[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9060e04b by Moritz Muehlenhoff at 2024-05-29T19:39:42+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20265,7 +20265,7 @@ CVE-2024-25690 (There is an HTML injection vulnerability in Esri Portal for ArcG CVE-2024-25007 (Ericsson Network Manager (ENM), versions prior to 23.1, contains a vul ...) NOT-FOR-US: Ericsson Network Manager CVE-2024-22189 (quic-go is an implementation of the QUIC protocol in Go. Prior to vers ...) - - golang-github-lucas-clemente-quic-go + - golang-github-lucas-clemente-quic-go (bug #1072180) [bookworm] - golang-github-lucas-clemente-quic-go (Minor issue) [bullseye] - golang-github-lucas-clemente-quic-go (Minor issue) NOTE: https://github.com/quic-go/quic-go/security/advisories/GHSA-c33x-xqrf-c478 @@ -26253,7 +26253,7 @@ CVE-2021-47157 (The Kossy module before 0.60 for Perl allows JSON hijacking beca CVE-2021-47156 (The Net::IPAddress::Util module before 5.000 for Perl does not properl ...) NOT-FOR-US: Net::IPAddress::Util Perl module CVE-2021-47155 (The Net::IPV4Addr module 0.10 for Perl does not properly consider extr ...) - - libnetwork-ipv4addr-perl + - libnetwork-ipv4addr-perl (bug #1072178) [bookworm] - libnetwork-ipv4addr-perl (Minor issue) [bullseye] - libnetwork-ipv4addr-perl (Minor issue) [buster] - libnetwork-ipv4addr-perl (Minor issue, revisit when fix is available) @@ -92257,7 +92257,7 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m - python2.7 [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) [buster] - python2.7 (Minor issue, wait until upstream has decided whether to backport to older branches) - - pypy3 + - pypy3 (bug #1072179) [bookworm] - pypy3 (Minor issue, wait until upstream has decided whether to backport to older branches) [bullseye] - pypy3 (Minor issue, wait until upstream has decided whether to backport to older branches) [buster] - pypy3 (Minor issue, wait until upstream has decided whether to backport to older branches) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9060e04b3db8dc720ac690cb137ff0030c11a7b6 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9060e04b3db8dc720ac690cb137ff0030c11a7b6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 00508eba by Moritz Muehlenhoff at 2024-05-28T23:40:20+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,7 @@ CVE-2024-3657 (A flaw was found in 389-ds-base. A specially-crafted LDAP query c NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274401 TODO: check provided details CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched automatic ...) - - gnome-shell + - gnome-shell (bug #1072124) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688 CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. Multiple f ...) TODO: check @@ -19552,7 +19552,7 @@ CVE-2024-3431 (A vulnerability was found in EyouCMS 1.6.5. It has been declared CVE-2024-3430 (A vulnerability was found in QKSMS up to 3.9.4 on Android. It has been ...) NOT-FOR-US: QKSMS CVE-2024-31951 (In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, ...) - - frr + - frr (bug #1070377) [bullseye] - frr (Vulnerable code not present) [buster] - frr (Vulnerable code not present) NOTE: https://github.com/FRRouting/frr/pull/15674/ @@ -19562,7 +19562,7 @@ CVE-2024-31951 (In the Opaque LSA Extended Link parser in FRRouting (FRR) throug NOTE: https://github.com/FRRouting/frr/commit/e08495a4a8ad4d2050691d9e5e13662d2635b2e0 NOTE: vulnerable feature introduced in https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (first shipped with 8.0) CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow and dae ...) - - frr + - frr (bug #1070377) [bullseye] - frr (Vulnerable code not present) [buster] - frr (Vulnerable code not present) NOTE: https://github.com/FRRouting/frr/pull/15674/ @@ -19573,13 +19573,12 @@ CVE-2024-31950 (In FRRouting (FRR) through 9.1, there can be a buffer overflow a NOTE: vulnerable feature introduced in https://github.com/FRRouting/frr/commit/f173deb35206a09e8dc22828cb08638e289b72a5 (first shipped with 8.0) CVE-2024-31949 (In FRRouting (FRR) through 9.1, an infinite loop can occur when receiv ...) {DLA-3797-1} - - frr + - frr (bug #1072125) NOTE: https://github.com/FRRouting/frr/pull/15640 - NOTE: https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b NOTE: Fixed by: https://github.com/FRRouting/frr/commit/30a332dad86fafd2b0b6c61d23de59ed969a219b CVE-2024-31948 (In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix S ...) {DLA-3797-1} - - frr + - frr (bug #1072126) NOTE: https://github.com/FRRouting/frr/pull/15628 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07 @@ -43959,7 +43958,7 @@ CVE-2023-51079 (A long execution time can occur in the ParseTools.subCompileExpr CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop in the ...) NOT-FOR-US: Hutool CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow via the Cr ...) - - jayway-jsonpath + - jayway-jsonpath (bug #1072123) [bookworm] - jayway-jsonpath (Minor issue) [bullseye] - jayway-jsonpath (Minor issue) [buster] - jayway-jsonpath (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00508eba7d5c3741fecf3ed8077b4bf9c86d8293 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00508eba7d5c3741fecf3ed8077b4bf9c86d8293 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f38ac6d0 by Moritz Muehlenhoff at 2024-05-28T22:45:23+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -300,7 +300,6 @@ CVE-2023-6349 (A heap overflow vulnerability exists in libvpx -Encoding a frame NOTE: Same upstream commit as CVE-2023-44488 CVE-2023-50977 REJECTED - NOTE: Disputed GNOME Shell issue CVE-2022-4969 (A vulnerability, which was classified as critical, has been found in b ...) NOT-FOR-US: rockhopper Python library (different from src:rockhopper) CVE-2024-5403 (ASKEY 5G NR Small Cell fails to properly filter user input for certain ...) @@ -536,7 +535,7 @@ CVE-2024-33470 (An issue in the SMTP Email Settings of AVTECH Room Alert 4E v4.4 CVE-2024-33427 REJECTED CVE-2024-31510 (An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker t ...) - - liboqs + - liboqs (bug #1072118) NOTE: https://github.com/liang-junkai/Fault-injection-of-ML-DSA CVE-2024-22588 (Kwik commit 745fd4e2 does not discard unused encryption keys.) NOT-FOR-US: Kwik @@ -4650,11 +4649,10 @@ CVE-2024-3745 (MSI Afterburner v4.6.6.16381 Beta 3 is vulnerable to an ACL Bypas NOT-FOR-US: MSI Afterburner CVE-2024-3658 REJECTED - NOT-FOR-US: WordPress plugin CVE-2024-36043 (question_image.ts in SurveyJS Form Library before 1.10.4 allows conten ...) NOT-FOR-US: SurveyJS Form Library CVE-2024-34083 (aiosmptd is a reimplementation of the Python stdlib smtpd.py based on ...) - - python-aiosmtpd + - python-aiosmtpd (bug #1072119) [bookworm] - python-aiosmtpd (Minor issue) [bullseye] - python-aiosmtpd (Minor issue) NOTE: https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8 @@ -5452,7 +5450,7 @@ CVE-2024-22145 (Improper Privilege Management vulnerability in InstaWP Team Inst CVE-2024-22139 (Authentication Bypass by Spoofing vulnerability in Filipe Seabra WordP ...) NOT-FOR-US: WordPress plugin CVE-2024-22120 (Zabbix server can perform command execution for configured scripts. Af ...) - - zabbix + - zabbix (bug #1072120) NOTE: https://support.zabbix.com/browse/ZBX-24505 CVE-2024-21746 (Authentication Bypass by Spoofing vulnerability in Wpmet Wp Ultimate R ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f38ac6d0236380de377bbc03963ad6707c3ed5f4 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f38ac6d0236380de377bbc03963ad6707c3ed5f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a2e8f18 by Moritz Muehlenhoff at 2024-05-24T17:00:36+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6610,7 +6610,7 @@ CVE-2023-52655 (In the Linux kernel, the following vulnerability has been resolv [bullseye] - linux 5.10.205-1 NOTE: https://git.kernel.org/linus/ccab434e674ca95d483788b1895a70c21b7f016a (6.7-rc3) CVE-2024-25581 (When incoming DNS over HTTPS support is enabled using the nghttp2 prov ...) - - dnsdist + - dnsdist (bug #1071750) [bookworm] - dnsdist (Vulnerable code not present) [bullseye] - dnsdist (Vulnerable code not present) [buster] - dnsdist (Vulnerable code not present) @@ -6649,7 +6649,7 @@ CVE-2024-2299 (A stored Cross-Site Scripting (XSS) vulnerability exists in the p CVE-2024-29212 (Due to an unsafe de-serialization method used by the Veeam Service Pr ...) NOT-FOR-US: Veeam CVE-2024-26306 (iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server wi ...) - - iperf3 + - iperf3 (bug #1071751) [bookworm] - iperf3 (Minor issue) [bullseye] - iperf3 (Minor issue) [buster] - iperf3 (Minor issue; can be fixed in next update) @@ -8989,7 +8989,7 @@ CVE-2024-31963 (A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones CVE-2024-31673 (Kliqqi-CMS 2.0.2 is vulnerable to SQL Injection in load_data.php via t ...) NOT-FOR-US: Kliqqi-CMS CVE-2024-31636 (An issue in LIEF v.0.14.1 allows a local attacker to obtain sensitive ...) - - lief + - lief (bug #1071743) [bookworm] - lief (Minor issue) [bullseye] - lief (Minor issue) [buster] - lief (Minor issue) @@ -12761,7 +12761,7 @@ CVE-2024-32406 (Server-Side Template Injection (SSTI) vulnerability in inducer r CVE-2024-32404 (Server-Side Template Injection (SSTI) vulnerability in inducer relate ...) NOT-FOR-US: inducer relate CVE-2024-31755 (cJSON v1.7.17 was discovered to contain a segmentation violation, whic ...) - - cjson + - cjson (bug #1071742) [bookworm] - cjson (Minor issue) [bullseye] - cjson (Minor issue) [buster] - cjson (Sefault only; can be piggy-backed with future DLAs) @@ -27042,7 +27042,7 @@ CVE-2024-2364 (A vulnerability classified as problematic has been found in Music CVE-2024-2363 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in AOL AIM T ...) NOT-FOR-US: AOL AIM Triton CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to load them ...) - - bpfcc + - bpfcc (bug #1071747) [bookworm] - bpfcc (Minor issue) [bullseye] - bpfcc (Minor issue) [buster] - bpfcc (Vulnerable code introduced later) @@ -27051,7 +27051,7 @@ CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to load NOTE: Attempt to mitigate in https://bugs.debian.org/1028479 (applied in 0.25.0+ds-2), and NOTE: resulting in the additional problem in https://bugs.debian.org/1068297 CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt to load ...) - - bpftrace + - bpftrace (bug #1071748) [bookworm] - bpftrace (Minor issue) [bullseye] - bpftrace (Minor issue) [buster] - bpftrace (Vulnerable code introduced later) @@ -29661,7 +29661,7 @@ CVE-2024-23302 (Couchbase Server before 7.2.4 has a private key leak in goxdcr.l CVE-2024-22983 (SQL injection vulnerability in Projectworlds Visitor Management System ...) NOT-FOR-US: Projectworlds Visitor Management System CVE-2024-22871 (An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker ...) - - clojure + - clojure (bug #1071746) NOTE: https://github.com/advisories/GHSA-vr64-r9qj-h27f NOTE: https://hackmd.io/@fe1w0/rymmJGida CVE-2024-22532 (Buffer Overflow vulnerability in XNSoft NConvert 7.163 (for Windows x8 ...) @@ -36191,7 +36191,7 @@ CVE-2024-24569 (The Pixee Java Code Security Toolkit is a set of security APIs m CVE-2024-24561 (Vyper is a pythonic Smart Contract Language for the ethereum virtual m ...) NOT-FOR-US: Vyper CVE-2024-24557 (Moby is an open-source project created by Docker to enable software co ...) - - docker.io + - docker.io (bug #1071745) [bookworm] - docker.io (Minor issue) [bullseye] - docker.io (Minor issue) [buster] - docker.io (Minor issue with workarounds) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a2e8f18e760db5951a641560bdf259098dcde85 -- This project does not include diff previews in email notifications. View it on GitLab:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d0e106d4 by Moritz Muehlenhoff at 2024-05-22T17:23:03+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -447,7 +447,7 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video Galler CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the s ...) NOT-FOR-US: WinRAR CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON ...) - - python-pymysql + - python-pymysql (bug #1071628) NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp NOTE: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1) CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) @@ -4869,8 +4869,8 @@ CVE-2024-35184 (Paperless-ngx is a document management system that transforms ph CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git authenti ...) TODO: check CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a den ...) - - ruby3.2 - - ruby3.1 + - ruby3.2 (bug #1071627) + - ruby3.1 (bug #1071626) [bookworm] - ruby3.1 (Minor issue) - ruby2.7 - ruby2.5 @@ -5919,13 +5919,13 @@ CVE-2024-4813 (A vulnerability classified as critical has been found in Ruijie R CVE-2024-4747 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2024-4068 (The NPM package `braces` fails to limit the number of characters it ca ...) - - node-braces + - node-braces (bug #1071632) [bookworm] - node-braces (Minor issue) [bullseye] - node-braces (Minor issue) [buster] - node-braces (Minor issue) NOTE: https://github.com/micromatch/braces/issues/35 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular Expression Denia ...) - - node-micromatch + - node-micromatch (bug #1071631) [bookworm] - node-micromatch (Minor issue) [bullseye] - node-micromatch (Minor issue) [buster] - node-micromatch (Minor issue) @@ -7146,7 +7146,7 @@ CVE-2024-34257 (TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in CVE-2024-34255 (jizhicms v2.5.1 contains a Cross-Site Scripting(XSS) vulnerability in ...) NOT-FOR-US: jizhicms CVE-2024-34244 (libmodbus v3.1.10 is vulnerable to Buffer Overflow via the modbus_writ ...) - - libmodbus + - libmodbus (bug #1071633) [bookworm] - libmodbus (Minor issue) [bullseye] - libmodbus (Minor issue) [buster] - libmodbus (Minor issue; out-of-bounds read, DoS) @@ -8048,7 +8048,7 @@ CVE-2024-4492 (A vulnerability, which was classified as critical, has been found CVE-2024-4491 (A vulnerability classified as critical was found in Tenda i21 1.0.0.14 ...) NOT-FOR-US: Tenda CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting facilities make u ...) - - maxima + - maxima (bug #1071630) [bookworm] - maxima (Minor issue) [bullseye] - maxima (Minor issue) [buster] - maxima (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e106d41947da7c67df7bbf0fd5f85c734f459c -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e106d41947da7c67df7bbf0fd5f85c734f459c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f475b9aa by Moritz Muehlenhoff at 2024-05-10T19:34:29+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,7 +117,7 @@ CVE-2024-3807 (The Porto theme for WordPress is vulnerable to Local File Inclusi CVE-2024-3806 (The Porto theme for WordPress is vulnerable to Local File Inclusion in ...) NOT-FOR-US: WordPress theme CVE-2024-3727 (A flaw was found in the github.com/containers/image library. This flaw ...) - - golang-github-opencontainers-go-digest + - golang-github-opencontainers-go-digest (bug #1070858) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274767 CVE-2024-3722 (The Swift Performance Lite plugin for WordPress is vulnerable to unaut ...) NOT-FOR-US: WordPress plugin @@ -289,7 +289,7 @@ CVE-2024-32717 (Missing Authorization vulnerability in WPDeveloper SchedulePress CVE-2024-32712 (Missing Authorization vulnerability in Podlove Podlove Podcast Publish ...) NOT-FOR-US: WordPress plugin CVE-2024-32655 (Npgsql is the .NET data provider for PostgreSQL. In 8.0.2 and earlier, ...) - - npgsql + - npgsql (bug #1070859) NOTE: https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c NOTE: https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6 CVE-2024-32624 (HDF5 Library through 1.14.3 contains a heap-based buffer overflow in H ...) @@ -2502,7 +2502,7 @@ CVE-2023-44430 (Bentley View SKP File Parsing Use-After-Free Remote Code Executi NOT-FOR-US: Bentley CVE-2023-44428 (MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code Exec ...) - musescore2 - - musescore3 + - musescore3 (bug #1070860) NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1526/ CVE-2023-44427 (D-Link DIR-X3260 SetSysEmailSettings SMTPServerAddress Command Injecti ...) NOT-FOR-US: D-Link View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f475b9aa1d4e9c0b83c7a6ac3753cd9c2895a671 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f475b9aa1d4e9c0b83c7a6ac3753cd9c2895a671 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ef852fb3 by Moritz Muehlenhoff at 2024-05-04T20:46:09+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2252,10 +2252,10 @@ CVE-2024-0334 (The Jeg Elementor Kit plugin for WordPress is vulnerable to Store CVE-2023-7241 (Privilege Escalationin WRSA.EXE in Webroot Antivirus 8.0.1X- 9.0.35.12 ...) NOT-FOR-US: Webroot Antivirus CVE-2023-49606 (A use-after-free vulnerability exists in the HTTP Connection Headers p ...) - - tinyproxy + - tinyproxy (bug #1070395) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889 CVE-2023-47212 (A heap-based buffer overflow vulnerability exists in the comment funct ...) - - libstb + - libstb (bug #1070394) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1846 CVE-2023-47166 (A firmware update vulnerability exists in the luci2-io file-import fun ...) NOT-FOR-US: Milesight UR32L @@ -2264,7 +2264,7 @@ CVE-2023-46295 (An issue was discovered in Teledyne FLIR M300 2.00-19. Unauthent CVE-2023-46294 (An issue was discovered in Teledyne FLIR M300 2.00-19. User account pa ...) NOT-FOR-US: Teledyne FLIR M300 CVE-2023-40533 (An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 w ...) - - tinyproxy + - tinyproxy (bug #1070395) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902 CVE-2024-27392 (In the Linux kernel, the following vulnerability has been resolved: n ...) - linux (Vulnerable code not present) @@ -3409,7 +3409,7 @@ CVE-2023-48684 (Sensitive information disclosure and manipulation due to missing CVE-2023-48683 (Sensitive information disclosure and manipulation due to missing autho ...) NOT-FOR-US: Acronis Cyber Protect Cloud Agent CVE-2023-46565 (Buffer Overflow vulnerability in osrg gobgp commit 419c50dfac578daa4d1 ...) - - gobgp + - gobgp (bug #1070393) NOTE: https://github.com/osrg/gobgp/issues/2725 CVE-2023-46270 (MacPaw The Unarchiver before 4.3.6 contains vulnerability related to m ...) NOT-FOR-US: MacPaw The Unarchiver @@ -22042,7 +22042,7 @@ CVE-2024-25909 (Unrestricted Upload of File with Dangerous Type vulnerability in CVE-2024-25770 (libming 0.4.8 contains a memory leak vulnerability in /libming/src/act ...) - ming CVE-2024-25768 (OpenDMARC 1.4.2 contains a null pointer dereference vulnerability in / ...) - - opendmarc + - opendmarc (bug #1070390) [bookworm] - opendmarc (Minor issue) [bullseye] - opendmarc (Minor issue) [buster] - opendmarc (Minor issue) @@ -25146,7 +25146,7 @@ CVE-2024-25360 (A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks NOT-FOR-US: Motorola CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) [experimental] - exiv2 0.28.2+dfsg-1 - - exiv2 + - exiv2 (bug #1070392) [bookworm] - exiv2 (Minor issue) [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) @@ -25174,7 +25174,7 @@ CVE-2024-24875 (Cross-Site Request Forgery (CSRF) vulnerability in Yannick Lefeb NOT-FOR-US: WordPress plugin CVE-2024-24826 (Exiv2 is a command-line utility and C++ library for reading, writing, ...) [experimental] - exiv2 0.28.2+dfsg-1 - - exiv2 + - exiv2 (bug #1070392) [bookworm] - exiv2 (Minor issue) [bullseye] - exiv2 (Minor issue) [buster] - exiv2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef852fb39e30f07a3c0071ee27a717b2881f7300 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef852fb39e30f07a3c0071ee27a717b2881f7300 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ca651d1e by Moritz Muehlenhoff at 2024-05-04T19:56:24+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4240,7 +4240,7 @@ CVE-2024-25917 (Exposure of Sensitive Information to an Unauthorized Actor vulne CVE-2024-25624 (Iris is a web collaborative platform aiming to help incident responder ...) NOT-FOR-US: Iris CVE-2024-25569 (An out-of-bounds read vulnerability exists in the RAWCodec::DecodeByte ...) - - gdcm + - gdcm (bug #1070387) [bookworm] - gdcm (Minor issue) [bullseye] - gdcm (Minor issue) [buster] - gdcm (Minor issue, follow bullseye) @@ -4249,14 +4249,14 @@ CVE-2024-25569 (An out-of-bounds read vulnerability exists in the RAWCodec::Deco CVE-2024-25026 (IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Applicatio ...) NOT-FOR-US: IBM CVE-2024-22391 (A heap-based buffer overflow vulnerability exists in the LookupTable:: ...) - - gdcm + - gdcm (bug #1070387) [bookworm] - gdcm (Minor issue) [bullseye] - gdcm (Minor issue) [buster] - gdcm (Minor issue, follow bullseye) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924 NOTE: https://github.com/malaterre/GDCM/commit/21a793095ab3aecb794c56439873e5b181ea9d91 (v3.0.24) CVE-2024-22373 (An out-of-bounds write vulnerability exists in the JPEG2000Codec::Deco ...) - - gdcm + - gdcm (bug #1070387) [bookworm] - gdcm (Minor issue) [bullseye] - gdcm (Minor issue) [buster] - gdcm (Minor issue, follow bullseye) @@ -13399,7 +13399,7 @@ CVE-2024-28784 (IBM QRadar SIEM 7.5 is vulnerable to cross-site scripting. This CVE-2024-28247 (The Pi-hole is a DNS sinkhole that protects your devices from unwanted ...) NOT-FOR-US: Pi-Hole CVE-2024-28233 (JupyterHub is an open source multi-user server for Jupyter notebooks. ...) - - jupyterhub + - jupyterhub (bug #1070388) [bookworm] - jupyterhub (Minor issue) NOTE: https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g NOTE: https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca651d1e695f017ed2808bfde57ea63d09d4a695 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca651d1e695f017ed2808bfde57ea63d09d4a695 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 62d476ff by Moritz Muehlenhoff at 2024-05-04T18:15:00+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -237,11 +237,11 @@ CVE-2024-34408 (Tencent libpag through 4.3.51 has an integer overflow in DecodeS CVE-2024-34404 (A vulnerability was discovered in the Alta Recovery Vault feature of V ...) NOT-FOR-US: Veritas NetBackup CVE-2024-34403 (An issue was discovered in uriparser through 0.9.7. ComposeQueryMalloc ...) - - uriparser + - uriparser (bug #1070376) NOTE: https://github.com/uriparser/uriparser/issues/183 NOTE: https://github.com/uriparser/uriparser/pull/186 CVE-2024-34402 (An issue was discovered in uriparser through 0.9.7. ComposeQueryEngine ...) - - uriparser + - uriparser (bug #1070376) NOTE: https://github.com/uriparser/uriparser/pull/185 NOTE: https://github.com/uriparser/uriparser/issues/183 CVE-2024-34401 (Savsoft Quiz 6.0 allows stored XSS via the index.php/quiz/insert_quiz/ ...) @@ -269,7 +269,7 @@ CVE-2024-34066 (Pterodactyl wings is the server control plane for Pterodactyl Pa CVE-2024-34063 (vodozemac is an implementation of Olm and Megolm in pure Rust. Version ...) TODO: check CVE-2024-34062 (tqdm is an open source progress bar for Python and CLI. Any optional n ...) - - tqdm + - tqdm (bug #1070372) NOTE: https://github.com/tqdm/tqdm/security/advisories/GHSA-g7vv-2v7x-gj9p NOTE: Fixed by: https://github.com/tqdm/tqdm/commit/b53348c73080b4edeb30b4823d1fa0d8d2c06721 (v4.66.3) CVE-2024-34061 (changedetection.io is a free open source web page change detection, we ...) @@ -3101,7 +3101,7 @@ CVE-2024-3411 (Implementations of IPMI Authenticated sessions does not provide e CVE-2024-3072 (The ACF Front End Editor plugin for WordPress is vulnerable to unautho ...) NOT-FOR-US: WordPress plugin CVE-2024-34088 (In FRRouting (FRR) through 9.1, it is possible for the get_edge() func ...) - - frr + - frr (bug #1070377) [bullseye] - frr (Vulnerable code introduced later) [buster] - frr (Vulnerable code introduced later) NOTE: https://github.com/FRRouting/frr/pull/15674 @@ -3243,7 +3243,7 @@ CVE-2024-33401 (Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a CVE-2024-33350 (Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote at ...) NOT-FOR-US: TaoCMS CVE-2024-31837 (DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string ...) - - dmitry + - dmitry (bug #1070370) [bookworm] - dmitry (Minor issue) [bullseye] - dmitry (Minor issue) [buster] - dmitry (Minor issue, crash in CLI tool, requires malicious parameter) @@ -3889,7 +3889,7 @@ CVE-2024-33343 (D-Link DIR-822+ V1.0.5 was found to contain a command injection CVE-2024-33342 (D-Link DIR-822+ V1.0.5 was found to contain a command injection in Set ...) NOT-FOR-US: D-Link CVE-2024-33263 (QuickJS commit 3b45d15 was discovered to contain an Assertion Failure ...) - - quickjs + - quickjs (bug #1070373) NOTE: https://github.com/bellard/quickjs/issues/277 CVE-2024-33260 (Jerryscript commit cefd391 was discovered to contain a segmentation vi ...) - iotjs @@ -4033,11 +4033,11 @@ CVE-2024-33666 (An issue was discovered in Zammad before 6.3.0. Users with custo CVE-2024-33665 (angular-translate through 2.19.1 allows XSS via a crafted key that is ...) NOT-FOR-US: angular-translate CVE-2024-33664 (python-jose through 3.3.0 allows attackers to cause a denial of servic ...) - - python-jose + - python-jose (bug #1070375) NOTE: https://github.com/mpdavis/python-jose/issues/344 NOTE: https://github.com/mpdavis/python-jose/pull/345 CVE-2024-33663 (python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA k ...) - - python-jose + - python-jose (bug #1070375) NOTE: https://github.com/mpdavis/python-jose/issues/346 CVE-2024-33661 (Portainer before 2.20.0 allows redirects when the target is not index. ...) NOT-FOR-US: Portainer @@ -4403,7 +4403,7 @@ CVE-2024-32948 (Missing Authorization vulnerability in Repute Infosystems ARMemb CVE-2024-32947 (Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline Web Se ...) NOT-FOR-US: WordPress plugin CVE-2024-32879 (Python Social Auth is a social authentication/registration mechanism. ...) - - social-auth-app-django + - social-auth-app-django (bug #1070374) [bookworm] - social-auth-app-django (Minor issue) [bullseye] - social-auth-app-django (Minor issue) [buster] - social-auth-app-django (Minor issue) @@ -4958,7 +4958,7 @@ CVE-2024-31992 (Mealie is a self
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac1e8043 by Moritz Muehlenhoff at 2024-04-24T15:06:19+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -68,7 +68,7 @@ CVE-2024-32258 (The network server of fceux 2.7.0 has a path traversal vulnerabi CVE-2024-31804 (An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.2 ...) NOT-FOR-US: Terratec CVE-2024-31208 (Synapse is an open-source Matrix homeserver. A remote Matrix user with ...) - - matrix-synapse + - matrix-synapse (bug #1069763) NOTE: https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v NOTE: https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a (v1.105.1) CVE-2024-30800 (PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly z ...) @@ -550,7 +550,7 @@ CVE-2024-21872 (The device allows an unauthenticated attacker to bypass authenti CVE-2024-21846 (An unauthenticated attacker can reset the board and stop transmitter ...) NOT-FOR-US: Electrolink CVE-2024-1681 (corydolphin/flask-cors is vulnerable to log injection when the log lev ...) - - python-flask-cors + - python-flask-cors (bug #1069764) NOTE: https://huntr.com/bounties/25a7a0ba-9fa2-4777-acb6-03e5539bb644 NOTE: https://github.com/corydolphin/flask-cors/issues/349 CVE-2024-1491 (The devices allow access to an unprotected endpoint that allows MPFS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1e8043aa4c5c51116bfda1be3737947b1b550c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac1e8043aa4c5c51116bfda1be3737947b1b550c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b3748e5 by Moritz Muehlenhoff at 2024-04-22T16:49:52+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -136,7 +136,7 @@ CVE-2024-32683 (Authorization Bypass Through User-Controlled Key vulnerability i CVE-2024-32652 (The adapter @hono/node-server allows you to run your Hono application ...) NOT-FOR-US: @hono/node-server CVE-2024-32650 (Rustls is a modern TLS library written in Rust. `rustls::ConnectionCom ...) - - rust-rustls + - rust-rustls (bug #1069677) NOTE: github.com: https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj NOTE: github.com: https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5) NOTE: github.com: https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5) @@ -1716,7 +1716,7 @@ CVE-2024-21096 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21095 (Vulnerability in the Primavera P6 Enterprise Project Portfolio Managem ...) NOT-FOR-US: Oracle CVE-2024-21094 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -1738,7 +1738,7 @@ CVE-2024-21087 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-21086 (Vulnerability in the Oracle CRM Technical Foundation product of Oracle ...) NOT-FOR-US: Oracle CVE-2024-21085 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 CVE-2024-21084 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) NOT-FOR-US: Oracle @@ -1773,7 +1773,7 @@ CVE-2024-21070 (Vulnerability in the PeopleSoft Enterprise PeopleTools product o CVE-2024-21069 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 (bug #1069189) CVE-2024-21068 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -1892,7 +1892,7 @@ CVE-2024-21012 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Ora - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 CVE-2024-21011 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-8 + - openjdk-8 (bug #1069678) - openjdk-11 11.0.23+9-1 - openjdk-17 17.0.11+9-1 - openjdk-21 21.0.3+9-1 @@ -3510,7 +3510,7 @@ CVE-2023-6916 (Audit records for OpenAPI requests may include sensitive informat CVE-2023-52070 (JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ...) NOT-FOR-US: Disputed JFreeChart issue CVE-2023-2794 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - - ofono + - ofono (bug #1069679) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255387 NOTE: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682 NOTE: https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b3748e5ed9d52fa24b774406cb5ef50750cfa99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b3748e5ed9d52fa24b774406cb5ef50750cfa99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 518daeec by Moritz Muehlenhoff at 2024-04-11T17:49:05+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -120,7 +120,7 @@ CVE-2024-3569 (A Denial of Service (DoS) vulnerability exists in the mintplex-la CVE-2024-3568 (The huggingface/transformers library is vulnerable to arbitrary code e ...) NOT-FOR-US: huggingface/transformers CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the upda ...) - - qemu + - qemu (bug #1068822) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) @@ -535,7 +535,7 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1) CVE-2024-3447 - - qemu + - qemu (bug #1068821) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 @@ -594,10 +594,10 @@ CVE-2024-3235 (The Essential Grid Gallery WordPress Plugin plugin for WordPress CVE-2024-3210 (The Paid Membership Plugin, Ecommerce, User Registration Form, Login F ...) NOT-FOR-US: WordPress plugin CVE-2024-3120 (A stack-buffer overflow vulnerability exists in all versions of sngrep ...) - - sngrep + - sngrep (bug #1068818) NOTE: