: continue work (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cf89abbe30d34b3284f931400cf77596ccfb643





[Git][security-tracker-team/security-tracker][master] Reserve DLA-3783-1 for expat

2024-04-07 Thread Tobias Frost (@tobi)




Commits:
22b0e152 by Tobias Frost at 2024-04-07T09:14:11+02:00
Reserve DLA-3783-1 for expat

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[07 Apr 2024] DLA-3783-1 expat - security update
+   {CVE-2023-52425}
+   [buster] - expat 2.2.6-2+deb10u7
 [07 Apr 2024] DLA-3782-1 util-linux - security update
{CVE-2021-37600 CVE-2024-28085}
[buster] - util-linux 2.33.1-0.1+deb10u1


=
data/dla-needed.txt
=
@@ -75,10 +75,6 @@ emacs (Sean Whitton)
   NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable
   NOTE: 20240403: to CVE-2024-30203. (lamby)
 --
-expat (tobi)
-  NOTE: 20240306: Added by Front-Desk (opal)
-  NOTE: 20230324: slowly making progress, seems that I've just defeated 
CVE-2023-52425 :) (tobi)
---
 freeimage
   NOTE: 20240320: Added by Front-Desk (ta)
   NOTE: 20240320: lots of postponed issue could be fixed as well



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22b0e152708267c9c1136ca94b0bb6a09662d17c





[Git][security-tracker-team/security-tracker][master] CVE-2013-0340/expat add upstream reference to PR fixing the issue.

2024-03-27 Thread Tobias Frost (@tobi)




Commits:
a5496f2d by Tobias Frost at 2024-03-27T07:08:16+01:00
CVE-2013-0340/expat add upstream reference to PR fixing the issue.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -581688,6 +581688,7 @@ CVE-2013-0340 (expat 2.1.0 and earlier does not 
properly handle entities expansi
- expat 2.4.1-2 (unimportant; bug #1001864)
NOTE: Expat provides API to mitigate expansion attacks, ultimately 
under control of the app using Expat
NOTE: 
https://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-0340.html
+   NOTE: Fixed by https://github.com/libexpat/libexpat/pull/466 and 
https://github.com/libexpat/libexpat/pull/484
 CVE-2013-0339 (libxml2 through 2.9.1 does not properly handle external 
entities expan ...)
{DSA-2652-1}
- libxml2 2.8.0+dfsg1-7+nmu1 (bug #702260)
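Review bot: the entry is rated `unimportant` with the note that expat offers an API for the application to mitigate expansion, and the Debian fixed version is 2.4.1-2, so PRs 466 and 484 belong to the 2.4 line; the buster package is 2.2.6-based (2.2.6-2+deb10u7 in DLA-3783-1 in this thread), so if a buster backport is ever considered, recording which of the two PRs carries the substantive change would help. `Fixed by` also reads oddly next to `unimportant`; `Upstream mitigation:` would describe the PRs more accurately.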



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5496f2dd9d757844bc337afbfa65ca9b0c549df





[Git][security-tracker-team/security-tracker][master] Progress note on expat.

2024-03-25 Thread Tobias Frost (@tobi)




Commits:
94412bd7 by Tobias Frost at 2024-03-25T17:29:25+01:00
Progress note on expat.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,7 @@ edk2
 --
 expat (tobi)
   NOTE: 20240306: Added by Front-Desk (opal)
+  NOTE: 20230324: slowly making progress, seems that I've just defeated 
CVE-2023-52425 :) (tobi)
 --
 freeimage
   NOTE: 20240320: Added by Front-Desk (ta)
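Review bot: the new NOTE is stamped `20230324`, but the commit is dated 2024-03-25 and the preceding note in the same entry uses `20240306`, so the year is off by one (and the day may be meant as 25). Readers of dla-needed.txt rely on the date prefix to find the latest status of a package, so this should read `20240325` (or `20240324` if that is when the work happened).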



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94412bd75f775feff9c839750a08fc3ef769f1e3





[Git][security-tracker-team/security-tracker][master] LTS: claim expat in dla-needed.txt

2024-03-10 Thread Tobias Frost (@tobi)




Commits:
60343264 by Tobias Frost at 2024-03-10T20:13:31+01:00
LTS: claim expat in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,7 +74,7 @@ edk2
   NOTE: 20231230: Added by Front-Desk (lamby)
   NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release 
(lamby)
 --
-expat
+expat (tobi)
   NOTE: 20240306: Added by Front-Desk (opal)
 --
 freeipa (Chris Lamb)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60343264de9b5ae2294112b1a1605b5fa3e4f495





[Git][security-tracker-team/security-tracker][master] LTS: release claim on nss in dla-needed.txt

2024-03-10 Thread Tobias Frost (@tobi)




Commits:
62d36b43 by Tobias Frost at 2024-03-10T18:59:30+01:00
LTS: release claim on nss in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -164,7 +164,7 @@ nova
   NOTE: 20230302: zigo currently has no time and requests the LTS team to do 
it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder. (lamby)
 --
-nss (tobi)
+nss
   NOTE: 20240121: Added by Front-Desk (apo)
   NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a 
patch for 3.90 (their LTS version) available and backport from there.
   NOTE: 20230310: see also: Message-ID: 
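Review bot: turning `nss (tobi)` back into `nss` is the right minimal change for releasing the claim, and the rationale is already in the 20240310 note (upstream wants to land the CVE-2023-6135 fix for 3.90 first). Not introduced here, but the following context line `NOTE: 20230310: see also: Message-ID:` has the year off by one relative to the 20240310 note above it and would be cheap to fix in the same touch.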




View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d36b4369c4fa2b2d3d7076c9a9d534a2b5b01d



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3757-1 for nss.

2024-03-10 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e494cd25 by Tobias Frost at 2024-03-10T18:58:45+01:00
Reserve DLA-3757-1 for nss.

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -27496,7 +27496,6 @@ CVE-2023-5388
- nss 2:3.98-1 (bug #1056284)
[bookworm] - nss  (Minor issue)
[bullseye] - nss  (Minor issue)
-   [buster] - nss  (Minor issue)
NOTE: https://people.redhat.com/~hkario/marvin/
NOTE: Vendor patch (Rocky Linux, not upstreamed): 
https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd
NOTE: Fixed by: 
https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[10 Mar 2024] DLA-3757-1 nss - security update
+   {CVE-2023-5388 CVE-2024-0743}
+   [buster] - nss 2:3.42.1-1+deb10u8
 [10 Mar 2024] DLA-3756-1 wordpress - security update
[buster] - wordpress 5.0.21+dfsg1-0+deb10u1
 [09 Mar 2024] DLA-3755-1 tar - security update


=
data/dla-needed.txt
=
@@ -166,12 +166,8 @@ nova
 --
 nss (tobi)
   NOTE: 20240121: Added by Front-Desk (apo)
-  NOTE: 20240209:  There is currently no (public) patch for 
CVE-2023-5388 - RedHat seems to have one in privateā€¦ (tobi)
-  NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is 
unclear which bits are required or if the
-  NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version 
in buster does not have the NIST ciphers
-  NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm 
unsure if the prepared patches are fixing the vulnerabilty.
-  NOTE: 20240209: The backported patches are in the LTS repository, 
CVE-2023-6135*.patch 
-  NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 
(their LTS version) available and backport from there.
+  NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a 
patch for 3.90 (their LTS version) available and backport from there.
+  NOTE: 20230310: see also: Message-ID: 

 --
 nvidia-graphics-drivers
   NOTE: 20240303: Added by Front-Desk (apo)
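Review bot: the added "see also" NOTE is dated 20230310, a year before the 20240310 note directly above it and the commit itself (2024-03-10); 20240310 is almost certainly meant. The same line also ends at "Message-ID:" with no identifier visible after the colon, so the reference cannot be followed as written.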



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e494cd253be892f0ab8bd86e86074788f6b9cc01



[Git][security-tracker-team/security-tracker][master] dla-needed.txt: Add upstream response for CVE-2023-6135/nss

2024-02-27 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4ed4d895 by Tobias Frost at 2024-02-27T21:19:17+01:00
dla-needed.txt: Add upstream response for CVE-2023-6135/nss

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -194,6 +194,7 @@ nss (tobi)
   NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version 
in buster does not have the NIST ciphers
   NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm 
unsure if the prepared patches are fixing the vulnerabilty.
   NOTE: 20240209: The backported patches are in the LTS repository, 
CVE-2023-6135*.patch 
+  NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 
(their LTS version) available and backport from there.
 --
 nvidia-cuda-toolkit
   NOTE: 20230514: Added by Front-Desk (utkarsh)
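Review bot: the added NOTE is dated 20230227 although the commit was made on 2024-02-27 and the neighbouring notes in this entry are from 20240209; it should read 20240227. These notes are read chronologically by whoever picks the package up next, so a date a year off makes the upstream advice look stale.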



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ed4d89534cc8c01ed5827301a86b32a29fd96b5



[Git][security-tracker-team/security-tracker][master] LTS: claim nss in dla-needed.txt

2024-02-26 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e5b31b1 by Tobias Frost at 2024-02-27T06:24:25+01:00
LTS: claim nss in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -188,7 +188,7 @@ nova
   NOTE: 20230302: zigo currently has no time and requests the LTS team to do 
it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder. (lamby)
 --
-nss
+nss (tobi)
   NOTE: 20240121: Added by Front-Desk (apo)
   NOTE: 20240209:  There is currently no (public) patch for 
CVE-2023-5388 - RedHat seems to have one in privateā€¦ (tobi)
   NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is 
unclear which bits are required or if the



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e5b31b1d336c29d5c71a96d7e86ceea1db24982



[Git][security-tracker-team/security-tracker][master] CVE-2023-5388/nss Add upstream patch reference.

2024-02-19 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dcbb8807 by Tobias Frost at 2024-02-19T20:56:17+01:00
CVE-2023-5388/nss Add upstream patch reference.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21838,6 +21838,7 @@ CVE-2023-5388
[buster] - nss  (Minor issue)
NOTE: https://people.redhat.com/~hkario/marvin/
NOTE: Vendor patch (Rocky Linux, not upstreamed): 
https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd
+   NOTE: Upstream patch: 
https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2
 CVE-2023-5551 (Separate Groups mode restrictions were not honoured in the 
forum summa ...)
- moodle 
 CVE-2023-5550 (In a shared hosting environment that has been misconfigured to 
allow a ...)
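Review bot: now that an upstream fix is referenced, the preceding NOTE's qualifier "Vendor patch (Rocky Linux, not upstreamed)" is out of date and should be reworded or dropped in the same change, otherwise the entry reads as if the Rocky Linux patch were still the only one available. A short hint which of the two an LTS backport should follow would also help.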



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dcbb8807d29463a00abc65b5e8d85a626f94d2fe



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3734-1 for openvswitch

2024-02-17 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3926f7c1 by Tobias Frost at 2024-02-17T16:13:47+01:00
Reserve DLA-3734-1 for openvswitch

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -24970,7 +24970,6 @@ CVE-2023-5366 (A flaw was found in Open vSwitch that 
allows ICMPv6 Neighbor Adve
- openvswitch 3.1.2-1
[bookworm] - openvswitch  (Minor issue)
[bullseye] - openvswitch  (Minor issue)
-   [buster] - openvswitch  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006347
NOTE: 
https://github.com/openvswitch/ovs/commit/694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459
 (v3.1.2)
NOTE: 
https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c
 (v3.2.0)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[17 Feb 2024] DLA-3734-1 openvswitch - security update
+   {CVE-2023-5366}
+   [buster] - openvswitch 2.10.7+ds1-0+deb10u5
 [03 Feb 2024] DLA-3733-1 rear - security update
{CVE-2024-23301}
[buster] - rear 2.4+dfsg-1+deb10u1


=
data/dla-needed.txt
=
@@ -193,9 +193,6 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-openvswitch (tobi)
-  NOTE: 20240209: Added by Front-Desk (utkarsh)
---
 putty
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20230104: massive code change against bullseye. May be better to 
backport bullseye (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3926f7c1b720db3bdf27bc746f1a2b231f775878



[Git][security-tracker-team/security-tracker][master] CVE-2024-22563/openvswitch buster is not vulnerable.

2024-02-10 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f508ab99 by Tobias Frost at 2024-02-10T09:35:14+01:00
CVE-2024-22563/openvswitch buster is not vulnerable.

The memory leak was introduced with commit 
https://github.com/openvswitch/ovs/commit/b6e840aed03e3f6d1aa726b482140d895f60f90f,
first appearing in tag v2.11.0.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3912,9 +3912,10 @@ CVE-2024-22876 (StrangeBee TheHive 5.1.0 to 5.1.9 and 
5.2.0 to 5.2.8 is vulnerab
 CVE-2024-22563 (openvswitch 2.17.8 was discovered to contain a memory leak via 
the fun ...)
- openvswitch 2.17.2-4
[bullseye] - openvswitch  (Minor issue)
-   [buster] - openvswitch  (Minor issue, memory leak)
+   [buster] - openvswitch  (Vulnerable code introduced later)
NOTE: https://github.com/openvswitch/ovs-issues/issues/315
NOTE: 
https://github.com/openvswitch/ovs/commit/3168f328c78cf6e4b3022940452673b0e49f7620
 (v2.17.0)
+   NOTE: Introduced with: 
https://github.com/openvswitch/ovs/commit/b6e840aed03e3f6d1aa726b482140d895f60f90f
 (v2.11.0)
 CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer 
Underflow via  ...)
- swftools 
NOTE: https://github.com/matthiaskramm/swftools/issues/210
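Review bot: the new "(Vulnerable code introduced later)" annotation depends on buster shipping a version older than the v2.11.0 introducing commit, but nothing in this hunk records the buster version; only the unstable fix "- openvswitch 2.17.2-4" is visible. Adding the buster version to the "Introduced with:" NOTE (the sibling triage commit abbf2a15 on this page states buster is at 2.10.7) would make the not-affected reasoning verifiable from the entry alone.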



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f508ab997796385f4abb5fc9ed80250d15cc6ffc



[Git][security-tracker-team/security-tracker][master] CVE-2023-3966/openvswitch - buster is not affected

2024-02-09 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
abbf2a15 by Tobias Frost at 2024-02-10T08:49:58+01:00
CVE-2023-3966/openvswitch - buster is not affected

Vulnerable code introduced in 2.11.0, buster is at 2.10.7.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -203,6 +203,7 @@ CVE-2023-4639 [Cookie Smuggling/Spoofing]
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166022
 CVE-2023-3966 [Invalid memory access in Geneve with HW offload]
- openvswitch  (bug #1063492)
+   [buster] - openvswitch  (Vulnerable feature introduced 
later)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/08/3
NOTE: Introduced by: 
https://github.com/openvswitch/ovs/commit/a468645c6d330943dbe0c8d466e05b9af2d7df0c
 (v2.11.0)
NOTE: Fixed by: 
https://github.com/openvswitch/ovs/commit/2cfbcd5247ed0fd941c1ebb9f4adb952b67fe13a
 (v3.2.2)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbf2a1514bb0ddd3d9fe721665a44f91172e883



[Git][security-tracker-team/security-tracker][master] LTS: claim openvswitch in dla-needed.txt

2024-02-09 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
367677e5 by Tobias Frost at 2024-02-10T07:47:30+01:00
LTS: claim openvswitch in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -178,7 +178,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-openvswitch
+openvswitch (tobi)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
 --
 putty (santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/367677e55c7fbf8b83c2834885a1b4c22a08eb86



[Git][security-tracker-team/security-tracker][master] Document progress on nss:

2024-02-09 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
19b117a2 by Tobias Frost at 2024-02-09T20:25:59+01:00
Document progress on nss:

  NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is 
unclear which bits are required or if the
  NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in 
buster does not have the NIST ciphers
  NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm 
unsure if the prepared patches are fixing the vulnerability.
  NOTE: 20240209: The backported patches are in the LTS repository, 
CVE-2023-6135*.patch /tobi

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -165,6 +165,11 @@ nova
 --
 nss (tobi)
   NOTE: 20240121: Added by Front-Desk (apo)
+  NOTE: 20240209:  There is currently no (public) patch for 
CVE-2023-5388 - RedHat seems to have one in privateā€¦ (tobi)
+  NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is 
unclear which bits are required or if the
+  NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version 
in buster does not have the NIST ciphers
+  NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm 
unsure if the prepared patches are fixing the vulnerabilty.
+  NOTE: 20240209: The backported patches are in the LTS repository, 
CVE-2023-6135*.patch 
 --
 nvidia-cuda-toolkit
   NOTE: 20230514: Added by Front-Desk (utkarsh)
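Review bot: the first added NOTE line has a stray double space after "20240209:" and ends in "privateā€¦", which looks like a UTF-8 ellipsis re-encoded through a Windows-1252 round trip; a plain ASCII "..." avoids the mojibake in this text file. The TL;DR line also misspells "vulnerabilty". Since the note records that the prepared CVE-2023-6135*.patch files may not fix the issue, stating what was checked (which files or functions the upstream patch touches that buster lacks) would help the next person judge them.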



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19b117a202dea1a2def53936ef1b42a498c46f84



[Git][security-tracker-team/security-tracker][master] LTS: claim nss in dla-needed.txt

2024-02-04 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e643f071 by Tobias Frost at 2024-02-04T11:42:15+01:00
LTS: claim nss in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -159,7 +159,7 @@ nova
   NOTE: 20230302: zigo currently has no time and requests the LTS team to do 
it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder. (lamby)
 --
-nss
+nss (tobi)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
 nvidia-cuda-toolkit



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e643f07164a4f2ddd60d3f729c078424acbb2e68



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3717-1 for zabbix

2024-01-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7eaa9a46 by Tobias Frost at 2024-01-24T22:06:55+01:00
Reserve DLA-3717-1 for zabbix

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Jan 2024] DLA-3717-1 zabbix - security update
+   {CVE-2023-32721 CVE-2023-32723 CVE-2023-32726}
+   [buster] - zabbix 1:4.0.4+dfsg-1+deb10u4
 [23 Jan 2024] DLA-3716-1 ruby-httparty - security update
{CVE-2024-22049}
[buster] - ruby-httparty 0.16.2+dfsg1-3+deb10u1


=
data/dla-needed.txt
=
@@ -310,9 +310,6 @@ wireshark
 xorg-server (Markus Koschany)
   NOTE: 20240117: Added by Front-Desk (lamby)
 --
-zabbix (tobi)
-  NOTE: 20231015: Added by Front-Desk (ta)
---
 zfs-linux (Utkarsh)
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; 
D/ELA to be out soon. (utkarsh)
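Review bot: unrelated to the zabbix removal itself, but visible in the trailing context: the zfs-linux NOTE is dated 20240801, which lies months after this 2024-01-24 commit, so the date is a typo worth fixing while touching this region.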



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eaa9a46676b26bec145429e8fb1437060cfa791



[Git][security-tracker-team/security-tracker][master] s/ttps/https

2024-01-23 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
016eb657 by Tobias Frost at 2024-01-23T20:14:20+01:00
s/ttps/https

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6435,7 +6435,7 @@ CVE-2023-32727 (An attacker who has the privilege to 
configure Zabbix items can
NOTE: https://support.zabbix.com/browse/ZBX-23857
NOTE: 
https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34
 (6.0.23rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5
 (6.0.23rc1)
-NOTE: introduced in 
ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464
 (4.4.0alpha3)
+NOTE: introduced in 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464
 (4.4.0alpha3)
 CVE-2023-32726 (The vulnerability is caused by improper check for check if 
RDLENGTH do ...)
- zabbix 1:6.0.24+dfsg-1
NOTE: https://support.zabbix.com/browse/ZBX-23855



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/016eb657b4453e3becdfa55ebbdfa411c0f313f1



[Git][security-tracker-team/security-tracker][master] CVE-2023-32727/zabbix - buster is not affected.

2024-01-23 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
36e9a771 by Tobias Frost at 2024-01-23T20:13:31+01:00
CVE-2023-32727/zabbix - buster is not affected.

The vulnerability is a format-string vulnerability: a user-provided input
(dst, intended to be a target host for fping) is passed to a shell
without sanitizing.

The key line of the patch for CVE-2023-32727 is in function
get_interval_option():

-   zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst);
+   zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]);

dst is the ping target, and the resulting tmp is the complete command to be
executed in the vulnerable version (via execl("/bin/sh", "sh", "-c",
command, (char *)NULL); in zbx_execute()).

Bisecting upstream yields the following commit as introducing this:

Commit: 57abe5a1f2c208d05cc59029026098c2f13ed464 [1]
+   zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i0 %s", fping, dst);

[1] 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464#src/libs/zbxicmpping/icmpping.c
line 102

List of affected versions, where the commit is seen first time:

git tag --contains 57abe5a1f2c208d05cc59029026098c2f13ed464  (manually
filtered to show only the first tag of every affected version)
4.4.0alpha3
5.0.0alpha1
5.2.0alpha1
5.4.0alpha1
6.0.0alpha1
6.2.0alpha1
6.4.0alpha1
7.0.0alpha1

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6428,12 +6428,14 @@ CVE-2023-32728 (The Zabbix Agent 2 item key 
smart.disk.get does not sanitize its
NOTE: 
https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0
 (6.0.24rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac
 (6.0.24rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9
 (6.0.24rc1)
-NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 
5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339
+NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 
and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339
 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items 
can use fu ...)
- zabbix 1:6.0.23+dfsg-1
+[buster] - zabbix  (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23857
NOTE: 
https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34
 (6.0.23rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5
 (6.0.23rc1)
+NOTE: introduced in 
ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464
 (4.4.0alpha3)
 CVE-2023-32726 (The vulnerability is caused by improper check for check if 
RDLENGTH do ...)
- zabbix 1:6.0.24+dfsg-1
NOTE: https://support.zabbix.com/browse/ZBX-23855
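Review bot: the added "introduced in" NOTE is missing the leading "h" of "https://" (the follow-up commit 016eb657 on this page corrects it; folding it into this commit would have avoided the extra revision). The rewritten 5.0.9rc1 NOTE for CVE-2023-32728 also now names "5.3.5rc1", whereas the ZBXNEXT-6339 quote in commit c7631825 lists "5.2.5rc1"; one of the two does not match the ticket and should be checked.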
@@ -6442,7 +6444,7 @@ CVE-2023-32725 (The website configured in the URL widget 
will receive a session
- zabbix 1:6.0.23+dfsg-1
[bullseye] - zabbix  (Vulnerable code not present)
[buster] - zabbix  (vulnerable code introduced later)
-   NOTE: https://support.zabbix.com/browse/ZBX-23854
+   NOTE: https://support.zabbix.com/browse/ZBX-2354
NOTE: 
https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26
 (6.0.22rc1)
NOTE: report_manager introduced with: 
https://github.com/zabbix/zabbix/commit/a06a08111546081e8256267bc0062cbd74dc3309
 (6.0.0alpha1)
 CVE-2023-32230 (An improper handling of a malformed API request to an API 
server in Bo ...)
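Review bot: the change from ZBX-23854 to ZBX-2354 looks accidental. The neighbouring Zabbix tickets in this region are ZBX-23855, ZBX-23857 and ZBX-23858, the original value fits that series, and ZBX-23854 is the value this entry had when it was added in commit 43cb8dd4 on this page; the commit message does not mention the change either. Revert unless the renumbering is intentional.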



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279



[Git][security-tracker-team/security-tracker][master] CVE-2023-32728/zabbix (buster) vulnerable code introduced later.

2024-01-23 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c7631825 by Tobias Frost at 2024-01-23T18:59:00+01:00
CVE-2023-32728/zabbix (buster) vulnerable code introduced later.

Vulnerable feature was introduced with this ticket: 
https://support.zabbix.com/browse/ZBXNEXT-6339

Quote:
 Available in:

 5.0.9rc1 1ee48854146
 5.2.5rc1 68cf640f12d
 5.4.0alpha2 (master) 434243ef35a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6419,6 +6419,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF) 
vulnerability in Tagbox Tagbox
NOT-FOR-US: WordPress plugin
 CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize 
its param ...)
- zabbix 1:6.0.24+dfsg-1
+[buster] - zabbix  (Vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23858
NOTE: 
https://github.com/zabbix/zabbix/commit/51ee1af626f93c1656ee2e37aa3d611b0292c1d8
 (6.0.24rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/f4557473616f455eefe8f303721b4cec473ece4c
 (6.0.24rc1)
@@ -6427,6 +6428,7 @@ CVE-2023-32728 (The Zabbix Agent 2 item key 
smart.disk.get does not sanitize its
NOTE: 
https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0
 (6.0.24rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac
 (6.0.24rc1)
NOTE: 
https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9
 (6.0.24rc1)
+NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 
5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339
 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items 
can use fu ...)
- zabbix 1:6.0.23+dfsg-1
NOTE: https://support.zabbix.com/browse/ZBX-23857
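Review bot: the added NOTE names only two of the three versions quoted in the commit message ("5.0.9rc1 1ee48854146", "5.2.5rc1 68cf640f12d", "5.4.0alpha2 434243ef35a"); 5.2.5rc1 is dropped, so a reader checking bullseye or bookworm against the 5.2 series would not find it here. "resp." is also a Germanism; "and" or a comma-separated list reads more clearly.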



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7631825c06eb9331e5fcc22abdf7fe9e749b7cb



[Git][security-tracker-team/security-tracker][master] LTS: claim zabbix in dla-needed.txt

2024-01-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a116f30b by Tobias Frost at 2024-01-22T20:09:30+01:00
LTS: claim zabbix in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -314,7 +314,7 @@ wireshark
 xorg-server (Markus Koschany)
   NOTE: 20240117: Added by Front-Desk (lamby)
 --
-zabbix
+zabbix (tobi)
   NOTE: 20231015: Added by Front-Desk (ta)
 --
 zfs-linux (Utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a116f30bb7aec9b67f2405de65dacc46d3604f90



[Git][security-tracker-team/security-tracker][master] CVE-2023-32725/zabbix not affecting buster

2024-01-21 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
43cb8dd4 by Tobias Frost at 2024-01-21T17:36:17+01:00
CVE-2023-32725/zabbix not affecting buster

The vulnerable report_manager was first part of a release with version
6.0.0alpha. The buster version does not have the Go implementations.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6100,8 +6100,10 @@ CVE-2023-32726 (The vulnerability is caused by improper 
check for check if RDLEN
NOTE: 
https://github.com/zabbix/zabbix/commit/53ef2b7119f57f4140e6bd9c5cd2d3c6af228179
 (6.0.24rc1)
 CVE-2023-32725 (The website configured in the URL widget will receive a 
session cookie ...)
- zabbix 1:6.0.23+dfsg-1
+[buster] - zabbix  (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-23854
NOTE: 
https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26
 (6.0.22rc1)
+NOTE: report_manager introduced with commit 
https://github.com/zabbix/zabbix/commit/a06a0811154 (first released with 
6.0.0alpha1)
 CVE-2023-32230 (An improper handling of a malformed API request to an API 
server in Bo ...)
NOT-FOR-US: Bosch
 CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, 
found in O ...)
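Review bot: the new NOTE references report_manager's introducing commit by an abbreviated hash (a06a0811154) while every other NOTE in this region uses the full 40-character hash in the URL; commit 36e9a771 on this page later expands it to a06a08111546081e8256267bc0062cbd74dc3309, so the full form should be used from the start. The new buster annotation also uses lowercase "vulnerable code introduced later" where the other buster annotations on this page capitalise "Vulnerable".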



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43cb8dd43a8e9544383107231fb22c91c2a42f4f



[Git][security-tracker-team/security-tracker][master] Remove paramiko from dla-needed.txt

2024-01-15 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1cb1b17e by Tobias Frost at 2024-01-16T06:03:39+01:00
Remove paramiko from dla-needed.txt

   CVE-2023-48795/paramiko buster is not vulnerable.

Confirmed by upstream:
https://github.com/paramiko/paramiko/issues/2337#issuecomment-1880185735

paramiko 2.4.2 implements neither ETM-MAC modes nor ChaCha20.
It also has no EXT_INFO support, which might be a factor for
exploitability.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -165,9 +165,6 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-paramiko (tobi)
-  NOTE: 20231225: Added by Front-Desk (ta)
---
 php-phpseclib (guilhem)
   NOTE: 20240114: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cb1b17e6728cb9da9a0a3a77f80bb3a18f9d1ab



[Git][security-tracker-team/security-tracker][master] Fix entry for CVE-2023-36464/pypdf (bookworm)

2024-01-15 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee075469 by Tobias Frost at 2024-01-16T06:01:28+01:00
Fix entry for CVE-2023-36464/pypdf (bookworm)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32179,7 +32179,7 @@ CVE-2023-3327
REJECTED
 CVE-2023-36464 (pypdf is an open source, pure-python PDF library. In affected 
versions ...)
- pypdf 3.17.4-1 (bug #1040338)
-   [bookworm] - pypdf 3.4.1-1+deb12u1  (Minor issue)
+   [bookworm] - pypdf 3.4.1-1+deb12u1
- pypdf2  (bug #1040339)
[bookworm] - pypdf2  (Minor issue)
[bullseye] - pypdf2  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee075469a408af6e89d222ba3ffcff79d9c03f23



[Git][security-tracker-team/security-tracker][master] CVE-2023-48795/paramiko buster is not vulnerable.

2024-01-14 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ff3a5576 by Tobias Frost at 2024-01-14T17:29:22+01:00
CVE-2023-48795/paramiko buster is not vulnerable.

Confirmed by upstream:
https://github.com/paramiko/paramiko/issues/2337#issuecomment-1880185735

paramiko 2.4.2 implements neither ETM-MAC modes nor ChaCha20.
It also has no EXT_INFO support, which might be a factor for
exploitability.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4829,6 +4829,7 @@ CVE-2023-48795 (The SSH transport protocol with certain 
OpenSSH extensions, foun
- paramiko  (bug #1059006)
[bookworm] - paramiko  (Minor issue)
[bullseye] - paramiko  (Minor issue)
+[buster] - paramiko  (ChaCha20-Poly1305 and CBC-EtM 
support not present)
- phpseclib 1.0.22-1
- php-phpseclib 2.0.46-1
- php-phpseclib3 3.0.35-1
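Review bot: the buster annotation records only the conclusion (`ChaCha20-Poly1305 and CBC-EtM support not present`); the upstream confirmation the commit message relies on (the paramiko issue 2337 comment) is not in the tracker data. Add a `NOTE:` line with that URL under the entry so the rationale survives outside git history, and consider mentioning the missing EXT_INFO support there too, since the commit message flags it as relevant to exploitability.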



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff3a5576ad64f41ba1a5fd2d07492c582ef5aa80

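The two paramiko commits above rest on one observation: CVE-2023-48795 (Terrapin) only bites when the negotiated cipher is ChaCha20-Poly1305 or a CBC cipher paired with an encrypt-then-MAC MAC, so a client that offers neither cannot end up in a vulnerable connection. The script below is an added example, not code from paramiko or from the security tracker: it applies the RFC 4253 negotiation rule to two name-lists and classifies the result, including the strict-kex countermeasure. The name-lists are constructed; `BUSTER_LIKE_CLIENT` encodes only what the commit message states about paramiko 2.4.2 (no ETM MACs, no ChaCha20) and is not copied from paramiko's source, and `NEWER_CLIENT` and `SERVER` are hypothetical.

```python
"""Classify an SSH algorithm negotiation for CVE-2023-48795 (Terrapin) exposure.

Added example; not code from paramiko or from the Debian security tracker.
The name-lists below are constructed: BUSTER_LIKE_CLIENT only encodes what the
commit message states about paramiko 2.4.2 (no ETM MACs, no ChaCha20); it is
not copied from paramiko's source. NEWER_CLIENT and SERVER are hypothetical.
"""

CHACHA20 = "chacha20-poly1305@openssh.com"
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first entry of the
    client's name-list that also appears in the server's; None if none does."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def terrapin_exposure(client, server):
    """client/server: dicts with 'kex', 'ciphers' and 'macs' name-lists in
    preference order. Returns the negotiated cipher/MAC and a verdict."""
    cipher = negotiate(client["ciphers"], server["ciphers"])
    mac = negotiate(client["macs"], server["macs"])
    # Strict kex (the upstream countermeasure) only helps when both sides
    # advertise their pseudo-algorithm in the kex name-list.
    strict_kex = STRICT_KEX_CLIENT in client["kex"] and STRICT_KEX_SERVER in server["kex"]
    result = {"cipher": cipher, "mac": mac, "strict_kex": strict_kex}
    if cipher is None or (mac is None and cipher != CHACHA20):
        # ChaCha20-Poly1305 is an AEAD mode and ignores the MAC name-list.
        return {**result, "vulnerable": False, "reason": "no common algorithm; handshake fails"}
    if strict_kex:
        return {**result, "vulnerable": False,
                "reason": "strict kex on both sides; sequence-number manipulation is rejected"}
    if cipher == CHACHA20:
        return {**result, "vulnerable": True, "reason": "ChaCha20-Poly1305 negotiated"}
    if cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"):
        return {**result, "vulnerable": True, "reason": "CBC cipher with encrypt-then-MAC negotiated"}
    return {**result, "vulnerable": False, "reason": f"{cipher} with {mac} is not affected"}


# Constructed profiles (see module docstring).
BUSTER_LIKE_CLIENT = {
    "kex": ["ecdh-sha2-nistp256", "diffie-hellman-group14-sha256", "diffie-hellman-group-exchange-sha256"],
    "ciphers": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-cbc", "aes256-cbc", "3des-cbc"],
    "macs": ["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}
NEWER_CLIENT = {  # hypothetical client that added ChaCha20 and ETM MACs but not strict kex
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "ciphers": [CHACHA20, "aes128-ctr", "aes256-ctr", "aes256-cbc"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"],
}
SERVER = {  # hypothetical server that still offers CBC and ETM MACs
    "kex": ["curve25519-sha256", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha256"],
    "ciphers": [CHACHA20, "aes128-ctr", "aes256-ctr", "aes256-cbc"],
    "macs": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1"],
}


def with_strict_kex(profile, side):
    """Copy of profile that advertises strict kex for the given side ('c' or 's')."""
    tag = STRICT_KEX_CLIENT if side == "c" else STRICT_KEX_SERVER
    return {**profile, "kex": profile["kex"] + [tag]}


if __name__ == "__main__":
    cases = [
        ("buster-like client", BUSTER_LIKE_CLIENT, SERVER),
        ("newer client", NEWER_CLIENT, SERVER),
        ("newer client, strict kex both sides",
         with_strict_kex(NEWER_CLIENT, "c"), with_strict_kex(SERVER, "s")),
    ]
    for label, client, server in cases:
        print(f"{label:38} {terrapin_exposure(client, server)}")
```

The buster-like client lands on aes128-ctr with hmac-sha2-256 against a server that offers everything, which is exactly why the entry can be marked not vulnerable without a code change; the same server is exploitable against the newer client until both peers speak strict kex, and one-sided strict kex gives no protection.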


[Git][security-tracker-team/security-tracker][master] LTS: claim paramiko in dla-needed.txt

2024-01-06 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad1739ca by Tobias Frost at 2024-01-07T08:42:12+01:00
LTS: claim paramiko in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -163,7 +163,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-paramiko
+paramiko (tobi)
   NOTE: 20231225: Added by Front-Desk (ta)
 --
 postfix (Markus Koschany)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad1739ca1ee620cf686e6a64ca171f0f31241c79



[Git][security-tracker-team/security-tracker][master] LTS: claim zabbix in dla-needed.txt

2024-01-06 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
94b52c9f by Tobias Frost at 2024-01-07T08:42:23+01:00
LTS: claim zabbix in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -268,7 +268,7 @@ wireshark (Adrian Bunk)
   NOTE: 20231204: DLA pending (bunk)
   NOTE: 20231218: Debugging a problem with the update. (bunk)
 --
-zabbix
+zabbix (tobi)
   NOTE: 20231015: Added by Front-Desk (ta)
 --
 zfs-linux



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94b52c9f8f1b9f59a964f13cdf60fe0c506188b6



[Git][security-tracker-team/security-tracker][master] LTS: claim haproxy in dla-needed.txt

2023-12-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
edcd64ff by Tobias Frost at 2023-12-24T12:05:17+01:00
LTS: claim haproxy in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -79,7 +79,7 @@ frr
 golang-go.crypto
   NOTE: 20231219: Added by Front-Desk (ta)
 --
-haproxy
+haproxy (tobi)
   NOTE: 20231217: Added by Front-Desk (utkarsh)
 --
 i2p



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edcd64ff395e3353a68e0a1909c77429d961720a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3693-1 for osslsigncode

2023-12-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b3918fb by Tobias Frost at 2023-12-23T08:34:22+01:00
Reserve DLA-3693-1 for osslsigncode

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[23 Dec 2023] DLA-3693-1 osslsigncode - security update
+   {CVE-2023-36377}
+   [buster] - osslsigncode 2.0+really2.5-4+deb10u1
 [19 Dec 2023] DLA-3692-1 curl - security update
{CVE-2023-28322 CVE-2023-46218}
[buster] - curl 7.64.0-4+deb10u8
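Review bot: only data/DLA/list and data/dla-needed.txt change here, whereas the other Reserve commits in this series also drop the `[buster] - <pkg> <no-dsa>` line from data/CVE/list. Confirm that CVE-2023-36377 carries no leftover buster annotation, otherwise the tracker will show it as both fixed by DLA-3693-1 and postponed for buster. The version `2.0+really2.5-4+deb10u1` also deserves a sentence in the DLA text: the `+really2.5` marker means buster now ships upstream 2.5 under a version string that still sorts below 2.1, which is easy to misread when checking whether the fix is present.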


=
data/dla-needed.txt
=
@@ -161,10 +161,6 @@ nvidia-cuda-toolkit
 openssh (santiago)
   NOTE: 20231219: Added by Front-Desk (ta)
 --
-osslsigncode (tobi)
-  NOTE: 20230925: Added by Front-Desk (apo)
-  NOTE: 20230925: Maybe a new upstream release should just do the trick here.
---
 python-django (Chris Lamb)
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b3918fb8d76ce9eda1bb3b5228351e4b669261b



[Git][security-tracker-team/security-tracker][master] LTS: claim osslsigncode in dla-needed.txt

2023-12-21 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0ad6d03 by Tobias Frost at 2023-12-21T20:42:27+01:00
LTS: claim osslsigncode in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -161,7 +161,7 @@ nvidia-cuda-toolkit
 openssh
   NOTE: 20231219: Added by Front-Desk (ta)
 --
-osslsigncode
+osslsigncode (tobi)
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Maybe a new upstream release should just do the trick here.
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0ad6d0317828680ed3414843a1a08b85c748c9d



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3690-1 for intel-microcode

2023-12-16 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
966fb609 by Tobias Frost at 2023-12-16T18:29:35+01:00
Reserve DLA-3690-1 for intel-microcode

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -6105,7 +6105,6 @@ CVE-2023-5528 (A security issue was discovered in 
Kubernetes where a user that c
 CVE-2023-23583 (Sequence of processor instructions leads to unexpected 
behavior for so ...)
{DSA-5563-1}
- intel-microcode 3.20231114.1 (bug #1055962)
-   [buster] - intel-microcode  (Minor issue for older releases. 
Affects only newer CPU features.)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20231114
NOTE: https://lock.cmpxchg8b.com/reptar.html
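Review bot: the removed buster line carried a triage verdict (`Minor issue for older releases. Affects only newer CPU features.`) that this commit silently reverses. Add a short NOTE saying why a DLA was issued after all (the dla-needed entry below says `Follow DSA-5563-1`), so a later triager comparing this entry with the bullseye/bookworm handling does not reinstate the no-dsa marking.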


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[16 Dec 2023] DLA-3690-1 intel-microcode - security update
+   {CVE-2023-23583}
+   [buster] - intel-microcode 3.20231114.1~deb10u1
 [14 Dec 2023] DLA-3689-1 bluez - security update
{CVE-2023-45866}
[buster] - bluez 5.50-1.2~deb10u4


=
data/dla-needed.txt
=
@@ -82,10 +82,6 @@ imagemagick
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
   NOTE: 20231014: Some work under git branch debian/buster but unease
 --
-intel-microcode (tobi)
-  NOTE: 20231201: Added by Front-Desk (Beuc)
-  NOTE: 20231201: Follow DSA-5563-1 (1 CVE) (Beuc/front-desk)
---
 keystone
   NOTE: 20231102: Added by Front-Desk (lamby)
   NOTE: 20231102: Sync (eg. CVE-2021-38155) with stable etc. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/966fb6094966c82600c698486bc4df449d808ef3



[Git][security-tracker-team/security-tracker][master] LTS: claim intel-microcode in dla-needed.txt

2023-12-16 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a48de1ef by Tobias Frost at 2023-12-16T09:24:00+01:00
LTS: claim intel-microcode in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,7 +82,7 @@ imagemagick
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
   NOTE: 20231014: Some work under git branch debian/buster but unease
 --
-intel-microcode
+intel-microcode (tobi)
   NOTE: 20231201: Added by Front-Desk (Beuc)
   NOTE: 20231201: Follow DSA-5563-1 (1 CVE) (Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a48de1ef8cbcde225409b21afc331b41565b93b4



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3681-1 for amanda

2023-12-03 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad87ff39 by Tobias Frost at 2023-12-03T10:45:09+01:00
Reserve DLA-3681-1 for amanda

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -91381,7 +91381,6 @@ CVE-2022-37706 (enlightenment_sys in Enlightenment 
before 0.25.4 allows local us
 CVE-2022-37705 (A privilege escalation flaw was found in Amanda 3.5.1 in which 
the bac ...)
- amanda 1:3.5.1-10 (bug #1029829)
[bullseye] - amanda  (Minor issue)
-   [buster] - amanda  (Minor issue)
NOTE: https://github.com/MaherAzzouzi/CVE-2022-37705
NOTE: https://github.com/zmanda/amanda/issues/192
NOTE: https://marc.info/?l=amanda-hackers=167437716918603=2
@@ -91400,7 +91399,6 @@ CVE-2022-37704 (Amanda 3.5.1 allows privilege 
escalation from the regular user b
 CVE-2022-37703 (In Amanda 3.5.1, an information leak vulnerability was found 
in the ca ...)
- amanda 1:3.5.1-10 (bug #1021017)
[bullseye] - amanda  (Minor issue)
-   [buster] - amanda  (Minor issue)
NOTE: https://github.com/MaherAzzouzi/CVE-2022-37703
NOTE: https://github.com/zmanda/amanda/issues/192
NOTE: https://github.com/zmanda/amanda/pull/198


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[03 Dec 2023] DLA-3681-1 amanda - security update
+   {CVE-2022-37703 CVE-2022-37705 CVE-2023-30577}
+   [buster] - amanda 1:3.5.1-2+deb10u2
 [03 Dec 2023] DLA-3680-1 opendkim - security update
{CVE-2022-48521}
[buster] - opendkim 2.11.0~alpha-12+deb10u1
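Review bot: DLA-3681-1 lists CVE-2023-30577, but the data/CVE/list hunks above only touch CVE-2022-37703 and CVE-2022-37705, and CVE-2022-37704 (visible in the second hunk's context header) is not in the DLA at all. Check that CVE-2023-30577 had no buster annotation left to remove, and record why CVE-2022-37704 stays out (unfixed upstream, not affecting buster, or a follow-up update), e.g. with a NOTE on its entry, so the remaining open item is visible to the next person picking up amanda.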


=
data/dla-needed.txt
=
@@ -20,9 +20,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
---
-amanda (tobi)
-  NOTE: 20230730: Added by Front-Desk (apo)
 --
 ansible
   NOTE: 20231202: Added by Front-Desk (Beuc)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad87ff395b6f6ef97070cd9d94b344de2127586f



[Git][security-tracker-team/security-tracker][master] CVE-2016-10729/amanda fixed with 1:3.3.9-1

2023-12-03 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ccd23215 by Tobias Frost at 2023-12-03T10:42:18+01:00
CVE-2016-10729/amanda fixed with 1:3.3.9-1

This vulnerability was fixed with the introduction of the security file (man
amanda-security.conf). The said version is the first version in Debian that has
this feature.

Verified on buster and stretch that the PoC does not work but bails out with,
e.g.
security file /etc/amanda-security.conf do not allow to run 
/tmp/runme.sh as root for amstar:star_path
when trying to run
/usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh

(PoC is from https://www.exploit-db.com/exploits/39217/, as linked already in 
the tracker.)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -352270,7 +352270,7 @@ CVE-2016-10730 (An issue was discovered in Amanda 
3.3.1. A user with backup priv
NOTE: /usr/lib/amanda/application/amstar can only be run by members of 
the backup
NOTE: group (which is root-equivalent due to being able to perform 
restores e.g.)
 CVE-2016-10729 (An issue was discovered in Amanda 3.3.1. A user with backup 
privileges ...)
-   - amanda  (unimportant)
+   - amanda 1:3.3.9-1 (unimportant)
NOTE: https://www.exploit-db.com/exploits/39217/
NOTE: /usr/lib/amanda/runtar can only be run by members of the backup
NOTE: group (which is root-equivalent due to being able to perform 
restores e.g.)
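Review bot: the justification for setting 1:3.3.9-1 as the fixed version of CVE-2016-10729 is a test of `amstar restore --star-path=...`, but this CVE and its NOTE concern /usr/lib/amanda/runtar (exploit 39217); the amstar test belongs to CVE-2016-10730. Confirm that the runtar PoC was also run against 1:3.3.9-1 and that the security file covers the runtar path before relying on this fixed version.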



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ccd232156b6a0011e6b43973dd827cf74f5700d1



[Git][security-tracker-team/security-tracker][master] CVE-2016-10730/amanda fixed with 1:3.3.9-1

2023-12-03 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4198326a by Tobias Frost at 2023-12-03T10:40:00+01:00
CVE-2016-10730/amanda fixed with 1:3.3.9-1

This vulnerability was fixed with the introduction of the security file (man
amanda-security.conf). The said version is the first version in Debian that has
this feature.

Verified on buster and stretch that the PoC does not work but bails out with,
e.g.
security file /etc/amanda-security.conf do not allow to run 
/tmp/runme.sh as root for amstar:star_path
when trying to run
/usr/lib/amanda/application/amstar restore --star-path=/tmp/runme.sh

(PoC is from https://www.exploit-db.com/exploits/39244/, as linked already in 
the tracker.)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -352265,7 +352265,7 @@ CVE-2018-18633
 CVE-2018-18632
RESERVED
 CVE-2016-10730 (An issue was discovered in Amanda 3.3.1. A user with backup 
privileges ...)
-   - amanda  (unimportant)
+   - amanda 1:3.3.9-1 (unimportant)
NOTE: https://www.exploit-db.com/exploits/39244/
NOTE: /usr/lib/amanda/application/amstar can only be run by members of 
the backup
NOTE: group (which is root-equivalent due to being able to perform 
restores e.g.)
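Review bot: the entry now names a fixed version while keeping `(unimportant)`; that is consistent with the NOTE lines, but the mechanism that makes the PoC fail, the amanda-security.conf allow-list first shipped in 1:3.3.9-1, appears only in the commit message. Add it as a NOTE line so the fixed version can be re-verified from the tracker without digging through git history.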



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4198326a4f1dcfd8ab5329eddc25042fe190b9b5

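Both amanda commits above (CVE-2016-10729 and CVE-2016-10730) rest on the same fix: a setuid helper that used to execute whatever binary the caller named in `--star-path` now consults an allow-list in /etc/amanda-security.conf and refuses anything not listed. The script below is an added example, not amanda's code; it emulates that check to show the before/after shape of the fix. Assumptions not confirmed by the page: the security file consists of `<program>:<option>=<path>` lines (the key name `amstar:star_path` and the refusal wording are taken from the error message quoted in the commit), the sample file content is constructed, and the checks the real helper performs on the security file itself are left out.

```python
"""Emulate the allow-list that amanda's security file puts in front of the
path a setuid helper is asked to execute as root.

Added example, not amanda's code. Assumptions (not confirmed by the page): the
security file consists of "<program>:<option>=<path>" lines; the key
amstar:star_path and the refusal wording are taken from the error message in
the commit; checks on the security file itself are left out.
"""
import re

# Hard-coded on purpose: the unprivileged caller must never choose this path.
SECURITY_FILE = "/etc/amanda-security.conf"

# Constructed sample content of the security file.
SAMPLE_SECURITY_CONF = """\
# paths a setuid amanda helper may execute as root, one per key
amstar:star_path=/usr/bin/star
amgtar:gnutar_path=/bin/tar
runtar:gnutar_path=/bin/tar
"""

LINE_RE = re.compile(r"([A-Za-z0-9_]+:[A-Za-z0-9_]+)\s*=\s*(/\S+)")


def parse_security_conf(text):
    """Map each "<program>:<option>" key to the set of absolute paths it may run.
    Anything that is not blank, a comment or a well-formed entry is an error:
    silently skipping lines in an allow-list is how entries go missing."""
    allowed = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.fullmatch(line)
        if not m:
            raise ValueError(f"{SECURITY_FILE}:{lineno}: cannot parse {raw!r}")
        allowed.setdefault(m.group(1), set()).add(m.group(2))
    return allowed


def option_value(argv_option):
    """Value part of a '--name=value' command-line option."""
    return argv_option.split("=", 1)[1]


def star_path_before(argv_option):
    """Pre-3.3.9 behaviour the PoC relies on: whatever --star-path names is what
    the setuid helper executes as root. Returns the path that would run."""
    return option_value(argv_option)


def star_path_after(argv_option, allowed, key="amstar:star_path"):
    """3.3.9-style behaviour: the requested path must be listed for the key in
    the security file, otherwise the helper bails out with the message the
    commit quotes. Returns (ok, path) or (False, message)."""
    path = option_value(argv_option)
    if path in allowed.get(key, ()):
        return True, path
    return False, (f"security file {SECURITY_FILE} do not allow to run {path} "
                   f"as root for {key}")


if __name__ == "__main__":
    conf = parse_security_conf(SAMPLE_SECURITY_CONF)
    print("before:", star_path_before("--star-path=/tmp/runme.sh"))
    print("after: ", star_path_after("--star-path=/tmp/runme.sh", conf))
    print("after: ", star_path_after("--star-path=/usr/bin/star", conf))
```

Two design points carry over to any setuid helper: the match is an exact path comparison (no prefix or basename matching, which an attacker can satisfy with a directory they control), and the location of the allow-list is fixed in the program rather than derived from the environment or the command line.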


[Git][security-tracker-team/security-tracker][master] Reserve DLA-3680-1 for opendkim

2023-12-03 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
392af420 by Tobias Frost at 2023-12-03T09:29:06+01:00
Reserve DLA-3680-1 for opendkim

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[03 Dec 2023] DLA-3680-1 opendkim - security update
+   {CVE-2022-48521}
+   [buster] - opendkim 2.11.0~alpha-12+deb10u1
 [30 Nov 2023] DLA-3679-1 vlc - security update
{CVE-2023-47359 CVE-2023-47360}
[buster] - vlc 3.0.20-0+deb10u1
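Review bot: the fix in 2.11.0~alpha-12+deb10u1 comes from the RFS in #1056285, while the dla-needed notes below say upstream had no fix as of 20231006 and that the patch quality was still being queried on 20231125; the tracker entry for CVE-2022-48521 does not show that the buster patch is Debian-specific. Add a NOTE with the bug number and the upstream status to the CVE entry, so that bullseye/bookworm are not assumed to have inherited an upstream fix.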


=
data/dla-needed.txt
=
@@ -143,11 +143,6 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-opendkim (tobi)
-  NOTE: 20230821: Added by Front-Desk (ta)
-  NOTE: 20231006: Unfixed upstream as of today. (spwhitton)
-  NOTE: 20231125: RFS with fix #1056285 - asked sponsoree about quality of 
patch. (tobi)
---
 osslsigncode
   NOTE: 20230925: Added by Front-Desk (apo)
   NOTE: 20230925: Maybe a new upstream release should just do the trick here.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/392af4206af14da776f038fba6fa00d78aef197b



[Git][security-tracker-team/security-tracker][master] opendkim has an RFS fixing the CVE - asked sponsoree for details about confidence.

2023-11-25 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0c2de437 by Tobias Frost at 2023-11-25T15:49:07+01:00
opendkim has an RFS fixing the CVE - asked sponsoree for details about confidence.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -152,6 +152,7 @@ nvidia-cuda-toolkit
 opendkim (tobi)
   NOTE: 20230821: Added by Front-Desk (ta)
   NOTE: 20231006: Unfixed upstream as of today. (spwhitton)
+  NOTE: 20231125: RFS with fix #1056285 - asked sponsoree about quality of 
patch. (tobi)
 --
 opensc (guilhem)
   NOTE: 20231119: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0c2de4371b59e440db456084bb2922c0374b418c



[Git][security-tracker-team/security-tracker][master] LTS: claim opendkim in dla-needed.txt

2023-11-25 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e3ef3824 by Tobias Frost at 2023-11-25T15:35:22+01:00
LTS: claim opendkim in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -104,7 +104,7 @@ libstb
   NOTE: 20231029: A lot of open CVEs. Maybe duplicates.
   NOTE: 20231029: If you take a package, please evaluate it as well as its 
importance.
   NOTE: 20221119: None of the new CVE fixes has been reviewed by upstream so 
far,
-  NOTE: 20221119: and in the past CVE fixes have caused regressions. 
+  NOTE: 20221119: and in the past CVE fixes have caused regressions.
   NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). 
(bunk)
 --
 linux (Ben Hutchings)
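Review bot: the first hunk only strips trailing whitespace from the 20221119 libstb NOTE and has nothing to do with claiming opendkim; whitespace cleanups in a shared data file are better kept in their own commit so that `git blame` on the libstb entry keeps pointing at the author of that triage note.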
@@ -149,7 +149,7 @@ nvidia-cuda-toolkit
   NOTE: 20230610: Details: 
https://lists.debian.org/debian-lts/2023/06/msg00032.html
   NOTE: 20230610: my recommendation would be to put the package on the 
"not-supported" list. (tobi)
 --
-opendkim
+opendkim (tobi)
   NOTE: 20230821: Added by Front-Desk (ta)
   NOTE: 20231006: Unfixed upstream as of today. (spwhitton)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3ef3824bebce20c2f92839136dd73912a1ae6c9



[Git][security-tracker-team/security-tracker][master] LTS: claim amanda in dla-needed.txt

2023-11-19 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a63f0bd4 by Tobias Frost at 2023-11-19T20:26:07+01:00
LTS: claim amanda in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-amanda
+amanda (tobi)
   NOTE: 20230730: Added by Front-Desk (apo)
 --
 bind9 (Thorsten Alteholz)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a63f0bd4c850a26163e9b075a8c3f5894a7eeaf5



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3655-1 for lwip

2023-11-18 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e7c4ebe by Tobias Frost at 2023-11-18T22:38:14+01:00
Reserve DLA-3655-1 for lwip

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -233674,7 +233674,6 @@ CVE-2020-22284 (A buffer overflow vulnerability in 
the zepif_linkoutput() functi
 CVE-2020-22283 (A buffer overflow vulnerability in the 
icmp6_send_response_with_addrs_ ...)
- lwip 2.1.3+dfsg1-1 (bug #991645)
[bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
-   [buster] - lwip  (Minor issue)
NOTE: https://savannah.nongnu.org/bugs/index.php?58553
NOTE: Pre-requisite: 
http://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=d843e47a1d65451bd7f7aaa5017b408bd108be88
 (master)
NOTE: Fixed by: 
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=489405839ae0fea8b99c4896f632eb688dc8a19a
 (master)
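Review bot: the entry's NOTE lists d843e47a… as a pre-requisite for the fix 489405839…, and buster ships lwip 2.0.3 (the DLA below is 2.0.3-3+deb10u2), which predates both commits. The DLA text should state whether the prerequisite was backported together with the fix or the fix was reworked for 2.0.x, since a later reader of this entry will otherwise assume the upstream master commits were applied as-is.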


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[18 Nov 2023] DLA-3655-1 lwip - security update
+   {CVE-2020-22283}
+   [buster] - lwip 2.0.3-3+deb10u2
 [17 Nov 2023] DLA-3654-1 freerdp2 - security update
{CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283 
CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877}
[buster] - freerdp2 2.3.0+dfsg1-2+deb10u4


=
data/dla-needed.txt
=
@@ -125,10 +125,6 @@ linux (Ben Hutchings)
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
-lwip (tobi)
-  NOTE: 20231101: Added by Front-Desk (lamby)
-  NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby)
---
 mediawiki (guilhem)
   NOTE: 20231011: Added by Front-Desk (ta)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e7c4ebee2fc91d6ba8f647454321230491e2474



[Git][security-tracker-team/security-tracker][master] CVE-2020-22284/lwip buster not affected

2023-11-18 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
db650aba by Tobias Frost at 2023-11-18T18:06:18+01:00
CVE-2020-22284/lwip buster not affected

The vulnerable code is in the 6LowPAN encapsulation for ZEP (ZigBee
Encapsulation Protocol),
which has been introduced with commit 43a55003da622851b1c1677c8e7cb75e9430300f,
first seen in tag STABLE-2_1_0_RC1. Buster does not have that feature.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -233657,10 +233657,11 @@ CVE-2020-22285
 CVE-2020-22284 (A buffer overflow vulnerability in the zepif_linkoutput() 
function of  ...)
- lwip 2.1.3+dfsg1-1 (bug #991646)
[bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
-   [buster] - lwip  (Minor issue)
+   [buster] - lwip  (vulnerable code is not present)
NOTE: https://savannah.nongnu.org/bugs/index.php?58554
NOTE: 
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=8363c24e45a32728e385cfc2c3c36d88a8a9e70b
 (master)
NOTE: 
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=379d55044e9181533f1fd4d0e0cf89bc01cb9b8b
 (STABLE-2_1_3_RC1)
+   NOTE: Vulnerable feature introduced with 
https://git.savannah.nongnu.org/cgit/lwip.git/commit/?id=43a55003da622851b1c1677c8e7cb75e9430300f
 (first contained in STABLE-2_1_0_RC1)
 CVE-2020-22283 (A buffer overflow vulnerability in the 
icmp6_send_response_with_addrs_ ...)
- lwip 2.1.3+dfsg1-1 (bug #991645)
[bullseye] - lwip 2.1.2+dfsg1-8+deb11u1
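Review bot: `(vulnerable code is not present)` is a valid reason, but the phrase established elsewhere in data/CVE/list is `Vulnerable code not present`; keep to it so the entries can be grepped consistently. The added NOTE with the introducing commit and the first tag containing it is exactly what a later triager needs; consider adding the corresponding upstream version (2.1.0) next to the tag name, since the tag naming scheme is not obvious when comparing with Debian version strings.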



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db650aba4558a355d1cf9ab82dd2212622b63d78



[Git][security-tracker-team/security-tracker][master] LTS: claim lwip in dla-needed.txt

2023-11-18 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f8f15618 by Tobias Frost at 2023-11-18T13:11:58+01:00
LTS: claim lwip in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -125,7 +125,7 @@ linux (Ben Hutchings)
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
-lwip
+lwip (tobi)
   NOTE: 20231101: Added by Front-Desk (lamby)
   NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8f15618ac2f01dfa9c56e8d3de82809445124e2



[Git][security-tracker-team/security-tracker][master] Fix typo in list of affected CVEs for DLA-3654-1

2023-11-17 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9cdaaddf by Tobias Frost at 2023-11-17T18:28:16+01:00
Fix typo in list of affected CVEs for DLA-3654-1

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,5 @@
 [17 Nov 2023] DLA-3654-1 freerdp2 - security update
-   {CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39316 
CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877 CVE-2023-39283}
+   {CVE-2021-41160 CVE-2022-24883 CVE-2022-39282 CVE-2022-39283 
CVE-2022-39316 CVE-2022-39318 CVE-2022-39319 CVE-2022-39347 CVE-2022-41877}
[buster] - freerdp2 2.3.0+dfsg1-2+deb10u4
 [15 Nov 2023] DLA-3653-1 libclamunrar - security update
{CVE-2023-40477}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9cdaaddff6245cce3d06259a0079896f98227d8a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3654-1 for freerdp2

2023-11-17 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a1595abf by Tobias Frost at 2023-11-17T18:17:04+01:00
Reserve DLA-3654-1 for freerdp2

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -77973,7 +77973,6 @@ CVE-2022-41878 (Parse Server is an open source backend 
that can be deployed to a
 CVE-2022-41877 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pmv3-wpw4-pw5h
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/6655841cf2a00b764f855040aecb8803cfc5eaba
 CVE-2022-41876 (ezplatform-graphql is a GraphQL server implementation for 
Ibexa DXP an ...)
@@ -84411,7 +84410,6 @@ CVE-2022-39348 (Twisted is an event-based framework for 
internet applications. S
 CVE-2022-39347 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c5xq-8v35-pffg
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/027424c2c6c0991cb9c22f9511478229c9b17e5d
 CVE-2022-39346 (Nextcloud server is an open source personal cloud server. 
Affected ver ...)
@@ -84501,13 +84499,11 @@ CVE-2022-39320 (FreeRDP is a free remote desktop 
protocol library and clients. A
 CVE-2022-39319 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mvxm-wfj2-5fvh
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/11555828d2cf289b350baba5ad1f462f10b80b76
 CVE-2022-39318 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-387j-8j96-7q35
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/80adde17ddc4b596ed1dae0922a0c54ab3d4b8ea
 CVE-2022-39317 (FreeRDP is a free remote desktop protocol library and clients. 
Affecte ...)
@@ -84518,7 +84514,6 @@ CVE-2022-39317 (FreeRDP is a free remote desktop 
protocol library and clients. A
 CVE-2022-39316 (FreeRDP is a free remote desktop protocol library and clients. 
In affe ...)
- freerdp2 2.9.0+dfsg1-1 (bug #1024511)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-5w4j-mrrh-jjrm
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/e865c24efc40ebc52e75979c94cdd4ee2c1495b0
 CVE-2022-39315 (Kirby is a Content Management System. Prior to versions 
3.5.8.2, 3.6.6 ...)
@@ -84613,7 +84608,6 @@ CVE-2022-39283 (FreeRDP is a free remote desktop 
protocol library and clients. A
 CVE-2022-39282 (FreeRDP is a free remote desktop protocol library and clients. 
FreeRDP ...)
- freerdp2 2.8.1+dfsg1-1 (bug #1021659)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
NOTE: patch likely: 
https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe
 (not confirmed by upstream)
 CVE-2022-39281 (fat_free_crm is a an open source, Ruby on Rails customer 
relationship  ...)
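Review bot: for CVE-2022-39282 the [buster] line is dropped while the only fix reference in the entry is still "patch likely: ... (not confirmed by upstream)", so the DLA now claims a fix on the basis of an unconfirmed commit; record in the NOTE how the patch was validated for the buster build (the commit message of the earlier tracker change on this page cites a comparison of 2.8.0 and 2.8.1), or reword the NOTE once upstream confirms, so that a later reader of the entry can tell why buster is considered fixed.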
@@ -126065,7 +126059,6 @@ CVE-2022-24884 (ecdsautils is a tiny collection of 
programs used for ECDSA (keyg
 CVE-2022-24883 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP). ...)
- freerdp2 2.7.0+dfsg1-1
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qxm3-v2r6-vmwf
NOTE: Fixed by: 
https://github.com/FreeRDP/FreeRDP/commit/4661492e5a617199457c8074bad22f766a116cdc
@@ -154250,7 +154243,6 @@ CVE-2021-41161 (Combodo iTop is a web based IT 
Service Management tool. In versi
 CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.4.1+dfsg1-1 (bug #1001062)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7c9r-6r2q-93qg


=

[Git][security-tracker-team/security-tracker][master] CVE-2022-39282 and CVE-2022-39283 (freerdp2) - link to likely patch

2023-11-12 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
818ee323 by Tobias Frost at 2023-11-12T12:47:57+01:00
CVE-2022-39282 and CVE-2022-39283 (freerdp2) - link to likely patch

Note: It has not been confirmed if this is the correct patch, but comparing 
2.8.0 and 2.8.1 identifies this commit
as the very likely patch.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -83283,11 +83283,13 @@ CVE-2022-39283 (FreeRDP is a free remote desktop 
protocol library and clients. A
[bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh
+   NOTE: patch likely: 
https://github.com/FreeRDP/FreeRDP/commit/be793c3bb776c1bbda9156b427408d5a5eb00f70
 (not confirmed by upstream)
 CVE-2022-39282 (FreeRDP is a free remote desktop protocol library and clients. 
FreeRDP ...)
- freerdp2 2.8.1+dfsg1-1 (bug #1021659)
[bullseye] - freerdp2  (Minor issue)
[buster] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq
+   NOTE: patch likely: 
https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe
 (not confirmed by upstream)
 CVE-2022-39281 (fat_free_crm is a an open source, Ruby on Rails customer 
relationship  ...)
NOT-FOR-US: fat_free_crm
 CVE-2022-39280 (dparse is a parser for Python dependency files. dparse in 
versions bef ...)
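Review bot: the two new "patch likely" NOTEs give the commit but not the basis for the attribution; the reasoning in the commit message (the commit was identified by comparing 2.8.0 and 2.8.1) is not visible to readers of data/CVE/list, so put it into the NOTE text itself, for example "patch likely (identified by diffing 2.8.0..2.8.1, not confirmed by upstream)". Leaving both [buster] lines at "Minor issue" is consistent with the patch not yet being confirmed.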



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/818ee3236b99ff1208e49754ca1793ea72a8



[Git][security-tracker-team/security-tracker][master] CVE-2021-41160/freerdp2 - buster backport is not feasible, setting to ignored.

2023-11-12 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54629370 by Tobias Frost at 2023-11-12T11:57:42+01:00
CVE-2021-41160/freerdp2 - buster backport is not feasible, setting to ignored.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -152928,10 +152928,11 @@ CVE-2021-41160 (FreeRDP is a free implementation of 
the Remote Desktop Protocol
 CVE-2021-41159 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.4.1+dfsg1-1 (bug #1001061)
[bullseye] - freerdp2  (Minor issue)
-   [buster] - freerdp2  (Minor issue)
+   [buster] - freerdp2  (Patch is too instrusive to backport)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5
 (Stable 2.0 backports)
+   NOTE: The RFC gateway parsing code has been completly refactored, 
backporting to 2.3.x is not feasible.
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/f0b44da67c09488178000725ff9f2729ccfdf9fe
 CVE-2021-41158 (FreeSWITCH is a Software Defined Telecom Stack enabling the 
digital tr ...)
- freeswitch  (bug #389591)
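Review bot: the commit title names CVE-2021-41160, but the changed [buster] line and the new NOTE sit under the CVE-2021-41159 entry (the hunk header only shows CVE-2021-41160 as trailing context), so the title carries the wrong identifier; worth correcting in a follow-up so the history is searchable by the right ID. Two typos in the added lines: "instrusive" for "intrusive" and "completly" for "completely"; "RFC gateway" is presumably the RDP gateway (rdg) parsing code.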



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54629370e010f1a589026e4e865bad921b90f933



[Git][security-tracker-team/security-tracker][master] reclaim freerdp2, update status.

2023-11-06 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca3230ff by Tobias Frost at 2023-11-07T07:16:37+01:00
reclaim freerdp2, update status.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -72,11 +72,12 @@ freeimage (gladk)
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)
 --
-freerdp2
+freerdp2 (tobi)
   NOTE: 20230924: Added by Front-Desk (apo)
   NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
   NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
   NOTE: 20231023: Will continue working on package next weekend. (tobi)
+  NOTE: 20231107: 80% ready, waiting for upstream feedback about remaining 
CVEs which have not indicated the patch needed. (tobi)
 --
 galera-3 (Adrian Bunk)
   NOTE: 20231028: Added by Front-Desk (gladk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca3230ffcc6005fd7c628e1d74e28699a05598c5



[Git][security-tracker-team/security-tracker][master] document embedded-code copy of enet in assaultcube.

2023-11-01 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f9985ab0 by Tobias Frost at 2023-11-01T08:19:49+01:00
document embedded-code copy of enet in assaultcube.

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -1473,6 +1473,7 @@ libparagui1.1
 
 enet
- sauerbraten  (embed; #497194)
+   - assaultcube  (embed; #1018947, uses version 1.3.6, slightly 
modified)
 
 eglibc
- glibc  (old-version)
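Review bot: the new assaultcube line records the embedded enet version (1.3.6) and that it is "slightly modified", which is the useful part, but not where the copy lives in the assaultcube source; adding the path of the embedded tree (in the parenthesised comment or a NOTE) makes it much quicker to check whether a future enet CVE touches the modified code.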



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9985ab0a4f983544996e7a5ac50017a1cfe461f



[Git][security-tracker-team/security-tracker][master] Add note that I'm still working on the package.

2023-10-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8f919ca by Tobias Frost at 2023-10-22T10:55:04+02:00
Add note that I'm still working on the package.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -80,6 +80,7 @@ freerdp2 (tobi)
   NOTE: 20230924: Added by Front-Desk (apo)
   NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
   NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
+  NOTE: 20231023: Will continue working on package next weekend. (tobi)
 --
 gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20230928: Added by Frond-Desk (ola)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8f919caea4dda6d416f9be30ab0e3788d45



[Git][security-tracker-team/security-tracker][master] CVE-2023-29454/zabbix - buster does not have the affected Go agent.

2023-10-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e3e9192 by Tobias Frost at 2023-10-22T10:28:58+02:00
CVE-2023-29454/zabbix - buster does not have the affected Go agent.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27422,6 +27422,7 @@ CVE-2023-29454 (Stored or persistent cross-site 
scripting (XSS) is a type of XSS
NOTE: https://support.zabbix.com/browse/ZBX-22985
 CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript 
string  ...)
- zabbix 
+   [buster] - zabbix  (buster does not have the Go agent)
NOTE: https://support.zabbix.com/browse/ZBX-23388
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> 
Geograph ...)
- zabbix 
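Review bot: the commit title says CVE-2023-29454, but the [buster] line is added under CVE-2023-29453 (the template/backtick issue, the one that concerns the Go agent), so the identifier in the title is wrong while the change itself lands on the right entry. As with the other status edits, the status keyword before the parenthesised reason is not visible in this rendering, so confirm the entry uses the not-affected state rather than only a free-text comment.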



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e3e91925055b29316040bded4f041f767d4dab0



[Git][security-tracker-team/security-tracker][master] CVE-2023-32721/zabbix, add potential upstream fix.

2023-10-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a359dd4 by Tobias Frost at 2023-10-22T10:18:13+02:00
CVE-2023-32721/zabbix, add potential upstream fix.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1550,6 +1550,7 @@ CVE-2023-32722 (The zabbix/src/libs/zbxjson module is 
vulnerable to a buffer ove
 CVE-2023-32721 (A stored XSS has been found in the Zabbix web application in 
the Maps  ...)
- zabbix  (bug #1053877)
NOTE: https://support.zabbix.com/browse/ZBX-23389
+   NOTE: possible upstream fix (4.0.x) 
https://github.com/zabbix/zabbix/commit/d05854bc0e638bbc0c2077ded09797648dba0911
 CVE-2023-5535 (Use After Free in GitHub repository vim/vim prior to v9.0.2010.)
- vim 2:9.0.2018-1 (unimportant)
NOTE: https://huntr.dev/bounties/2c2d85a7-1171-4014-bf7f-a2451745861f



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a359dd453e99b677ae2846c8f7af413f4de8361



[Git][security-tracker-team/security-tracker][master] CVE-2023-32723/zabbix, identified upstream fix.

2023-10-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7661cd41 by Tobias Frost at 2023-10-22T09:52:56+02:00
CVE-2023-32723/zabbix, identified upstream fix.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1525,6 +1525,7 @@ CVE-2023-32724 (Memory pointer is in a property of the 
Ducktape object. This lea
 CVE-2023-32723 (Request to LDAP is sent before user permissions are checked.)
- zabbix  (bug #1053877)
NOTE: https://support.zabbix.com/browse/ZBX-23230
+   NOTE: very likely commit 
https://github.com/zabbix/zabbix/commit/3576afe9b87d8ad1ba92a13c28ba904671087688
 (for 4.0.x)
 CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer 
overflow  ...)
- zabbix  (bug #1053877)
[buster] - zabbix  (vulnerable code introduced later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7661cd41edc8758ba26754e32d6c3a2da902ace4



[Git][security-tracker-team/security-tracker][master] Add version for DLA-3538-2

2023-10-21 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b1225ec by Tobias Frost at 2023-10-21T12:25:50+02:00
Add version for DLA-3538-2

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,4 +1,5 @@
 [21 Oct 2023] DLA-3538-2 zabbix - regression update
+   [buster] - zabbix 1:4.0.4+dfsg-1+deb10u3
 [20 Oct 2023] DLA-3624-1 zookeeper - security update
{CVE-2023-44981}
[buster] - zookeeper 3.4.13-2+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1225ec4d0dc92b32b91231b4aa414ac729fbcf



[Git][security-tracker-team/security-tracker][master] DLA-3538-2 zabbix - regression update.

2023-10-21 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2fff31fc by Tobias Frost at 2023-10-21T12:09:11+02:00
DLA-3538-2 zabbix - regression update.

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,4 @@
+[21 Oct 2023] DLA-3538-2 zabbix - regression update
 [20 Oct 2023] DLA-3624-1 zookeeper - security update
{CVE-2023-44981}
[buster] - zookeeper 3.4.13-2+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fff31fc5df89b601421ee65398dba3af5f2ac1c



[Git][security-tracker-team/security-tracker][master] Readd freerdp2, missed a few CVEs.

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3444d5a6 by Tobias Frost at 2023-10-07T20:14:56+02:00
Readd freerdp2, missed a few CVEs.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,6 +83,11 @@ freeimage (gladk)
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)
 --
+freerdp2 (tobi)
+  NOTE: 20230924: Added by Front-Desk (apo)
+  NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
+  NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
+--
 gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20230928: Added by Frond-Desk (ola)
 --
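Review bot: the NOTE 20231007 line is the only one in the re-added block without the author suffix the other entries carry ("(apo)", "(tobi)"), so add "(tobi)" to it; while touching it, fix "unfortunatly" to "unfortunately", "CVES" to "CVEs" and "an follow up" to "a follow-up".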



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3444d5a6def9296e8850bbd238a395e894d40930



[Git][security-tracker-team/security-tracker][master] DLA-3606-1 Fix wrong number in CVE, paste error

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2b73022 by Tobias Frost at 2023-10-07T20:12:43+02:00
DLA-3606-1 Fix wrong number in CVE, paste error

s/CVE-2023-39357/CVE-2023-40567/

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -3,7 +3,7 @@
 [07 Oct 2023] DLA-3607-1 gnome-boxes - security update
[buster] - gnome-boxes 3.30.3-2+deb10u1
 [07 Oct 2023] DLA-3606-1 freerdp2 - security update
-   {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 
CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 
CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 
CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 
CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 
CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 
CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 
CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 
CVE-2023-39356 CVE-2023-39357 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 
CVE-2023-40569 CVE-2023-40589}
+   {CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 
CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 
CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 
CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 
CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 
CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 
CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 
CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 
CVE-2023-39356 CVE-2023-40567 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 
CVE-2023-40569 CVE-2023-40589}
[buster] - freerdp2 2.3.0+dfsg1-2+deb10u3
 [06 Oct 2023] DLA-3605-1 grub2 - security update
{CVE-2023-4692 CVE-2023-4693}
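Review bot: the replacement correctly swaps CVE-2023-39357 for CVE-2023-40567, but the list is otherwise sorted ascending and CVE-2023-40567 now appears before CVE-2023-40181 and CVE-2023-40186; moving it after CVE-2023-40188 keeps the list in order, which makes paste errors like this one easier to spot by eye.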



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2b73022165519a316d238c97c4edd2e0bf1952c



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3608-1 for vinagre

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0436bd8 by Tobias Frost at 2023-10-07T19:35:16+02:00
Reserve DLA-3608-1 for vinagre

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[07 Oct 2023] DLA-3608-1 vinagre - security update
+   [buster] - vinagre 3.22.0-6+deb10u1
 [07 Oct 2023] DLA-3607-1 gnome-boxes - security update
[buster] - gnome-boxes 3.30.3-2+deb10u1
 [07 Oct 2023] DLA-3606-1 freerdp2 - security update
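Review bot: the reserved DLA-3608-1 entry carries the buster version but no {CVE-...} line, the same as the DLA-3607-1 gnome-boxes reservation directly below it; the CVE list has to be filled in before the advisory is announced, otherwise the tracker cannot link the fixed version to the issues it closes.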



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0436bd84fdbee04476a2e3ee22cf1cb8ff043e4



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3607-1 for gnome-boxes

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9fad6642 by Tobias Frost at 2023-10-07T19:34:57+02:00
Reserve DLA-3607-1 for gnome-boxes

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[07 Oct 2023] DLA-3607-1 gnome-boxes - security update
+   [buster] - gnome-boxes 3.30.3-2+deb10u1
 [07 Oct 2023] DLA-3606-1 freerdp2 - security update
{CVE-2020-4030 CVE-2020-4031 CVE-2020-4032 CVE-2020-4033 CVE-2020-11017 
CVE-2020-11018 CVE-2020-11019 CVE-2020-11038 CVE-2020-11039 CVE-2020-11040 
CVE-2020-11041 CVE-2020-11042 CVE-2020-11043 CVE-2020-11044 CVE-2020-11045 
CVE-2020-11046 CVE-2020-11047 CVE-2020-11048 CVE-2020-11049 CVE-2020-11058 
CVE-2020-11085 CVE-2020-11086 CVE-2020-11087 CVE-2020-11088 CVE-2020-11089 
CVE-2020-11095 CVE-2020-11096 CVE-2020-11097 CVE-2020-11098 CVE-2020-11099 
CVE-2020-13396 CVE-2020-13397 CVE-2020-13398 CVE-2020-15103 CVE-2023-39350 
CVE-2023-39351 CVE-2023-39352 CVE-2023-39353 CVE-2023-39354 CVE-2023-39355 
CVE-2023-39356 CVE-2023-39357 CVE-2023-40181 CVE-2023-40186 CVE-2023-40188 
CVE-2023-40569 CVE-2023-40589}
[buster] - freerdp2 2.3.0+dfsg1-2+deb10u3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9fad6642f5b4c4f089948350d5cce45e2302f0d4



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3606-1 for freerdp2

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
39e68e24 by Tobias Frost at 2023-10-07T19:34:11+02:00
Reserve DLA-3606-1 for freerdp2

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -242062,7 +242062,6 @@ CVE-2020-15104 (In Envoy before versions 1.12.6, 
1.13.4, 1.14.4, and 1.15.0 when
- envoyproxy  (bug #987544)
 CVE-2020-15103 (In FreeRDP less than or equal to 2.1.2, an integer overflow 
exists due ...)
- freerdp2 2.2.0+dfsg1-1 (bug #965979)
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Vulnerable gfx code not present)
NOTE: https://github.com/FreeRDP/FreeRDP/pull/6381
@@ -246924,19 +246923,16 @@ CVE-2020-13399
 CVE-2020-13398 (An issue was discovered in FreeRDP before 2.1.1. An 
out-of-bounds (OOB ...)
{DLA-2356-1}
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/8305349a943c68b1bc8c158f431dc607655aadea
 CVE-2020-13397 (An issue was discovered in FreeRDP before 2.1.1. An 
out-of-bounds (OOB ...)
{DLA-2356-1}
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/d6cd14059b257318f176c0ba3ee0a348826a9ef8
 CVE-2020-13396 (An issue was discovered in FreeRDP before 2.1.1. An 
out-of-bounds (OOB ...)
{DLA-2356-1}
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/48361c411e50826cb602c7aab773a8a20e1da6bc
 CVE-2020-13395
@@ -254026,29 +254022,24 @@ CVE-2016-11023 (odata4j 0.7.0 allows 
ExecuteCountQueryCommand.java SQL injection
NOT-FOR-US: odata4j
 CVE-2020-11099 (In FreeRDP before version 2.1.2, there is an out of bounds 
read in lic ...)
- freerdp2 2.1.2+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-977w-866x-4v5h
 CVE-2020-11098 (In FreeRDP before version 2.1.2, there is an out-of-bound read 
in glyp ...)
- freerdp2 2.1.2+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-jr57-f58x-hjmv
 CVE-2020-11097 (In FreeRDP before version 2.1.2, an out of bounds read occurs 
resultin ...)
- freerdp2 2.1.2+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c8x2-c3c9-9r3f
 CVE-2020-11096 (In FreeRDP before version 2.1.2, there is a global OOB read in 
update_ ...)
- freerdp2 2.1.2+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mjw7-3mq2-996x
 CVE-2020-11095 (In FreeRDP before version 2.1.2, an out of bound reads occurs 
resultin ...)
- freerdp2 2.1.2+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-563r-pvh7-4fw2
@@ -254064,30 +254055,25 @@ CVE-2020-11090 (In Indy Node 1.12.2, there is an 
Uncontrolled Resource Consumpti
NOT-FOR-US: Indy Node
 CVE-2020-11089 (In FreeRDP before 2.1.0, there is an out-of-bound read in irp 
function ...)
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hfc7-c5gv-8c2h
 CVE-2020-11088 (In FreeRDP less than or equal to 2.0.0, there is an 
out-of-bound read  ...)
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xh4f-fh87-43hp
 CVE-2020-11087 (In FreeRDP less than or equal to 2.0.0, there is an 
out-of-bound read  ...)
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-84vj-g73m-chw7
 CVE-2020-11086 (In FreeRDP less than or equal to 2.0.0, there is an 
out-of-bound read  ...)
- freerdp2 2.1.1+dfsg1-1
-   [buster] - freerdp2  (Minor issue)
- freerdp 
[stretch] - freerdp  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fg8v-w34r-c974
 CVE-2020-11085 (In FreeRDP before 2.1.0, there is an out-of-bounds read in 
cliprdr_rea ...)
- freerdp2 2.1.1+dfsg1-1
-  

[Git][security-tracker-team/security-tracker][master] Fix typo in version for CVE-2023-39356/freerdp2

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
04a56826 by Tobias Frost at 2023-10-07T12:15:20+02:00
Fix typo in version for CVE-2023-39356/freerdp2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5208,7 +5208,7 @@ CVE-2023-39356 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e
 (2.11.0)
-   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46
 (2.11.1)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46
 (2.11.0)
 CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2  (Vulnerable code not present)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h
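Review bot: the only change is the release annotation on commit 23db2f4e, from (2.11.1) to (2.11.0), which brings it in line with the (2.11.0) annotation on the sibling fix 889348a8 in the same entry. Since these annotations are what later triage uses to decide whether 2.11.2+dfsg1-1 really carries both fixes, the commit message would be more useful if it said how the release was determined (for example which upstream tag contains the commit) instead of only calling it a typo.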



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04a568264120bc97b1ca29977b4ed8f15f22ed95

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04a568264120bc97b1ca29977b4ed8f15f22ed95
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] swap order of patches for CVE-2023-39353, as they have to be applied in that order.

2023-10-07 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
54c94596 by Tobias Frost at 2023-10-07T12:12:59+02:00
swap order of patches for CVE-2023-39353, as they have to be applied in that 
order.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5210,8 +5210,8 @@ CVE-2023-39354 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
-   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
 (2.11.0)
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b
 (2.11.0)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
 (2.11.0)
 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
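Review bot: the hunk moves the NOTE for 9ed6d6ba below the one for efa0567c, but nothing in the entry itself records that the order matters; only the commit message does. Consider appending the hint to the line, e.g. `NOTE: https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a (2.11.0, apply after efa0567c)`, so the dependency survives the next reordering of the notes.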



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54c945966670557a4e3d7310a23e52e417dd6fde



[Git][security-tracker-team/security-tracker][master] freerdp2: Add patches fixing CVEs (see complete commit message for details)

2023-10-04 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
677ea8f5 by Tobias Frost at 2023-10-04T19:35:11+02:00
freerdp2: Add patches fixing CVEs (see complete commit message for details)

Asked Upstream to associate CVEs with commit ids (via IRC,
 #debian-remote), received the following information:

CVE-2023-39350
7ece410ce5b5660b9191e1ccb6835158afa11822

CVE-2023-39351
99e243cdbc31f66b5c917452c8fed3276e8bdcd5

CVE-2023-39352
6a63441e4ee8e2bf61f5d24156a183b14ecd

CVE-2023-39353
9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
efa0567c027239b901ccdc590b9e229e0111c68b

CVE-2023-39354
82ac0164f330c08ddd9a6ef6f3dbf846c4b79def
9a1ee1bae5a9561f5031a7b69129f10458b62d4a

CVE-2023-39356
23db2f4e6ba71f1c10c543f24de595d7340adb46
889348a86e49bc8f1351ed6496d847b32db5f86e

CVE-2023-40567
bacb8c016ef72aa767760b6b01d15500aee9d59a

CVE-2023-40569
23c3daeca1598393f8c93f563f7847a4d67919f1

CVE-2023-40181
c23cbdc4a5756bd723223c7139654de7439fdcc0

CVE-2023-40186
d8a1ac342ae375644c70579c33b5cf38fb43b083

CVE-2023-40188
bdb3909a7713fb0b3d94c9676fe44d19de80eb4b

CVE-2023-40589
c659973bb4cd65c065f2fe1a807dbc6805c684c6

(Information available on: https://salsa.debian.org/-/snippets/662)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4736,10 +4736,13 @@ CVE-2023-41034 (Eclipse Leshan is a device management 
server and client Java imp
 CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x
-   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416
 (3.0.0-beta3)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/c659973bb4cd65c065f2fe1a807dbc6805c684c6
 (2.11.0)
 CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46
 (2.11.0)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e
 (2.11.0)
 CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hvwj-vmg6-2f5h
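Review bot: the commit message lists commit ids for CVE-2023-40567, CVE-2023-40569, CVE-2023-40181, CVE-2023-40186 and CVE-2023-40188, but this hunk touches only the CVE-2023-40589 and CVE-2023-39356 entries; if those five are not updated in a later hunk they are still without fix references. For CVE-2023-40589 the existing 16141a30 reference is now annotated (3.0.0-beta3) next to the new c659973b (2.11.0) line, which is the right thing to record, since the 3.0 commit alone would not justify the 2.11.2+dfsg1-1 fixed version.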
@@ -4747,21 +4750,25 @@ CVE-2023-39355 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
 CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
-   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/cd1da25a87358eb3b5512fd259310e95b19a05ec
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def
 (2.11.0)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a
 (2.11.0)
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
 (2.11.0)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b
 (2.11.0)
 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/6a63441e4ee8e2bf61f5d24156a183b14ecd
 (2.11.0)
 CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
-   NOTE: Potential patch: 
https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5
 (2.11.0)
+   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5
 (2.11.0)
 CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
-   NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/e204fc8be5a372626b13f66daf2abafe71dbc2dc
+   NOTE: 

[Git][security-tracker-team/security-tracker][master] Revert "identified potential patch for CVE-2023-39353/freerdp2"

2023-10-03 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35c2267b by Tobias Frost at 2023-10-03T13:01:28+02:00
Revert identified potential patch for CVE-2023-39353/freerdp2

This reverts commit e345b33f305d9f11ad03283806e743dc8039e7a5.

(I think this was a wrong call…)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4484,7 +4484,6 @@ CVE-2023-39354 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
-   NOTE: likely this patch: 
https://github.com/FreeRDP/FreeRDP/commit/efa0567c02
 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
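Review bot: the removed line carried only an abbreviated id (efa0567c02) and a "likely" qualifier, and the commit message gives no more reason for the revert than "I think this was a wrong call"; a sentence in the commit message, or a NOTE in the entry, stating what was checked against the GHSA-hg53-9j9h-3c8f advisory would stop the next triager from re-adding the same guess.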



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35c2267b5f2aa4d267ebaa6bdb8a5d5bc49d8dcc



[Git][security-tracker-team/security-tracker][master] 2 commits: identified potential patch for CVE-2023-39353/freerdp2

2023-10-03 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e345b33f by Tobias Frost at 2023-10-03T12:42:05+02:00
identified potential patch for CVE-2023-39353/freerdp2

- - - - -
21a3763b by Tobias Frost at 2023-10-03T12:48:48+02:00
Potential patch for CVE-2023-39350/freerdp2

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4484,12 +4484,14 @@ CVE-2023-39354 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
+   NOTE: likely this patch: 
https://github.com/FreeRDP/FreeRDP/commit/efa0567c02
 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
 CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
+   NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243c
 CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
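Review bot: both added NOTE lines use abbreviated commit ids (efa0567c02 and 99e243c) where the other commit references in data/CVE/list use full 40-character ids. Short ids can become ambiguous as the upstream repository grows and are harder to grep for, so please expand them, e.g. `NOTE: Potential patch: https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5`. The "likely"/"Potential patch" qualifiers are good; they should be dropped only once upstream confirms the mapping.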



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c2b71f3c44137ae6d6ac58d22dbfcb84c574dae7...21a3763b73989d103f2ed6d6b4524bfa8a9c98d7



[Git][security-tracker-team/security-tracker][master] Mark CVE-2022-29654 the same as its duplicate, CVE-2022-44370

2023-10-01 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6e4431cb by Tobias Frost at 2023-10-01T20:59:15+02:00
Mark CVE-2022-29654 the same as its duplicate, CVE-2022-44370

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -103395,6 +103395,7 @@ CVE-2022-29656 (Wedding Management System v1.0 was 
discovered to contain a SQL i
 CVE-2022-29655 (An arbitrary file upload vulnerability in the Upload Photos 
module of  ...)
NOT-FOR-US: Wedding Management System
 CVE-2022-29654 (Buffer overflow vulnerability in quote_for_pmake in asm/nasm.c 
in nasm ...)
+   - nasm 2.16.01-1 (unimportant)
NOTE: Duplicate of CVE-2022-44370
 CVE-2022-29653 (OFCMS v1.1.4 was discovered to contain a cross-site scripting 
(XSS) vu ...)
NOT-FOR-US: OFCMS
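Review bot: the entry gains a fixed version and an (unimportant) severity next to the existing "Duplicate of CVE-2022-44370" NOTE, but the CVE-2022-44370 entry the commit message says these values are copied from is not part of the hunk, so the diff alone does not let a reviewer confirm that 2.16.01-1 and the severity match. Quoting the source entry in the commit message would make that check possible.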



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e4431cb118b3814724bdbb5c1efea0d8accb8ba



[Git][security-tracker-team/security-tracker][master] CVE-2022-40626/zabbix : Mark no-dsa for buster as well, for consistency.

2023-10-01 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c85b6e56 by Tobias Frost at 2023-10-01T20:19:43+02:00
CVE-2022-40626/zabbix : Mark no-dsa for buster as well, for consistency.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -72738,6 +72738,7 @@ CVE-2022-40627
 CVE-2022-40626 (An unauthenticated user can create a link with reflected 
Javascript co ...)
- zabbix 1:6.0.7+dfsg-2
[bullseye] - zabbix  (Minor issue)
+   [buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-21350
NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec
 (6.0.7rc1)
 CVE-2022-40625
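Review bot: marking buster the same as bullseye is consistent, but commit 74756a30 earlier in this thread reverted the previous buster annotation precisely because it was unclear whether the vulnerable backurl code is present in buster; this hunk settles the severity, not that question. A short NOTE recording whether buster's code was found to be affected would close it for the next triager.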



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c85b6e5685c1c71f0c58f48da0845a4249246f64



[Git][security-tracker-team/security-tracker][master] 2 commits: Unclaim and remove nasm from dla-needed.txt, as suggested by rouca to me via...

2023-10-01 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ede66f4a by Tobias Frost at 2023-10-01T11:29:48+02:00
Unclaim and remove nasm from dla-needed.txt, as suggested by rouca to me via 
IRC. (documentation part)

- - - - -
4234bbc9 by Tobias Frost at 2023-10-01T11:29:59+02:00
Unclaim and remove nasm from dla-needed.txt, as suggested by rouca to me via 
IRC. (removal from dla-needed.txt part)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -101,11 +101,6 @@ linux (Ben Hutchings)
 mosquitto (Markus Koschany)
   NOTE: 20230924: Added by Front-Desk (apo)
 --
-nasm (tobi)
-  NOTE: 20230907: Added by Front-Desk (lamby)
-  NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
-  NOTE: 20230907: but some of these may require some investigation. (lamby)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression
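Review bot: removing the nasm block also drops the only record that CVE-2020-18780, CVE-2020-21685 and CVE-2020-21686 "may require some investigation"; the commit message says the unclaim was suggested on IRC but not what the conclusion for those CVEs was. Stating the outcome in the commit message, or keeping a short NOTE on the CVE entries, would keep the triage reasoning from being lost with the removal.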



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/07563feb18f75f9418760697b1ebd4737ed3c2e9...4234bbc989cb18697f70d80ffeb68079d8803f24



[Git][security-tracker-team/security-tracker][master] LTS: claim freerdp2 in dla-needed.txt

2023-09-30 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7bc895d4 by Tobias Frost at 2023-09-30T21:58:31+02:00
LTS: claim freerdp2 in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -69,7 +69,7 @@ freeimage (gladk)
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
   NOTE: 20230826: out the DLA/ELA now. (utkarsh)
 --
-freerdp2
+freerdp2 (tobi)
   NOTE: 20230924: Added by Front-Desk (apo)
   NOTE: 20230924: Too many unresolved issues have piled up. High popcon. (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc895d43aeeb1ef5b5728a8fd27dec13606a7e1



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3596-1 for firmware-nonfree

2023-09-30 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8b749e7e by Tobias Frost at 2023-09-30T21:09:40+02:00
Reserve DLA-3596-1 for firmware-nonfree

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[30 Sep 2023] DLA-3596-1 firmware-nonfree - security update
+   {CVE-2022-27635 CVE-2022-36351 CVE-2022-38076 CVE-2022-40964 
CVE-2022-46329}
+   [buster] - firmware-nonfree 20190114+really20220913-0+deb10u2
 [30 Sep 2023] DLA-3595-1 trafficserver - security update
{CVE-2022-47185 CVE-2023-33934}
[buster] - trafficserver 8.1.7-0+deb10u2


=
data/dla-needed.txt
=
@@ -63,9 +63,6 @@ dogecoin
 exim4
   NOTE: 20230928: Added by Front-Desk (ola)
 --
-firmware-nonfree (tobi)
-  NOTE: 20230820: Added by Front-Desk (ta)
---
 freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b749e7e1fd7df332c64f5a41a1d676eedcdd393



[Git][security-tracker-team/security-tracker][master] LTS: claim firmware-nonfree in dla-needed.txt

2023-09-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a6ae9e9c by Tobias Frost at 2023-09-24T13:44:30+02:00
LTS: claim firmware-nonfree in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -63,7 +63,7 @@ exempi
 exiv2
   NOTE: 20230906: Added by Front-Desk (lamby)
 --
-firmware-nonfree
+firmware-nonfree (tobi)
   NOTE: 20230820: Added by Front-Desk (ta)
 --
 flac (Sean Whitton)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6ae9e9ccb364d49fb2f3f50f53252b441200ec7



[Git][security-tracker-team/security-tracker][master] LTS: claim nasm in dla-needed.txt

2023-09-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
487d8afa by Tobias Frost at 2023-09-24T09:41:12+02:00
LTS: claim nasm in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -109,7 +109,7 @@ libreswan
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
-nasm
+nasm (tobi)
   NOTE: 20230907: Added by Front-Desk (lamby)
   NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686,
   NOTE: 20230907: but some of these may require some investigation. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/487d8afa73415d6174d8ddfaa2579693846af098



[Git][security-tracker-team/security-tracker][master] LTS: claim suricata in dla-needed.txt

2023-09-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d5b5bbc0 by Tobias Frost at 2023-09-24T09:40:46+02:00
LTS: claim suricata in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,7 +74,7 @@ freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
-  NOTE: 20230826: out the DLA/ELA now. (utkarsh)  
+  NOTE: 20230826: out the DLA/ELA now. (utkarsh)
 --
 gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
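Review bot: this first hunk only strips trailing whitespace from the freeimage entry and has nothing to do with claiming suricata; harmless, but unrelated cleanups are easier to review when they are mentioned in the commit message or kept in a separate commit.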
@@ -200,7 +200,7 @@ salt
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-suricata
+suricata (tobi)
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with 
last LTS update in Jessie,
   NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage 
(postponed/ignored),



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d5b5bbc0161a3a47e70496f93f9fd9fa95096aca



[Git][security-tracker-team/security-tracker][master] Revert 535390052, CVE-2022-40626/zabbix after revisiting patch for jessie I'm...

2023-09-10 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74756a30 by Tobias Frost at 2023-09-10T16:16:23+02:00
Revert 535390052, CVE-2022-40626/zabbix after revisiting patch for jessie. 
I'm not sure anymore if it has been introduced later
and re-evaluation for buster might be necessary.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -69658,7 +69658,6 @@ CVE-2022-40627
 CVE-2022-40626 (An unauthenticated user can create a link with reflected 
Javascript co ...)
- zabbix 1:6.0.7+dfsg-2
[bullseye] - zabbix  (Minor issue)
-   [buster] - zabbix  (Vulnerable backurl code introduced 
later)
NOTE: https://support.zabbix.com/browse/ZBX-21350
NOTE: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/55eb14d0a394b362d5df00ed9e06a3918472deec
 (6.0.7rc1)
 CVE-2022-40625
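Review bot: the revert leaves buster with no annotation at all while bullseye keeps its "Minor issue" line, and the open question from the commit message (was the backurl code introduced later than buster's version?) is recorded only in git history. An explicit `NOTE: buster: re-check whether the vulnerable backurl code is present` line in the entry would make the pending re-evaluation visible to whoever triages next.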



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74756a30740aaf3e164057f406b5076e65e0b2d6



[Git][security-tracker-team/security-tracker][master] Drop CVE-2022-35229 from data/DLA/list, as it had been fixed (security wise)...

2023-08-23 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70191a27 by Tobias Frost at 2023-08-23T10:23:08+02:00
Drop CVE-2022-35229 from data/DLA/list, as it had been fixed (security wise) in 
the previous upload already.

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -5,7 +5,7 @@
{CVE-2021-3481 CVE-2021-45930 CVE-2023-32573 CVE-2023-32763 
CVE-2023-34410 CVE-2023-37369 CVE-2023-38197}
[buster] - qt4-x11 4:4.8.7+dfsg-18+deb10u2
 [22 Aug 2023] DLA-3538-1 zabbix - security update
-   {CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 
CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 
CVE-2023-29457}
+   {CVE-2013-7484 CVE-2019-17382 CVE-2022-43515 CVE-2023-29450 
CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457}
[buster] - zabbix 1:4.0.4+dfsg-1+deb10u2
 [22 Aug 2023] DLA-3537-1 intel-microcode - security update
{CVE-2022-40982 CVE-2022-41804 CVE-2023-23908}
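Review bot: dropping CVE-2022-35229 from the published DLA-3538-1 entry is the right correction if the previous buster upload already fixed it, but the hunk does not show the matching change to the CVE-2022-35229 entry in data/CVE/list; unless that entry already records the earlier buster version, the tracker will now show buster as unfixed for it. Since the DLA mail has already gone out with the longer CVE list, the correction is also worth noting on the list archive.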



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70191a27fe054c9db2be786b3aa144c425a4762c



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3538-1 for zabbix

2023-08-22 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef3a2751 by Tobias Frost at 2023-08-22T15:20:30+02:00
Reserve DLA-3538-1 for zabbix

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -58556,7 +58556,6 @@ CVE-2022-43516 (A Firewall Rule which allows all 
incoming TCP connections to all
 CVE-2022-43515 (Zabbix Frontend provides a feature that allows admins to 
maintain the  ...)
- zabbix 1:6.0.13+dfsg-1 (bug #1026847)
[bullseye] - zabbix  (Minor issue)
-   [buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22050
NOTE: Fixed by: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045
 (4.0.45rc1)
NOTE: Fixed by: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e
 (5.0.30rc1)
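Review bot: the buster no-dsa line for CVE-2022-43515 is dropped because DLA-3538-1 now fixes it, which is consistent. The two upstream fix references in the entry come from the 4.0.45rc1 and 5.0.30rc1 lines, so it would help to state (in the DLA changelog or a NOTE) which of the two the 1:4.0.4+dfsg-1+deb10u2 backport is based on.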
@@ -272022,7 +272021,6 @@ CVE-2019-19395
RESERVED
 CVE-2013-7484 (Zabbix before 5.0 represents passwords in the users table with 
unsalte ...)
- zabbix 1:5.0.0+dfsg-1
-   [buster] - zabbix  (Minor issue)
[stretch] - zabbix  (Minor issue)
[jessie] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-16551
@@ -281206,7 +281204,6 @@ CVE-2019-17383 (The netaddr gem before 2.0.4 for Ruby 
has misconfigured file per
- ruby-netaddr  (Upstream packaging issue)
 CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.view ...)
- zabbix 1:5.0.0+dfsg-1
-   [buster] - zabbix  (Minor issue, no patch, guest accounts can 
be disabled)
[stretch] - zabbix  (Minor issue, no patch, guest accounts can 
be disabled)
[jessie] - zabbix  (Minor issue, guest accounts can be disabled)
NOTE: https://support.zabbix.com/browse/ZBX-16789
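Review bot: the removed buster line for CVE-2019-17382 said "no patch, guest accounts can be disabled", yet the same commit lists the CVE as fixed in DLA-3538-1; if a patch has since become available, add a NOTE with its reference next to the ZBX-16789 link so the entry documents what the buster package actually ships rather than leaving the stretch and jessie lines as the only explanation.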


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[22 Aug 2023] DLA-3538-1 zabbix - security update
+   {CVE-2013-7484 CVE-2019-17382 CVE-2022-35229 CVE-2022-43515 
CVE-2023-29450 CVE-2023-29451 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 
CVE-2023-29457}
+   [buster] - zabbix 1:4.0.4+dfsg-1+deb10u2
 [22 Aug 2023] DLA-3537-1 intel-microcode - security update
{CVE-2022-40982 CVE-2022-41804 CVE-2023-23908}
[buster] - intel-microcode 3.20230808.1~deb10u1
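Review bot: the CVE set for DLA-3538-1 includes CVE-2022-35229, but none of the data/CVE/list hunks in this same commit touch an entry for it, whereas they do for CVE-2022-43515, CVE-2013-7484 and CVE-2019-17382; check that buster was still affected by CVE-2022-35229 before the advisory text is sent, since a CVE listed in a DLA that was already fixed earlier has to be corrected afterwards.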


=
data/dla-needed.txt
=
@@ -230,7 +230,3 @@ w3m (Sylvain Beucler)
   NOTE: 20230812: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)
   NOTE: 20230819: No ASAN errors with the PoCs, but the backported fixes do 
bring some (!), more testing needed. (Beuc)
 --
-zabbix (tobi)
-  NOTE: 20230731: Added by Front-Desk (apo)
-  NOTE: 20230812: WIP, patches backported but largerly untested. Will continue 
after VAC. (tobi)
---
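
Review bot: the dla-needed.txt entry being deleted still records the backports as "largerly untested" (20230812 NOTE) and no later NOTE records that the testing happened; before closing an entry whose last status is WIP, add a dated NOTE with the test result, or state in the DLA text what was verified, so the audit trail for a ten-CVE backport shows the step between "untested" and "released".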



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef3a2751215bea0070824c5f96a3630a465170ff

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef3a2751215bea0070824c5f96a3630a465170ff
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Document zabbix state before VAC.

2023-08-11 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81868f3b by Tobias Frost at 2023-08-12T07:09:05+02:00
Document zabbix state before VAC.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -237,4 +237,5 @@ unrar-nonfree (Markus Koschany)
 --
 zabbix (tobi)
   NOTE: 20230731: Added by Front-Desk (apo)
+  NOTE: 20230812: WIP, patches backported but largerly untested. Will continue 
after VAC. (tobi)
 --
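
Review bot: typo in the added NOTE line: "largerly" should be "largely". Otherwise the note does what a front-desk reader needs (date, state, who holds it).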



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81868f3b11d3aee9f678151589af329adb78c33e



[Git][security-tracker-team/security-tracker][master] Add links to patches for CVE-2023-29450/zabbix

2023-08-11 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ffcfffec by Tobias Frost at 2023-08-11T10:38:36+02:00
Add links to patches for CVE-2023-29450/zabbix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16818,6 +16818,8 @@ CVE-2023-29451 (Specially crafted string can cause a 
buffer overrun in the JSON
 CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain 
access t ...)
- zabbix 
NOTE: https://support.zabbix.com/browse/ZBX-22588
+   NOTE: Patch for 5.0.32rc1: 
https://github.com/zabbix/zabbix/commit/c3f1543e4
+   NOTE: Patch for 6.0.14rc2: 
https://github.com/zabbix/zabbix/commit/76f6a80cb
 CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can 
cause uncont ...)
- zabbix 
[buster] - zabbix  (vulnerable code introduced later)
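
Review bot: the two added NOTE lines record patches for 5.0.32rc1 and 6.0.14rc2 only, but buster ships zabbix 4.0.x (1:4.0.4+dfsg-1+deb10u2 per the DLA-3538-1 entry at the top of this page), so the CVE-2023-29450 entry should also state whether the JavaScript pre-processing code exists in 4.0 at all, as the CVE-2023-29449 line just below does ("vulnerable code introduced later"), or which of the two commits is the basis for a 4.0 backport. Minor: the tracker entries elsewhere on this page use full 40-character commit hashes; the 9-character forms c3f1543e4 and 76f6a80cb can become ambiguous as the upstream repository grows.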



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffcfffec048a36ea8886e04511bfea1301a09da0



[Git][security-tracker-team/security-tracker][master] CVE-2023-29449/zabbix does not affect buster.

2023-08-11 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
df2eb1ce by Tobias Frost at 2023-08-11T09:35:28+02:00
CVE-2023-29449/zabbix does not affect buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16738,7 +16738,11 @@ CVE-2023-29450 (JavaScript pre-processing can be used 
by the attacker to gain ac
NOTE: https://support.zabbix.com/browse/ZBX-22588
 CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can 
cause uncont ...)
- zabbix 
+   [buster] - zabbix  (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22589
+   NOTE: Upstream patch for 5.0.32: 
https://github.com/zabbix/zabbix/commit/e90b8a3c62
+   NOTE: applied in upstream release/5.0 branch: 
https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
+   NOTE: vulnerable module introduced in 
https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)
 CVE-2023-29448
RESERVED
 CVE-2023-29447
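
Review bot: the not-affected justification for buster is well supported by the last added NOTE (the vulnerable module only appears in 5.0.0alpha1, while buster ships 4.0.x). One consistency point: the three new NOTE lines mix a full 40-character hash (c21cf2fa...) with 10-character ones (e90b8a3c62, 18d2abfc40); use the full form throughout so the references stay unambiguous.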



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df2eb1ce7c1a337f6b1fb91ff5706afac8865501



[Git][security-tracker-team/security-tracker][master] Triaging zabbix with focus LTS/buster

2023-08-09 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4b21c5fb by Tobias Frost at 2023-08-09T18:42:38+02:00
Triaging zabbix with focus LTS/buster

CVE-2023-29458: duktape library only introduced in 5.0.0alpha1
CVE-2023-29452: geomap widget only introduced in 6.0.0alpha6

add links to patch for: CVE-2023-29451 CVE-2013-7484 CVE-2019-17382

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16321,8 +16321,10 @@ CVE-2023-29459 (The laola.redbull application through 
5.1.9-R for Android expose
NOT-FOR-US: laola.redbull
 CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a 
focus on  ...)
- zabbix 
+   [buster] - zabbix  (vulnerable code introduced later)
NOTE: This appears to be bug in Zabbix's use of duktape, not an issue 
in src:duktape per se
NOTE: https://support.zabbix.com/browse/ZBX-22989
+   NOTE: duktape library introduced with 
https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2
 (5.0.0alpha1)
 CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is 
reflected off  ...)
- zabbix 
NOTE: https://support.zabbix.com/browse/ZBX-22988
@@ -16339,8 +16341,11 @@ CVE-2023-29453
RESERVED
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> 
Geograph ...)
- zabbix 
-   [bullseye] - zabbix  (5.x not affected)
+   [bullseye] - zabbix  (vulnerable code introduced later)
+   [buster] - zabbix  (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22981
+   NOTE: Patches links: https://support.zabbix.com/browse/ZBX-22720
+   NOTE: vulnerable geopmap widget introduced in version 6.0.0alpha6 with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the 
JSON parser ...)
- zabbix 
[bullseye] - zabbix  (5.x not affected)
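
Review bot: typo in the added NOTE line for CVE-2023-29452: "geopmap" should be "geomap" (the CVE description itself says "geomap configuration"), and "Patches links" reads better as "Patch links". The change of the bullseye reason from "5.x not affected" to "vulnerable code introduced later" is the better wording, since the widget commit cited for 6.0.0alpha6 is the evidence that actually supports it for both bullseye and buster.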
@@ -56908,6 +56913,8 @@ CVE-2022-43515 (Zabbix Frontend provides a feature that 
allows admins to maintai
[bullseye] - zabbix  (Minor issue)
[buster] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22050
+   NOTE: Patches: for 4.0.45rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/aa58889ba54b2350e211a5f315baabbaf7228045
+   NOTE: for 5.0.30rc1 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/50668e9d64af32cdc67a45082c556699ff86565e
 CVE-2022-43514 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
NOT-FOR-US: Automation License Manager
 CVE-2022-43513 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)
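
Review bot: with a 4.0-series upstream fix now identified (4.0.45rc1), the [buster] "(Minor issue)" no-dsa line two lines above the added NOTEs becomes worth revisiting; the DLA-3538-1 commit at the top of this page later drops that line, which is the expected outcome once the patch is known to apply. Minor: the second NOTE ("for 5.0.30rc1 ...") only makes sense as a continuation of the first, so give it the same "Patches:" prefix, or merge both into one line, so each NOTE is self-contained.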
@@ -270306,6 +270313,7 @@ CVE-2013-7484 (Zabbix before 5.0 represents passwords 
in the users table with un
NOTE: https://support.zabbix.com/browse/ZBX-16551
NOTE: https://support.zabbix.com/browse/ZBXNEXT-1898
NOTE: 
https://www.zabbix.com/documentation/5.0/manual/introduction/whatsnew500#stronger_cryptography_for_passwords
+   NOTE: patch for 5.0.0: 
https://github.com/zabbix/zabbix/commit/3c4b81c66da
 CVE-2020-1784
RESERVED
 CVE-2020-1783
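
Review bot: the 5.0.0 commit linked here implements the "stronger cryptography for passwords" change referenced by the NOTE above it, so it changes how passwords are stored in the users table (the CVE text says they were kept unsalted) rather than fixing a single code path; a backport of that to 4.0 for buster therefore affects already-stored hashes, and the entry, or the eventual DLA text, should record whether existing unsalted hashes are converted on upgrade or only replaced when a user next sets a password. That is the detail an administrator needs to judge whether the issue is closed for existing accounts.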
@@ -279482,6 +279490,8 @@ CVE-2019-17382 (An issue was discovered in 
zabbix.php?action=dashboard.view
NOTE: Disputed by upstream, closed as not a security bug.
NOTE: Guest account is disabled by default starting in 4.0.15rc1, 
4.4.2rc1 and
NOTE: 5.0.0alpha1 (Cf. https://support.zabbix.com/browse/ZBXNEXT-5532)
+   NOTE: Patch to disable default user by default, for 5.0.0alpha1: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/9fd6f1c35
+   NOTE: and for 4.0.15rc: 
https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/cd3921882
 CVE-2019-17381
RESERVED
 CVE-2019-17380 (cPanel before 82.0.15 allows self XSS in the WHM Update 
Preferences in ...)
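
Review bot: version string mismatch in the added NOTE: "4.0.15rc" versus "4.0.15rc1" in the NOTE two lines above; use the same form. "Patch to disable default user by default" is also ambiguous; "patch that disables the guest account by default" matches the ZBXNEXT-5532 NOTE. Since upstream disputes this CVE and the fix is a changed default, the buster entry should say so explicitly, because a changed default only helps installations that have not already configured the guest account themselves.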



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b21c5fbfaebdf2d20fc5eb1d3de973f86bcdf5e



[Git][security-tracker-team/security-tracker][master] LTS: claim zabbix in dla-needed.txt

2023-08-02 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01ca788f by Tobias Frost at 2023-08-02T15:31:55+02:00
LTS: claim zabbix in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -202,6 +202,6 @@ xqilla
   NOTE: 20230706: Added by Front-Desk (gladk)
   NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), 
not having the vulnerable code.
 --
-zabbix
+zabbix (tobi)
   NOTE: 20230731: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/01ca788ffc89e06c0baeffe96c7a834e5a753696



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3501-1 for renderdoc

2023-07-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
061d1368 by Tobias Frost at 2023-07-25T06:51:25+02:00
Reserve DLA-3501-1 for renderdoc

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -5511,7 +5511,6 @@ CVE-2020-36705 (The Adning Advertising plugin for 
WordPress is vulnerable to arb
NOT-FOR-US: Adning Advertising plugin for WordPress
 CVE-2023-33865 (RenderDoc before 1.27 allows local privilege escalation via a 
symlink  ...)
- renderdoc  (bug #1037208)
-   [buster] - renderdoc  (Can wait for next update)
NOTE: https://www.openwall.com/lists/oss-security/2023/06/06/3
NOTE: 
https://github.com/baldurk/renderdoc/commit/601ed56111ce3803d8476d438ade1c92d6092856
 (v1.27)
NOTE: 
https://github.com/baldurk/renderdoc/commit/e0464fea4f9a7f149c4ee1d84e5ac57839a4a862
 (v1.27)
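
Review bot: the line above the removed [buster] line still lists renderdoc as open in unstable with bug #1037208 and no fixed version, so after this DLA buster will be fixed while unstable, bookworm and bullseye remain open for a local privilege escalation via symlink; that is acceptable for the tracker, but a NOTE or a ping on #1037208 pointing at the two v1.27 commits already cited here would help the maintainer close the gap.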


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Jul 2023] DLA-3501-1 renderdoc - security update
+   {CVE-2023-33863 CVE-2023-33864 CVE-2023-33865}
+   [buster] - renderdoc 1.2+dfsg-2+deb10u1
 [19 Jul 2023] DLA-3500-1 python-django - security update
{CVE-2023-36053}
[buster] - python-django 1:1.11.29-1+deb10u9


=
data/dla-needed.txt
=
@@ -154,12 +154,6 @@ rails
   NOTE: 20221024: to break thrice in less than 2 month.
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
 --
-renderdoc (tobi)
-  NOTE: 20230620: Added by Front-Desk (Beuc)
-  NOTE: 20230620: See discussion at 
https://lists.debian.org/debian-lts/2023/06/msg00049.html
-  NOTE: 20230620: Summary: try to backport fixes; otherwise, since this is a 
end-user app with no rdeps,
-  NOTE: 20230620: coordinate with maintainer to try and bump to 1.27 
across all dists (Beuc/front-desk)
---
 ring (Thorsten Alteholz)
   NOTE: 20221120: Added by Front-Desk (ta)
   NOTE: 20230507: testing package
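
Review bot: the removed entry recorded an unresolved choice between backporting the fixes and bumping to 1.27 across all dists (20230620 NOTEs); the version 1.2+dfsg-2+deb10u1 in data/DLA/list shows the backport route was taken for buster, so the DLA text should say so, and the "coordinate with maintainer to bump to 1.27 across all dists" idea should be carried to #1037208 rather than lost with this deletion.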



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/061d1368bc35dd7b325d02e35e660cfad3879a08



[Git][security-tracker-team/security-tracker][master] xqilla's embedded yajl is not affected by CVE-2017-16516 and CVE-2022-24795

2023-07-19 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9e204ad by Tobias Frost at 2023-07-19T15:58:31+02:00
xqilla's embedded yajl is not affected by CVE-2017-16516 and CVE-2022-24795

(The embedded yajl version is around 0.2.2.)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -106924,6 +106924,8 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL 
JSON parsing and generation
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue)
+   - xqilla  (Vulnerable code not present; embeds 
not-affected ancientyajl version)
+   NOTE: xqilla's embedded yajl is ancient (around 0.2.2), not having the 
vulnerable code
NOTE: 
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
NOTE: 
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
NOTE: 
https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161
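
Review bot: typo in the added status line: "ancientyajl" should be "ancient yajl"; the same typo appears in the CVE-2017-16516 hunk below. The status reason and the NOTE on the next line currently say the same thing; keep the short reason on the status line and use the NOTE for the evidence (which upstream yajl tree the embedded copy corresponds to, as commit c254af04 further down this page does with lloyd/yajl/tree/6efc79a), so the two lines complement each other instead of duplicating.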
@@ -384692,6 +384694,8 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, 
when a crafted JSON file is
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue)
+   - xqilla  (Vulnerable code not present; embeds 
not-affected ancientyajl version)
+   NOTE: xqilla's embedded yajl is ancient (around 0.2.2), not having the 
vulnerable code
NOTE: https://github.com/brianmario/yajl-ruby/issues/176
NOTE: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
 CVE-2017-16515



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9e204ad0cc182762985067e31d8ccfe6bec689c



[Git][security-tracker-team/security-tracker][master] fix data/dla-needed.txt

2023-07-18 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
860b1155 by Tobias Frost at 2023-07-18T16:50:04+02:00
fix data/dla-needed.txt

stray ^S broke lts tool.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -208,4 +208,4 @@ tiff (Adrian Bunk)
 xqilla (tobi)
   NOTE: 20230706: Added by Front-Desk (gladk)
   NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), 
not having the vulnerable code.
---
+--
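
Review bot: the removed and re-added "--" lines render identically because the stray ^S (byte 0x13) is a control character the diff viewer does not show, so the commit message is the only record of what changed. A pre-commit or CI check that rejects control characters other than newline and tab in data/dla-needed.txt (for example a grep -P for the class [\x00-\x08\x0b-\x1f]) would catch this before the lts tool breaks again.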



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/860b115593876887543ab0a3320e1856ee39ef85



[Git][security-tracker-team/security-tracker][master] Document xqilla triage for buster. (embedded yajl ancient, not vulnerable to these CVEs.)

2023-07-15 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2172c314 by Tobias Frost at 2023-07-15T15:25:50+02:00
Document xqilla triage for buster. (embedded yajl ancient, not vulnerable to 
these CVEs.)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -202,4 +202,5 @@ tiff (Adrian Bunk)
 --
 xqilla (tobi)
   NOTE: 20230706: Added by Front-Desk (gladk)
---
+  NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), 
not having the vulnerable code.
+--
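
Review bot: the hunk deletes the "--" separator and adds an identical-looking one back after the new NOTE; a diff that removes and re-adds an unchanged line is usually a sign of an invisible character, and commit 860b1155 (above on this page) confirms that a stray ^S on this line broke the lts tool three days later. Inserting the NOTE above the existing separator, so that the "--" line stays unchanged context, avoids touching it at all.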



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2172c314d144f7659d02a6866ef932a9208c6e24



[Git][security-tracker-team/security-tracker][master] xqilla's yajl is ancient, around 0.2.2 and is not vulnerable to CVE-2017-16516 and CVE-2022-24795.

2023-07-15 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c254af04 by Tobias Frost at 2023-07-15T15:23:12+02:00
xqilla's yajl is ancient, around 0.2.2 and is not vulnerable to 
CVE-2017-16516 and CVE-2022-24795.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -106402,12 +106402,13 @@ CVE-2022-24795 (yajl-ruby is a C binding to the 
YAJL JSON parsing and generation
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue)
-   - xqilla  (bug #1040164)
+   - xqilla  (embeds ancient yajl without the vulnerable 
code)
[bullseye] - xqilla  (Minor issue)
NOTE: 
https://github.com/brianmario/yajl-ruby/security/advisories/GHSA-jj47-x69x-mxrm
NOTE: 
https://github.com/brianmario/yajl-ruby/commit/7168bd79b888900aa94523301126f968a93eb3a6
NOTE: 
https://github.com/brianmario/yajl-ruby/commit/e8de283a6d64f0902740fd09e858fc3d7d803161
NOTE: https://github.com/lloyd/yajl/issues/239
+   NOTE: xquilla embeds ancient yail, likely 0.2.2 
https://github.com/lloyd/yajl/tree/6efc79a
 CVE-2022-24794 (Express OpenID Connect is an Express JS middleware 
implementing sign o ...)
NOT-FOR-US: Express OpenID Connect
 CVE-2022-24793 (PJSIP is a free and open source multimedia communication 
library writt ...)
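
Review bot: typos in the added NOTE: "xquilla" should be "xqilla" and "yail" should be "yajl". More substantively, the changed status line now says the embedded copy lacks the vulnerable code, yet the unchanged [bullseye] line below it keeps "(Minor issue)", which implies bullseye is affected but unimportant; if the embedded yajl is the same ancient 0.2.2 copy in both releases, bullseye should get the same not-affected reasoning (commit d9e204ad above on this page moves the entry in that direction).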
@@ -384163,11 +384164,11 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for 
Ruby, when a crafted JSON file is
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue)
-   - xqilla  (bug #1040164)
+   - xqilla  (embeds ancient yajl without the vulnerable 
code)
[bullseye] - xqilla  (Minor issue)
NOTE: https://github.com/brianmario/yajl-ruby/issues/176
NOTE: 
https://github.com/brianmario/yajl-ruby/commit/a8ca8f476655adaa187eedc60bdc770fff3c51ce
-   NOTE: yail: https://github.com/lloyd/yajl/issues/248
+   NOTE: xquilla embeds ancient yail, likely 0.2.2 
https://github.com/lloyd/yajl/tree/6efc79a
 CVE-2017-16515
RESERVED
 CVE-2017-16514 (Multiple persistent stored Cross-Site-Scripting (XSS) 
vulnerabilities  ...)
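
Review bot: besides the same "xquilla"/"yail" typos, this hunk replaces the "NOTE: yail: https://github.com/lloyd/yajl/issues/248" line instead of adding to it; that link was the entry's only pointer to the upstream yajl side of CVE-2017-16516 (the yajl-ruby issue above it is the gem-side report), so keep it and add the xqilla NOTE as a separate new line.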



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c254af048d08433624f3c634462f0450aa2ce9a1



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3492-1 for yajl

2023-07-11 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
51e0b152 by Tobias Frost at 2023-07-11T19:45:57+02:00
Reserve DLA-3492-1 for yajl

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[11 Jul 2023] DLA-3492-1 yajl - security update
+   {CVE-2017-16516 CVE-2022-24795 CVE-2023-33460}
+   [buster] - yajl 2.1.0-3+deb10u2
 [11 Jul 2023] DLA-3491-1 erlang - security update
{CVE-2022-37026}
[buster] - erlang 1:22.2.7+dfsg-1+deb10u1


=
data/dla-needed.txt
=
@@ -217,6 +217,3 @@ tiff (Adrian Bunk)
 xqilla (tobi)
   NOTE: 20230706: Added by Front-Desk (gladk)
 --
-yajl (tobi)
-  NOTE: 20230702: Added by Front-Desk (ta)
---



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51e0b1521dc827d30e3dd99db12ac26d0fe12d16



[Git][security-tracker-team/security-tracker][master] LTS: claim xqilla in dla-needed.txt

2023-07-11 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
579fcfc2 by Tobias Frost at 2023-07-11T18:29:14+02:00
LTS: claim xqilla in dla-needed.txt
- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -214,7 +214,7 @@ symfony (guilhem)
 tiff (Adrian Bunk)
   NOTE: 20230702: Added by Front-Desk (ta)
 --
-xqilla
+xqilla (tobi)
   NOTE: 20230706: Added by Front-Desk (gladk)
 --
 yajl (tobi)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/579fcfc2e7a3125b6b826ddb75c344629d9186f0



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3487-1 for fusiondirectory

2023-07-08 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13fdba2a by Tobias Frost at 2023-07-08T15:51:42+02:00
Reserve DLA-3487-1 for fusiondirectory

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[08 Jul 2023] DLA-3487-1 fusiondirectory - security update
+   {CVE-2022-36179 CVE-2022-36180}
+   [buster] - fusiondirectory 1.2.3-4+deb10u2
 [08 Jul 2023] DLA-3486-1 ocsinventory-server - security update
[buster] - ocsinventory-server 2.5+dfsg1-1+deb10u1
 [08 Jul 2023] DLA-3485-1 php-cas - security update


=
data/dla-needed.txt
=
@@ -54,16 +54,6 @@ flatpak
   NOTE: 20230620: Added by Front-Desk (Beuc)
   NOTE: 20230620: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
 --
-fusiondirectory (Abhijith PA)
-  NOTE: 20221203: Added by Front-Desk (gladk)
-  NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk).
-  NOTE: 20221203: Two CVEs have only mitigation, fix in a new version (gladk).
-  NOTE: 20221203: Also the package was removed from sid recently (gladk).
-  NOTE: 20221203: Feel free to marke both CVEs as , if they are not 
too serious (gladk).
-  NOTE: 20230523: Added upstream commit references to security tracker. 
Patched our version, testing (abhijith)
-  NOTE: 20230627: Coordinate with upload of php-cas as php-cas will break 
fusiondirectory. (tobi)
-  NOTE: 20230627: See: 
https://lists.debian.org/debian-lts/2023/06/msg00058.html
---
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
 --
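
Review bot: the removed notes say the two CVEs "have only mitigation, fix in a new version" (20221203) and that the package was removed from sid, while the DLA ships 1.2.3-4+deb10u2, a revision of the same upstream version; the 20230523 note mentions upstream commit references were added, so the DLA text should state plainly whether these are backported upstream fixes or only the mitigation. The 20230627 coordination note also matters for the advisory: php-cas DLA-3485-1 is dated the same day in data/DLA/list, and the note says php-cas will break fusiondirectory without this update, so the advisory should tell users to install both.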



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13fdba2af151853d5ea27c5b872fd51bb81e746a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3486-1 for ocsinventory-server

2023-07-08 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e352c46c by Tobias Frost at 2023-07-08T15:47:39+02:00
Reserve DLA-3486-1 for ocsinventory-server

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,5 @@
+[08 Jul 2023] DLA-3486-1 ocsinventory-server - security update
+   [buster] - ocsinventory-server 2.5+dfsg1-1+deb10u1
 [08 Jul 2023] DLA-3485-1 php-cas - security update
{CVE-2022-39369}
[buster] - php-cas 1.3.6-1+deb10u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e352c46c7138113fe549e2e9029ddaf6a5721570