https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1) CVE-2024-3119 (A buffer overflow vulnerability exists in all versions of sngrep since ...) - - sngrep + - sngrep (bug #1068818) NOTE: https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1) CVE-2024-3020 (The plugin is vulnerable to PHP Object Injection in versions up to and ...) NOT-FOR-US: WordPress plugin @@ -696,7 +696,7 @@ CVE-2024-3514 (The Responsive Tabs plugin for WordPress is vulnerable to Stored CVE-2024-3512 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPre ...) NOT-FOR-US: WordPress plugin CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...) - - qemu + - qemu (bug #1068820) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) @@ -15356,7 +15356,7 @@ CVE-2023-44308 (Open redirect vulnerability in adaptive media administration pag CVE-2022-48625 (Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key ...) NOT-FOR-US: Yealink CVE-2024-1635 (A vulnerability was found in Undertow. This vulnerability impacts a se ...) - - undertow + - undertow (bug #1068817) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2264928 CVE-2024-25983 (Insufficient checks in a web service made it possible to add comments ...) - moodle @@ -15431,14 +15431,14 @@ CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel SQL Co ...) NOT-FOR-US: Apache Camel CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - - qemu + - qemu (bug #1068819) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0) NOTE: https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - - qemu + - qemu (bug #1068819) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) @@ -16938,7 +16938,7 @@ CVE-2022-48623 (The Cpanel::JSON::XS package before 4.33 for Perl performs out-o CVE-2021-4437 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: lambda-middleware frameguard CVE-2024-1459 (A path traversal vulnerability was found in Undertow. This issue may a ...) - - undertow + - undertow (bug #1068816) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 448af4d0 by Moritz Muehlenhoff at 2024-04-05T17:16:16+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,8 +66,8 @@ CVE-2024-3299 (Out-Of-Bounds Write, Use of Uninitialized Resource and Use-After- CVE-2024-3298 (Out-Of-Bounds Write and Type Confusion vulnerabilities exist in the fi ...) NOT-FOR-US: Solidworks CVE-2024-3262 (Information exposure vulnerability in RT software affecting version 4. ...) - - request-tracker4 - - request-tracker5 + - request-tracker4 (bug #1068452) + - request-tracker5 (bug #1068453) NOTE: https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a NOTE: https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe CVE-2024-3250 (It was discovered that Canonical's Pebble service manager read-file AP ...) @@ -3641,7 +3641,7 @@ CVE-2024-29199 (Nautobot is a Network Source of Truth and Network Automation Pla CVE-2024-29196 (phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, ...) NOT-FOR-US: phpMyFAQ CVE-2024-29195 (The azure-c-shared-utility is a C library for AMQP/MQTT communication ...) - - azure-uamqp-python + - azure-uamqp-python (bug #1068457) NOTE: https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg NOTE: https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2 CVE-2024-29189 (PyAnsys Geometry is a Python client library for the Ansys Geometry ser ...) @@ -4054,14 +4054,14 @@ CVE-2024-27280 [Buffer overread vulnerability in StringIO] NOTE: https://www.ruby-lang.org/en/news/2024/03/21/buffer-overread-cve-2024-27280/ TODO: check details CVE-2024-30161 (In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may acce ...) - - qt6-base + - qt6-base (bug #1068454) - qtbase-opensource-src - qtbase-opensource-src-gles NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/544314 NOTE: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365 TODO: check details CVE-2024-30156 (Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 L ...) - - varnish + - varnish (bug #1068455) [bookworm] - varnish (Minor issue, too intrusive to backport) [bullseye] - varnish (Minor issue, too intrusive to backport) NOTE: https://varnish-cache.org/security/VSV00014.html @@ -4593,7 +4593,7 @@ CVE-2024-29032 (Qiskit IBM Runtime is an environment that streamlines quantum co CVE-2024-29026 (Owncast is an open source, self-hosted, decentralized, single user liv ...) NOT-FOR-US: Owncast CVE-2024-29018 (Moby is an open source container framework that is a key component of ...) - - docker.io + - docker.io (bug #1068460) NOTE: https://github.com/moby/moby/security/advisories/GHSA-mq39-4gv4-mvpx NOTE: https://github.com/moby/moby/pull/46609 CVE-2024-28916 (Xbox Gaming Services Elevation of Privilege Vulnerability) @@ -4863,117 +4863,117 @@ CVE-2024-2124 (The Translate WordPress and go Multilingual \u2013 Weglot plugin CVE-2024-28715 (Cross Site Scripting vulnerability in DOraCMS v.2.18 and before allows ...) NOT-FOR-US: DOraCMS CVE-2024-28584 (Null Pointer Dereference vulnerability in open source FreeImage v.3.19 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28583 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28582 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28581 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - - freeimage + - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 64410bc8 by Moritz Muehlenhoff at 2024-04-04T21:00:17+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2024-24795 - - apache2 + - apache2 (bug #1068412) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/5 CVE-2023-38709 - - apache2 + - apache2 (bug #1068412) NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/3 CVE-2024-27316 - - apache2 + - apache2 (bug #1068412) NOTE: https://www.kb.cert.org/vuls/id/421644 NOTE: https://www.openwall.com/lists/oss-security/2024/04/04/4 CVE-2024-3296 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64410bc895f2f8a9a8234dfd7fda9fd7c3cfb8ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64410bc895f2f8a9a8234dfd7fda9fd7c3cfb8ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fef23bf by Moritz Muehlenhoff at 2024-03-21T20:29:38+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -207,7 +207,7 @@ CVE-2023-51445 (GeoServer is an open source software server written in Java that CVE-2023-51444 (GeoServer is an open source software server written in Java that allow ...) NOT-FOR-US: GeoServer CVE-2023-50967 (latchset jose through version 11 allows attackers to cause a denial of ...) - - jose + - jose (bug #1067457) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/latch-jose.md CVE-2023-45177 (IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS and 9.3 CD is vulnerable to ...) NOT-FOR-US: IBM @@ -622,7 +622,7 @@ CVE-2023-6597 (An issue was found in the CPython `tempfile.TemporaryDirectory` c NOTE: https://github.com/python/cpython/commit/d54e22a669ae6e987199bb5d2c69bb5a46b0083b (v3.9.19) NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/Q5C6ATFC67K53XFV4KE45325S7NS62LD/ CVE-2023-50966 (erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow atta ...) - - erlang-jose + - erlang-jose (bug #1067456) NOTE: https://github.com/potatosalad/erlang-jose/issues/156 NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/erlang-jose.md CVE-2023-4426 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fef23bf21d6c2b34806f3f469841754b6f26344 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fef23bf21d6c2b34806f3f469841754b6f26344 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 428e67d0 by Moritz Muehlenhoff at 2024-02-28T15:49:06+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -546,7 +546,7 @@ CVE-2024-26471 (A reflected cross-site scripting (XSS) vulnerability in zhimengz CVE-2024-26470 (A host header injection vulnerability in the forgot password function ...) NOT-FOR-US: FullStackHero's WebAPI Boilerplate CVE-2024-26464 (net-snmp 5.9.4 contains a memory leak vulnerability in /net-snmp/apps/ ...) - - net-snmp + - net-snmp (bug #1064968) NOTE: https://github.com/LuMingYinDetect/net-snmp_defects/blob/main/net-snmp_detect_1.md CVE-2024-26143 (Rails is a web-application framework. There is a possible XSS vulnerab ...) - rails (Vulnerable code not present) @@ -578,7 +578,7 @@ CVE-2024-24323 (SQL injection vulnerability in linlinjava litemall v.1.8.0 allow CVE-2024-22251 (VMware Workstation and Fusion contain an out-of-bounds read vulnerabil ...) NOT-FOR-US: VMware CVE-2024-21742 (Improper input validation allows for header injection in MIME4J librar ...) - - apache-mime4j + - apache-mime4j (bug #1064966) [bookworm] - apache-mime4j (Minor issue) [bullseye] - apache-mime4j (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/02/27/5 @@ -906,17 +906,14 @@ CVE-2024-26466 (A DOM based cross-site scripting (XSS) vulnerability in the comp CVE-2024-26465 (A DOM based cross-site scripting (XSS) vulnerability in the component ...) NOT-FOR-US: beep.js CVE-2024-26462 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in / ...) - - krb5 + - krb5 (bug #1064965) NOTE: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_3.md - TODO: check, unclear upstream report status CVE-2024-26461 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in / ...) - - krb5 + - krb5 (bug #1064965) NOTE: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md - TODO: check, unclear upstream report status CVE-2024-26458 (Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/r ...) - - krb5 + - krb5 (bug #1064965) NOTE: https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md - NOTE: check, unclear upstream report status CVE-2024-26455 (fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bi ...) NOT-FOR-US: Fluent Bit CVE-2024-25925 (Unrestricted Upload of File with Dangerous Type vulnerability in SYSBA ...) @@ -945,11 +942,11 @@ CVE-2024-25410 (flusity-CMS 2.33 is vulnerable to Unrestricted Upload of File wi CVE-2024-25344 (Cross Site Scripting vulnerability in ITFlow.org before commit v.43248 ...) NOT-FOR-US: ITFlow.org CVE-2024-25082 (Splinefont in FontForge through 20230101 allows command injection via ...) - - fontforge + - fontforge (bug #1064967) NOTE: https://github.com/fontforge/fontforge/pull/5367 NOTE: https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429 CVE-2024-25081 (Splinefont in FontForge through 20230101 allows command injection via ...) - - fontforge + - fontforge (bug #1064967) NOTE: https://github.com/fontforge/fontforge/pull/5367 NOTE: https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429 CVE-2024-24714 (Unrestricted Upload of File with Dangerous Type vulnerability in bPlug ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/428e67d081211dac256fed6c3f20f773242bf585 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/428e67d081211dac256fed6c3f20f773242bf585 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e5ac7fb by Moritz Muehlenhoff at 2024-02-23T16:35:04+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -128,14 +128,14 @@ CVE-2023-44379 (baserCMS is a website development framework. Prior to version 5. CVE-2023-37540 (Sametime Connect desktop chat client includes, but does not use or req ...) NOT-FOR-US: Sametime Connect CVE-2024-26141 [Reject Range headers which are too large] - - ruby-rack + - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 NOTE: https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1) CVE-2024-25126 [Fixed ReDoS in Content Type header parsing] - - ruby-rack + - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 CVE-2024-26146 [Fixed ReDoS in Accept header parsing] - - ruby-rack + - ruby-rack (bug #1064516) NOTE: https://github.com/rack/rack/releases/tag/v2.2.8.1 NOTE: https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1) CVE-2024-26592 (In the Linux kernel, the following vulnerability has been resolved: k ...) @@ -384,7 +384,7 @@ CVE-2024-24476 (A buffer overflow in Wireshark before 4.2.0 allows a remote atta NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19344 NOTE: https://github.com/wireshark/wireshark/commit/108217f4bb1afb8b25fc705c2722b3e328b1ad78 CVE-2024-23346 (Pymatgen (Python Materials Genomics) is an open-source Python library ...) - - pymatgen + - pymatgen (bug #1064514) NOTE: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f NOTE: https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a CVE-2024-22778 (HackMD CodiMD <2.5.2 is vulnerable to Denial of Service.) @@ -697,7 +697,7 @@ CVE-2024-25366 (Buffer Overflow vulnerability in mz-automation.de libiec61859 v. CVE-2024-25274 (An arbitrary file upload vulnerability in the component /sysFile/uploa ...) NOT-FOR-US: Novel-Plus CVE-2024-25262 (texlive-bin commit c515e was discovered to contain heap buffer overflo ...) - - texlive-bin + - texlive-bin (bug #1064517) NOTE: https://tug.org/svn/texlive/trunk/Build/source/texk/ttfdump/ChangeLog?revision=69605=co NOTE: https://bugs.launchpad.net/ubuntu/+source/texlive-bin/+bug/2047912 NOTE: https://github.com/TeX-Live/texlive-source/pull/63 @@ -1200,7 +1200,7 @@ CVE-2024-1344 (Encrypted database credentials in LaborOfficeFree affecting versi CVE-2024-1343 (A weak permission was found in the backup directory in LaborOfficeFree ...) NOT-FOR-US: LaborOfficeFree CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) - - fastdds + - fastdds (bug #1064515) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98 NOTE: https://github.com/eProsima/Fast-DDS/commit/f2e5ceae8fbea0a6c9445a366faaca0b98a8ef86 CVE-2024-26308 (Allocation of Resources Without Limits or Throttling vulnerability in ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e5ac7fb85f4e8f137d729647bdffe296a985610 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e5ac7fb85f4e8f137d729647bdffe296a985610 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8300f1e5 by Moritz Muehlenhoff at 2024-02-16T16:10:06+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,9 +8,9 @@ CVE-2023-52161 CVE-2024-0793 NOT-FOR-US: kube-controller-manager CVE-2024-25580 [QT KTX buffer overflow] - - qt6-base - - qtbase-opensource-src - - qtbase-opensource-src-gles + - qt6-base (bug #1064052) + - qtbase-opensource-src (bug #1064053) + - qtbase-opensource-src-gles (bug #1064054) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2264423 NOTE: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=28ecb523ce8490bff38b251b3df703c72e057519 NOTE: https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff @@ -85,7 +85,7 @@ CVE-2024-21891 - nodejs (Only affects 20.x and later) NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#multiple-permission-model-bypasses-due-to-improper-path-traversal-sequence-sanitization-cve-2024-21891---medium CVE-2023-46809 - - nodejs + - nodejs (bug #1064055) NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium CVE-2024-22017 [experimental] - nodejs @@ -96,10 +96,10 @@ CVE-2024-21896 - nodejs (Only affects 20.x and later) NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#path-traversal-by-monkey-patching-buffer-internals-cve-2024-21896---high CVE-2024-22019 - - nodejs + - nodejs (bug #1064055) NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high CVE-2024-21892 - - nodejs + - nodejs (bug #1064055) NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high CVE-2024-25502 (Directory Traversal vulnerability in flusity CMS v.2.4 allows a remote ...) NOT-FOR-US: flusity CMS @@ -969,7 +969,7 @@ CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: Fixed by: https://github.com/Exiv2/exiv2/commit/355afea485550e8214ac6b449fb210a7efb71365 (v0.28.2) TODO: unclear range of affected versions: while the report claims it is new in v0.28.0 the QuickTimeVideo::multipleEntriesDecoder is present earlier CVE-2024-25110 (The UAMQP is a general purpose C library for AMQP 1.0. During a call t ...) - - azure-uamqp-python + - azure-uamqp-python (bug #1064051) NOTE: https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695 NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v CVE-2024-25108 (Pixelfed is an open source photo sharing platform. When processing req ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8300f1e57a8ef713b12f8053c6c964c26e15cdae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8300f1e57a8ef713b12f8053c6c964c26e15cdae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a75fc461 by Moritz Muehlenhoff at 2024-02-09T16:52:18+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -99,7 +99,7 @@ CVE-2023-32341 (IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.8 and 6.1.0.0 CVE-2023-31506 (A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and ...) NOT-FOR-US: Grav CMS CVE-2023-4639 [Cookie Smuggling/Spoofing] - - undertow + - undertow (bug #1063539) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166022 CVE-2023-3966 [Invalid memory access in Geneve with HW offload] - openvswitch (bug #1063492) @@ -115,7 +115,7 @@ CVE-2024-25191 (php-jwt 1.0.0 uses strcmp (which is not constant time) to verify CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authe ...) NOT-FOR-US: l8w8jwt CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify authe ...) - - libjwt + - libjwt (bug #1063534) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf NOTE: https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6 @@ -191,7 +191,7 @@ CVE-2023-50061 (PrestaShop Op'art Easy Redirect >= 1.3.8 and <= 1.3.12 is vulner CVE-2023-47020 (Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Ha ...) NOT-FOR-US: NCR Terminal Handler CVE-2023-42282 (An issue in NPM IP Package v.1.1.8 and before allows an attacker to ex ...) - - node-ip + - node-ip (bug #1063535) NOTE: https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ NOTE: https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html CVE-2024-0985 (Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in Postg ...) @@ -295,14 +295,14 @@ CVE-2024-24823 (Graylog is a free and open log management platform. Starting in CVE-2024-24822 (Pimcore's Admin Classic Bundle provides a backend user interface for P ...) NOT-FOR-US: Pimcore's Admin Classic Bundle CVE-2024-24816 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - - ckeditor - - ckeditor3 + - ckeditor (bug #1063536) + - ckeditor3 (bug #1063537) [buster] - ckeditor3 (No longer supported in LTS) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-mw2c-vx6j-mg76 NOTE: https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb CVE-2024-24815 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - - ckeditor - - ckeditor3 + - ckeditor (bug #1063536) + - ckeditor3 (bug #1063537) [buster] - ckeditor3 (No longer supported in LTS) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-fq6h-4g8v-qqvm NOTE: https://github.com/ckeditor/ckeditor4/commit/8ed1a3c93d0ae5f49f4ecff5738ab8a2972194cb @@ -925,7 +925,7 @@ CVE-2023-32451 (Dell Display Manager application, version 2.1.1.17, contains a v CVE-2024-24768 (1Panel is an open source Linux server operation and maintenance manage ...) NOT-FOR-US: 1Panel CVE-2024-24762 (FastAPI is a web framework for building APIs with Python 3.8+ based on ...) - - python-multipart + - python-multipart (bug #1063538) NOTE: Original report at fastapi: https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389 NOTE: But the fix is within python-multipart: NOTE: https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4 @@ -47916,7 +47916,7 @@ CVE-2023-1933 RESERVED CVE-2023-1932 [rendering of invalid html with SafeHTML leads to HTML injection and XSS] RESERVED - - libhibernate-validator-java + - libhibernate-validator-java (bug #1063540) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1809444 CVE-2023-1931 (The WP Fastest Cache plugin for WordPress is vulnerable to unauthorize ...) NOT-FOR-US: WP Fastest Cache plugin for WordPress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a75fc461305358644dc5b420e2d9e5630977ddaa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a75fc461305358644dc5b420e2d9e5630977ddaa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a46de165 by Moritz Muehlenhoff at 2024-01-15T20:54:12+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,7 @@ CVE-2023-6237 [openssl: Checking excessively long invalid RSA public keys may ta NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a830f551557d3d66a84bbb18a5b889c640c36294 (openssl-3.1) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=18c02492138d1eb8b6548cb26e7b625fb2414a2a (openssl-3.0) CVE-2024- [RUSTSEC-2023-0078] - - rust-tracing + - rust-tracing (bug #1060861) [bookworm] - rust-tracing (Vulnerable code not present) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0078.html NOTE: https://github.com/tokio-rs/tracing/pull/2765 @@ -2487,7 +2487,7 @@ CVE-2023-6436 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-51652 (OWASP AntiSamy .NET is a library for performing cleansing of HTML comi ...) NOT-FOR-US: OWASP AntiSamy .NET library CVE-2023-50711 (vmm-sys-util is a collection of modules that provides helpers and util ...) - - rust-vmm-sys-util + - rust-vmm-sys-util (bug #1060860) NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0002.html NOTE: https://github.com/advisories/GHSA-875g-mfp6-g7f9 NOTE: https://github.com/rust-vmm/vmm-sys-util/commit/30172fca2a8e0a38667d934ee56682247e13f167 (v0.12.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a46de165aa55c1f7666a5711fb56e620f15b330b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a46de165aa55c1f7666a5711fb56e620f15b330b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f7fa5caa by Moritz Mühlenhoff at 2024-01-12T23:17:14+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -223,7 +223,7 @@ CVE-2022-4960 (A vulnerability, which was classified as problematic, has been fo CVE-2022-4959 (A vulnerability classified as problematic was found in qkmc-rk redbbs ...) NOT-FOR-US: qkmc-rk redbbs CVE-2022-48620 (uev (aka libuev) before 2.4.1 has a buffer overflow in epoll_wait if m ...) - - libuev + - libuev (bug #1060692) [bookworm] - libuev (Minor issue) [bullseye] - libuev (Minor issue) NOTE: https://github.com/troglobit/libuev/issues/27 @@ -703,7 +703,7 @@ CVE-2023-50916 (Kyocera Device Manager before 3.1.1213.0 allows NTLM credential CVE-2023-50172 (A recovery notification bypass vulnerability exists in the userRecover ...) NOT-FOR-US: WWBN AVideo CVE-2023-50120 (MP4Box GPAC version 2.3-DEV-rev636-gfbd7e13aa-master was discovered to ...) - - gpac + - gpac (bug #1060696) [bullseye] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/2698 NOTE: https://github.com/gpac/gpac/commit/b655955b840ccd7c7198bb15375aa510e76208eb @@ -860,28 +860,23 @@ CVE-2023-50136 (Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allo CVE-2023-48864 (SEMCMS v4.8 was discovered to contain a SQL injection vulnerability vi ...) NOT-FOR-US: SEMCMS CVE-2023-47997 (An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitmap in F ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997 - TODO: check upstream reporting status CVE-2023-47996 (An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in F ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47996 - TODO: check upstream reporting status CVE-2023-47995 (Buffer Overflow vulnerability in BitmapAccess.cpp::FreeImage_AllocateB ...) - - freeimage - TODO: check no sensible references in CVE entry + - freeimage + NOTE: no sensible references in CVE entry CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 function in Plu ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47994 - TODO: check upstream reporting status CVE-2023-47993 (A Buffer out-of-bound read vulnerability in Exif.cpp::ReadInt32 in Fre ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47993 - TODO: check upstream reporting status CVE-2023-47992 (An integer overflow vulnerability in FreeImageIO.cpp::_MemoryReadProc ...) - - freeimage + - freeimage (bug #1060691) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47992 - TODO: check upstream reporting status CVE-2023-41781 (There is a Cross-sitescripting (XSS) vulnerability in ZTE MF258. Due t ...) NOT-FOR-US: ZTE CVE-2023-3043 (AMI\u2019s SPx contains a vulnerability in the BMC where an Attacker m ...) @@ -3275,13 +3270,13 @@ CVE-2023-51772 (One Identity Password Manager before 5.13.1 allows Kiosk Escape. CVE-2023-51771 (In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _ParseHead ...) NOT-FOR-US: MicroHttpServer CVE-2023-51714 (An issue was discovered in the HTTP2 implementation in Qt before 5.15. ...) - - qt6-base + - qt6-base (bug #1060693) [bookworm] - qt6-base (Minor issue) - - qtbase-opensource-src + - qtbase-opensource-src (bug #1060694) [bookworm] - qtbase-opensource-src (Minor issue) [bullseye] - qtbase-opensource-src (Minor issue) [buster] - qtbase-opensource-src (Minor issue) - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles (bug #1060695) [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/524864 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7fa5caae260334245d5e88d0a692d462d8bcfc8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7fa5caae260334245d5e88d0a692d462d8bcfc8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ceecb73f by Moritz Muehlenhoff at 2023-12-22T15:03:39+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2376,7 +2376,7 @@ CVE-2023-43813 (GLPI is a free asset and IT management software package. Startin CVE-2023-42495 (Dasan Networks - W-Web versions 1.22-1.27 - CWE-78: Improper Neutraliz ...) NOT-FOR-US: Dasan Networks W-Web CVE-2023-34194 (StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in TinyXML ...) - - tinyxml + - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-6707 (Use after free in CSS in Google Chrome prior to 120.0.6099.109 allowed ...) {DSA-5577-1} @@ -3938,7 +3938,7 @@ CVE-2023-40464 (Several versions of ALEOS, including ALEOS 4.16.0, use a hardcod CVE-2023-40463 (When configured in debugging mode by an authenticated user withadm ...) NOT-FOR-US: ALEOS CVE-2023-40462 (The ACEManager component of ALEOS 4.16 and earlier does not perform ...) - - tinyxml + - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-40461 (The ACEManager component of ALEOS 4.16 and earlier allows an authen ...) NOT-FOR-US: ALEOS @@ -4960,7 +4960,7 @@ CVE-2023-47463 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0 CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and be ...) NOT-FOR-US: p2pa CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) - - tinyxml + - tinyxml (bug #1059315) NOTE: https://www.forescout.com/resources/sierra21-vulnerabilities CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) NOT-FOR-US: NEC @@ -30542,10 +30542,10 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse NOTE: https://github.com/lloyd/yajl/issues/250 NOTE: Introduced with: https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb (2.0.0) NOTE: The original fix uploaded as 2.1.0-3.1 was incomplete. - - epics-base + - epics-base (bug #1059316) [bookworm] - epics-base (Minor issue) [buster] - epics-base (Minor issue; fix only after newer releases got a fix) - - r-cran-jsonlite + - r-cran-jsonlite (bug #1059317) [bookworm] - r-cran-jsonlite (Minor issue) [bullseye] - r-cran-jsonlite (Minor issue) [buster] - r-cran-jsonlite (Minor issue; fix only after newer releases got a fix) @@ -169626,15 +169626,15 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite [bullseye] - pdftk-java (Minor issue) [buster] - pdftk-java (Minor issue) - pdftk 2.02-5 - - libitext-java + - libitext-java (bug #1059318) [bookworm] - libitext-java (Minor issue) [bullseye] - libitext-java (Minor issue) [buster] - libitext-java (Minor issue) - - libitext1-java + - libitext1-java (bug #1059319) [bookworm] - libitext1-java (Minor issue) [bullseye] - libitext1-java (Minor issue) [buster] - libitext1-java (Minor issue) - - libitext5-java + - libitext5-java (bug #1059320) [bookworm] - libitext5-java (Minor issue) [bullseye] - libitext5-java (Minor issue) [buster] - libitext5-java (Minor issue) @@ -196775,7 +196775,7 @@ CVE-2021-27206 RESERVED CVE-2013-20001 (An issue was discovered in OpenZFS through 2.0.3. When an NFS share is ...) [experimental] - zfs-linux 2.2.0-1~exp1 - - zfs-linux + - zfs-linux (bug #1059322) [bookworm] - zfs-linux (contrib not supported) [bullseye] - zfs-linux (contrib not supported) NOTE: https://github.com/openzfs/zfs/commit/6cb5e1e7591da20af3a15793e022345a73e40fb7 (zfs-2.2.0-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceecb73f9e3d7915bd927ad0d226409b4b3a213c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceecb73f9e3d7915bd927ad0d226409b4b3a213c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f496e701 by Moritz Muehlenhoff at 2023-12-22T14:49:22+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1099,14 +1099,13 @@ CVE-2023-6903 (A vulnerability classified as critical has been found in Netentse CVE-2023-6483 (The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as ...) NOT-FOR-US: ADiTaaS (Allied Digital Integrated Tool-as-a-Service) CVE-2023-50981 (ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows atta ...) - - libcrypto++ + - libcrypto++ (bug #1059312) NOTE: https://github.com/weidai11/cryptopp/issues/1249 CVE-2023-50980 (gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to ...) - - libcrypto++ + - libcrypto++ (bug #1059311) NOTE: https://github.com/weidai11/cryptopp/issues/1248 - TODO: check details about mitigation applied, but issue in per se "unfixed" CVE-2023-50979 (Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during ...) - - libcrypto++ + - libcrypto++ (bug #1059310) NOTE: https://github.com/weidai11/cryptopp/issues/1247 CVE-2023-50976 (Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authoriz ...) NOT-FOR-US: Redpanda @@ -1982,7 +1981,7 @@ CVE-2023-40628 (A reflected XSS vulnerability was discovered in the Extplorer co CVE-2023-40627 (A reflected XSS vulnerability was discovered in the LivingWord compone ...) NOT-FOR-US: Joomla module CVE-2023-37457 (Asterisk is an open source private branch exchange and telephony toolk ...) - - asterisk + - asterisk (bug #1059303) NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh NOTE: https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa CVE-2023-3904 (An issue has been discovered in GitLab EE affecting all versions start ...) @@ -2140,7 +2139,7 @@ CVE-2023-40921 (SQL Injection vulnerability in functions/point_list.php in Commo CVE-2023-31546 (Cross Site Scripting (XSS) vulnerability in DedeBIZ v6.0.3 allows atta ...) NOT-FOR-US: DedeBIZ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659] - - python-cryptography + - python-cryptography (bug #1059308) [buster] - python-cryptography (Minor issue; it's an incomplete fix of CVE-2020-25659) NOTE: https://github.com/pyca/cryptography/issues/9785 NOTE: https://people.redhat.com/~hkario/marvin/ @@ -11235,7 +11234,7 @@ CVE-2023-45805 (pdm is a Python package and dependency manager supporting the la NOTE: https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9 NOTE: https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 CVE-2023-44483 (All versions of Apache Santuario - XML Security for Java prior to 2.2. ...) - - libxml-security-java + - libxml-security-java (bug #1059313) NOTE: https://www.openwall.com/lists/oss-security/2023/10/20/5 NOTE: https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55 NOTE: https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc @@ -13938,9 +13937,9 @@ CVE-2023-40008 (Cross-Site Request Forgery (CSRF) vulnerability in Gangesh Matta CVE-2023-3725 (Potential buffer overflow vulnerability in the Zephyr CAN bus subsyste ...) NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr) CVE-2023-38703 (PJSIP is a free and open source multimedia communication library writt ...) - - asterisk + - asterisk (bug #1059303) - pjproject - - ring + - ring (bug #1059307) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66 NOTE: https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d (2.14) CVE-2023-36465 (Decidim is a participatory democracy framework, written in Ruby on Rai ...) @@ -19701,7 +19700,7 @@ CVE-2023-3251 (A pass-back vulnerability exists where an authenticated, remote a CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web interface ...) NOT-FOR-US: BDCOM OLT P3310D-2AC CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expression ...) - - mathjax + - mathjax (bug #1059304) [bookworm] - mathjax (Minor issue) [bullseye] - mathjax (Minor issue) [buster] - mathjax (Minor issue) @@ -20263,11 +20262,11 @@ CVE-2023-40036 (Notepad++ is a free and open-source source code editor. Versions CVE-2023-40031 (Notepad++ is a free and open-source source code editor. Versions 8.5.6 ...) NOT-FOR-US: Notepad++ CVE-2023-40030 (Cargo downloads a
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32e9a182 by Moritz Muehlenhoff at 2023-12-22T14:22:18+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1039,7 +1039,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - putty 0.80-1 - python-asyncssh (bug #1059007) - tinyssh 20230101-4 (bug #1059058; unimportant) - - trilead-ssh2 + - trilead-ssh2 (bug #1059294) NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 @@ -2147,7 +2147,7 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - inc NOTE: https://github.com/openssl/openssl/pull/13817 NOTE: CVE is for incomplete fix of CVE-2020-25659 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657] - - m2crypto + - m2crypto (bug #1059292) [buster] - m2crypto (Minor issue; it's an incomplete fix of CVE-2020-25657) NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342 NOTE: https://people.redhat.com/~hkario/marvin/ @@ -17201,7 +17201,7 @@ CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are configu CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path trave ...) NOT-FOR-US: I-doit pro CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...) - - hamster-time-tracker + - hamster-time-tracker (bug #1059296) NOTE: https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md NOTE: Report sounds a little dubious, it's not really clear whether this cross any security boundary CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...) @@ -21134,7 +21134,7 @@ CVE-2023-39970 (Unrestricted Upload of File with Dangerous Type vulnerability in CVE-2023-39743 (lrzip-next LZMA v23.01 was discovered to contain an access violation v ...) - lrzip-next (bug #1042088) CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the libzpaq ...) - - lrzip + - lrzip (bug #1059293) [bookworm] - lrzip (Minor issue) [bullseye] - lrzip (Minor issue) [buster] - lrzip (Minor issue) @@ -24077,7 +24077,7 @@ CVE-2023-32427 (This issue was addressed by using HTTPS when sending information NOT-FOR-US: Apple CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before ...) {DLA-3539-1} - - qt6-base + - qt6-base (bug #1059302) [bookworm] - qt6-base (Minor issue) - qtbase-opensource-src-gles 5.15.10+dfsg-2 [bookworm] - qtbase-opensource-src-gles (Minor issue) @@ -31766,7 +31766,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlie [bookworm] - python-tornado (Minor issue) [bullseye] - python-tornado (Minor issue) [buster] - python-tornado (Minor issue) - - salt + - salt (bug #1059297) NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2) CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...) NOT-FOR-US: Wacom Tablet Driver installer @@ -42676,7 +42676,7 @@ CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed [bookworm] - ckeditor (Minor issue) [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) - - ckeditor3 + - ckeditor3 (bug #1059301) [bookworm] - ckeditor3 (Minor issue) [bullseye] - ckeditor3 (Minor issue) [buster] - ckeditor3 (No longer supported in LTS) @@ -47077,7 +47077,8 @@ CVE-2023-27045 CVE-2023-27044 RESERVED CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-mail ad ...) - - python3.11 + - python3.12 (bug #1059299) + - python3.11 (bug #1059298) [bookworm] - python3.11 (Minor issue) - python3.10 - python3.9 @@ -49404,7 +49405,7 @@ CVE-2023-26143 (Versions of the package blamer before 1.0.4 are vulnerable to Ar CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response Split ...) NOT-FOR-US: Crow CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial ...) - - ruby-sidekiq + - ruby-sidekiq (bug #1059300) [bookworm] - ruby-sidekiq (Minor issue) [bullseye] - ruby-sidekiq (Minor issue) [buster] - ruby-sidekiq (Minor issue, DoS still possible) View it
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 91d80e70 by Moritz Muehlenhoff at 2023-12-22T13:36:37+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -386,7 +386,7 @@ CVE-2023-41166 (An issue was discovered in Stormshield Network Security (SNS) 3. CVE-2023-7018 (Deserialization of Untrusted Data in GitHub repository huggingface/tra ...) NOT-FOR-US: Transformers CVE-2023-7008 [Unsigned name response in signed zone is not refused when DNSSEC=yes] - - systemd + - systemd (bug #1059278) [bookworm] - systemd (Minor issue) [bullseye] - systemd (Minor issue) [buster] - systemd (Minor issue, should be fixed after newer releases are done) @@ -1033,7 +1033,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - proftpd-dfsg 1.3.8.b+dfsg-1 (bug #1059144) [bookworm] - proftpd-dfsg (Minor issue) [bullseye] - proftpd-dfsg (Minor issue) - - proftpd-mod-proxy + - proftpd-mod-proxy (bug #1059290) - putty 0.80-1 - python-asyncssh (bug #1059007) - tinyssh 20230101-4 (bug #1059058; unimportant) @@ -1777,11 +1777,11 @@ CVE-2023-50564 (An arbitrary file upload vulnerability in the component /inc/mod CVE-2023-50563 (Semcms v4.8 was discovered to contain a SQL injection vulnerability vi ...) NOT-FOR-US: Semcms CVE-2023-50472 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) - - cjson + - cjson (bug #1059287) NOTE: https://github.com/DaveGamble/cJSON/issues/803 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 CVE-2023-50471 (cJSON v1.7.16 was discovered to contain a segmentation violation via t ...) - - cjson + - cjson (bug #1059287) NOTE: https://github.com/DaveGamble/cJSON/issues/802 NOTE: Fixed by: https://github.com/DaveGamble/cJSON/commit/60ff122ef5862d04b39b150541459e7f5e35add8 CVE-2023-50371 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) @@ -1920,7 +1920,7 @@ CVE-2023-48631 (@adobe/css-tools versions 4.3.1 and earlier are affected by an I CVE-2023-47261 (Dokmee ECM 7.4.6 allows remote code execution because the response to ...) NOT-FOR-US: Dokmee ECM CVE-2023-46750 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability when ...) - - shiro + - shiro (bug #1059288) [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) [buster] - shiro (Minor issue) @@ -3264,14 +3264,14 @@ CVE-2023-49493 (DedeCMS v5.7.111 was discovered to contain a reflective cross-si CVE-2023-49492 (DedeCMS v5.7.111 was discovered to contain a reflective cross-site scr ...) NOT-FOR-US: DedeCMS CVE-2023-49468 (Libde265 v1.0.14 was discovered to contain a global buffer overflow vu ...) - - libde265 + - libde265 (bug #1059275) NOTE: https://github.com/strukturag/libde265/issues/432 NOTE: Fixed by: https://github.com/strukturag/libde265/commit/3e822a3ccf88df1380b165d6ce5a00494a27ceeb CVE-2023-49467 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...) - - libde265 + - libde265 (bug #1059275) NOTE: https://github.com/strukturag/libde265/issues/434 CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vuln ...) - - libde265 + - libde265 (bug #1059275) NOTE: https://github.com/strukturag/libde265/issues/435 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - libheif (bug #1059151) @@ -7947,10 +7947,10 @@ CVE-2023-47005 (An issue in ASUS RT-AX57 v.3.0.0.4_386_52041 allows a remote att CVE-2023-46492 (Cross Site Scripting vulnerability in MLDB.ai v.2017.04.17.0 allows a ...) NOT-FOR-US: MLDB.ai CVE-2023-46363 (jbig2enc v0.28 was discovered to contain a SEGV via jbig2_add_page in ...) - - jbig2enc + - jbig2enc (bug #1059285) NOTE: https://github.com/agl/jbig2enc/issues/85 CVE-2023-46362 (jbig2enc v0.28 was discovered to contain a heap-use-after-free via jbi ...) - - jbig2enc + - jbig2enc (bug #1059284) NOTE: https://github.com/agl/jbig2enc/issues/84 CVE-2023-45875 (An issue was discovered in Couchbase Server 7.2.0. There is a private ...) NOT-FOR-US: Couchbase Server @@ -9720,7 +9720,7 @@ CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R v.4.1c CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows an attack ...) NOT-FOR-US: Contec SolarView Compact CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote attacker ...) - - cacti + -
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c6312bf by Moritz Muehlenhoff at 2023-12-22T10:58:53+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -114,7 +114,7 @@ CVE-2023-48685 (Railway Reservation System v1.0 is vulnerable to multiple Unauth CVE-2023-48308 (Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain ...) NOT-FOR-US: Nextcloud calendar app CVE-2023-48298 (ClickHouse\xae is an open-source column-oriented database management s ...) - - clickhouse + - clickhouse (bug #1059261) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938 NOTE: https://github.com/ClickHouse/ClickHouse/pull/56795 CVE-2023-46649 (A race condition in GitHub Enterprise Server was identified that could ...) @@ -231,7 +231,7 @@ CVE-2023-50119 CVE-2023-4256 (Within tcpreplay's tcprewrite, a double free vulnerability has been id ...) TODO: check CVE-2023-4255 (An out-of-bounds write issue has been discovered in the backspace hand ...) - - w3m + - w3m (bug #1059265) NOTE: https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3 NOTE: https://github.com/tats/w3m/issues/268 NOTE: https://github.com/tats/w3m/pull/273 @@ -459,7 +459,7 @@ CVE-2023-47507 (Deserialization of Untrusted Data vulnerability in Master Slider CVE-2023-47236 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-47118 (ClickHouse\xae is an open-source column-oriented database management s ...) - - clickhouse + - clickhouse (bug #1059261) NOTE: https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v CVE-2023-46311 (Authorization Bypass Through User-Controlled Key vulnerability in gVec ...) NOT-FOR-US: WordPress plugin @@ -4105,11 +4105,11 @@ CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-check CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...) - falcosecurity-libs (bug #1059256) - gemmi (bug #1059257) - - lwip (bug #1059259) NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1 NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf NOTE: https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d NOTE: https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt + NOTE: lwip embeds a copy of tinydir, but it's unused, see bug #1059259 CVE-2023-49108 (Path traversal vulnerability exists in RakRak Document Plus Ver.3.2.0. ...) NOT-FOR-US: RakRak Document Plus CVE-2023-49093 (HtmlUnit is a GUI-less browser for Java programs. HtmlUnit is vulnerab ...) @@ -76684,13 +76684,13 @@ CVE-2022-44013 (An issue was discovered in Simmeth Lieferantenmanager before 5.6 CVE-2022-44012 (An issue was discovered in /DS/LM_API/api/SelectionService/InsertQuery ...) NOT-FOR-US: Simmeth Lieferantenmanager CVE-2022-44011 (An issue was discovered in ClickHouse before 22.9.1.2603. An authentic ...) - - clickhouse + - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) [buster] - clickhouse (Minor issue, DoS) NOTE: https://github.com/ClickHouse/ClickHouse/pull/40241 CVE-2022-44010 (An issue was discovered in ClickHouse before 22.9.1.2603. An attacker ...) - - clickhouse + - clickhouse (bug #1059261) [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) [buster] - clickhouse (Minor issue, DoS) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c6312bf8952f907f089ed432925cc9708f92b56 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c6312bf8952f907f089ed432925cc9708f92b56 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b1cddff by Moritz Muehlenhoff at 2023-12-22T10:12:32+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78,11 +78,11 @@ CVE-2023-49678 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL In CVE-2023-49677 (Job Portal v1.0 is vulnerable to multiple Unauthenticated SQL Injectio ...) NOT-FOR-US: Job Portal CVE-2023-49086 (Cacti is a robust performance and fault management framework and a fro ...) - - cacti + - cacti (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc CVE-2023-49084 (Cacti is a robust performance and fault management framework and a fro ...) - - cacti + - cacti (bug #1059254) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-pfh9-gwm6-86vp NOTE: https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc CVE-2023-48723 (Student Result Management System v1.0 is vulnerable to multiple Unauth ...) @@ -4100,7 +4100,9 @@ CVE-2023-5332 (Patch in third party library Consul requires 'enable-script-check NOTE: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171 NOTE: https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations CVE-2023-49287 (TinyDir is a lightweight C directory and file reader. Buffer overflows ...) - TODO: potentally affects falcosecurity-libs, gemmi, lwip + - falcosecurity-libs (bug #1059256) + - gemmi (bug #1059257) + - lwip (bug #1059259) NOTE: https://www.openwall.com/lists/oss-security/2023/12/04/1 NOTE: https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf NOTE: https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b1cddffbc54494cbe40264420db250fd120019c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b1cddffbc54494cbe40264420db250fd120019c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 13215d71 by Moritz Muehlenhoff at 2023-12-20T17:00:33+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2728,7 +2728,7 @@ CVE-2023-49465 (Libde265 v1.0.14 was discovered to contain a heap-buffer-overflo - libde265 NOTE: https://github.com/strukturag/libde265/issues/435 CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) @@ -2736,21 +2736,21 @@ CVE-2023-49464 (libheif v1.17.5 was discovered to contain a segmentation violati NOTE: https://github.com/strukturag/libheif/pull/1049 NOTE: https://github.com/strukturag/libheif/commit/2bf226a300951e6897ee7267d0dd379ba5ad7287 CVE-2023-49463 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1042 NOTE: https://github.com/strukturag/libheif/commit/26ec3953d46bb5756b97955661565bcbc6647abf CVE-2023-49462 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) NOTE: https://github.com/strukturag/libheif/issues/1043 NOTE: https://github.com/strukturag/libheif/commit/730a9d80bea3434f75c79e721878cc67f3889969 CVE-2023-49460 (libheif v1.17.5 was discovered to contain a segmentation violation via ...) - - libheif + - libheif (bug #1059151) [bookworm] - libheif (Minor issue) [bullseye] - libheif (Minor issue) [buster] - libheif (Vulnerable code not present) @@ -235358,25 +235358,25 @@ CVE-2020-24297 (httpd on TP-Link TL-WPA4220 devices (versions 2 through 4) allow CVE-2020-24296 RESERVED CVE-2020-24295 (Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() in Fre ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDP ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser.cpp i ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp in Fre ...) - - freeimage + - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) [buster] - freeimage (Revisit when patches are available) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13215d71ff790e689024c2d5d2afdcbefabc6412 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13215d71ff790e689024c2d5d2afdcbefabc6412 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e70d44cd by Moritz Muehlenhoff at 2023-12-19T22:28:47+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -195,7 +195,7 @@ CVE-2023-6856 (The WebGL `DrawElementsInstanced` method was susceptible to a hea NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-55/#CVE-2023-6856 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-54/#CVE-2023-6856 CVE-2023-6135 (Multiple NSS NIST curves were susceptible to a side-channel attack kno ...) - - nss + - nss (bug #1059054) - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135 NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1853908 (not public) @@ -1826,9 +1826,8 @@ CVE-2023-36639 (A use of externally-controlled format string in Fortinet FortiPr CVE-2023-6710 (A flaw was found in the mod_proxy_cluster in the Apache server. This i ...) - libapache2-mod-cluster (bug #731410) CVE-2023-5379 (A flaw was found in Undertow. When an AJP request is sent that exceeds ...) - - undertow + - undertow (bug #1059055) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2242099 - TODO: check, insufficient information for Debian specific assessment CVE-2023-49921 - elasticsearch CVE-2023-6687 (An issue was discovered by Elastic whereby Elastic Agent would log a r ...) @@ -2371,7 +2370,7 @@ CVE-2023-48311 (dockerspawner is a tool to spawn JupyterHub single user servers CVE-2023-47722 (IBM API Connect V10.0.5.3 and V10.0.6.0 stores user credentials in bro ...) NOT-FOR-US: IBM CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to cause a ...) - - gpac + - gpac (bug #1059056) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2652 NOTE: https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49 @@ -2379,7 +2378,7 @@ CVE-2023-47465 (An issue in GPAC v.2.2.1 and before allows a local attacker to c CVE-2023-47254 (An OS Command Injection in the CLI interface on DrayTek Vigor167 versi ...) NOT-FOR-US: DrayTek Vigor167 CVE-2023-46932 (Heap Buffer Overflow vulnerability in GPAC version 2.3-DEV-rev617-g671 ...) - - gpac + - gpac (bug #1059056) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2669 NOTE: https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b @@ -2694,7 +2693,7 @@ CVE-2023-49403 (Tenda W30E V16.01.0.12(4843) was discovered to contain a command CVE-2023-49402 (Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflo ...) NOT-FOR-US: Tenda CVE-2023-48958 (gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in gf_mpd_ ...) - - gpac + - gpac (bug #1059056) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2689 @@ -2710,7 +2709,7 @@ CVE-2023-47440 (Gladys Assistant v4.27.0 and prior is vulnerable to Directory Tr CVE-2023-46974 (Cross Site Scripting vulnerability in Best Courier Management System v ...) NOT-FOR-US: Best Courier Management System CVE-2023-46871 (GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a mem ...) - - gpac + - gpac (bug #1059056) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in Buster LTS) NOTE: https://github.com/gpac/gpac/issues/2658 @@ -4552,25 +4551,25 @@ CVE-2023-46355 (In the module "CSV Feeds PRO" (csvfeeds) < 2.6.1 from Bl Modules CVE-2023-46349 (In the module "Product Catalog (CSV, Excel) Export/Update" (updateprod ...) NOT-FOR-US: PrestaShop module CVE-2023-42366 (A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_ ...) - - busybox + - busybox (bug #1059053) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15874 CVE-2023-42365 (A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via ...) - - busybox + - busybox (bug #1059052) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) NOTE: https://bugs.busybox.net/show_bug.cgi?id=15871 CVE-2023-42364 (A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to ...) - - busybox + - busybox (bug #1059051) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ea1efad by Moritz Muehlenhoff at 2023-11-19T21:09:16+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -545,15 +545,15 @@ CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) CVE-2023-48087 (xxl-job-admin 2.4.0 is vulnerable to Insecure Permissions via /xxl-job ...) NOT-FOR-US: XXL-Job CVE-2023-48014 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a sta ...) - - gpac + - gpac (bug #1056282) NOTE: https://github.com/gpac/gpac/issues/2613 NOTE: https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b CVE-2023-48013 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a dou ...) - - gpac + - gpac (bug #1056282) NOTE: https://github.com/gpac/gpac/issues/2612 NOTE: https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893 CVE-2023-48011 (GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a hea ...) - - gpac + - gpac (bug #1056282) NOTE: https://github.com/gpac/gpac/issues/2611 NOTE: https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea CVE-2023-47637 (Pimcore is an Open Source Data & Experience Management Platform. In af ...) @@ -857,7 +857,7 @@ CVE-2023-47554 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-47550 (Cross-Site Request Forgery (CSRF) vulnerability in RedNao Donations Ma ...) NOT-FOR-US: WordPress plugin CVE-2023-47384 (MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to contai ...) - - gpac + - gpac (bug #1056282) [bullseye] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/issues/2672 CVE-2023-47262 (In Abbott ID NOW before 7.1, settings can be modified via physical acc ...) @@ -1467,7 +1467,7 @@ CVE-2023-36027 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerabi CVE-2023-5870 {DSA-5554-1 DSA-5553-1 DLA-3651-1} - postgresql-16 16.1-1 - - postgresql-15 + - postgresql-15 (bug #1056283) - postgresql-13 - postgresql-11 NOTE: https://www.postgresql.org/support/security/CVE-2023-5870/ @@ -1475,7 +1475,7 @@ CVE-2023-5870 CVE-2023-5869 {DSA-5554-1 DSA-5553-1 DLA-3651-1} - postgresql-16 16.1-1 - - postgresql-15 + - postgresql-15 (bug #1056283) - postgresql-13 - postgresql-11 NOTE: https://www.postgresql.org/support/security/CVE-2023-5869/ @@ -1483,7 +1483,7 @@ CVE-2023-5869 CVE-2023-5868 {DSA-5554-1 DSA-5553-1 DLA-3651-1} - postgresql-16 16.1-1 - - postgresql-15 + - postgresql-15 (bug #1056283) - postgresql-13 - postgresql-11 NOTE: https://www.postgresql.org/support/security/CVE-2023-5868/ @@ -1946,7 +1946,7 @@ CVE-2023-46676 (Online Job Portal v1.0 is vulnerable to multiple Unauthenticated CVE-2023-46483 (Cross Site Scripting vulnerability in timetec AWDMS v.2.0 allows an at ...) NOT-FOR-US: timetec AWDMS CVE-2023-46001 (Buffer Overflow vulnerability in gpac MP4Box v.2.3-DEV-rev573-g2013208 ...) - - gpac + - gpac (bug #1056282) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2629 NOTE: https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4 @@ -1987,7 +1987,7 @@ CVE-2023-45283 (The filepath package does not recognize paths with a \??\ prefix NOTE: https://github.com/golang/go/commit/46fb78168596f7ce8834f528bb0eb9555c08bcae (go1.20.11) NOTE: No security impact for Debian packages, only affects code running on Windows CVE-2023-5998 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.) - - gpac + - gpac (bug #1056282) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113 NOTE: https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e @@ -4721,7 +4721,7 @@ CVE-2023-39333 NOTE: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#code-injection-via-webassembly-export-names-low---cve-2023-39333 NOTE: https://github.com/nodejs/node/commit/eaf9083cf1e43bd897ac8244dcc0f4e3500150ca CVE-2023-5388 - - nss + - nss (bug #1056284) [bookworm] - nss (Minor issue, revisit once fixed upstream) [bullseye] - nss (Minor issue, revisit once fixed upstream) [buster] - nss (Minor issue) @@ -71656,9 +71656,8 @@ CVE-2023-20248 CVE-2023-20247 (A vulnerability in the remote access SSL VPN feature of Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2023-20246 (Multiple Cisco
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 116d03f4 by Moritz Muehlenhoff at 2023-11-12T20:37:33+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -973,7 +973,7 @@ CVE-2023-46802 (e-Tax software Version3.0.10 and earlier improperly restricts XM CVE-2023-40207 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-38407 (bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond ...) - - frr + - frr (bug #1055852) NOTE: https://github.com/FRRouting/frr/pull/12951 NOTE: https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b (base_9.0) NOTE: https://github.com/FRRouting/frr/pull/12956 @@ -1045,10 +1045,10 @@ CVE-2023-47272 (Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS v - roundcube 1.6.5+dfsg-1 (bug #1055421) NOTE: https://github.com/roundcube/roundcubemail/commit/81ac3c342a4f288deb275590895b52ec3785cf8a (1.6.5) CVE-2023-47235 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - - frr + - frr (bug #1055852) NOTE: https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b CVE-2023-47234 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - - frr + - frr (bug #1055852) NOTE: https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf CVE-2023-47233 (The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf ...) - linux @@ -2414,11 +2414,11 @@ CVE-2023-5139 (Potential buffer overflow vulnerability at the following location CVE-2023-46754 (The admin panel for Obl.ong before 1.1.2 allows authorization bypass b ...) NOT-FOR-US: admin panel for Obl.ong CVE-2023-46753 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - - frr + - frr (bug #1055852) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/d8482bf011cb2b173e85b65b4bf3d5061250cdb9 (master) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/21418d64af11553c402f932b0311c812d98ac3e4 (stable/8.5 branch) CVE-2023-46752 (An issue was discovered in FRRouting FRR through 9.0.1. It mishandles ...) - - frr + - frr (bug #1055852) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35 (master) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/30b5c2a434d25981e16792f6f50162beb517ae4d (stable/8.5 branch) CVE-2023-46668 (If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-defa ...) @@ -3513,7 +3513,7 @@ CVE-2023-5688 (Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/mod CVE-2023-5687 (Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo ...) NOT-FOR-US: mosparo CVE-2023-5686 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) - - radare2 + - radare2 (bug #1055854) NOTE: https://huntr.com/bounties/bbfe1f76-8fa1-4a8c-909d-65b16e970be0 NOTE: https://github.com/radareorg/radare2/commit/1bdda93e348c160c84e30da3637acef26d0348de CVE-2023-5618 (The Modern Footnotes plugin for WordPress is vulnerable to Stored Cros ...) @@ -9609,7 +9609,7 @@ CVE-2023-4914 (Relative Path Traversal in GitHub repository cecilapp/cecil prior CVE-2023-4913 (Cross-site Scripting (XSS) - Reflected in GitHub repository cecilapp/c ...) NOT-FOR-US: cecil.app CVE-2023-4759 (Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, al ...) - - jgit + - jgit (bug #1055853) [bookworm] - jgit (Minor issue) [bullseye] - jgit (Minor issue) [buster] - jgit (Minor issue. Only case-insensitive filesystems are affected) @@ -12034,7 +12034,7 @@ CVE-2023-41363 (In Cerebrate 1.14, a vulnerability in UserSettingsController all NOT-FOR-US: Cerebrate CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not ...) {DLA-3573-1} - - frr + - frr (bug #1055852) [bullseye] - frr (The vulnerable code was introduced later) NOTE: https://github.com/FRRouting/frr/pull/14241 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/b4d09af9194d20a7f9f16995a062f5d8e3d32840 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116d03f4bbd9d9bd37afb712b6022f76bcb88a34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116d03f4bbd9d9bd37afb712b6022f76bcb88a34 You're receiving this email because of your account on salsa.debian.org. ___
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e6d56fea by Moritz Muehlenhoff at 2023-11-03T20:29:20+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -284,24 +284,24 @@ CVE-2023-5358 (Improper access control in Report log filters feature in Devoluti CVE-2023-4452 (A vulnerability has been identified in the EDR-810, EDR-G902, and EDR- ...) NOT-FOR-US: Moxa CVE-2023-46931 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow ...) - - gpac + - gpac (bug #1055298) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2664 NOTE: https://github.com/gpac/gpac/commit/671976fccc971b3dff8d3dcf6ebd600472ca64bf CVE-2023-46930 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box i ...) - - gpac + - gpac (bug #1055298) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2666 NOTE: https://github.com/gpac/gpac/commit/3809955065afa3da1ad580012ec43deadbb0f2c8 CVE-2023-46928 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in gpac/MP4Box i ...) - - gpac + - gpac (bug #1055298) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2661 NOTE: https://github.com/gpac/gpac/commit/0753bf6d867343a80a044bf47a27d0b7accc8bf1 CVE-2023-46927 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a heap-buffer-overflow ...) - - gpac + - gpac (bug #1055298) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2657 NOTE: https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817 @@ -2008,7 +2008,7 @@ CVE-2023-46603 (In International Color Consortium DemoIccMAX 79ecb74, there is a CVE-2023-46602 (In International Color Consortium DemoIccMAX 79ecb74, there is a stack ...) NOT-FOR-US: International Color Consortium DemoIccMAX CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataS ...) - - wabt + - wabt (bug #1055299) NOTE: https://github.com/WebAssembly/wabt/issues/2311 CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegm ...) - wabt (unimportant) @@ -7783,7 +7783,7 @@ CVE-2023-38255 (A potential attacker with or without (cookie theft) access to th CVE-2023-37611 (Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a re ...) NOT-FOR-US: Neos CMS CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creating a n ...) - - ansible + - ansible (bug #1055300) [buster] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229979 CVE-2023-42754 (A NULL pointer dereference flaw was found in the Linux kernel ipv4 sta ...) @@ -10963,7 +10963,7 @@ CVE-2023-40170 (jupyter-server is the backend for Jupyter web applications. Impr NOTE: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-64x5-55rw-9974 NOTE: https://github.com/jupyter-server/jupyter_server/commit/87a4927272819f0b1cae1afa4c8c86ee2da002fd (v2.7.2) CVE-2023-39810 (An issue in the CPIO command of Busybox v1.33.2 allows attackers to ex ...) - - busybox + - busybox (bug #1055307) [bookworm] - busybox (Minor issue) [bullseye] - busybox (Minor issue) [buster] - busybox (Minor issue) @@ -20097,7 +20097,7 @@ CVE-2023-3295 (The Unlimited Elements For Elementor (Free Widgets, Addons, Templ NOT-FOR-US: WordPress plugin CVE-2023-35790 (An issue was discovered in dec_patch_dictionary.cc in libjxl before 0. ...) [experimental] - jpeg-xl 0.8.2-1 - - jpeg-xl + - jpeg-xl (bug #1055306) [bookworm] - jpeg-xl (Minor issue) NOTE: https://github.com/libjxl/libjxl/pull/2551 NOTE: https://github.com/libjxl/libjxl/commit/d4e67a644d8babe7cb68de122d8b5ccb2ad8f226 @@ -154102,27 +154102,27 @@ CVE-2021-40268 CVE-2021-40267 RESERVED CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp is vul ...) - - freeimage + - freeimage (bug #1055305) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/334/ CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...) - - freeimage + - freeimage (bug #1055304) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/337/ CVE-2021-40264 (NULL pointer dereference vulnerability in
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 08a79f4a by Moritz Muehlenhoff at 2023-11-01T20:25:02+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -354,7 +354,7 @@ CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks CVE-2015-20110 (JHipster generator-jhipster before 2.23.0 allows a timing attack again ...) NOT-FOR-US: JHipster generator-jhipster CVE-2023-34049 [allows an attacker to force Salt-SSH to run their script] - - salt + - salt (bug #1055179) NOTE: https://saltproject.io/security-announcements/2023-10-27-advisory/index.html CVE-2023-5844 (Unverified Password Change in GitHub repository pimcore/admin-ui-class ...) NOT-FOR-US: Pimcore admin-ui-classic-bundle @@ -4565,7 +4565,7 @@ CVE-2023-43810 (OpenTelemetry, also known as OTel for short, is a vendor-neutral CVE-2023-43058 (IBM Robotic Process Automation 23.0.9 is vulnerable to privilege escal ...) NOT-FOR-US: IBM CVE-2023-42445 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (bug #1055176) [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue) @@ -4695,7 +4695,7 @@ CVE-2023-44828 (D-Link DIR-823G A1V1.0.2B05 was discovered to contain a buffer o CVE-2023-44390 (HtmlSanitizer is a .NET library for cleaning HTML fragments and docume ...) NOT-FOR-US: HtmlSanitizer .NET library CVE-2023-44387 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (bug #1055177) [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) [buster] - gradle (Minor issue, requires local access to build machine) @@ -29366,7 +29366,7 @@ CVE-2023-29460 (An arbitrary code execution vulnerability contained in Rockwell CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android exposes the ...) NOT-FOR-US: laola.redbull CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a focus on ...) - - zabbix + - zabbix (bug #1055175) [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (Minor issue) [buster] - zabbix (vulnerable code introduced later) @@ -29375,34 +29375,34 @@ CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a foc NOTE: duktape library introduced with https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2 (5.0.0alpha1) CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is reflected off ...) {DLA-3538-1} - - zabbix + - zabbix (bug #1055175) [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22988 CVE-2023-29456 (URL validation scheme receives input from a user and then parses it to ...) {DLA-3538-1} - - zabbix + - zabbix (bug #1055175) [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22987 CVE-2023-29455 (Reflected XSS attacks, also known as non-persistent attacks, occur whe ...) {DLA-3538-1} - - zabbix + - zabbix (bug #1055175) [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22986 CVE-2023-29454 (Stored or persistent cross-site scripting (XSS) is a type of XSS where ...) {DLA-3538-1} - - zabbix + - zabbix (bug #1055175) [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22985 CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript string ...) - - zabbix + - zabbix (bug #1055175) [buster] - zabbix (buster does not have the Go agent) NOTE: https://support.zabbix.com/browse/ZBX-23388 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Geograph ...) - - zabbix + - zabbix (bug #1055175) [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (vulnerable code introduced later) [buster] - zabbix (vulnerable code introduced later) @@ -29411,20 +29411,20 @@ CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Ge NOTE: vulnerable geopmap widget introduced in version with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 (6.0.0alpha6) CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON parser ...) {DLA-3538-1} - - zabbix + - zabbix (bug
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b8b75ecc by Moritz Muehlenhoff at 2023-10-28T17:00:03+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1314,91 +1314,91 @@ CVE-2023-46054 (Cross Site Scripting (XSS) vulnerability in WBCE CMS v.1.6.1 and CVE-2023-46003 (I-doit pro 25 and below is vulnerable to Cross Site Scripting (XSS) vi ...) NOT-FOR-US: I-doit pro CVE-2023-45682 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 15) NOTE: https://github.com/nothings/stb/pull/1560 CVE-2023-45681 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 14) NOTE: https://github.com/nothings/stb/pull/1559 CVE-2023-45680 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 13) NOTE: https://github.com/nothings/stb/pull/1558 CVE-2023-45679 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 12) NOTE: https://github.com/nothings/stb/pull/1557 CVE-2023-45678 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 11) NOTE: https://github.com/nothings/stb/pull/1556 CVE-2023-45677 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 10) NOTE: https://github.com/nothings/stb/pull/1555 CVE-2023-45676 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 9) NOTE: https://github.com/nothings/stb/pull/1554 CVE-2023-45675 (stb_vorbis is a single file MIT licensed library for processing ogg vo ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 8) NOTE: https://github.com/nothings/stb/issues/1552 NOTE: https://github.com/nothings/stb/pull/1553 CVE-2023-45667 (stb_image is a single file MIT licensed library for processing images. ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 7) NOTE: https://github.com/nothings/stb/issues/1550 NOTE: https://github.com/nothings/stb/pull/1551 CVE-2023-45666 (stb_image is a single file MIT licensed library for processing images. ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE: https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/ (issue 6) NOTE: https://github.com/nothings/stb/issues/1548 NOTE: https://github.com/nothings/stb/pull/1549 CVE-2023-45664 (stb_image is a single file MIT licensed library for processing images. ...) - - libstb + - libstb (bug #1054911) [bookworm] - libstb (Minor issue) [bullseye] - libstb (Minor issue) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 763c8647 by Moritz Muehlenhoff at 2023-10-28T16:46:20+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,11 +7,11 @@ CVE-2023-5830 (A vulnerability classified as critical has been found in Columbia CVE-2023-46587 (Buffer Overflow vulnerability in XnView Classic v.2.51.5 allows a loca ...) NOT-FOR-US: XnView CVE-2023-46570 (An out-of-bounds read in radare2 v.5.8.9 and before exists in the prin ...) - - radare2 + - radare2 (bug #1054908) NOTE: https://github.com/radareorg/radare2/issues/22333 NOTE: Fixed by: https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8 CVE-2023-46569 (An out-of-bounds read in radare2 v.5.8.9 and before exists in the prin ...) - - radare2 + - radare2 (bug #1054908) NOTE: https://github.com/radareorg/radare2/issues/22334 NOTE: Fixed by: https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2 CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R v.4.1cu.4154 ...) @@ -119,7 +119,7 @@ CVE-2023-46852 (In Memcached before 1.6.22, a buffer overflow exists when proces [bullseye] - memcached (Minor issue) NOTE: https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767 (1.6.22) CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The vulnerabili ...) - - activemq + - activemq (bug #1054909) NOTE: https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt NOTE: http://www.openwall.com/lists/oss-security/2023/10/27/5 CVE-2023-46407 (FFmpeg prior to commit bf814 was discovered to contain an out of bound ...) @@ -2111,7 +2111,7 @@ CVE-2023-4215 (Advantech WebAccess version 9.1.3 contains an exposure of sensiti CVE-2023-4089 (On affected Wago products an remote attacker with administrative privi ...) NOT-FOR-US: Wago CVE-2023-45807 (OpenSearch is a community-driven, open source fork of Elasticsearch an ...) - - opensearch + - opensearch (bug #1054912) NOTE: https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv CVE-2023-45659 (Engelsystem is a shift planning system for chaos events. If a users' ...) NOT-FOR-US: Engelsystem @@ -23962,7 +23962,7 @@ CVE-2023-31143 (mage-ai is an open-source data pipeline tool for transforming an CVE-2023-31142 (Discourse is an open source discussion platform. Prior to version 3.0. ...) NOT-FOR-US: Discourse CVE-2023-31141 (OpenSearch is open-source software suite for search, analytics, and ob ...) - - opensearch + - opensearch (bug #1054912) NOTE: https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h CVE-2023-31140 (OpenProject is open source project management software. Starting with ...) NOT-FOR-US: OpenProject @@ -47056,10 +47056,10 @@ CVE-2023-23615 (Discourse is an open source discussion platform. The embeddable CVE-2023-23614 (Pi-hole\xae's Web interface (based off of AdminLTE) provides a central ...) NOT-FOR-US: Pi-Hole CVE-2023-23613 (OpenSearch is an open source distributed and RESTful search engine. In ...) - - opensearch + - opensearch (bug #1054912) NOTE: https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6 CVE-2023-23612 (OpenSearch is an open source distributed and RESTful search engine. Op ...) - - opensearch + - opensearch (bug #1054912) NOTE: https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj CVE-2023-23611 (LTI Consumer XBlock implements the consumer side of the LTI specificat ...) NOT-FOR-US: LTI View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/763c86473fae0c1f3d3457ca66d9195a496ead8e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/763c86473fae0c1f3d3457ca66d9195a496ead8e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 66917506 by Moritz Muehlenhoff at 2023-10-27T23:01:36+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,9 +43,10 @@ CVE-2023-46290 (Due to inadequate code logic, a previously unauthenticated threa CVE-2023-46289 (Rockwell Automation FactoryTalk View Site Edition insufficiently valid ...) NOT-FOR-US: Rockwell Automation CVE-2023-46246 (Vim is an improved version of the good old UNIX editor Vi. Heap-use-af ...) - - vim + - vim (unimportant) NOTE: https://github.com/vim/vim/security/advisories/GHSA-q22m-h7m2-9mgm NOTE: https://github.com/vim/vim/commit/9198c1f2b1ddecde22af918541e0de2a32f0f45a (v9.0.2068) + NOTE: Crash in CLI tool, no security impact CVE-2023-44377 (Online Art Gallery v1.0 is vulnerable to multiple Unauthenticated SQL ...) TODO: check CVE-2023-44376 (Online Art Gallery v1.0 is vulnerable to multiple Unauthenticated SQL ...) @@ -707,7 +708,7 @@ CVE-2023-34056 (vCenter Server contains a partial information disclosure vulnera CVE-2023-34048 (vCenter Server contains an out-of-bounds write vulnerability in the im ...) NOT-FOR-US: VMware CVE-2023-31582 (jose4j before v0.9.3 allows attackers to set a low iteration count of ...) - - libjose4j-java + - libjose4j-java (bug #1054872) NOTE: https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then NOTE: Fixed by: https://bitbucket.org/b_c/jose4j/commits/1929fe3 (jose4j/0.9.3) CVE-2023-31581 (Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.) @@ -1009,7 +1010,7 @@ CVE-2023-43065 (Dell Unity prior to 5.3 contains a Cross-site scripting vulnerab CVE-2023-43045 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 could ...) NOT-FOR-US: IBM CVE-2023-42295 (An issue in OpenImageIO oiio v.2.4.12.0 allows a remote attacker to ex ...) - - openimageio + - openimageio (bug #1054873) NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/issues/3947 NOTE: https://github.com/AcademySoftwareFoundation/OpenImageIO/pull/3948 NOTE: Fixed by: https://github.com/AcademySoftwareFoundation/OpenImageIO/commit/15750af31a5d130ea63ac133453eb5448cefa636 (v2.5.3.0-beta1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/669175063b7289eaa95425ff5f891e930f3685d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/669175063b7289eaa95425ff5f891e930f3685d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 59d04b1e by Moritz Muehlenhoff at 2023-10-27T18:26:57+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75,10 +75,10 @@ CVE-2023-39726 (An issue in Mintty v.3.6.4 and before allows a remote attacker t CVE-2023-38328 (An issue was discovered in eGroupWare 17.1.20190111. An Improper Passw ...) - egroupware CVE-2023-34059 (open-vm-tools contains a file descriptor hijack vulnerability in the v ...) - - open-vm-tools + - open-vm-tools (bug #1054666) NOTE: https://www.openwall.com/lists/oss-security/2023/10/27/3 CVE-2023-34058 (VMware Tools contains a SAML token signature bypass vulnerability.A ma ...) - - open-vm-tools + - open-vm-tools (bug #1054666) NOTE: https://www.openwall.com/lists/oss-security/2023/10/27/1 NOTE: https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch/CVE-2023-34058.patch CVE-2023-34057 (VMware Tools contains a local privilege escalation vulnerability.A mal ...) @@ -161,7 +161,7 @@ CVE-2023-46435 (Sourcecodester Packers and Movers Management System v1.0 is vuln CVE-2023-46238 (ZITADEL is an identity infrastructure management system. ZITADEL users ...) NOT-FOR-US: ZITADEL CVE-2023-46234 (browserify-sign is a package to duplicate the functionality of node's ...) - - node-browserify-sign + - node-browserify-sign (bug #1054667) NOTE: https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw NOTE: https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30 CVE-2023-46094 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Conversi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59d04b1e269ad0f45309cb18904c59051eba589a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59d04b1e269ad0f45309cb18904c59051eba589a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 19aee39d by Moritz Muehlenhoff at 2023-10-23T20:47:06+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -306,7 +306,7 @@ CVE-2023-46287 (XSS exists in NagVis before 1.9.38 via the select function in sh CVE-2023-46117 (reconFTW is a tool designed to perform automated recon on a target dom ...) NOT-FOR-US: reconFTW CVE-2023-45805 (pdm is a Python package and dependency manager supporting the latest P ...) - - pdm + - pdm (bug #1054428) [bookworm] - pdm (Minor issue) NOTE: https://github.com/pdm-project/pdm/security/advisories/GHSA-j44v-mmf2-xvm9 NOTE: https://github.com/pdm-project/pdm/commit/6853e2642dfa281d4a9958fbc6c95b7e32d84831 @@ -1013,7 +1013,7 @@ CVE-2023-42459 (Fast DDS is a C++ implementation of the DDS (Data Distribution S NOTE: https://github.com/eProsima/Fast-DDS/pull/3824 NOTE: https://github.com/eProsima/Fast-DDS/commit/1e978c6f3d0ca1df6b323b37fd4902b0762ececb CVE-2023-41752 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - - trafficserver + - trafficserver (bug #1054427) NOTE: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q NOTE: https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0 (8.1.x) NOTE: https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e (9.2.x) @@ -1028,7 +1028,7 @@ CVE-2023-40373 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server CVE-2023-40372 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 ...) NOT-FOR-US: IBM CVE-2023-39456 (Improper Input Validation vulnerability in Apache Traffic Server with ...) - - trafficserver + - trafficserver (bug #1054427) [bullseye] - trafficserver (Vulnerable code not present) [buster] - trafficserver (Vulnerable code not present) NOTE: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19aee39d9c4b1536defb8882679e3308993eb142 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/19aee39d9c4b1536defb8882679e3308993eb142 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ce32759 by Moritz Muehlenhoff at 2023-10-13T16:18:35+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2023-5564 (Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/ CVE-2023-5563 (The SJA1000 CAN controller driver backend automatically attempt to rec ...) NOT-FOR-US: Zephyr RTOS (unrelated to src:zephyr) CVE-2023-5557 (A flaw was found in the tracker-miners package. A weakness in the sand ...) - - tracker-miners + - tracker-miners (bug #1053881) NOTE: https://gitlab.gnome.org/GNOME/tracker-miners/-/issues/277 NOTE: https://gitlab.gnome.org/GNOME/tracker-miners/-/merge_requests/480 CVE-2023-4562 (Improper Authentication vulnerability in Mitsubishi Electric Corporati ...) @@ -47,9 +47,9 @@ CVE-2023- (Cross-site Scripting (XSS) - Generic in GitHub repository frappe/ CVE-2023-5554 (Lack of TLS certificate verification in log transmission of a financia ...) NOT-FOR-US: LINE CVE-2023-5072 (Denial of Service in JSON-Java versions up to and including 20230618. ...) - - libjson-java - - jenkins-json - - libjettison-java + - libjson-java (bug #1053882) + - jenkins-json (bug #1053883) + - libjettison-java (bug #1053884) NOTE: https://github.com/stleary/JSON-java/issues/758 NOTE: https://github.com/stleary/JSON-java/issues/771 NOTE: https://github.com/stleary/JSON-java/pull/772/ @@ -58,7 +58,7 @@ CVE-2023-5046 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-5045 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Kayisi CVE-2023-45143 (Undici is an HTTP/1.1 client written from scratch for Node.js. Prior t ...) - - node-undici + - node-undici (bug #1053879) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp NOTE: https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 @@ -68,7 +68,7 @@ CVE-2023-45138 (Change Request is an pplication allowing users to request change NOT-FOR-US: XWiki addon CVE-2023-45133 (Babel is a compiler for writingJavaScript. In `@babel/traverse` prior ...) - node-babel - - node-babel7 + - node-babel7 (bug #1053880) NOTE: github.com: https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92 NOTE: github.com: https://github.com/babel/babel/pull/16033 NOTE: github.com: https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82 @@ -183,7 +183,7 @@ CVE-2023-44188 (A Time-of-check Time-of-use (TOCTOU) Race Condition vulnerabilit CVE-2023-44187 (An Exposure of Sensitive Information vulnerability in the 'file copy' ...) NOT-FOR-US: Juniper CVE-2023-42298 (An issue in GPAC GPAC v.2.2.1 and before allows a local attacker to ca ...) - - gpac + - gpac (bug #1053878) NOTE: https://github.com/gpac/gpac/issues/2567 NOTE: https://github.com/gpac/gpac/commit/16c4fafc2881112eba7051cac48f922eb2b94e06 CVE-2023-40833 (An issue in Thecosy IceCMS v.1.0.0 allows a remote attacker to gain pr ...) @@ -193,16 +193,16 @@ CVE-2023-40829 (There is an interface unauthorized access vulnerability in the b CVE-2023-3781 (there is a possible use-after-free write due to improper locking. This ...) NOT-FOR-US: Android CVE-2023-32724 (Memory pointer is in a property of the Ducktape object. This leads to ...) - - zabbix + - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23391 CVE-2023-32723 (Request to LDAP is sent before user permissions are checked.) - - zabbix + - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23230 CVE-2023-32722 (The zabbix/src/libs/zbxjson module is vulnerable to a buffer overflow ...) - - zabbix + - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23390 CVE-2023-32721 (A stored XSS has been found in the Zabbix web application in the Maps ...) - - zabbix + - zabbix (bug #1053877) NOTE: https://support.zabbix.com/browse/ZBX-23389 CVE-2023-5535 (Use After Free in GitHub repository vim/vim prior to v9.0.2010.) - vim (unimportant) @@ -212,7 +212,7 @@ CVE-2023-5535 (Use After Free in GitHub repository vim/vim prior to v9.0.2010.) CVE-2023-5521 (Incorrect Authorization in GitHub repository tiann/kernelsu prior to v ...) NOT-FOR-US: KernelSU CVE-2023-5520 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) - - gpac + - gpac (bug #1053878)
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a63fe79 by Moritz Muehlenhoff at 2023-10-10T21:38:38+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,10 +27,10 @@ CVE-2023-44487 - tomcat10 - trafficserver - haproxy 1.8.13-1 - - nginx + - nginx (bug #1053770) [bookworm] - nginx (Minor issue) [bullseye] - nginx (Minor issue) - - nghttp2 + - nghttp2 (bug #1053769) NOTE: Tomcat: https://github.com/apache/tomcat/commit/76bb4bfbfeae827dce896f650655bbf6e251ed49 (10.1.x) NOTE: Tomcat: https://github.com/apache/tomcat/commit/6d1a9fd6642387969e4410b9989c85856b74917a (9.0.x) NOTE: ATS: https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a63fe79c1e0c4aa2bf74210988fe810fa2f3f17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a63fe79c1e0c4aa2bf74210988fe810fa2f3f17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 553c4195 by Moritz Muehlenhoff at 2023-09-25T23:49:51+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -82281,7 +82281,7 @@ CVE-2022-36650 CVE-2022-36649 RESERVED CVE-2022-36648 (The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device ...) - - qemu + - qemu (bug #1052670) [bookworm] - qemu (Minor issue, revisit when fixed upstream) [bullseye] - qemu (Minor issue, revisit when fixed upstream) [buster] - qemu (Minor issue, revisit when fixed upstream) @@ -122061,7 +122061,7 @@ CVE-2021-46313 (The binary MP4Box in GPAC v1.0.1 was discovered to contain a seg NOTE: https://github.com/gpac/gpac/issues/2039 NOTE: https://github.com/gpac/gpac/commit/ee969d3c4c425ecb25999eb68ada616925b58eba (v2.0.0) CVE-2021-46312 (An issue was discovered IW44EncodeCodec.cpp in djvulibre 3.5.28 in all ...) - - djvulibre + - djvulibre (bug #1052669) [bookworm] - djvulibre (Minor issue) [bullseye] - djvulibre (Minor issue) [buster] - djvulibre (Minor issue) @@ -122074,7 +122074,7 @@ CVE-2021-46311 (A NULL pointer dereference vulnerability exists in GPAC v1.1.0 v NOTE: https://github.com/gpac/gpac/issues/2038 NOTE: https://github.com/gpac/gpac/commit/ad19e0c4504a89ca273442b1b1483ae7adfb9491 (v2.0.0) CVE-2021-46310 (An issue was discovered IW44Image.cpp in djvulibre 3.5.28 in allows at ...) - - djvulibre + - djvulibre (bug #1052668) [bookworm] - djvulibre (Minor issue) [bullseye] - djvulibre (Minor issue) [buster] - djvulibre (Minor issue) @@ -167449,7 +167449,7 @@ CVE-2021-32050 (Some MongoDB Drivers may erroneously publish events containing a - mongo-c-driver 1.18.0-1 [bullseye] - mongo-c-driver (Minor issue) [buster] - mongo-c-driver (Minor issue) - - node-mongodb + - node-mongodb (bug #1052663) [bookworm] - node-mongodb (Minor issue) [bullseye] - node-mongodb (Minor issue) [buster] - node-mongodb (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/553c41952bd09d4f7eb8d9cfed18f865f128c113 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/553c41952bd09d4f7eb8d9cfed18f865f128c113 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b7436bf6 by Moritz Muehlenhoff at 2023-09-11T21:24:19+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1616,13 +1616,11 @@ CVE-2023-41362 (MyBB before 1.8.36 allows Code Injection by users with certain h CVE-2023-41037 (OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In ...) - node-openpgp (bug #787774) CVE-2023-40890 (A stack-based buffer overflow vulnerability exists in the lookup_seque ...) - - zbar + - zbar (bug #1051724) NOTE: https://hackmd.io/@cspl/H1PxPAUnn - TODO: check if reported upsream CVE-2023-40889 (A heap-based buffer overflow exists in the qr_reader_match_centers fun ...) - - zbar + - zbar (bug #1051724) NOTE: https://hackmd.io/@cspl/B1ZkFZv23 - TODO: check if reported upstream CVE-2023-40787 (In SpringBlade V3.6.0 when executing SQL query, the parameters submitt ...) NOT-FOR-US: SpringBlade CVE-2023-3646 (On affected platforms running Arista EOS with mirroring to multiple de ...) @@ -1902,9 +1900,8 @@ CVE-2023-4569 (A memory leak flaw was found in nft_set_catchall_flush in net/net - linux 6.4.13-1 NOTE: https://git.kernel.org/linus/90e5b3462efa37b8bba82d7c4e63683856e188af (6.5-rc7) CVE-2023-4567 - - ansible + - ansible (bug #1051725) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235369 - TODO: check, no upstream information provided in RHBZ#2235369 CVE-2023-4563 [Use-after-free in nft_verdict_dump due to a race between set GC and transaction] - linux 6.4.13-1 NOTE: https://lore.kernel.org/netdev/20230810070830.24064-1-pa...@netfilter.org/ @@ -216055,11 +216052,10 @@ CVE-2020-24906 CVE-2020-24905 RESERVED CVE-2020-24904 (An issue was discovered in attach parameter in GNOME Gmail version 2.5 ...) - - gnome-gmail + - gnome-gmail (bug #1051726) [bullseye] - gnome-gmail (Minor issue) [buster] - gnome-gmail (Minor issue) NOTE: https://github.com/davesteele/gnome-gmail/issues/84 - TODO: check, might be an issue as well in src:viagee CVE-2020-24903 (Cute Editor for ASP.NET 6.4 is vulnerable to reflected cross-site scri ...) NOT-FOR-US: Cute Editor for ASP.NET CVE-2020-24902 (Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XS ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7436bf6a0b0a5b4a0594f1da124270f0fdf91f9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7436bf6a0b0a5b4a0594f1da124270f0fdf91f9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eb7ca0fb by Moritz Muehlenhoff at 2023-08-29T23:02:42+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -169,20 +169,20 @@ CVE-2023-40997 (Buffer Overflow vulnerability in O-RAN Software Community ric-pl CVE-2023-40857 (Buffer Overflow vulnerability in VirusTotal yara v.4.3.2 allows a remo ...) NOTE: Non issue, untrusted yara rules not supported, see https://github.com/VirusTotal/yara/issues/1948 CVE-2023-40828 (An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to o ...) - - libpf4j-java + - libpf4j-java (bug #1050834) [bookworm] - libpf4j-java (Minor issue) NOTE: https://github.com/pf4j/pf4j/pull/537 NOTE: https://github.com/pf4j/pf4j/pull/538 NOTE: Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72 CVE-2023-40827 (An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to o ...) - - libpf4j-java + - libpf4j-java (bug #1050834) [bookworm] - libpf4j-java (Minor issue) NOTE: https://github.com/pf4j/pf4j/issues/536 NOTE: https://github.com/pf4j/pf4j/pull/537 NOTE: https://github.com/pf4j/pf4j/pull/538 NOTE: Fixed by: https://github.com/pf4j/pf4j/commit/8e0aa198c4e652cfc1eb9e05ca9b64397f67cc72 CVE-2023-40826 (An issue in pf4j pf4j v.3.9.0 and before allows a remote attacker to o ...) - - libpf4j-java + - libpf4j-java (bug #1050834) [bookworm] - libpf4j-java (Minor issue) NOTE: https://github.com/pf4j/pf4j/issues/536 NOTE: Duplicate/similar to: https://github.com/pf4j/pf4j/issues/526 @@ -19499,7 +19499,7 @@ CVE-2023-29339 CVE-2023-29338 (Visual Studio Code Information Disclosure Vulnerability) NOT-FOR-US: Microsoft CVE-2023-29337 (NuGet Client Remote Code Execution Vulnerability) - - nuget + - nuget (bug #1050835) [buster] - nuget (Can wait for next update) NOTE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337 CVE-2023-29336 (Win32k Elevation of Privilege Vulnerability) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb7ca0fbe9c30d1a868ff114bf690847076b1bf0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb7ca0fbe9c30d1a868ff114bf690847076b1bf0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e4a97a19 by Moritz Mühlenhoff at 2023-07-18T20:58:06+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1028,7 +1028,7 @@ CVE-2023-37374 (A vulnerability has been identified in Tecnomatix Plant Simulati CVE-2023-37280 (Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based o ...) NOT-FOR-US: Pimcore Admin Classic Bundle CVE-2023-37271 (RestrictedPython is a tool that helps to define a subset of the Python ...) - - restrictedpython + - restrictedpython (bug #1041429) NOTE: https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-wqc8-x2pr-7jqh NOTE: https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531 (master) NOTE: https://github.com/zopefoundation/RestrictedPython/commit/d8c5aa72c5d0ec8eceab635d93d6bc8321116002 (5.3) @@ -1767,7 +1767,7 @@ CVE-2023-33008 (Deserialization of Untrusted Data vulnerability in Apache Softwa CVE-2023-3532 (Cross-site Scripting (XSS) - Stored in GitHub repository outline/outli ...) NOT-FOR-US: Outline CVE-2023-37192 (Memory management and protection issues in Bitcoin Core v22 allows att ...) - - bitcoin + - bitcoin (bug #1041427) CVE-2023-36859 (PiiGAB M-Bus SoftwarePack 900S does not correctly sanitize user inp ...) NOT-FOR-US: PiiGAB M-Bus CVE-2023-36829 (Sentry is an error tracking and performance monitoring platform. Start ...) @@ -1849,12 +1849,12 @@ CVE-2023-36969 (CMS Made Simple v2.2.17 is vulnerable to Remote Command Executio CVE-2023-36968 (A SQL Injection vulnerability detected in Food Ordering System v1.0 al ...) NOT-FOR-US: Food Ordering System CVE-2023-36830 (SQLFluff is a SQL linter. Prior to version 2.1.2, in environments wher ...) - - sqlfluff + - sqlfluff (bug #1041428) [bookworm] - sqlfluff (Minor issue) NOTE: https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-jqhc-m2j3-fjrx NOTE: https://github.com/sqlfluff/sqlfluff/pull/4925 CVE-2023-36823 (Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully ...) - - ruby-sanitize + - ruby-sanitize (bug #1041430) NOTE: https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220 (v6.0.2) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7 CVE-2023-36462 (Mastodon is a free, open-source social network server based on Activit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4a97a1916ab4e2ca7714ebdd22be916803b66a4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4a97a1916ab4e2ca7714ebdd22be916803b66a4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 897de784 by Moritz Mühlenhoff at 2023-07-18T20:47:05+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -124,7 +124,7 @@ CVE-2023-37769 (stress-test master commit e4c878 was discovered to contain a FPE CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for developing ...) NOT-FOR-US: Open Enclave CVE-2023-37476 (OpenRefine is a free, open source tool for data processing. A carefull ...) - - openrefine + - openrefine (bug #1041422) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq NOTE: https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e CVE-2023-37475 (Hamba avro is a go lang encoder/decoder implementation of the avro cod ...) @@ -318,7 +318,7 @@ CVE-2023-37793 (WAYOS FBM-291W 19.09.11V was discovered to contain a buffer over CVE-2023-37472 (Knowage is an open source suite for business analytics. The applicatio ...) NOT-FOR-US: Knowage CVE-2023-37464 (OpenIDC/cjose is a C library implementing the Javascript Object Signin ...) - - cjose + - cjose (bug #1041423) NOTE: https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj NOTE: https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e (v0.6.2.2) CVE-2023-37462 (XWiki Platform is a generic wiki platform offering runtime services fo ...) @@ -885,19 +885,19 @@ CVE-2023-3019 [e1000e: heap use-after-free in e1000e_write_packet_to_guest()] CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site Request ...) NOT-FOR-US: ARMember plugin for WordPress CVE-2023-37767 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2514 NOTE: https://github.com/gpac/gpac/commit/d414df635c773b21bbb3a9fbf17b101b1e8ea345 CVE-2023-37766 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2516 NOTE: https://github.com/gpac/gpac/commit/a64c60ef0983be6db8ab1e4a663e0ce83ff7bf2c CVE-2023-37765 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2515 @@ -913,7 +913,7 @@ CVE-2023-37197 (A CWE-89: Improper Neutralization of Special Elements vulnerabil CVE-2023-37196 (A CWE-89: Improper Neutralization of Special Elements vulnerability us ...) NOT-FOR-US: Schneider Electric CVE-2023-37174 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2505 @@ -1797,7 +1797,7 @@ CVE-2023-3529 (A vulnerability classified as problematic has been found in Rotem CVE-2023-3528 (A vulnerability was found in ThinuTech ThinuCMS 1.5. It has been rated ...) NOT-FOR-US: ThinuTech ThinuCMS CVE-2023-3523 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/ @@ -2305,12 +2305,12 @@ CVE-2023-36812 (OpenTSDB is a open source, distributed, scalable Time Series Dat CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1. ...) NOT-FOR-US: Intelbras CVE-2023-35947 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (bug #1041424) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842 NOTE: https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3) NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3) CVE-2023-35946 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (bug #1041424) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v NOTE: https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 433b2294 by Moritz Muehlenhoff at 2023-07-14T23:51:27+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75,13 +75,13 @@ CVE-2023-2975 (Issue summary: The AES-SIV cipher implementation contains a bug t CVE-2023-3668 (Improper Encoding or Escaping of Output in GitHub repository froxlor/f ...) - froxlor (bug #581792) CVE-2023-3649 (iSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial of ser ...) - - wireshark + - wireshark (bug #1041101) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-22.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19164 CVE-2023-3648 (Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 ...) - - wireshark + - wireshark (bug #1041101) [bookworm] - wireshark (Minor issue) [bullseye] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-21.html @@ -97,13 +97,13 @@ CVE-2023-37849 (A DLL hijacking vulnerability in Panda Security VPN for Windows CVE-2023-37839 (An arbitrary file upload vulnerability in /dede/file_manage_control.ph ...) NOT-FOR-US: Dede CMS CVE-2023-37837 (libjpeg commit db33a6e was discovered to contain a heap buffer overflo ...) - - libjpeg + - libjpeg (bug #1041103) [bookworm] - libjpeg (Minor issue) [bullseye] - libjpeg (Minor issue) NOTE: https://github.com/thorfdbg/libjpeg/issues/87#BUG0 NOTE: Fixed by: https://github.com/thorfdbg/libjpeg/commit/9e0cea29d7ba7a2c1e763865391bc94b336da25e CVE-2023-37836 (libjpeg commit db33a6e was discovered to contain a reachable assertion ...) - - libjpeg + - libjpeg (bug #1041103) [bookworm] - libjpeg (Minor issue) [bullseye] - libjpeg (Minor issue) NOTE: https://github.com/thorfdbg/libjpeg/issues/87#BUG1 @@ -175,16 +175,16 @@ CVE-2023-37744 (Maid Hiring Management System v1.0 was discovered to contain a c CVE-2023-37743 (A cross-site scripting (XSS) vulnerability in Teacher Subject Allocati ...) NOT-FOR-US: Teacher Subject Allocation System CVE-2023-37463 (cmark-gfm is an extended version of the C reference implementation of ...) - - cmark-gfm + - cmark-gfm (bug #1041097) [bookworm] - cmark-gfm (Minor issue) [bullseye] - cmark-gfm (Minor issue) - - python-cmarkgfm + - python-cmarkgfm (bug #1041098) [bookworm] - python-cmarkgfm (Minor issue) [bullseye] - python-cmarkgfm (Minor issue) - - r-cran-commonmark + - r-cran-commonmark (bug #1041099) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) - - ruby-commonmarker + - ruby-commonmarker (bug #1041100) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5 @@ -231,18 +231,18 @@ CVE-2023-3342 (The User Registration plugin for WordPress is vulnerable to arbit CVE-2023-3319 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: PlatPlay DSr CVE-2023-38199 (coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 does n ...) - - modsecurity-crs + - modsecurity-crs (bug #1041109) NOTE: https://github.com/coreruleset/coreruleset/issues/3191 NOTE: https://github.com/coreruleset/coreruleset/pull/3237 CVE-2023-38198 (acme.sh before 3.0.6 runs arbitrary commands from a remote server via ...) NOT-FOR-US: acme.sh CVE-2023-38197 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6 ...) - - qt6-base + - qt6-base (bug #1041104) [bookworm] - qt6-base (Minor issue) - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles (bug #1041106) [bookworm] - qtbase-opensource-src-gles (Minor issue) [bullseye] - qtbase-opensource-src-gles (Minor issue) - - qtbase-opensource-src + - qtbase-opensource-src (bug #1041105) [bookworm] - qtbase-opensource-src (Minor issue) [bullseye] - qtbase-opensource-src (Minor issue) - qt4-x11 @@ -529,7 +529,7 @@ CVE-2023-3080 (The WP Mail Catcher plugin for WordPress is vulnerable to Stored CVE-2023-3023 (The WP EasyCart plugin for WordPress is vulnerable to time-based SQL I ...) NOT-FOR-US: WP EasyCart plugin for WordPress CVE-2023-3019 [e1000e: heap use-after-free in e1000e_write_packet_to_guest()] - - qemu + - qemu (bug #1041102) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 999187a6 by Moritz Muehlenhoff at 2023-07-07T21:02:48+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -113,7 +113,7 @@ CVE-2023-35948 (Novu provides an API for sending notifications through multiple CVE-2023-35937 (Metersphere is an open source continuous testing platform. In versions ...) NOT-FOR-US: Metersphere CVE-2023-35934 (yt-dlp is a command-line program to download videos from video sites. ...) - - yt-dlp + - yt-dlp (bug #1040595) [bookworm] - yt-dlp (Minor issue) [bullseye] - yt-dlp (Minor issue) NOTE: https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj @@ -793,7 +793,7 @@ CVE-2023-34487 (itsourcecode Online Hotel Management System Project In PHP v1.0. CVE-2023-34486 (itsourcecode Online Hotel Management System Project In PHP v1.0.0 is v ...) NOT-FOR-US: itsourcecode Online Hotel Management System Project CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access to the Or ...) - - orthanc + - orthanc (bug #1040597) NOTE: https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568 CVE-2023-33277 (The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and ...) NOT-FOR-US: Gira Giersiepen Gira KNX/IP-Router @@ -9489,7 +9489,7 @@ CVE-2023-30364 CVE-2023-30363 (vConsole v3.15.0 was discovered to contain a prototype pollution due t ...) NOT-FOR-US: Tencent vConsole CVE-2023-30362 (Buffer Overflow vulnerability in coap_send function in libcoap library ...) - - libcoap3 + - libcoap3 (bug #1040594) [bookworm] - libcoap3 (Minor issue) NOTE: https://github.com/obgm/libcoap/issues/1063 NOTE: https://github.com/obgm/libcoap/commit/e242200f0af2a418dc9f69eee543feacc13cd851 @@ -9808,7 +9808,7 @@ CVE-2023-30209 CVE-2023-30208 RESERVED CVE-2023-30207 (A divide by zero issue discovered in Kodi Home Theater Software 19.5 a ...) - - kodi + - kodi (bug #1040593) [bookworm] - kodi (Minor issue) [bullseye] - kodi (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22378 @@ -21972,7 +21972,7 @@ CVE-2023-26134 (Versions of the package git-commit-info before 2.0.2 are vulnera CVE-2023-26133 (All versions of the package progressbar.js are vulnerable to Prototype ...) NOT-FOR-US: progressbar.js CVE-2023-26132 (Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...) - - node-dottie + - node-dottie (bug #1040592) [bookworm] - node-dottie (Minor issue) [bullseye] - node-dottie (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/999187a68f74d68d881f38edd0cefa7ff2e3102a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/999187a68f74d68d881f38edd0cefa7ff2e3102a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e2485968 by Moritz Muehlenhoff at 2023-06-23T17:13:33+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,13 +25,13 @@ CVE-2023-35131 (Content on the groups page required additional sanitizing to pre CVE-2023-34553 (An issue was discovered in WAFU Keyless Smart Lock v1.0 allows attacke ...) NOT-FOR-US: WAFU Keyless Smart Lock CVE-2023-34462 (Netty is an asynchronous event-driven network application framework fo ...) - - netty + - netty (bug #1038947) [bookworm] - netty (Minor issue, fix along in future update) [bullseye] - netty (Minor issue, fix along in future update) NOTE: https://github.com/netty/netty/security/advisories/GHSA-6mjq-h674-j845 NOTE: https://github.com/netty/netty/commit/535da17e45201ae4278c0479e6162bb4127d4c32 CVE-2023-34110 (Flask-AppBuilder is an application development framework, built on top ...) - - flask-appbuilder + - flask-appbuilder (bug #1038948) NOTE: https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-jhpr-j7cq-3jp3 NOTE: https://github.com/dpgaspar/Flask-AppBuilder/commit/ae25ad4c87a9051ebe4a4e8f02aee73232642626 CVE-2023-33299 (A deserialization of untrusted data in Fortinet FortiNAC below 7.2.1, ...) @@ -1185,7 +1185,7 @@ CVE-2023-34334 (AMI BMC contains a vulnerability in the SPX REST API, where an a NOT-FOR-US: AMI BMC CVE-2023-34246 (Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape. Prior to ...) [experimental] - ruby-doorkeeper 5.6.6-1 - - ruby-doorkeeper + - ruby-doorkeeper (bug #1038950) NOTE: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-7w2c-w47h-789w NOTE: https://github.com/doorkeeper-gem/doorkeeper/issues/1589 NOTE: https://github.com/doorkeeper-gem/doorkeeper/pull/1646 @@ -1468,7 +1468,7 @@ CVE-2023-3142 (Cross-site Scripting (XSS) - Stored in GitHub repository microweb CVE-2023-3140 (Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNI ...) NOT-FOR-US: KNIME Business Hub CVE-2023-34237 (SABnzbd is an open source automated Usenet download tool. A design fla ...) - - sabnzbdplus + - sabnzbdplus (bug #1038949) NOTE: https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc (4.0.2RC2) NOTE: https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 (4.0.2RC2) NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2485968a26afec7abc09305989d7b8765fe2b92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2485968a26afec7abc09305989d7b8765fe2b92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bbe1c48c by Moritz Mühlenhoff at 2023-05-24T16:01:48+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,11 +54,15 @@ CVE-2023-31669 (WebAssembly wat2wasm v1.0.32 allows attackers to cause a libc++a NOTE: https://github.com/WebAssembly/wabt/issues/2165 NOTE: Crash in CLI tool, no security impact CVE-2023-31518 (A heap use-after-free in the component CDataFileReader::GetItem of tee ...) - - teeworlds + - teeworlds (bug #1036703) + [bookworm] - teeworlds (Minor issue) + [bullseye] - teeworlds (Minor issue) NOTE: https://gist.github.com/manba-bryant/9ca95d69c65f4d2c55946932c946fb9b NOTE: https://github.com/teeworlds/teeworlds/issues/2970 CVE-2023-31517 (Teeworlds v0.7.5 was discovered to contain memory leaks.) - - teeworlds + - teeworlds (bug #1036703) + [bookworm] - teeworlds (Minor issue) + [bullseye] - teeworlds (Minor issue) NOTE: https://gist.github.com/manba-bryant/9ca95d69c65f4d2c55946932c946fb9b CVE-2023-2703 (Exposure of Private Personal Information to an Unauthorized Actor vuln ...) NOT-FOR-US: Finex Media Competition Management System @@ -130,21 +134,25 @@ CVE-2023-31584 (GitHub repository cu/silicon commit a9ef36 was discovered to con NOT-FOR-US: cu/silicon CVE-2023-2840 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) - gpac + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/21926fc2-6eb1-4e24-8a36-e60f487d0257/ NOTE: https://github.com/gpac/gpac/commit/ba59206b3225f0e8e95a27eff41cb1c49ddf9a37 CVE-2023-2839 (Divide By Zero in GitHub repository gpac/gpac prior to 2.2.2.) - gpac + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/42dce889-f63d-4ea9-970f-1f20fc573d5f/ NOTE: https://github.com/gpac/gpac/commit/047f96fb39e6bf70cb9f344093f5886e51dce0ac CVE-2023-2838 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) - gpac + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/711e0988-5345-4c01-a2fe-1179604dd07f/ NOTE: https://github.com/gpac/gpac/commit/c88df2e202efad214c25b4e586f243b2038779ba CVE-2023-2837 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac + [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/a6bfd1b2-aba8-4c6f-90c4-e95b1831cb17/ NOTE: https://github.com/gpac/gpac/commit/6f28c4cd607d83ce381f9b4a9f8101ca1e79c611 @@ -323,7 +331,7 @@ CVE-2019-25137 (Umbraco CMS 4.11.8 through 7.15.10, and 7.12.4, allows Remote Co CVE-2023-32763 - qt6-base 6.4.2+dfsg-8 - qtbase-opensource-src 5.15.8+dfsg-10 - - qtbase-opensource-src-gles + - qtbase-opensource-src-gles (bug #1036702) NOTE: https://lists.qt-project.org/pipermail/announce/2023-May/000413.html NOTE: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff NOTE: https://download.qt.io/official_releases/qt/6.5/CVE-2023-32763-qtbase-6.5.diff View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbe1c48c966eb3da57e8269550e7ab7a8960a088 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bbe1c48c966eb3da57e8269550e7ab7a8960a088 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 59aff79d by Moritz Mühlenhoff at 2023-05-24T15:36:18+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13017,7 +13017,7 @@ CVE-2023-27586 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra NOTE: Introduced in https://github.com/Kozea/CairoSVG/commit/1ee0889f4015ebaddcf9976d43222e673155797c (0.3) CVE-2023-27585 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-3394-1} - - asterisk + - asterisk (bug #1036697) - pjproject - ring NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr @@ -16906,17 +16906,17 @@ CVE-2023-26120 (This affects all versions of the package com.xuxueli:xxl-job. HT CVE-2023-26119 (Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and b ...) NOT-FOR-US: net.sourceforge.htmlunit:htmlunit CVE-2023-26118 (Versions of the package angular from 1.4.9 are vulnerable to Regular E ...) - - angular.js + - angular.js (bug #1036694) [bookworm] - angular.js (Minor issue) [bullseye] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046 CVE-2023-26117 (Versions of the package angular from 1.0.0 are vulnerable to Regular E ...) - - angular.js + - angular.js (bug #1036694) [bookworm] - angular.js (Minor issue) [bullseye] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373045 CVE-2023-26116 (Versions of the package angular from 1.2.21 are vulnerable to Regular ...) - - angular.js + - angular.js (bug #1036694) [bookworm] - angular.js (Minor issue) [bullseye] - angular.js (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373044 @@ -19242,7 +19242,7 @@ CVE-2023-25442 (Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability i CVE-2023-25441 RESERVED CVE-2023-25440 (Stored Cross Site Scripting (XSS) vulnerability in the add contact fun ...) - - civicrm + - civicrm (bug #1036695) CVE-2023-25439 RESERVED CVE-2023-25438 (An issue was discovered in Genomedics MilleGP5 5.9.2, allows remote at ...) @@ -96125,7 +96125,7 @@ CVE-2022-25872 (All versions of package fast-string-search are vulnerable to Out CVE-2022-25871 (All versions of package querymen are vulnerable to Prototype Pollution ...) NOT-FOR-US: Node querymen CVE-2022-25869 (All versions of package angular are vulnerable to Cross-site Scripting ...) - - angular.js + - angular.js (bug #1036694) [bookworm] - angular.js (Minor issue) [bullseye] - angular.js (Minor issue) [buster] - angular.js (Minor issue) @@ -310062,7 +310062,7 @@ CVE-2018-20589 (Ivan Cordoba Generic Content Management System (CMS) through 201 CVE-2018-20588 (lib/support/unicodeconv/unicodeconv.c in libotfcc.a in otfcc v0.10.3-a ...) NOT-FOR-US: otfcc CVE-2018-20587 (Bitcoin Core 0.12.0 through 0.17.1 and Bitcoin Knots 0.12.0 through 0. ...) - - bitcoin + - bitcoin (bug #1036696) NOTE: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures#CVE-2018-20587 NOTE: Documentation of issue: https://github.com/bitcoin/bitcoin/pull/15223 CVE-2018-20586 (bitcoind and Bitcoin-Qt prior to 0.17.1 allow injection of arbitrary d ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59aff79d1245e6c96cb8d2a8f6e2becb4bd8c140 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59aff79d1245e6c96cb8d2a8f6e2becb4bd8c140 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 82ba798c by Moritz Muehlenhoff at 2023-05-18T15:27:24+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28,7 +28,7 @@ CVE-2023-32762 - qtbase-opensource-src-gles TODO: check for more details on actual fixes needed for network/access/qhsts.cpp CVE-2023- [XSS in RSS syntax] - - dokuwiki + - dokuwiki (bug #1036279) [bullseye] - dokuwiki (Minor issue) NOTE: https://github.com/dokuwiki/dokuwiki/pull/3967 NOTE: https://www.github.com/splitbrain/dokuwiki/commit/53df38b0e4465894a67a5890f74a6f5f82e827de @@ -143,7 +143,7 @@ CVE-2023-2739 (A vulnerability classified as problematic was found in Gira HomeS CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda OA 11. ...) NOT-FOR-US: Tongda CVE-2023-2731 (A NULL pointer dereference flaw was found in Libtiff's LZWDecode() fun ...) - - tiff + - tiff (bug #1036282) [bullseye] - tiff (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/548 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/9be22b639ea69e102d3847dca4c53ef025e9527b @@ -642,13 +642,13 @@ CVE-2023-31568 (Podofo v0.10.0 was discovered to contain a heap buffer overflow NOTE: Fixed by: https://github.com/podofo/podofo/commit/29d59f604b37159e938a2f46acd4856cfd1e7bac NOTE: Introduced by: https://github.com/podofo/podofo/commit/a2eca000e5a4337fb79ee8215d06413785653184 CVE-2023-31567 (Podofo v0.10.0 was discovered to contain a heap buffer overflow via th ...) - - libpodofo + - libpodofo (bug #1036278) [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) NOTE: https://github.com/podofo/podofo/issues/71 CVE-2023-31566 (Podofo v0.10.0 was discovered to contain a heap-use-after-free via the ...) - - libpodofo + - libpodofo (bug #1036278) [bookworm] - libpodofo (Minor issue) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) @@ -7660,7 +7660,7 @@ CVE-2023-1731 (In LTOS versions prior to V7.06.013, the configuration file uploa CVE-2023-1730 (The SupportCandy WordPress plugin before 3.1.5 does not validate and e ...) NOT-FOR-US: WordPress plugin CVE-2023-1729 (A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() c ...) - - libraw + - libraw (bug #1036281) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2188240 NOTE: https://github.com/LibRaw/LibRaw/issues/557 NOTE: Fixed by: https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93 (master) @@ -8682,7 +8682,7 @@ CVE-2023-28756 (A ReDoS issue was discovered in the Time component through 0.2.1 - ruby3.1 - ruby2.7 - ruby2.5 - - jruby + - jruby (bug #1036283) [bookworm] - jruby (Minor issue) NOTE: Fixed by: https://github.com/ruby/ruby/commit/957bb7cb81995f26c671afce0ee50a5c660e540e (v3_1_4) NOTE: Fixed by: https://github.com/ruby/time/commit/b57db51f577875d3e896dcd2ef1dcaf97f23e943 (v0.2.2) @@ -8694,7 +8694,7 @@ CVE-2023-28755 (A ReDoS issue was discovered in the URI component through 0.12.0 - ruby3.1 - ruby2.7 - ruby2.5 - - jruby + - jruby (bug #1036283) [bookworm] - jruby (Minor issue) NOTE: Fixed by: https://github.com/ruby/ruby/commit/8ce4ab146498879b65e22f1be951b25eebb79300 (v3_1_4) NOTE: Fixed by: https://github.com/ruby/uri/commit/eaf89cc31619d49e67c64d0b58ea9dc38892d175 (v0.12.1) @@ -31196,11 +31196,11 @@ CVE-2023-21969 (Vulnerability in Oracle SQL Developer (component: Installation). NOT-FOR-US: Oracle CVE-2023-21968 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u372-ga-1 - - openjdk-11 + - openjdk-11 (bug #1036280) - openjdk-17 (bug #1035957) CVE-2023-21967 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u372-ga-1 - - openjdk-11 + - openjdk-11 (bug #1036280) - openjdk-17 (bug #1035957) CVE-2023-21966 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 (bug #1034719) @@ -31228,7 +31228,7 @@ CVE-2023-21955 (Vulnerability in the MySQL Server product of Oracle MySQL (compo - mysql-8.0 (bug #1034719) CVE-2023-21954 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-8 8u372-ga-1 - - openjdk-11 + - openjdk-11 (bug #1036280) - openjdk-17 (bug #1035957) CVE-2023-21953 (Vulnerability in the MySQL Server product
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 11ec34cf by Moritz Muehlenhoff at 2023-04-26T19:46:17+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11924,7 +11924,7 @@ CVE-2023-1057 (A vulnerability was found in SourceCodester Doctors Appointment S CVE-2023-1056 (A vulnerability was found in SourceCodester Doctors Appointment System ...) NOT-FOR-US: SourceCodester Doctors Appointment System CVE-2023-1055 (A flaw was found in RHDS 11 and RHDS 12. While browsing entries LDAP t ...) - - 389-ds-base + - 389-ds-base (bug #1034891) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2173517 CVE-2023-1054 (A vulnerability was found in SourceCodester Music Gallery Site 1.0. It ...) NOT-FOR-US: SourceCodester Music Gallery Site @@ -15713,7 +15713,7 @@ CVE-2023-0842 (xml2js version 0.4.23 allows an external attacker to edit or add NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/pull/603 NOTE: https://github.com/Leonidas-from-XIV/node-xml2js/commit/581b19a62d88f8a3c068b5a45f4542c2d6a495a5 CVE-2023-0841 (A vulnerability, which was classified as critical, has been found in G ...) - - gpac + - gpac (bug #1034890) CVE-2023-0840 (A vulnerability classified as problematic was found in PHPCrazy 1.1.1. ...) NOT-FOR-US: PHPCrazy CVE-2023-0839 (Improper Protection for Outbound Error Messages and Alert Signals vuln ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ec34cf49ccc53f334320fcd09628aacecc32b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/11ec34cf49ccc53f334320fcd09628aacecc32b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2523fd1e by Moritz Muehlenhoff at 2023-04-26T19:45:15+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31493,7 +31493,7 @@ CVE-2022-47017 CVE-2022-47016 REJECTED CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of S ...) - - mariadb + - mariadb (bug #1034889) [bookworm] - mariadb (Minor issue, wait for next point release) - mariadb-10.6 - mariadb-10.5 @@ -55853,11 +55853,11 @@ CVE-2022-39209 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and re - cmark-gfm 0.29.0.gfm.6-2 (bug #1020588) [bullseye] - cmark-gfm (Minor issue) [buster] - cmark-gfm (Minor issue) - - python-cmarkgfm + - python-cmarkgfm (bug #1034887) [bullseye] - python-cmarkgfm (Minor issue) [buster] - python-cmarkgfm (Minor issue) - ghostwriter 2.1.6+ds-1 (unimportant) - - ruby-commonmarker + - ruby-commonmarker (bug #1034888) [bullseye] - ruby-commonmarker (Minor issue) [buster] - ruby-commonmarker (Minor issue) - r-cran-commonmark 1.8.1-1 @@ -60295,9 +60295,8 @@ CVE-2022-37710 (Patterson Dental Eaglesoft 21 has AES-256 encryption but there a CVE-2022-37709 (Tesla Model 3 V11.0(2022.4.5.1 6b701552d7a6) Tesla mobile app v4.23 is ...) NOT-FOR-US: Tesla CVE-2022-37708 (Docker version 20.10.15, build fd82621 is vulnerable to Insecure Permi ...) - - docker.io + - docker.io (bug #1034886) NOTE: https://github.com/thekevinday/docker_lightman_exploit - TODO: check, seems like a negligible security impact issue, and might be marked unimportant CVE-2022-37707 RESERVED CVE-2022-37706 (enlightenment_sys in Enlightenment before 0.25.4 allows local users to ...) @@ -295105,7 +295104,7 @@ CVE-2019-8400 (ORY Hydra before v1.0.0-rc.3+oryOS.9 has Reflected XSS via the oa CVE-2019-8399 RESERVED CVE-2019-8398 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) - - hdf5 (bug #1034838) + - hdf5 (bug #1034838) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul6 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10710 CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is an ou ...) @@ -295117,7 +295116,7 @@ CVE-2019-8397 (An issue was discovered in the HDF HDF5 1.10.4 library. There is NOTE: issue in upstream bug tracker: https://jira.hdfgroup.org/browse/HDFFV-10711 NOTE: Negligible security impact, malicous scientific data has more issues than a crash CVE-2019-8396 (A buffer overflow in H5O__layout_encode in H5Olayout.c in the HDF HDF5 ...) - - hdf5 (bug #1034838) + - hdf5 (bug #1034838) NOTE: https://github.com/magicSwordsMan/PAAFS/tree/master/vul4 NOTE: https://jira.hdfgroup.org/browse/HDFFV-10712 NOTE: HDFFV-10712 is marked to be closed in a future 1.10.8 upstream release. @@ -326004,7 +326003,7 @@ CVE-2018-1000801 (okular version 18.08 and earlier contains a Directory Traversa CVE-2018-1000800 (zephyr-rtos version 1.12.0 contains a NULL base pointer reference vuln ...) NOT-FOR-US: zephyr-rtos CVE-2018-1000773 (WordPress version 4.9.8 and earlier contains a CWE-20 Input Validation ...) - - wordpress + NOTE: No actionable information NOTE: This CVE exists due to an incomplete fix in 4.9 for CVE-2017-1000600. CVE-2018-1000673 REJECTED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2523fd1e30844c7a58a627f9f35766ede2cf6ecd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2523fd1e30844c7a58a627f9f35766ede2cf6ecd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b2ad6fb by Moritz Mühlenhoff at 2023-04-25T21:02:32+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58193,7 +58193,7 @@ CVE-2022-37408 CVE-2022-37343 RESERVED CVE-2022-36788 (A heap-based buffer overflow vulnerability exists in the TriangleMesh ...) - - slic3r + - slic3r (bug #1034848) [buster] - slic3r (Minor issue) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1593 CVE-2022-36420 @@ -116436,17 +116436,17 @@ CVE-2021-43520 CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 a ...) - lua5.4 5.4.4-1 (bug #1000228) [bullseye] - lua5.4 (Minor issue) - - lua5.3 + - lua5.3 (bug #1034847) [bookworm] - lua5.3 (Minor issue) [bullseye] - lua5.3 (Minor issue) [buster] - lua5.3 (Minor issue) [stretch] - lua5.3 (Minor issue) - - lua5.2 + - lua5.2 (bug #1034846) [bookworm] - lua5.2 (Minor issue) [bullseye] - lua5.2 (Minor issue) [buster] - lua5.2 (Minor issue) [stretch] - lua5.2 (Minor issue) - - lua5.1 + - lua5.1 (bug #1034845) [bookworm] - lua5.1 (Minor issue) [bullseye] - lua5.1 (Minor issue) [buster] - lua5.1 (Minor issue) @@ -121133,10 +121133,10 @@ CVE-2021-42522 (There is a Information Disclosure vulnerability in anjuta/plugin CVE-2021-42521 (There is a NULL pointer dereference vulnerability in VTK before 9.2.5, ...) - vtk9 (bug #1031877) [bullseye] - vtk9 (Minor issue) - - vtk7 + - vtk7 (bug #1034844) [bullseye] - vtk7 (Minor issue) [buster] - vtk7 (Minor issue) - - vtk6 + - vtk6 (bug #1034843) [bullseye] - vtk6 (Minor issue) [buster] - vtk6 (Minor issue) NOTE: https://gitlab.kitware.com/vtk/vtk/-/issues/17818 @@ -123182,7 +123182,7 @@ CVE-2021-41805 (HashiCorp Consul Enterprise before 1.8.17, 1.9.x before 1.9.11, CVE-2021-41804 RESERVED CVE-2021-41803 (HashiCorp Consul 1.8.1 up to 1.11.8, 1.12.4, and 1.13.1 do not properl ...) - - consul + - consul (bug #1034841) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-19-consul-auto-config-jwt-authorization-missing-input-validation/44627 CVE-2021-41802 (HashiCorp Vault and Vault Enterprise through 1.7.4 and 1.8.3 allowed a ...) NOT-FOR-US: HashiCorp Vault @@ -157891,7 +157891,7 @@ CVE-2021-28237 (LibreDWG v0.12.3 was discovered to contain a heap-buffer overflo CVE-2021-28236 (LibreDWG v0.12.3 was discovered to contain a NULL pointer dereference ...) - libredwg (bug #595191) CVE-2021-28235 (Authentication vulnerability found in Etcd-io v.3.4.10 allows remote a ...) - - etcd + - etcd (bug #1034840) [buster] - etcd (Minor issue; only when debug is enabled) NOTE: https://github.com/etcd-io/etcd/pull/15648 NOTE: https://github.com/etcd-io/etcd/pull/15655 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2ad6fb4bd18c40a906deacebcfbb41dfb10b5d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2ad6fb4bd18c40a906deacebcfbb41dfb10b5d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f3c8a49b by Moritz Muehlenhoff at 2023-04-24T23:12:48+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1171,7 +1171,7 @@ CVE-2023-30772 (The Linux kernel before 6.2.9 has a race condition and resultant CVE-2023-30770 (A stack-based buffer overflow vulnerability was found in the ASUSTOR D ...) NOT-FOR-US: ASUSTOR Data Master (ADM) CVE-2023-30769 (Vulnerability discovered is related to the peer-to-peer (p2p) communic ...) - - dogecoin + - dogecoin (bug #1034806) NOTE: https://www.halborn.com/blog/post/halborn-discovers-zero-day-impacting-dogecoin-and-280-networks CVE-2023-30757 RESERVED @@ -65428,7 +65428,7 @@ CVE-2022-31471 (untangle is a python library to convert XML data to python objec NOTE: https://github.com/stchris/untangle/releases/tag/1.2.1 NOTE: https://github.com/stchris/untangle/pull/94 CVE-2022-2393 (A flaw was found in pki-core, which could allow a user to get a certif ...) - - dogtag-pki + - dogtag-pki (bug #1034802) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2101046 CVE-2022-2392 (The Lana Downloads Manager WordPress plugin before 1.8.0 is affected b ...) NOT-FOR-US: WordPress plugin @@ -111969,7 +111969,7 @@ CVE-2021-44505 (An issue was discovered in FIS GT.M through V7.0-000 (related to NOTE: http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828 CVE-2021-44504 (An issue was discovered in FIS GT.M through V7.0-000 (related to the Y ...) - - fis-gtm + - fis-gtm (bug #1034805) [bookworm] - fis-gtm (Minor issue) [bullseye] - fis-gtm (Minor issue) [buster] - fis-gtm (Minor issue) @@ -112026,7 +112026,7 @@ CVE-2021-44497 (An issue was discovered in FIS GT.M through V7.0-000 (related to NOTE: http://tinco.pair.com/bhaskar/gtm/doc/articles/GTM_V7.0-002_Release_Notes.html NOTE: https://gitlab.com/YottaDB/DB/YDB/-/issues/828 CVE-2021-44496 (An issue was discovered in FIS GT.M through V7.0-000 (related to the Y ...) - - fis-gtm + - fis-gtm (bug #1034805) [bookworm] - fis-gtm (Minor issue) [bullseye] - fis-gtm (Minor issue) [buster] - fis-gtm (Minor issue) @@ -134115,7 +134115,7 @@ CVE-2021-37493 CVE-2021-37492 (An issue discovered in src/wallet/wallet.cpp in Ravencoin Core 4.3.2.1 ...) NOT-FOR-US: Ravencoin CVE-2021-37491 (An issue discovered in src/wallet/wallet.cpp in Dogecoin Project Dogec ...) - - dogecoin + - dogecoin (bug #1034806) NOTE: https://github.com/dogecoin/dogecoin/issues/2279 CVE-2021-37490 RESERVED @@ -257457,7 +257457,7 @@ CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token [bullseye] - dogtag-pki (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707 CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final ...) - - resteasy + - resteasy (bug #1034804) - resteasy3.0 3.0.26-2 [buster] - resteasy3.0 (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1730462 @@ -330630,7 +330630,7 @@ CVE-2018-14629 (A denial of service vulnerability was discovered in Samba's LDAP - samba 2:4.9.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2018-14629.html CVE-2018-14628 (An information leak vulnerability was discovered in Samba's LDAP serve ...) - - samba + - samba (bug #1034803) [bookworm] - samba (Minor issue, revisit when fixed upstream) [bullseye] - samba (Minor issue, revisit when fixed upstream) NOTE: https://bugzilla.samba.org/show_bug.cgi?id=13595 @@ -340055,7 +340055,7 @@ CVE-2018-11206 (An out of bounds read was discovered in H5O_fill_new_decode and NOTE: https://jira.hdfgroup.org/browse/HDFFV-10480 NOTE: https://bitbucket.hdfgroup.org/projects/HDFFV/repos/hdf5/commits/992a199f90fec31e0ad72ed76ed279a3ccea59e4 CVE-2018-11205 (A out of bounds read was discovered in H5VM_memcpyvv in H5VM.c in the ...) - - hdf5 + - hdf5 (bug #1034807) NOTE: https://jira.hdfgroup.org/browse/HDFFV-10479 CVE-2018-11204 (A NULL pointer dereference was discovered in H5O__chunk_deserialize in ...) - hdf5 1.10.4+repack-1 (low) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3c8a49b67620bf41015947c41e854a9daf239a7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3c8a49b67620bf41015947c41e854a9daf239a7 You're receiving this email because of your account on salsa.debian.org.
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b7b544b6 by Moritz Muehlenhoff at 2023-04-22T19:37:50+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1742,15 +1742,15 @@ CVE-2023-1998 (The Linux kernel allows userspace processes to enable mitigations CVE-2023-1995 RESERVED CVE-2023-1994 (GQUIC dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6.12 ...) - - wireshark + - wireshark (bug #1034721) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18947 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-11.html CVE-2023-1993 (LISP dissector large loop in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6 ...) - - wireshark + - wireshark (bug #1034721) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18900 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-10.html CVE-2023-1992 (RPCoRDMA dissector crash in Wireshark 4.0.0 to 4.0.4 and 3.6.0 to 3.6. ...) - - wireshark + - wireshark (bug #1034721) NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18852 NOTE: https://www.wireshark.org/security/wnpa-sec-2023-09.html CVE-2023-1991 @@ -9414,7 +9414,7 @@ CVE-2023-1257 (An attacker with physical access to the affected Moxa UC Series d CVE-2023-1256 (The listed versions of AVEVA Plant SCADA and AVEVA Telemetry Server ar ...) NOT-FOR-US: AVEVA Plant SCADA and AVEVA Telemetry Server CVE-2023-1255 (Issue summary: The AES-XTS cipher decryption implementation for 64 bit ...) - - openssl + - openssl (bug #1034720) [bullseye] - openssl (Vulnerable code not present) [buster] - openssl (Vulnerable code not present) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=02ac9c9420275868472f33b01def01218742b8bb @@ -12023,7 +12023,7 @@ CVE-2023-26966 CVE-2023-26965 RESERVED CVE-2023-26964 (An issue was discovered in hyper v0.13.7. h2-0.2.4 Stream stacking occ ...) - - rust-h2 + - rust-h2 (bug #1034723) NOTE: https://github.com/hyperium/hyper/issues/2877 NOTE: https://github.com/hyperium/h2/commit/5bc8e72e5fcbd8ae2d3d9bc78a1c0ef0040bcc39 (v0.3.17) CVE-2023-26963 @@ -12126,7 +12126,7 @@ CVE-2023-26919 (delight-nashorn-sandbox 0.2.4 and 0.2.5 is vulnerable to sandbox CVE-2023-26918 (Diasoft File Replication Pro 7.5.0 allows attackers to escalate privil ...) NOT-FOR-US: Diasoft File Replication Pro CVE-2023-26917 (libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL poin ...) - - libyang2 + - libyang2 (bug #1034724) [bullseye] - libyang2 (Minor issue) NOTE: https://github.com/CESNET/libyang/issues/1987 NOTE: https://github.com/CESNET/libyang/commit/cfa1a965a429e4bfc5ae1539a8e87a9cf71c3090 (v2.1.55) @@ -17497,7 +17497,7 @@ CVE-2023-0647 (A vulnerability, which was classified as critical, has been found CVE-2023-0646 (A vulnerability classified as critical was found in dst-admin 1.5.0. A ...) NOT-FOR-US: dst-admin CVE-2023-0645 (An out of bounds read exists in libjxl. An attacker using a specifical ...) - - jpeg-xl + - jpeg-xl (bug #1034722) NOTE: https://github.com/libjxl/libjxl/commit/a7c8428b61299f3b055cbbdbba3fbcd8cb38d084 NOTE: https://github.com/libjxl/libjxl/issues/2100 NOTE: https://github.com/libjxl/libjxl/pull/2101 @@ -19259,7 +19259,7 @@ CVE-2023-0468 (A use-after-free flaw was found in io_uring/poll.c in io_poll_che CVE-2023-0467 (The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanit ...) NOT-FOR-US: WordPress plugin CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to implicit ...) - - openssl + - openssl (bug #1034720) [bookworm] - openssl (Minor issue) [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) @@ -19267,7 +19267,7 @@ CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to imp NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable) CVE-2023-0465 (Applications that use a non-default option when verifying certificates ...) - - openssl + - openssl (bug #1034720) [bookworm] - openssl (Minor issue) [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) @@ -19275,7 +19275,7 @@ CVE-2023-0465 (Applications that use a non-default option when verifying certifi NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb (openssl-3.0) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 73a6c318 by Moritz Muehlenhoff at 2023-04-13T21:02:41+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2426,7 +2426,7 @@ CVE-2023-29492 (Novi Survey before 8.9.43676 allows remote attackers to execute NOT-FOR-US: Novi Survey CVE-2023-29491 RESERVED - - ncurses + - ncurses (bug #1034372) NOTE: https://invisible-island.net/ncurses/NEWS.html#index-t20230408 CVE-2023-29490 RESERVED @@ -2658,7 +2658,7 @@ CVE-2023-1907 RESERVED CVE-2023-1906 RESERVED - - imagemagick + - imagemagick (bug #1034373) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-35q2-86c7-9247 NOTE: https://github.com/ImageMagick/ImageMagick6/commit/e30c693b37c3b41723f1469d1226a2c814ca443d (ImageMagick 6.9.12-84) CVE-2023-1905 @@ -2668,7 +2668,7 @@ CVE-2015-10098 (A vulnerability was found in Broken Link Checker Plugin up to 1. CVE-2013-10023 (A vulnerability was found in Editorial Calendar Plugin up to 2.6. It h ...) NOT-FOR-US: WordPress plugin CVE-2023- [https://rustsec.org/advisories/RUSTSEC-2023-0031.html] - - rust-spin + - rust-spin (bug #1034374) [bullseye] - rust-spin (Introduced in 0.9.3) [buster] - rust-spin (Introduced in 0.9.3) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0031.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73a6c3188e5b8366e728d608a9fe87864a00484d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73a6c3188e5b8366e728d608a9fe87864a00484d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c6e1434c by Moritz Muehlenhoff at 2023-04-10T19:51:03+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2249,22 +2249,22 @@ CVE-2023- [https://rustsec.org/advisories/RUSTSEC-2023-0031.html] NOTE: https://github.com/mvdnes/spin-rs/issues/148 CVE-2023-29421 (An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is ...) [experimental] - bzip3 1.2.3-1 - - bzip3 + - bzip3 (bug #1034177) NOTE: https://github.com/kspalaiologos/bzip3/issues/94 NOTE: https://github.com/kspalaiologos/bzip3/commit/33b1951f153c3c5dc8ed736b9110437e1a619b7d (1.2.3) CVE-2023-29420 (An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is ...) [experimental] - bzip3 1.2.3-1 - - bzip3 + - bzip3 (bug #1034177) NOTE: https://github.com/kspalaiologos/bzip3/commit/bb06deb85f1c249838eb938e0dab271d4194f8fa (1.2.3) NOTE: https://github.com/kspalaiologos/bzip3/issues/92 CVE-2023-29419 (An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is ...) [experimental] - bzip3 1.2.3-1 - - bzip3 + - bzip3 (bug #1034177) NOTE: https://github.com/kspalaiologos/bzip3/commit/8ec8ce7d3d58bf42dabc47e4cc53aa27051bd602 (1.2.3) NOTE: https://github.com/kspalaiologos/bzip3/issues/92 CVE-2023-29418 (An issue was discovered in libbzip3.a in bzip3 before 1.2.3. There is ...) [experimental] - bzip3 1.2.3-1 - - bzip3 + - bzip3 (bug #1034177) NOTE: https://github.com/kspalaiologos/bzip3/commit/aae16d107f804f69000c09cd92027a140968cc9d (1.2.3) NOTE: https://github.com/kspalaiologos/bzip3/issues/92 CVE-2023-29417 (** DISPUTED ** An issue was discovered in libbzip3.a in bzip3 1.2.2. T ...) @@ -2272,11 +2272,11 @@ CVE-2023-29417 (** DISPUTED ** An issue was discovered in libbzip3.a in bzip3 1. NOTE: https://github.com/kspalaiologos/bzip3/issues/97 NOTE: Issue between library and example code not correctly using the API CVE-2023-29416 (An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A bz3_dec ...) - - bzip3 + - bzip3 (bug #1034177) NOTE: https://github.com/kspalaiologos/bzip3/commit/bfa5bf82b53715dfedf048e5859a46cf248668ff (1.3.0) NOTE: https://github.com/kspalaiologos/bzip3/issues/92 CVE-2023-29415 (An issue was discovered in libbzip3.a in bzip3 before 1.3.0. A denial ...) - - bzip3 + - bzip3 (bug #1034177) NOTE: https://github.com/kspalaiologos/bzip3/issues/95 NOTE: https://github.com/kspalaiologos/bzip3/commit/56c24ca1f8f25e648d42154369b6962600f76465 CVE-2023-29414 @@ -2573,7 +2573,7 @@ CVE-2023-29325 CVE-2023-29324 RESERVED CVE-2023-29323 (ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 ...) - - opensmtpd + - opensmtpd (bug #1034178) NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/7.1/common/024_smtpd.patch.sig CVE-2023-29322 RESERVED @@ -3551,7 +3551,7 @@ CVE-2023-29000 (The Nextcloud Desktop Client is a tool to synchronize files from NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h82x-98q3-7534 NOTE: https://hackerone.com/reports/1679267 CVE-2023-28999 (Nextcloud is an open-source productivity platform. In Nextcloud Deskto ...) - - nextcloud-desktop + - nextcloud-desktop (bug #1034184) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8 NOTE: https://github.com/nextcloud/desktop/pull/5560 CVE-2023-28998 (The Nextcloud Desktop Client is a tool to synchronize files from Nextc ...) @@ -3921,12 +3921,12 @@ CVE-2023-1657 CVE-2023-1656 (Cleartext Transmission of Sensitive Information vulnerability in Forge ...) NOT-FOR-US: ForgeRock CVE-2023-1655 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4 ...) - - gpac + - gpac (bug #1034187) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9 NOTE: https://github.com/gpac/gpac/commit/e7f96c2d3774e4ea25f952bcdf55af1dd6e919f4 CVE-2023-1654 (Denial of Service in GitHub repository gpac/gpac prior to 2.4.0. ...) - - gpac + - gpac (bug #1034187) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14 NOTE: https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da @@ -4177,7 +4177,7 @@ CVE-2023-22308 CVE-2023-1625 [information leak in API] RESERVED [experimental] - heat 1:20.0.0~rc1-1 - - heat + - heat (bug #1034186) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 94342456 by Moritz Muehlenhoff at 2023-04-10T18:28:17+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11040,16 +11040,16 @@ CVE-2023-26487 (Vega is a visualization grammar, a declarative format for creati CVE-2023-26486 (Vega is a visualization grammar, a declarative format for creating, sa ...) NOT-FOR-US: Vega CVE-2023-26485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1034171) [bookworm] - cmark-gfm (Minor issue) [bullseye] - cmark-gfm (Minor issue) - - python-cmarkgfm + - python-cmarkgfm (bug #1034172) [bookworm] - python-cmarkgfm (Minor issue) [bullseye] - python-cmarkgfm (Minor issue) - - r-cran-commonmark + - r-cran-commonmark (bug #1034173) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) - - ruby-commonmarker + - ruby-commonmarker (bug #1034174) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-r8vr-c48j-fcc5 @@ -15902,16 +15902,16 @@ CVE-2023-24826 CVE-2023-24825 RESERVED CVE-2023-24824 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1034171) [bookworm] - cmark-gfm (Minor issue) [bullseye] - cmark-gfm (Minor issue) - - python-cmarkgfm + - python-cmarkgfm (bug #1034172) [bookworm] - python-cmarkgfm (Minor issue) [bullseye] - python-cmarkgfm (Minor issue) - - r-cran-commonmark + - r-cran-commonmark (bug #1034173) [bookworm] - r-cran-commonmark (Minor issue) [bullseye] - r-cran-commonmark (Minor issue) - - ruby-commonmarker + - ruby-commonmarker (bug #1034174) [bookworm] - ruby-commonmarker (Minor issue) [bullseye] - ruby-commonmarker (Minor issue) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-66g8-4hjf-77xh @@ -41285,7 +41285,7 @@ CVE-2022-43636 (This vulnerability allows network-adjacent attackers to bypass a CVE-2022-43635 (This vulnerability allows network-adjacent attackers to disclose sensi ...) NOT-FOR-US: TP-Link CVE-2022-43634 (This vulnerability allows remote attackers to execute arbitrary code o ...) - - netatalk + - netatalk (bug #1034170) NOTE: https://github.com/Netatalk/Netatalk/pull/186 NOTE: https://github.com/advisories/GHSA-fwj9-7qq8-jc93 NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-094/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94342456467a68b2aba2eb6c81c370fb00cd8883 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/94342456467a68b2aba2eb6c81c370fb00cd8883 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 69103dca by Moritz Muehlenhoff at 2023-03-17T15:37:04+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7119,7 +7119,7 @@ CVE-2023-0868 (Reflected cross-site scripting in graph results in multiple versi CVE-2023-0867 (Multiple stored and reflected cross-site scripting vulnerabilities in ...) NOT-FOR-US: OpenNMS CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f @@ -7542,19 +7542,19 @@ CVE-2023-0821 (HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4. CVE-2023-0820 RESERVED CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Vulnerable code not present) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3 @@ -8112,7 +8112,7 @@ CVE-2023-25642 CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7,deve ...) - ampache CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd @@ -8203,7 +8203,7 @@ CVE-2023-0762 CVE-2023-0761 RESERVED CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21 @@ -13327,7 +13327,7 @@ CVE-2023-0360 (The Location Weather WordPress plugin before 1.3.4 does not valid CVE-2023-0359 RESERVED CVE-2023-0358 (Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV. ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/93e128ed-253f-4c42-81ff-fbac7fd8f355 NOTE: https://github.com/gpac/gpac/commit/9971fb125cf91cefd081a080c417b90bbe4a467b @@ -15086,15 +15086,15 @@ CVE-2023-23147 CVE-2023-23146 RESERVED CVE-2023-23145 (GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a me ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4ade98128cbc41d5115b97a41ca2e59529c8dd5f CVE-2023-23144 (Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/3a2458a49b3e6399709d456d7b35e7a6f50cfb86 CVE-2023-23143 (Buffer overflow vulnerability in function avc_parse_slice in file medi ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/af6a5e7a96ee01a139cce6c9e4edfc069aad17a6 CVE-2023-23142 @@ -17521,7 +17521,7 @@ CVE-2020-36638 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chr CVE-2020-36637 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de ...) NOT-FOR-US: Chris92de AdminServ CVE-2018-25060 (A vulnerability was found in Macaron csrf and classified as problemati ...) - - golang-github-go-macaron-csrf + - golang-github-go-macaron-csrf (bug #1033115) [bullseye] - golang-github-go-macaron-csrf (Minor issue) [buster] - golang-github-go-macaron-csrf (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4595f08a by Moritz Muehlenhoff at 2023-03-17T15:09:07+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17590,22 +17590,30 @@ CVE-2023-22488 (Flarum is a forum software for building communities. Using the n CVE-2023-22487 (Flarum is a forum software for building communities. Using the mention ...) NOT-FOR-US: Flarum CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p NOTE: https://github.com/github/cmark-gfm/commit/ece074cc3378f7a8dec0395f00123e9fa6981f7b (0.29.0.gfm.7) - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22482 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...) NOT-FOR-US: Argo CD CVE-2023-22481 (FreshRSS is a self-hosted RSS feed aggregator. When using the greader ...) @@ -208078,7 +208086,7 @@ CVE-2020-16156 (CPAN 2.28 allows Signature Verification Bypass. ...) NOTE: https://github.com/andk/cpanpm/commit/7d4d5e32bcd9b75f7bf70a395938a48ca4a06d25 (2.33-TRIAL) NOTE: https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603 (2.33-TRIAL) CVE-2020-16155 (The CPAN::Checksums package 2.12 for Perl does not uniquely define sig ...) - - libcpan-checksums-perl + - libcpan-checksums-perl (bug #1033109) [bookworm] - libcpan-checksums-perl (Minor issue) [bullseye] - libcpan-checksums-perl (Minor issue) [buster] - libcpan-checksums-perl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4595f08a6df8c918b41b3f829d65f8cd4606f0c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4595f08a6df8c918b41b3f829d65f8cd4606f0c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a9780b83 by Moritz Muehlenhoff at 2023-03-10T20:17:49+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2580,28 +2580,28 @@ CVE-2023-27121 CVE-2023-27120 RESERVED CVE-2023-27119 (WebAssembly v1.0.29 was discovered to contain a segmentation fault via ...) - - wabt (unimportant) + - wabt (unimportant; bug #1032669) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/WebAssembly/wabt/issues/1990 CVE-2023-27118 RESERVED CVE-2023-27117 (WebAssembly v1.0.29 was discovered to contain a heap overflow via the ...) - - wabt (unimportant) + - wabt (unimportant; bug #1032669) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/WebAssembly/wabt/issues/1989 CVE-2023-27116 (WebAssembly v1.0.29 discovered to contain an abort in CWriter::MangleT ...) - - wabt (unimportant) + - wabt (unimportant; bug #1032669) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/WebAssembly/wabt/issues/1984 NOTE: https://github.com/WebAssembly/wabt/pull/2119 NOTE: https://github.com/WebAssembly/wabt/commit/8a7b7497bdf78f9099f8d5a3a2c9bde87ddd52da CVE-2023-27115 (WebAssembly v1.0.29 was discovered to contain a segmentation fault via ...) - - wabt (unimportant) + - wabt (unimportant; bug #1032669) NOTE: Crash in CLI tool, no security impact NOTE: https://github.com/WebAssembly/wabt/issues/1938 NOTE: https://github.com/WebAssembly/wabt/issues/1992 CVE-2023-27114 (radare2 v5.8.3 was discovered to contain a segmentation fault via the ...) - - radare2 + - radare2 (bug #1032667) NOTE: https://github.com/radareorg/radare2/issues/21363 NOTE: https://github.com/radareorg/radare2/commit/13308c9aad79f9c7a3507ce549fe270103e8ceea CVE-2023-27113 @@ -14154,7 +14154,7 @@ CVE-2023-0198 CVE-2023-0197 RESERVED CVE-2023-0196 (NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a local use ...) - - nvidia-cuda-toolkit + - nvidia-cuda-toolkit (bug #1032668) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5446 CVE-2023-0195 @@ -14163,7 +14163,7 @@ CVE-2023-0194 RESERVED CVE-2023-0193 RESERVED - - nvidia-cuda-toolkit + - nvidia-cuda-toolkit (bug #1032668) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5446 CVE-2023-0192 @@ -126309,7 +126309,7 @@ CVE-2021-36491 CVE-2021-36490 RESERVED CVE-2021-36489 (Buffer Overflow vulnerability in Allegro through 5.2.6 allows attacker ...) - - allegro4.4 + - allegro4.4 (bug #1032670) - allegro5 2:5.2.8.0+dfsg-1 [bullseye] - allegro5 (Minor issue) NOTE: https://github.com/liballeg/allegro5/issues/1251 @@ -133889,7 +133889,7 @@ CVE-2021-33393 (lfs/backup in IPFire 2.25-core155 does not ensure that /var/ipfi CVE-2021-33392 RESERVED CVE-2021-33391 (An issue in HTACG HTML Tidy v5.7.28 allows attacker to execute arbitra ...) - - tidy-html5 + - tidy-html5 (bug #1032665) [bullseye] - tidy-html5 (Minor issue) NOTE: https://github.com/htacg/tidy-html5/issues/946 NOTE: https://github.com/htacg/tidy-html5/commit/efa61528aa500a1efbd2768121820742d3bb709b @@ -133940,7 +133940,7 @@ CVE-2021-33369 CVE-2021-33368 RESERVED CVE-2021-33367 (Buffer Overflow vulnerability in Freeimage v3.18.0 allows attacker to ...) - - freeimage + - freeimage (bug #1032666) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/discussion/36109/thread/1a4db03d58/ @@ -135336,7 +135336,7 @@ CVE-2021-32823 (In the bindata RubyGem before version 2.4.10 there is a potentia CVE-2021-32822 (The npm hbs package is an Express view engine wrapper for Handlebars. ...) NOT-FOR-US: Node hbs CVE-2021-32821 (MooTools is a collection of JavaScript utilities for JavaScript develo ...) - - mootols + - mootols (bug #1032664) NOTE: https://securitylab.github.com/advisories/GHSL-2020-345-redos-mootools/ CVE-2021-32820 (Express-handlebars is a Handlebars view engine for Express. Express-ha ...) NOT-FOR-US: Express-handlebars View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9780b83ea9b7efd0b49126113d4fff16484f0f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9780b83ea9b7efd0b49126113d4fff16484f0f4 You're receiving this email because of
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d243c45b by Moritz Muehlenhoff at 2023-02-27T23:20:28+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1880,7 +1880,7 @@ CVE-2023-22342 CVE-2023-22293 RESERVED CVE-2023-0996 (There is a vulnerability in the strided image data parsing code in the ...) - - libheif + - libheif (bug #1032101) NOTE: https://github.com/strukturag/libheif/pull/759 NOTE: https://govtech-csg.github.io/security-advisories/2023/02/24/CVE-2023-0996.html CVE-2023-0995 (Cross-site Scripting (XSS) - Stored in GitHub repository unilogies/bum ...) @@ -4252,7 +4252,7 @@ CVE-2023-0779 RESERVED CVE-2023-0778 RESERVED - - libpod + - libpod (bug #1032099) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2168256 NOTE: https://github.com/containers/podman/commit/6ca857feb07a5fdc96fd947afef03916291673d8 CVE-2023-25678 @@ -7599,7 +7599,7 @@ CVE-2023-0477 CVE-2023-0476 (A LDAP injection vulnerability exists in Tenable.sc due to improper va ...) NOT-FOR-US: Tenable CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompressi ...) - - golang-github-hashicorp-go-getter + - golang-github-hashicorp-go-getter (bug #1032100) NOTE: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 109.0.5414.119 a ...) {DSA-5328-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d243c45b3c2fc3a660137b364f47018dc9c9719b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d243c45b3c2fc3a660137b364f47018dc9c9719b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ae3324c by Moritz Muehlenhoff at 2023-02-27T20:52:48+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9554,7 +9554,7 @@ CVE-2011-10001 (A vulnerability was found in iamdroppy phoenixcf. It has been de CVE-2010-10008 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in simplesam ...) NOT-FOR-US: simplesamlphp-module-openidprovider CVE-2023- [RUSTSEC-2022-0078] - - rust-bumpalo + - rust-bumpalo (bug #1032088) [bullseye] - rust-bumpalo (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2022-0078.html NOTE: https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md#3111 @@ -17631,8 +17631,8 @@ CVE-2022-4494 (A vulnerability, which was classified as critical, has been found CVE-2022-4493 (A vulnerability classified as critical was found in scifio. Affected b ...) NOT-FOR-US: SCIFIO (SCientific Image Format Input & Output) CVE-2022-4492 (The undertow client is not checking the server identity presented by t ...) - - undertow - TODO: check details, https://bugzilla.redhat.com/show_bug.cgi?id=2153260 has missing public details + - undertow (bug #1032087) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2153260 has missing public details CVE-2022-4491 (The WP-Table Reloaded WordPress plugin through 1.9.4 does not validate ...) NOT-FOR-US: WordPress plugin CVE-2022-4490 @@ -25277,7 +25277,7 @@ CVE-2022-44902 CVE-2022-44901 RESERVED CVE-2022-44900 (A directory traversal vulnerability in the SevenZipFile.extractall() f ...) - - py7zr + - py7zr (bug #1032091) NOTE: https://github.com/miurahr/py7zr/commit/1bb43f17515c7f69673a1c88ab9cc72a7bbef406 (v0.20.1) NOTE: https://lessonsec.com/cve/cve-2022-44900/ CVE-2022-44899 @@ -40711,7 +40711,7 @@ CVE-2022-40154 CVE-2022-40153 REJECTED CVE-2022-40152 (Those using Woodstox to parse XML data may be vulnerable to Denial of ...) - - libwoodstox-java + - libwoodstox-java (bug #1032089) [bullseye] - libwoodstox-java (Minor issue) [buster] - libwoodstox-java (Minor issue) NOTE: https://github.com/x-stream/xstream/issues/304 @@ -42831,7 +42831,7 @@ CVE-2022-39270 (DiscoTOC is a Discourse theme component that generates a table o NOT-FOR-US: DiscoTOC Discourse theme CVE-2022-39269 (PJSIP is a free and open source multimedia communication library writt ...) {DSA-5358-1 DLA-3335-1} - - asterisk + - asterisk (bug #1032092) - pjproject - ring 20230206.0~ds1-1 NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-wx5m-cj97-4wwg @@ -88826,14 +88826,14 @@ CVE-2022-23548 (Discourse is an option source discussion platform. Prior to vers NOT-FOR-US: Discourse CVE-2022-23537 (PJSIP is a free and open source multimedia communication library writt ...) {DSA-5358-1 DLA-3335-1} - - asterisk + - asterisk (bug #1032092) - ring 20230206.0~ds1-1 - pjproject NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w NOTE: https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1 CVE-2022-23547 (PJSIP is a free and open source multimedia communication library writt ...) {DSA-5358-1 DLA-3335-1} - - asterisk + - asterisk (bug #1032092) - ring 20230206.0~ds1-1 - pjproject NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ae3324ced9499920d98bec6ebccbd9d1a4b6246 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ae3324ced9499920d98bec6ebccbd9d1a4b6246 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ea4b589 by Moritz Muehlenhoff at 2023-02-21T16:18:04+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,7 @@ CVE-2023-26255 CVE-2023-26254 RESERVED CVE-2023-26253 (In Gluster GlusterFS 11.0, there is an xlators/mount/fuse/src/fuse-bri ...) - - glusterfs + - glusterfs (bug #1031731) NOTE: https://github.com/gluster/glusterfs/issues/3954 CVE-2023-26252 RESERVED @@ -146,13 +146,13 @@ CVE-2022-48332 CVE-2022-48331 RESERVED CVE-2022-48339 (An issue was discovered in GNU Emacs through 28.2. htmlfontify.el has ...) - - emacs + - emacs (bug #1031730) NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c CVE-2022-48338 (An issue was discovered in GNU Emacs through 28.2. In ruby-mode.el, th ...) - - emacs + - emacs (bug #1031730) NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=9a3b08061feea14d6f37685ca1ab8801758bfd1c CVE-2022-48337 (GNU Emacs through 28.2 allows attackers to execute commands via shell ...) - - emacs + - emacs (bug #1031730) NOTE: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=01a4035c869b91c153af9a9132c87adb7669ea1c CVE-2023-26213 RESERVED @@ -433,7 +433,7 @@ CVE-2023-26083 CVE-2023-26082 RESERVED CVE-2023-26081 (In Epiphany (aka GNOME Web) through 43.0, untrusted web content can tr ...) - - epiphany-browser + - epiphany-browser (bug #1031727) NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/merge_requests/1275 NOTE: https://gitlab.gnome.org/GNOME/epiphany/-/commit/53363c3c8178bf9193dad9fa3516f4e10cff0ffd CVE-2023-26080 @@ -527,7 +527,7 @@ CVE-2023-0913 (A vulnerability classified as critical was found in SourceCodeste CVE-2023-0912 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester Auto Dealer Management System CVE-2019-25104 (A vulnerability has been found in rtcwcoop 1.0.2 and classified as pro ...) - - iortcw + - iortcw (bug #1031732) NOTE: https://github.com/rtcwcoop/rtcwcoop/pull/45 NOTE: Reported against a version based on iortcw, but seems missing in iortcw CVE-2016-15026 (A vulnerability was found in 3breadt dd-plist 1.17 and classified as p ...) @@ -3622,7 +3622,7 @@ CVE-2023-25000 CVE-2023-24999 RESERVED CVE-2023-24998 (Apache Commons FileUpload before 1.5 does not limit the number of requ ...) - - libcommons-fileupload-java + - libcommons-fileupload-java (bug #1031733) [bullseye] - libcommons-fileupload-java (Minor issue) NOTE: https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17 NOTE: https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy @@ -5053,8 +5053,8 @@ CVE-2023-0484 CVE-2023-0483 RESERVED CVE-2023-0482 (In RESTEasy the insecure File.createTempFile() is used in the DataSour ...) - - resteasy - - resteasy3.0 + - resteasy (bug #1031728) + - resteasy3.0 (bug #1031729) [bullseye] - resteasy3.0 (Minor issue) [buster] - resteasy3.0 (Minor issue) NOTE: https://github.com/resteasy/resteasy/pull/3409/ @@ -75797,13 +75797,13 @@ CVE-2022-26892 CVE-2022-26891 (Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. ...) NOT-FOR-US: Microsoft CVE-2022-26061 (A heap-based buffer overflow vulnerability exists in the gif2h5 functi ...) - - hdf5 + - hdf5 (bug #1031726) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1487 CVE-2022-25972 (An out-of-bounds write vulnerability exists in the gif2h5 functionalit ...) - - hdf5 + - hdf5 (bug #1031726) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1485 CVE-2022-25942 (An out-of-bounds read vulnerability exists in the gif2h5 functionality ...) - - hdf5 + - hdf5 (bug #1031726) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1486 CVE-2022-0935 (Host Header injection in password Reset in GitHub repository livehelpe ...) NOT-FOR-US: livehelperchat View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ea4b58988b7cad5402ab0999b075811a1bb7f2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ea4b58988b7cad5402ab0999b075811a1bb7f2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e6d7b5b by Moritz Mühlenhoff at 2023-01-30T19:02:12+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3120,7 +3120,7 @@ CVE-2023-23629 (Metabase is an open source data analytics platform. Affected ver CVE-2023-23628 (Metabase is an open source data analytics platform. Affected versions ...) NOT-FOR-US: Metabase CVE-2023-23627 (Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 ...) - - ruby-sanitize + - ruby-sanitize (bug #1030047) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7 NOTE: https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22 (v6.0.1) CVE-2023-23626 @@ -5767,17 +5767,17 @@ CVE-2023-22797 NOTE: https://discuss.rubyonrails.org/t/cve-2023-22797-possible-open-redirect-vulnerability-in-action-pack/82120 CVE-2023-22796 RESERVED - - rails + - rails (bug #1030050) NOTE: https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116 NOTE: https://github.com/rails/rails/commit/4b383e6936d7a72b5dc839f526c9a9aeb280acae (6-1-stable) CVE-2023-22795 RESERVED - - rails + - rails (bug #1030050) NOTE: https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118 NOTE: https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2 (6-1-stable) CVE-2023-22794 RESERVED - - rails + - rails (bug #1030050) [buster] - rails (Only affects 6.x and later) NOTE: https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117 NOTE: https://github.com/rails/rails/commit/048e9fc05e18c91838a44e60175e475de8b2aad5 (6-1-stable) @@ -5785,7 +5785,7 @@ CVE-2023-22793 RESERVED CVE-2023-22792 RESERVED - - rails + - rails (bug #1030050) NOTE: https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115 NOTE: https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f (6-1-stable) CVE-2023-22791 @@ -7679,7 +7679,7 @@ CVE-2023-22335 CVE-2023-22333 (Cross-site scripting vulnerability in EasyMail 2.00.130 and earlier al ...) NOT-FOR-US: EasyMail CVE-2023-22332 (Information disclosure vulnerability exists in Pgpool-II 4.4.0 to 4.4. ...) - - pgpool2 + - pgpool2 (bug #1030048) NOTE: https://www.pgpool.net/mediawiki/index.php/Main_Page#News CVE-2023-22324 (SQL injection vulnerability in the CONPROSYS HMI System (CHS) Ver.3.5. ...) NOT-FOR-US: CONPROSYS @@ -12056,7 +12056,7 @@ CVE-2022-47023 CVE-2022-47022 RESERVED CVE-2022-47021 (A null pointer dereference issue was discovered in functions op_get_da ...) - - opusfile + - opusfile (bug #1030049) [bullseye] - opusfile (Minor issue) NOTE: https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5 NOTE: https://github.com/xiph/opusfile/issues/36 @@ -20541,7 +20541,7 @@ CVE-2022-44567 (A command injection vulnerability exists in Rocket.Chat-Desktop NOT-FOR-US: Rocket.Chat-Desktop CVE-2022-44566 RESERVED - - rails + - rails (bug #1030050) NOTE: https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119 NOTE: https://github.com/rails/rails/commit/414eb337d142a9c61d7723ceb9b7c1ab30dff3ed (6-1-stable) CVE-2022-44565 (An improper access validation vulnerability exists in airMAX AC 8. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e6d7b5be47c07b7f2fea1f2dd65c01a08f5edad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e6d7b5be47c07b7f2fea1f2dd65c01a08f5edad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 601f784f by Moritz Muehlenhoff at 2023-01-18T20:04:26+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -374,7 +374,7 @@ CVE-2023-0331 RESERVED CVE-2023-0330 RESERVED - - qemu + - qemu (bug #1029155) [bullseye] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151 NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html @@ -2497,7 +2497,7 @@ CVE-2023-22897 CVE-2023-22896 RESERVED CVE-2023-22895 (The bzip2 crate before 0.4.4 for Rust allow attackers to cause a denia ...) - - rust-bzip2 + - rust-bzip2 (bug #1029155) [bullseye] - rust-bzip2 (Minor issue) [buster] - rust-bzip2 (Minor issue) NOTE: https://github.com/alexcrichton/bzip2-rs/pull/86 @@ -4271,7 +4271,7 @@ CVE-2023-22468 CVE-2023-22467 (Luxon is a library for working with dates and times in JavaScript. On ...) NOT-FOR-US: Luxon CVE-2023-22466 (Tokio is a runtime for writing applications with Rust. Starting with v ...) - - rust-tokio + - rust-tokio (bug #1029155) [bullseye] - rust-tokio (Only affects 1.7.0 and later) NOTE: https://rustsec.org/advisories/RUSTSEC-2023-0001.html NOTE: https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7 @@ -5191,7 +5191,7 @@ CVE-2022-47951 RESERVED CVE-2022-47950 RESERVED - - swift + - swift (bug #1029154) NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/1 CVE-2022-47949 (The Nintendo NetworkBuffer class, as used in Animal Crossing: New Hori ...) NOT-FOR-US: Animal Crossing @@ -7332,9 +7332,9 @@ CVE-2023-21901 CVE-2023-21900 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) TODO: check CVE-2023-21899 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox + - virtualbox (bug #1029153) CVE-2023-21898 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox + - virtualbox (bug #1029153) CVE-2023-21897 RESERVED CVE-2023-21896 @@ -7352,51 +7352,51 @@ CVE-2023-21891 (Vulnerability in the Oracle Business Intelligence Enterprise Edi CVE-2023-21890 (Vulnerability in the Oracle Communications Converged Application Serve ...) TODO: check CVE-2023-21889 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox + - virtualbox (bug #1029153) CVE-2023-21888 (Vulnerability in the Primavera Gateway product of Oracle Construction ...) TODO: check CVE-2023-21887 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21886 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox + - virtualbox (bug #1029153) CVE-2023-21885 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox + - virtualbox (bug #1029153) CVE-2023-21884 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - - virtualbox + - virtualbox (bug #1029153) CVE-2023-21883 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21882 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21881 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21880 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21879 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21878 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21877 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21876 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21875 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1029151) CVE-2023-21874 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.31-1
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac7419ed by Moritz Mühlenhoff at 2023-01-16T20:36:38+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,7 @@ CVE-2023-23592 CVE-2023-23591 RESERVED CVE-2023-0302 (Failure to Sanitize Special Elements into a Different Plane (Special E ...) - - radare2 + - radare2 (bug #1029037) NOTE: https://huntr.dev/bounties/583133af-7ae6-4a21-beef-a4b0182cf82e/ NOTE: https://github.com/radareorg/radare2/commit/961f0e723903011d4f54c2396e44efa91fcc74ce CVE-2023-0301 (Cross-site Scripting (XSS) - Stored in GitHub repository alfio-event/a ...) @@ -1921,7 +1921,7 @@ CVE-2023-22901 CVE-2023-22900 RESERVED CVE-2023-22899 (Zip4j through 2.11.2, as used in Threema and other products, does not ...) - - zip4j + - zip4j (bug #1029038) NOTE: https://github.com/srikanth-lingala/zip4j/issues/485 NOTE: https://github.com/srikanth-lingala/zip4j/commit/597b31afb473a40e8252de5b5def1876bab198d3 CVE-2023-22898 (workers/extractor.py in Pandora (aka pandora-analysis/pandora) 1.3.0 a ...) @@ -3089,7 +3089,7 @@ CVE-2014-125039 (A vulnerability, which was classified as problematic, has been CVE-2010-10003 (A vulnerability classified as critical was found in gesellix titlelink ...) NOT-FOR-US: gesellix titlelink CVE-2023-22602 (When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, ...) - - shiro + - shiro (bug #1029039) NOTE: https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl CVE-2023-22601 (InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRo ...) NOT-FOR-US: InHand Networks InRouter View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac7419ed4bb4787d26f560c38157f839cde2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac7419ed4bb4787d26f560c38157f839cde2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ffc3664 by Moritz Muehlenhoff at 2023-01-03T17:45:50+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17898,7 +17898,7 @@ CVE-2022-43605 CVE-2022-43604 RESERVED CVE-2022-43603 (A denial of service vulnerability exists in the ZfileOutput::close() f ...) - - openimageio + - openimageio (bug #1027808) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1657 CVE-2022-43602 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - openimageio (bug #1027143) @@ -21078,7 +21078,7 @@ CVE-2022-42470 CVE-2022-42469 RESERVED CVE-2022-41999 (A denial of service vulnerability exists in the DDS native tile readin ...) - - openimageio + - openimageio (bug #1027808) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1635 CVE-2022-41991 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffc3664f71d3a7969a6b8d99c40e3219ac50f34 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffc3664f71d3a7969a6b8d99c40e3219ac50f34 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 33ddb128 by Moritz Mühlenhoff at 2022-12-29T00:08:42+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17953,15 +17953,15 @@ CVE-2022-43253 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow - libde265 (bug #1025816) NOTE: https://github.com/strukturag/libde265/issues/348 CVE-2022-43252 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/347 CVE-2022-43251 RESERVED CVE-2022-43250 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/346 CVE-2022-43249 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/345 CVE-2022-43248 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - libde265 (bug #1025816) @@ -17971,37 +17971,37 @@ CVE-2022-43247 CVE-2022-43246 RESERVED CVE-2022-43245 (Libde265 v1.0.8 was discovered to contain a segmentation violation via ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/352 CVE-2022-43244 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/342 CVE-2022-43243 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - libde265 (bug #1025816) NOTE: https://github.com/strukturag/libde265/issues/339 CVE-2022-43242 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/340 CVE-2022-43241 (Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/338 CVE-2022-43240 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/335 CVE-2022-43239 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/341 CVE-2022-43238 (Libde265 v1.0.8 was discovered to contain an unknown crash via ff_hevc ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/338 CVE-2022-43237 (Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vuln ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/344 CVE-2022-43236 (Libde265 v1.0.8 was discovered to contain a stack-buffer-overflow vuln ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/343 CVE-2022-43235 (Libde265 v1.0.8 was discovered to contain a heap-buffer-overflow vulne ...) - - libde265 + - libde265 (bug #1027179) NOTE: https://github.com/strukturag/libde265/issues/337 CVE-2022-43234 (An arbitrary file upload vulnerability in the /attachments component o ...) NOT-FOR-US: Hoosk CMS @@ -21604,7 +21604,7 @@ CVE-2022-41916 (Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. V NOTE: https://github.com/heimdal/heimdal/security/advisories/GHSA-mgqr-gvh6-23cx NOTE: https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c (heimdal-7.7.1) CVE-2022-41915 (Netty project is an event-driven asynchronous network application fram ...) - - netty + - netty (bug #1027180) NOTE: https://github.com/netty/netty/security/advisories/GHSA-hh82-3pmq-7frp CVE-2022-41914 (Zulip is an open-source team collaboration tool. For organizations wit ...) NOT-FOR-US: Zulip @@ -21680,7 +21680,7 @@ CVE-2022-41882 (The Nextcloud Desktop Client is a tool to synchronize files from NOTE: https://github.com/nextcloud/server/pull/34559 TODO: check details, is owncloud-client similarly affected? CVE-2022-41881 (Netty project is an event-driven asynchronous network application fram ...) - - netty + - netty (bug #1027180) NOTE: https://github.com/netty/netty/security/advisories/GHSA-fx2c-96vj-985v CVE-2022-41880 (TensorFlow
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bb3db33c by Moritz Mühlenhoff at 2022-12-28T19:57:37+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8830,8 +8830,9 @@ CVE-2022-45463 CVE-2022-4056 RESERVED CVE-2022-4055 (When xdg-mail is configured to use thunderbird for mailto URLs, improp ...) - - xdg-utils + - xdg-utils (bug #1027160) NOTE: https://gitlab.freedesktop.org/xdg/xdg-utils/-/issues/205#note_1494267 + NOTE: https://gitlab.freedesktop.org/xdg/xdg-utils/-/merge_requests/58 CVE-2022-4054 RESERVED - gitlab @@ -24525,7 +24526,7 @@ CVE-2022-40718 CVE-2022-40717 RESERVED CVE-2022-40716 (HashiCorp Consul and Consul Enterprise up to 1.11.8, 1.12.4, and 1.13. ...) - - consul + - consul (bug #1027161) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628 CVE-2022-40715 (An issue was discovered in NOKIA 1350OMS R14.2. An Absolute Path Trave ...) NOT-FOR-US: NOKIA @@ -66079,7 +66080,7 @@ CVE-2022-24441 (The package snyk before 1.1064.0 are vulnerable to Code Injectio CVE-2022-24440 (The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1 ...) NOT-FOR-US: cocoapods-downloader CVE-2022-24439 (All versions of package gitpython are vulnerable to Remote Code Execut ...) - - python-git + - python-git (bug #1027163) [bullseye] - python-git (Minor issue) [buster] - python-git (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb3db33cd98415b3aa4723798a8c4bea4bb0acc6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb3db33cd98415b3aa4723798a8c4bea4bb0acc6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 96f9432b by Moritz Mühlenhoff at 2022-12-28T19:11:18+01:00 bugnums record protobuf fix in sid mark png report as non issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11178,7 +11178,7 @@ CVE-2022-3858 (The Floating Chat Widget: Contact Chat Icons, Telegram Chat, Line NOT-FOR-US: WordPress plugin CVE-2022-3857 [Null pointer dereference leads to segmentation fault] RESERVED - - libpng1.6 + NOTE: Unreproducible libpng issue NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2142600 NOTE: https://sourceforge.net/p/libpng/bugs/300/ CVE-2022-3856 (The Comic Book Management System WordPress plugin before 2.2.0 does no ...) @@ -12287,11 +12287,10 @@ CVE-2022-3855 RESERVED CVE-2022-3854 [possible DoS issue in ceph URL processing on RGW backends] RESERVED - - ceph + - ceph (bug #1027151) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2139925 NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1205025 NOTE: https://tracker.ceph.com/issues/55765 - TODO: check details, none provided in RHBZ#2139925, SuSE contains excerpt from the closed bugzilla entry CVE-2022-44664 RESERVED CVE-2022-44663 @@ -18754,7 +18753,8 @@ CVE-2022-3512 (Using warp-cli command "add-trusted-ssid", a user was able to dis CVE-2022-3511 (The Awesome Support WordPress plugin before 6.1.2 does not ensure that ...) NOT-FOR-US: WordPress plugin CVE-2022-3510 (A parsing issue similar to CVE-2022-3171, but with Message-Type Extens ...) - - protobuf + [experimental] - protobuf 3.21.7-1 + - protobuf 3.21.9-3 [bullseye] - protobuf (Minor issue) NOTE: https://github.com/protocolbuffers/protobuf/commit/db7c17803320525722f45c1d26fc08bc41d1bf48 CVE-2022-3509 (A parsing issue similar to CVE-2022-3171, but with textformat in proto ...) @@ -23100,7 +23100,7 @@ CVE-2022-3278 (NULL Pointer Dereference in GitHub repository vim/vim prior to 9. NOTE: Crash in CLI toool, no security impact CVE-2022-3277 [unrestricted creation of security groups] RESERVED - - neutron + - neutron (bug #1027150) [bullseye] - neutron (Minor issue) [buster] - neutron (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2129193 @@ -23110,7 +23110,7 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisonin NOTE: https://github.com/hapijs/hoek/issues/352 NOTE: Fixed by: https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90 (v9.0.3) CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prior to ...) - - puppet-module-puppetlabs-mysql + - puppet-module-puppetlabs-mysql (bug #1027154) NOTE: https://puppet.com/security/cve/CVE-2022-3276 NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d (v13.0.0) NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/18813a151f150a374a52141db520ed2a8d38b071 (v13.0.0) @@ -73938,17 +73938,17 @@ CVE-2022-23522 CVE-2022-23521 RESERVED CVE-2022-23520 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer + - ruby-rails-html-sanitizer (bug #1027153) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8 CVE-2022-23519 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer + - ruby-rails-html-sanitizer (bug #1027153) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h CVE-2022-23518 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer + - ruby-rails-html-sanitizer (bug #1027153) NOTE: https://github.com/rails/rails-html-sanitizer/issues/135 NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer + - ruby-rails-html-sanitizer (bug #1027153) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w NOTE: https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 CVE-2022-23516 (Loofah is a general library for manipulating and transforming HTML/XML ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96f9432b2b4e296632acc4545d33539e6c3f4ca4 -- View it on GitLab:
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 14999e71 by Moritz Mühlenhoff at 2022-12-28T18:31:05+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7705,7 +7705,7 @@ CVE-2022-4143 CVE-2022-4142 RESERVED CVE-2022-4141 (Heap based buffer overflow in vim/vim 9.0.0946 and below by allowing a ...) - - vim + - vim (bug #1027146) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/20ece512-c600-45ac-8a84-d0931e05541f @@ -21286,10 +21286,10 @@ CVE-2022-41639 (A heap based buffer overflow vulnerability exists in tile decodi - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1633 CVE-2022-38143 (A heap out-of-bounds write vulnerability exists in the way OpenImageIO ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630 CVE-2022-36354 (A heap out-of-bounds read vulnerability exists in the RLA format parse ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1629 CVE-2022-3388 (An input validation vulnerability exists in the Monitor Pro interface ...) NOT-FOR-US: MicroSCADA View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14999e71ef8443cdc4d7a9ec16884dd51dca2dfc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14999e71ef8443cdc4d7a9ec16884dd51dca2dfc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b62a408 by Moritz Mühlenhoff at 2022-12-28T17:41:58+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4631,7 +4631,7 @@ CVE-2022-4399 (A vulnerability was found in TicklishHoneyBee nodau. It has been NOTE: https://github.com/TicklishHoneyBee/nodau/pull/26 NOTE: Negligible security impact CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository radareorg/radare2 ...) - - radare2 + - radare2 (bug #1027144) NOTE: https://huntr.dev/bounties/c6f8d3ef-5420-4eba-9a5f-aba5e2b5fea2 NOTE: https://github.com/radareorg/radare2/commit/b53a1583d05c3a5bfe5fa60da133fe59dfbb02b8 CVE-2022-4397 (A vulnerability was found in morontt zend-blog-number-2. It has been c ...) @@ -7046,7 +7046,7 @@ CVE-2022-46177 CVE-2022-46176 RESERVED CVE-2022-46175 (JSON5 is an extension to the popular JSON file format that aims to be ...) - - node-json5 + - node-json5 (bug #1027145) [bullseye] - node-json5 (Minor issue) NOTE: https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h NOTE: https://github.com/json5/json5/issues/199 @@ -16799,37 +16799,37 @@ CVE-2022-43604 CVE-2022-43603 (A denial of service vulnerability exists in the ZfileOutput::close() f ...) TODO: check CVE-2022-43602 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 CVE-2022-43601 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 CVE-2022-43600 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 CVE-2022-43599 (Multiple code execution vulnerabilities exist in the IFFOutput::close( ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1656 CVE-2022-43598 (Multiple memory corruption vulnerabilities exist in the IFFOutput alig ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655 CVE-2022-43597 (Multiple memory corruption vulnerabilities exist in the IFFOutput alig ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1655 CVE-2022-43596 (An information disclosure vulnerability exists in the IFFOutput channe ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1654 CVE-2022-43595 (Multiple denial of service vulnerabilities exist in the image output c ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653 CVE-2022-43594 (Multiple denial of service vulnerabilities exist in the image output c ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1653 CVE-2022-43593 (A denial of service vulnerability exists in the DPXOutput::close() fun ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1652 CVE-2022-43592 (An information disclosure vulnerability exists in the DPXOutput::close ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1651 CVE-2022-43591 RESERVED @@ -19975,14 +19975,14 @@ CVE-2022-41999 (A denial of service vulnerability exists in the DDS native tile CVE-2022-41991 RESERVED CVE-2022-41988 (An information disclosure vulnerability exists in the OpenImageIO::dec ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1643 NOTE: https://github.com/OpenImageIO/oiio/commit/e9103925bb2aeed36b01b3805f36959f5d1a2e18#diff-8496b368a265f99b41e3c06bf99a5ea82d4f40fff1919ee79caa26ae033b3a06R118 CVE-2022-41838 (A code execution vulnerability exists in the DDS scanline parsing func ...) - - openimageio + - openimageio (bug #1027143) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1634 CVE-2022-41837 (An out-of-bounds write
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5aba3687 by Moritz Muehlenhoff at 2022-12-13T20:12:59+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -979,7 +979,7 @@ CVE-2022-4417 CVE-2021-4244 (A vulnerability classified as problematic has been found in yikes-inc- ...) NOT-FOR-US: yikes-inc-easy-mailchimp-extender CVE-2021-4243 (A vulnerability was found in claviska jquery-minicolors up to 2.3.5. I ...) - - jquery-minicolors + - jquery-minicolors (bug #1026050) [bullseye] - jquery-minicolors (Minor issue) NOTE: https://github.com/claviska/jquery-minicolors/releases/tag/2.3.6 NOTE: https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f3 @@ -1043,7 +1043,7 @@ CVE-2022-4398 (Integer Overflow or Wraparound in GitHub repository radareorg/rad CVE-2022-4397 (A vulnerability was found in morontt zend-blog-number-2. It has been c ...) NOT-FOR-US: morontt zend-blog-number-2 CVE-2022-4396 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in RDFlib py ...) - - python-pyrdfa + - python-pyrdfa (bug #1026051) NOTE: https://github.com/RDFLib/pyrdfa3/commit/ffd1d62dd50d5f4190013b39cedcdfbd81f3ce3e NOTE: https://github.com/RDFLib/pyrdfa3/pull/40 CVE-2022-46906 (Insufficient processing of user input in WebSoft HCM 2021.2.3.327 allo ...) @@ -8721,7 +8721,7 @@ CVE-2022-44638 (In libpixman in Pixman before 0.42.2, there is an out-of-bounds NOTE: https://gitlab.freedesktop.org/pixman/pixman/-/issues/63 NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2345 CVE-2022-44637 (Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in i ...) - - redmine + - redmine (bug #1026048) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories CVE-2022-44636 RESERVED @@ -10244,10 +10244,10 @@ CVE-2022-44032 (An issue was discovered in the Linux kernel through 6.0.6. drive NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919040701.GA302806@ubuntu/ CVE-2022-44031 (Redmine before 4.2.9 and 5.0.x before 5.0.4 allows persistent XSS in i ...) - - redmine + - redmine (bug #1026048) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories CVE-2022-44030 (Redmine 5.x before 5.0.4 allows downloading of file attachments of any ...) - - redmine + - redmine (bug #1026048) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories NOTE: https://github.com/redmine/redmine/commit/c02e3bfaec5fb45bd02d840b2306a875cc4f7f88 NOTE: https://github.com/redmine/redmine/commit/eea816ae0825a3d794e650d11a3909ace772152b View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5aba3687a4dff6f3c855f8e5b5819f79a8261dbf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5aba3687a4dff6f3c855f8e5b5819f79a8261dbf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 686231bf by Moritz Muehlenhoff at 2022-11-13T20:46:36+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2022-45190 CVE-2022-45189 RESERVED CVE-2022-45188 (Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow ...) - - netatalk + - netatalk (bug #1024021) NOTE: https://rushbnt.github.io/bug%20analysis/netatalk-0day/ CVE-2022-45187 RESERVED @@ -519,7 +519,7 @@ CVE-2022-3874 CVE-2022-3873 (Cross-site Scripting (XSS) - DOM in GitHub repository jgraph/drawio pr ...) NOT-FOR-US: jgraph/drawio CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of QEMU. ...) - - qemu + - qemu (bug #1024022) [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue, DoS, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567 @@ -1026,11 +1026,11 @@ CVE-2022-44795 (An issue was discovered in Object First 1.0.7.712. A flaw was fo CVE-2022-44794 (An issue was discovered in Object First 1.0.7.712. Management protocol ...) NOT-FOR-US: Object First CVE-2022-44793 (handle_ipv6IpForwarding in agent/mibgroup/ip-mib/ip_scalars.c in Net-S ...) - - net-snmp + - net-snmp (bug #1024020) NOTE: https://github.com/net-snmp/net-snmp/issues/475 NOTE: https://gist.github.com/menglong2234/d07a65b5028145c9f4e1d1db8c4c202f CVE-2022-44792 (handle_ipDefaultTTL in agent/mibgroup/ip-mib/ip_scalars.c in Net-SNMP ...) - - net-snmp + - net-snmp (bug #1024020) NOTE: https://github.com/net-snmp/net-snmp/issues/474 NOTE: https://gist.github.com/menglong2234/b7bc13ae1a144f47cc3c95a7ea062428 CVE-2022-44791 @@ -8592,13 +8592,13 @@ CVE-2022-42968 (Gitea before 1.17.3 does not sanitize and escape refs in the git CVE-2022-42967 RESERVED CVE-2022-42966 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - - python-cleo + - python-cleo (bug #1024018) NOTE: https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/ NOTE: Doesn't seem to be reported upstream so far CVE-2022-42965 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) NOT-FOR-US: snowflake-connector-python CVE-2022-42964 (An exponential ReDoS (Regular Expression Denial of Service) can be tri ...) - - pymatgen + - pymatgen (bug #1024017) NOTE: https://research.jfrog.com/vulnerabilities/pymatgen-redos-xray-257184/ NOTE: Doesn't seem to be reported upstream so far CVE-2022-3520 @@ -17291,11 +17291,11 @@ CVE-2022-39412 (Vulnerability in the Oracle Access Manager product of Oracle Fus CVE-2022-39411 (Vulnerability in the Oracle Transportation Management product of Oracl ...) NOT-FOR-US: Oracle CVE-2022-39410 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1024016) CVE-2022-39409 (Vulnerability in the Oracle Transportation Management product of Oracl ...) NOT-FOR-US: Oracle CVE-2022-39408 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1024016) CVE-2022-39407 (Vulnerability in the PeopleSoft Enterprise PeopleTools product of Orac ...) NOT-FOR-US: Oracle CVE-2022-39406 (Vulnerability in the PeopleSoft Enterprise Common Components product o ...) @@ -17305,14 +17305,13 @@ CVE-2022-39405 (Vulnerability in the Oracle Access Manager product of Oracle Fus CVE-2022-39404 (Vulnerability in the MySQL Installer product of Oracle MySQL (componen ...) NOT-FOR-US: Oracle CVE-2022-39403 (Vulnerability in the MySQL Shell product of Oracle MySQL (component: S ...) - - mysql-8.0 - TODO: check, component "MySQL Shell", unclear if in src:mysql-8.0 + NOT-FOR-US: Oracle (MySQL Shell) CVE-2022-39402 (Vulnerability in the MySQL Shell product of Oracle MySQL (component: S ...) - - mysql-8.0 + - mysql-8.0 (bug #1024016) CVE-2022-39401 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2022-39400 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1024016) CVE-2022-39399 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) - openjdk-11 11.0.17+8-1 [bullseye] - openjdk-11 (Minor issue, fix along with next CPU) @@ -76239,13 +76238,13 @@ CVE-2021-3962 (A flaw was found in ImageMagick where it did not properly sanitiz CVE-2022-21641 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...)
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fcd0fc3e by Moritz Muehlenhoff at 2022-10-24T00:24:19+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -534,11 +534,11 @@ CVE-2022-3629 (A vulnerability was found in Linux Kernel. It has been declared a CVE-2022-3628 RESERVED CVE-2022-3627 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif ...) - - tiff + - tiff (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/411 CVE-2022-3626 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in libtiff/tif ...) - - tiff + - tiff (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/426 CVE-2022-3625 (A vulnerability was found in Linux Kernel. It has been classified as c ...) @@ -559,7 +559,7 @@ CVE-2022-3621 (A vulnerability was found in Linux Kernel. It has been classified [bullseye] - linux 5.10.148-1 NOTE: https://git.kernel.org/linus/21a87d88c2253350e115029f14fe2a10a7e6c856 (6.1-rc1) CVE-2022-3620 (A vulnerability was found in Exim and classified as problematic. This ...) - - exim4 + - exim4 (bug #1022556) [bullseye] - exim4 (Vulnerable code not present) [buster] - exim4 (Vulnerable code not present) NOTE: Introduced by: https://git.exim.org/exim.git/commit/92583637b25b6bde926f9ca6be7b085e5ac8b1e6 (exim-4.95-RC0) @@ -610,15 +610,15 @@ CVE-2022-3601 CVE-2022-3600 RESERVED CVE-2022-3599 (LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in tools ...) - - tiff + - tiff (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/398 CVE-2022-3598 (LibTIFF 4.4.0 has an out-of-bounds write in extractContigSamplesShifte ...) - - tiff + - tiff (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff NOTE: https://gitlab.com/libtiff/libtiff/-/issues/435 CVE-2022-3597 (LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in libtiff/tif ...) - - tiff + - tiff (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/413 CVE-2021-46846 @@ -811,7 +811,7 @@ CVE-2022-3572 CVE-2022-3571 RESERVED CVE-2022-3570 (Multiple heap buffer overflows in tiffcrop.c utility in libtiff librar ...) - - tiff + - tiff (bug #1022555) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094c NOTE: https://gitlab.com/libtiff/libtiff/-/issues/381 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/386 @@ -1663,7 +1663,7 @@ CVE-2022-3555 (A vulnerability was found in X.org libX11 and classified as probl [buster] - libx11 (Minor issue) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/commit/8a368d808fec166b5fb3dfe6312aab22c7ee20af (libX11-1.7.4) CVE-2022-3554 (A vulnerability has been found in X.org libX11 and classified as probl ...) - - libx11 + - libx11 (bug #1022560) [bullseye] - libx11 (Minor issue) [buster] - libx11 (Minor issue) NOTE: https://gitlab.freedesktop.org/xorg/lib/libx11/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef @@ -49205,7 +49205,7 @@ CVE-2022-0701 (The SEO 301 Meta WordPress plugin through 1.9.1 does not escape i CVE-2022-0700 (The Simple Tracking WordPress plugin before 1.7 does not sanitise and ...) NOT-FOR-US: WordPress plugin CVE-2022-0699 (A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0 ...) - - shapelib + - shapelib (bug #1022557) NOTE: https://github.com/OSGeo/shapelib/commit/c75b9281a5b9452d92e1682bdfe6019a13ed819f NOTE: https://github.com/OSGeo/shapelib/issues/39 CVE-2022-25597 (ASUS RT-AC86Us LPD service has insufficient filtering for speci ...) @@ -77011,6 +77011,7 @@ CVE-2021-3863 (snipe-it is vulnerable to Improper Neutralization of Input During - snipe-it (bug #1005172) CVE-2021-42010 RESERVED + NOT-FOR-US: Apache Heron CVE-2021-42009 (An authenticated Apache Traffic Control Traffic Ops user with Portal-l ...) NOT-FOR-US: Apache Traffic Control CVE-2021-3862 (icecoder is vulnerable to Improper Neutralization of Input During Web ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcd0fc3e8bd3599153a25565cd6c8917a55a4775
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: df892199 by Moritz Muehlenhoff at 2022-10-14T20:50:56+02:00 bugnums additional reference for latest lnux/wifi issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72,7 +72,7 @@ CVE-2022-3480 RESERVED CVE-2022-3479 RESERVED - - nss + - nss (bug #1021786) NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1774654 CVE-2022-42907 RESERVED @@ -149,7 +149,7 @@ CVE-2022-3463 CVE-2022-3462 RESERVED CVE-2022-42889 (Apache Commons Text performs variable interpolation, allowing properti ...) - - commons-text + - commons-text (bug #1021787) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/4 CVE-2022-42878 RESERVED @@ -554,21 +554,25 @@ CVE-2022-42722 (In the Linux kernel 5.8 through 5.19.14, local attackers able to [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/2 NOTE: https://lore.kernel.org/netdev/20221013100522.46346-1-johan...@sipsolutions.net/T/#u + NOTE: https://github.com/PurpleVsGreen/beacown CVE-2022-42721 (A list management bug in BSS handling in the mac80211 stack in the Lin ...) - linux [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/2 NOTE: https://lore.kernel.org/netdev/20221013100522.46346-1-johan...@sipsolutions.net/T/#u + NOTE: https://github.com/PurpleVsGreen/beacown CVE-2022-42720 (Various refcounting bugs in the multi-BSS handling in the mac80211 sta ...) - linux [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/2 NOTE: https://lore.kernel.org/netdev/20221013100522.46346-1-johan...@sipsolutions.net/T/#u + NOTE: https://github.com/PurpleVsGreen/beacown CVE-2022-42719 (A use-after-free in the mac80211 stack when parsing a multi-BSSID elem ...) - linux [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/2 NOTE: https://lore.kernel.org/netdev/20221013100522.46346-1-johan...@sipsolutions.net/T/#u + NOTE: https://github.com/PurpleVsGreen/beacown CVE-2022-42718 RESERVED CVE-2022-42717 (An issue was discovered in Hashicorp Packer before 2.3.1. The recommen ...) @@ -2901,6 +2905,7 @@ CVE-2022-41674 (An issue was discovered in the Linux kernel through 5.19.11. Att [buster] - linux (Vulnerable code not present) NOTE: https://www.openwall.com/lists/oss-security/2022/10/13/2 NOTE: https://lore.kernel.org/netdev/20221013100522.46346-1-johan...@sipsolutions.net/T/#u + NOTE: https://github.com/PurpleVsGreen/beacown CVE-2022-41673 RESERVED CVE-2022-41672 (In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn' ...) @@ -27855,7 +27860,7 @@ CVE-2022-32150 RESERVED CVE-2022-32149 RESERVED - - golang-golang-x-text + - golang-golang-x-text (bug #1021785) NOTE: https://groups.google.com/g/golang-dev/c/qfPIly0X7aU. NOTE: https://go.dev/issue/56152. NOTE: https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df892199f31089c57a9c97de3115264eb64b2fe1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df892199f31089c57a9c97de3115264eb64b2fe1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6cebc00a by Moritz Muehlenhoff at 2022-10-13T21:22:40+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2022-42904 CVE-2022-42903 RESERVED CVE-2022-42902 (In Linaro Automated Validation Architecture (LAVA) before 2022.10, the ...) - - lava + - lava (bug #1021737) NOTE: https://git.lavasoftware.org/lava/lava/-/merge_requests/1834 NOTE: https://git.lavasoftware.org/lava/lava/-/commit/e66b74cd6c175ff8826b8f3431740963be228b52?merge_request_iid=1834 CVE-2022-42901 (Bentley MicroStation and MicroStation-based applications may be affect ...) @@ -6337,7 +6337,7 @@ CVE-2022-3169 (A flaw was found in the Linux kernel. A denial of service flaw ma CVE-2022-3168 RESERVED CVE-2019-25076 (The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.1 ...) - - openvswitch + - openvswitch (bug #1021740) [bullseye] - openvswitch (Minor issue) NOTE: https://arxiv.org/abs/2011.09107 NOTE: https://sites.google.com/view/tuple-space-explosion @@ -49214,7 +49214,7 @@ CVE-2022-24841 (fleetdm/fleet is an open source device management, built on osqu CVE-2022-24840 (django-s3file is a lightweight file upload input for Django and Amazon ...) NOT-FOR-US: django-s3file CVE-2022-24839 (org.cyberneko.html is an html parser written in Java. The fork of `org ...) - - nekohtml + - nekohtml (bug #1021739) [bullseye] - nekohtml (Minor issue) [buster] - nekohtml (Minor issue) [stretch] - nekohtml (Minor issue) @@ -78270,11 +78270,11 @@ CVE-2021-40650 (In Connx Version 6.2.0.1269 (20210623), a cookie can be issued b CVE-2021-40649 (In Connx Version 6.2.0.1269 (20210623), a cookie can be issued by the ...) NOT-FOR-US: Connx CVE-2021-40648 (In man2html 1.6g, a filename can be created to overwrite the previous ...) - - man2html + - man2html (bug #1021738) [bullseye] - man2html (Minor issue) NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 CVE-2021-40647 (In man2html 1.6g, a specific string being read in from a file will ove ...) - - man2html + - man2html (bug #1021738) [bullseye] - man2html (Minor issue) NOTE: https://gist.github.com/untaman/cb58123fe89fc65e3984165db5d40933 CVE-2021-40646 @@ -127080,7 +127080,7 @@ CVE-2020-35857 (An issue was discovered in the trust-dns-server crate before 0.1 CVE-2019-25011 (NetBox through 2.6.2 allows an Authenticated User to conduct an XSS at ...) NOT-FOR-US: NetBox CVE-2019-25010 (An issue was discovered in the failure crate through 2019-11-13 for Ru ...) - - rust-failure + - rust-failure (bug #969839) [bullseye] - rust-failure (Minor issue, unmaintained/deprecated upstream) [buster] - rust-failure (Minor issue, unmaintained/deprecated upstream) NOTE: https://rustsec.org/advisories/RUSTSEC-2019-0036.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cebc00af2c166f45f96b3e760c287cfd45015b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6cebc00af2c166f45f96b3e760c287cfd45015b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b4168a5 by Moritz Muehlenhoff at 2022-10-12T20:07:29+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2782,7 +2782,7 @@ CVE-2022-41609 CVE-2022-41608 RESERVED CVE-2022-41606 (HashiCorp Nomad and Nomad Enterprise 1.0.2 up to 1.2.12, and 1.3.5 job ...) - - nomad + - nomad (bug #1021670) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-22-nomad-panics-on-job-submission-with-bad-artifact-stanza-source-url/45420 CVE-2022-41605 RESERVED @@ -5243,7 +5243,7 @@ CVE-2022-40665 REJECTED CVE-2022-40664 RESERVED - - shiro + - shiro (bug #1021671) NOTE: https://www.openwall.com/lists/oss-security/2022/10/12/1 CVE-2022-40663 (This vulnerability allows remote attackers to execute arbitrary code o ...) NOT-FOR-US: NIKON @@ -23654,15 +23654,15 @@ CVE-2022-33749 (XAPI open file limit DoS It is possible for an unauthenticated c - xen-api NOTE: https://xenbits.xen.org/xsa/advisory-413.html CVE-2022-33748 (lock order inversion in transitive grant copy handling As part of XSA- ...) - - xen + - xen (bug #1021668) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-411.html CVE-2022-33747 (Arm: unbounded memory consumption for 2nd-level page tables Certain ac ...) - - xen + - xen (bug #1021668) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-409.html CVE-2022-33746 (P2M pool freeing may take excessively long The P2M pool backing second ...) - - xen + - xen (bug #1021668) [buster] - xen (DSA 4677-1) NOTE: https://xenbits.xen.org/xsa/advisory-410.html CVE-2022-33745 (insufficient TLB flush for x86 PV guests in shadow mode For migration ...) @@ -51677,7 +51677,7 @@ CVE-2022-24108 (The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a CVE-2022-24107 (Xpdf prior to 4.04 lacked an integer overflow check in JPXStream.cc. ...) - xpdf (Debian uses poppler, which is not affected) CVE-2022-24106 (In Xpdf prior to 4.04, the DCT (JPEG) decoder was incorrectly allowing ...) - - poppler + - poppler (bug #1021669) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1297 CVE-2022-24105 (Adobe Photoshop versions 22.5.6 (and earlier)and 23.2.2 (and earlier) ...) NOT-FOR-US: Adobe View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b4168a58d32667646c6322376378ca304786962 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b4168a58d32667646c6322376378ca304786962 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 54fe6ddb by Moritz Muehlenhoff at 2022-10-02T20:21:20+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3226,7 +3226,7 @@ CVE-2022-3215 (NIOHTTP1 and projects using it for generating HTTP responses can CVE-2022-3214 (Delta Industrial Automation's DIAEnergy, an industrial energy manageme ...) NOT-FOR-US: Delta CVE-2022-3213 (A heap buffer overflow issue was found in ImageMagick. When an applica ...) - - imagemagick + - imagemagick (bug #1021141) [bullseye] - imagemagick (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2126824 NOTE: https://github.com/ImageMagick/ImageMagick/commit/30ccf9a0da1f47161b5935a95be854fe84e6c2a2 @@ -4919,21 +4919,21 @@ CVE-2022-3134 (Use After Free in GitHub repository vim/vim prior to 9.0.0389. .. CVE-2022-39959 RESERVED CVE-2022-39958 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a response bo ...) - - modsecurity-crs + - modsecurity-crs (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ CVE-2022-39957 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a response bo ...) - - modsecurity-crs + - modsecurity-crs (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ CVE-2022-39956 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rul ...) - - modsecurity-crs + - modsecurity-crs (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ NOTE: Depends on changes to be done in src:libmodsecurity3 / src:modsecurity-apache, cf. NOTE: https://bugs.debian.org/1020303 CVE-2022-39955 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rul ...) - - modsecurity-crs + - modsecurity-crs (bug #1021137) [bullseye] - modsecurity-crs (Minor issues; will be fixed in point release) NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/ CVE-2022-39954 @@ -5340,7 +5340,7 @@ CVE-2022-3101 NOT-FOR-US: tripleo-ansible CVE-2022-3100 [access policy bypass via query string injection] RESERVED - - barbican + - barbican (bug #1021139) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2125404 CVE-2022-39798 RESERVED @@ -6444,24 +6444,21 @@ CVE-2022-39253 CVE-2022-39252 (matrix-rust-sdk is an implementation of a Matrix client-server library ...) TODO: check CVE-2022-39251 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. ...) - - node-matrix-js-sdk + - node-matrix-js-sdk (bug #1021136) NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76 NOTE: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients - TODO: check if affecting the nodejs version of matrix-js-sdk CVE-2022-39250 (Matrix JavaScript SDK is the Matrix Client-Server software development ...) - - node-matrix-js-sdk + - node-matrix-js-sdk (bug #1021136) NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-5w8r-8pgj-5jmf NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76 NOTE: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients - TODO: check if affecting the nodejs version of matrix-js-sdk CVE-2022-39249 (Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. ...) - - node-matrix-js-sdk + - node-matrix-js-sdk (bug #1021136) NOTE: https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg NOTE: https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76 NOTE: https://github.com/matrix-org/matrix-spec-proposals/pull/3061 NOTE: https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients - TODO: check if affecting the nodejs version of matrix-js-sdk CVE-2022-39248 (matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1. ...) NOT-FOR-US: Matrix SDK for Android CVE-2022-39247 @@ -6487,11
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0374758e by Moritz Muehlenhoff at 2022-09-30T17:12:05+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3391,7 +3391,7 @@ CVE-2022-40470 CVE-2022-40469 RESERVED CVE-2022-40468 (Tinyproxy commit 84f203f and earlier does not process HTTP request lin ...) - - tinyproxy + - tinyproxy (bug #1021015) [bullseye] - tinyproxy (Minor issue) NOTE: https://github.com/tinyproxy/tinyproxy/issues/457 NOTE: https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7 @@ -3989,7 +3989,7 @@ CVE-2022-3166 RESERVED CVE-2022-3165 [VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion] RESERVED - - qemu + - qemu (bug #1021019) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2129739 @@ -6269,7 +6269,7 @@ CVE-2022-39175 CVE-2022-39174 RESERVED CVE-2022-39173 (In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow ...) - - wolfssl + - wolfssl (bug #1021021) CVE-2022-39172 RESERVED CVE-2022-39171 @@ -7090,7 +7090,7 @@ CVE-2022-38865 (Certain The MPlayer Project products are vulnerable to Divide By NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/33d9295663c37a37216633d7e3f07e7155da6144 (r38386) NOTE: Crash in CLI tool, no security impact CVE-2022-38864 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) - - mplayer + - mplayer (bug #1021013) NOTE: https://trac.mplayerhq.hu/ticket/2406 NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/36546389ef9fb6b0e0540c5c3f212534c34b0e94 (r38391) CVE-2022-38863 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) @@ -7099,12 +7099,12 @@ CVE-2022-38863 (Certain The MPlayer Project products are vulnerable to Buffer Ov NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/b5e745b4bfab2835103a060094fae3c6cc1ba17d (r38393) NOTE: Crash in CLI tool, no security impact CVE-2022-38862 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) - - mplayer + - mplayer (bug #1021013) [bullseye] - mplayer (Minor issue) NOTE: https://trac.mplayerhq.hu/ticket/2400 NOTE: https://trac.mplayerhq.hu/ticket/2404 CVE-2022-38861 (The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory ...) - - mplayer + - mplayer (bug #1021013) NOTE: https://trac.mplayerhq.hu/ticket/2407 NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/2622e7fbe3605a2f3b4f74900197fefeedc0d2e1 (r38402) CVE-2022-38860 (Certain The MPlayer Project products are vulnerable to Divide By Zero ...) @@ -7123,7 +7123,7 @@ CVE-2022-38858 (Certain The MPlayer Project products are vulnerable to Buffer Ov CVE-2022-38857 RESERVED CVE-2022-38856 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) - - mplayer + - mplayer (bug #1021013) NOTE: https://trac.mplayerhq.hu/ticket/2395 TODO: Fixed by other fixes, but not pin pointed upstream, try to isolate revision to fix issue CVE-2022-38855 (Certain The MPlayer Project products are vulnerable to Buffer Overflow ...) @@ -7484,7 +7484,7 @@ CVE-2022-2995 (Incorrect handling of the supplementary groups in the CRI-O conta CVE-2022-2994 RESERVED CVE-2022-38752 (Using snakeYAML to parse untrusted YAML files may be vulnerable to Den ...) - - snakeyaml + - snakeyaml (bug #1021014) [bullseye] - snakeyaml (Minor issue) NOTE: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081 (not public) @@ -8000,7 +8000,7 @@ CVE-2022-38602 CVE-2022-38601 RESERVED CVE-2022-38600 (Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf ...) - - mplayer + - mplayer (bug #1021013) NOTE: https://trac.mplayerhq.hu/ticket/2390#comment:2 NOTE: https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e (r38380) NOTE: Followup: https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8 (r38392) @@ -8156,7 +8156,7 @@ CVE-2022-38529 (tinyexr commit 0647fb3 was discovered to contain a heap-buffer o NOTE: https://github.com/syoyo/tinyexr/issues/169 NOTE: https://github.com/syoyo/tinyexr/commit/82984a37d1dba67000a35b083b26df5e57a2bb72 CVE-2022-38528 (Open Asset Import Library (assimp) commit 3c253ca was discovered to co ...) -
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c450ca7 by Moritz Muehlenhoff at 2022-09-12T22:58:12+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -592,7 +592,7 @@ CVE-2022-40321 CVE-2022-3173 RESERVED CVE-2022-40320 (cfg_tilde_expand in confuse.c in libConfuse 3.3 has a heap-based buffe ...) - - libconfuse + - libconfuse (bug #1019596) [bullseye] - libconfuse (Minor issue) NOTE: https://github.com/libconfuse/libconfuse/issues/163 NOTE: Fixed by: https://github.com/libconfuse/libconfuse/commit/d73777c2c3566fb2647727bb56d9a2295b81669b @@ -1695,12 +1695,12 @@ CVE-2022-39834 CVE-2022-39833 RESERVED CVE-2022-39832 (An issue was discovered in PSPP 1.6.2. There is a heap-based buffer ov ...) - - pspp + - pspp (bug #1019598) [bullseye] - pspp (Minor issue) [buster] - pspp (Minor issue) NOTE: https://savannah.gnu.org/bugs/index.php?63000 CVE-2022-39831 (An issue was discovered in PSPP 1.6.2. There is a heap-based buffer ov ...) - - pspp + - pspp (bug #1019597) [bullseye] - pspp (Minor issue) [buster] - pspp (Minor issue) NOTE: https://savannah.gnu.org/bugs/?62977 @@ -4929,7 +4929,7 @@ CVE-2022-38532 CVE-2022-38531 (FPT G-97RG6M R4.2.98.035 and G-97RG3 R4.2.43.078 are vulnerable to Rem ...) NOT-FOR-US: FPT router CVE-2022-38530 (GPAC v2.1-DEV-rev232-gfcaa01ebb-master was discovered to contain a sta ...) - - gpac + - gpac (bug #1019595) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2216 @@ -5944,7 +5944,7 @@ CVE-2022-38225 CVE-2022-38224 RESERVED CVE-2022-38223 (There is an out-of-bounds write in checkType located in etc.c in w3m 0 ...) - - w3m + - w3m (bug #1019599) [bullseye] - w3m (Minor issue) [buster] - w3m (Minor issue) NOTE: https://github.com/tats/w3m/issues/242 @@ -11177,13 +11177,13 @@ CVE-2022-36193 CVE-2022-36192 RESERVED CVE-2022-36191 (A heap-buffer-overflow had occurred in function gf_isom_dovi_config_ge ...) - - gpac + - gpac (bug #1019595) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2218 NOTE: https://github.com/gpac/gpac/commit/fef6242c69be4f7ba22b32578e4b62648a3d4ed3 CVE-2022-36190 (GPAC mp4box 2.1-DEV-revUNKNOWN-master has a use-after-free vulnerabili ...) - - gpac + - gpac (bug #1019595) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2220 @@ -11196,7 +11196,7 @@ CVE-2022-36188 CVE-2022-36187 RESERVED CVE-2022-36186 (A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNK ...) - - gpac + - gpac (bug #1019595) [bullseye] - gpac (Vulnerable code not present) [buster] - gpac (Vulnerable code not present) NOTE: https://github.com/gpac/gpac/issues/2223 @@ -11291,7 +11291,7 @@ CVE-2022-36145 (SWFMill commit 53d7690 was discovered to contain a segmentation NOTE: https://github.com/djcsdy/swfmill/issues/64 NOTE: Crash in CLI tool, no security impact CVE-2022-36144 (SWFMill commit 53d7690 was discovered to contain a heap-buffer overflo ...) - - swfmill + - swfmill (bug #1019600) [bullseye] - swfmill (Minor issue) [buster] - swfmill (Minor issue) NOTE: https://github.com/djcsdy/swfmill/issues/63 @@ -11312,7 +11312,7 @@ CVE-2022-36140 (SWFMill commit 53d7690 was discovered to contain a segmentation NOTE: https://github.com/djcsdy/swfmill/issues/57 NOTE: Crash in CLI tool, no security impact CVE-2022-36139 (SWFMill commit 53d7690 was discovered to contain a heap-buffer overflo ...) - - swfmill + - swfmill (bug #1019600) [bullseye] - swfmill (Minor issue) [buster] - swfmill (Minor issue) NOTE: https://github.com/djcsdy/swfmill/issues/56 @@ -11425,7 +11425,7 @@ CVE-2022-36111 CVE-2022-36110 (Netmaker makes networks with WireGuard. Prior to version 0.15.1, Impro ...) NOT-FOR-US: Netmaker CVE-2022-36109 (Moby is an open-source project created by Docker to enable software co ...) - - docker.io + - docker.io (bug #1019601) [bullseye] - docker.io (Minor issue) NOTE: https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4 NOTE: https://github.com/moby/moby/commit/de7af816e76a7fd3fbf06bffa6832959289fba32 @@ -12896,191 +12896,191 @@ CVE-2022-35488 (In Zammad 5.2.0, an attacker could manipulate the rate limiting CVE-2022-35487 (Zammad 5.2.0 suffers from Incorrect
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88eeaa02 by Moritz Muehlenhoff at 2022-08-10T22:20:49+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1711,7 +1711,7 @@ CVE-2022-37396 (In JetBrains Rider before 2022.2 Trust and Open Project dialog c CVE-2022-37395 RESERVED CVE-2022-37394 (An issue was discovered in OpenStack Nova before 23.2.2, 24.x before 2 ...) - - nova + - nova (bug #1016980) NOTE: https://bugs.launchpad.net/ossa/+bug/1981813 NOTE: https://review.opendev.org/c/openstack/nova/+/849985 NOTE: https://review.opendev.org/c/openstack/nova/+/850003 @@ -2591,7 +2591,7 @@ CVE-2022-2590 NOTE: https://lore.kernel.org/all/b314c287-5fc2-9f61-53f6-33282a2be...@redhat.com/ NOTE: https://www.openwall.com/lists/oss-security/2022/08/08/1 CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...) - - fava + - fava (bug #1016971) NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/ NOTE: https://github.com/beancount/fava/commit/68bbb6e39319deb35ab9f18d0b6aa9fa70472539 (v1.22.3) CVE-2022-37037 @@ -2599,7 +2599,7 @@ CVE-2022-37037 CVE-2022-37036 RESERVED CVE-2022-37035 (An issue was discovered in bgpd in FRRouting (FRR) 8.3. In bgp_notify_ ...) - - frr + - frr (bug #1016978) NOTE: https://github.com/FRRouting/frr/issues/11698 CVE-2022-37034 RESERVED @@ -4058,7 +4058,7 @@ CVE-2022-34859 CVE-2022-33963 RESERVED CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...) - - fava + - fava (bug #1016971) NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f NOTE: https://github.com/beancount/fava/commit/dccfb6a2f4567f35ce2e9a78e24f92ebf946bc9b (v1.22.2) CVE-2022-36381 @@ -4195,7 +4195,7 @@ CVE-2022-33142 CVE-2022-2515 RESERVED CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are vulnerable t ...) - - fava + - fava (bug #1016971) NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429 NOTE: https://github.com/beancount/fava/commit/ca9e3882c7b5fbf5273ba52340b9fea6a99f3711 (v1.22) CVE-2022-2513 @@ -7639,9 +7639,8 @@ CVE-2022-34945 (Pharmacy Management System v1.0 was discovered to contain a SQL CVE-2022-34944 RESERVED CVE-2022-34943 (Laravel v5.1 was discovered to contain a remote code execution (RCE) v ...) - - php-laravel-framework + - php-laravel-framework (bug #1016977) NOTE: https://github.com/beicheng-maker/vulns/issues/1 - TODO: check, unclear if upstream reported CVE-2022-34942 RESERVED CVE-2022-34941 @@ -8869,7 +8868,7 @@ CVE-2022-34522 CVE-2022-34521 RESERVED CVE-2022-34520 (Radare2 v5.7.2 was discovered to contain a NULL pointer dereference vi ...) - - radare2 + - radare2 (bug #1016979) NOTE: https://github.com/radareorg/radare2/issues/20354 NOTE: https://github.com/radareorg/radare2/commit/fc285cecb8469f0262db0170bf6dd7c01d9b8ed5 (5.7.4) CVE-2022-34519 @@ -8910,7 +8909,7 @@ CVE-2022-34503 (QPDF v8.4.2 was discovered to contain a heap buffer overflow via NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1201830#c5 NOTE: Negligible security impact CVE-2022-34502 (Radare2 v5.7.0 was discovered to contain a heap buffer overflow via th ...) - - radare2 + - radare2 (bug #1016979) NOTE: https://github.com/radareorg/radare2/issues/20336 NOTE: https://github.com/radareorg/radare2/commit/b4ca66f5d4363d68a6379e5706353b3bde5104a4 (5.7.2) CVE-2022-34501 (The bin-collection package in PyPI before v0.1 included a code executi ...) @@ -9552,7 +9551,7 @@ CVE-2022-34295 (totd before 1.5.3 does not properly randomize mesg IDs. ...) CVE-2022-34294 RESERVED CVE-2022-34293 (wolfSSL before 5.4.0 allows remote attackers to cause a denial of serv ...) - - wolfssl + - wolfssl (bug #1016981) NOTE: http://www.openwall.com/lists/oss-security/2022/08/08/6 CVE-2022-34292 RESERVED @@ -14455,12 +14454,12 @@ CVE-2022-32295 (On Ampere Altra and AltraMax devices before SRP 1.09, the Altra CVE-2022-32294 (Zimbra Collaboration Open Source 8.8.15 does not encrypt the initial-l ...) NOT-FOR-US: Zimbra CVE-2022-32293 (In ConnMan through 1.41, a man-in-the-middle attack against a WISPR HT ...) - - connman + - connman (bug #1016976) NOTE: https://lore.kernel.org/connman/20220801080043.4861-1-w...@monom.org/ NOTE: https://lore.kernel.org/connman/20220801080043.4861-3-w...@monom.org/ NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1200190 CVE-2022-32292 (In ConnMan through 1.41,
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: af34593a by Moritz Muehlenhoff at 2022-07-31T21:42:55+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11179,7 +11179,7 @@ CVE-2017-20051 (A vulnerability was found in InnoSetup Installer. It has been de CVE-2022-32548 RESERVED CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'double', ...) - - imagemagick + - imagemagick (bug #1016442) [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) @@ -11189,7 +11189,7 @@ CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'do NOTE: https://github.com/ImageMagick/ImageMagick/commit/eac8ce4d873f28bb6a46aa3a662fb196b49b95d0 (7.1.0-30) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b (6.9.12-45) CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the range ...) - - imagemagick + - imagemagick (bug #1016442) [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) @@ -11199,7 +11199,7 @@ CVE-2022-32546 (A vulnerability was found in ImageMagick, causing an outside the NOTE: https://github.com/ImageMagick/ImageMagick/commit/f221ea0fa3171f0f4fdf74ac9d81b203b9534c23 (7.1.0-29) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/29c8abce0da56b536542f76a9ddfebdaab5b2943 (6.9.12-44) CVE-2022-32545 (A vulnerability was found in ImageMagick, causing an outside the range ...) - - imagemagick + - imagemagick (bug #1016442) [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Minor issue) [stretch] - imagemagick (Minor issue) @@ -12483,7 +12483,7 @@ CVE-2022-1951 (The core plugin for kitestudio WordPress plugin before 2.3.1 does CVE-2022-1950 RESERVED CVE-2022-1949 (An access control bypass vulnerability found in 389-ds-base. That mish ...) - - 389-ds-base + - 389-ds-base (bug #1016446) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2091781 NOTE: https://github.com/389ds/389-ds-base/issues/5170 CVE-2022-32135 @@ -15645,7 +15645,7 @@ CVE-2022-1796 (Use After Free in GitHub repository vim/vim prior to 8.2.4979. .. NOTE: https://github.com/vim/vim/commit/28d032cc688ccfda18c5bbcab8b50aba6e18cde5 (v8.2.4979) NOTE: Crash in CLI tool, no security impact CVE-2022-1795 (Use After Free in GitHub repository gpac/gpac prior to v2.1.0-DEV. ...) - - gpac + - gpac (bug #1016443) [stretch] - gpac (No longer supported in LTS) NOTE: https://huntr.dev/bounties/9c312763-41a6-4fc7-827b-269eb86efcbc NOTE: https://github.com/gpac/gpac/commit/c535bad50d5812d27ee5b22b54371bddec411514 @@ -15703,7 +15703,7 @@ CVE-2022-1777 (The Filr WordPress plugin before 1.2.2.1 does not have authorisat CVE-2022-1776 (The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress p ...) NOT-FOR-US: WordPress plugin CVE-2022-30976 (GPAC 2.0.0 misuses a certain Unicode utf8_wcslen (renamed gf_utf8_wcsl ...) - - gpac + - gpac (bug #1016443) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2179 NOTE: https://github.com/gpac/gpac/commit/915e2cba715f36b7cc29e2117831ca143d78 @@ -19921,7 +19921,7 @@ CVE-2022-29594 (eG Agent before 7.2 has weak file permissions that enable escala CVE-2022-29593 (relay_cgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1. ...) NOT-FOR-US: Dingtian CVE-2022-1441 (MP4Box is a component of GPAC-2.0.0, which is a widely-used third-part ...) - - gpac + - gpac (bug #1016443) [stretch] - gpac (No longer supported in LTS) NOTE: https://github.com/gpac/gpac/issues/2175 NOTE: https://github.com/gpac/gpac/commit/3dbe11b37d65c8472faf0654410068e5500b3adb @@ -20112,7 +20112,7 @@ CVE-2022-29539 (resi-calltrace in RESI Gemini-Net 4.2 is affected by OS Command CVE-2022-29538 (RESI Gemini-Net Web 4.2 is affected by Improper Access Control in auth ...) NOT-FOR-US: RESI Gemini-Net CVE-2022-29537 (gp_rtp_builder_do_hevc in ietf/rtp_pck_mpeg4.c in GPAC 2.0.0 has a hea ...) - - gpac + - gpac (bug #1016443) [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) [stretch] - gpac (No longer supported in LTS) @@ -20649,14 +20649,14 @@ CVE-2022-29342 CVE-2022-29341 RESERVED CVE-2022-29340 (GPAC 2.1-DEV-rev87-g053aae8-master. has a Null Pointer Dereference vul ...) - - gpac + - gpac (bug #1016443) [bullseye] - gpac
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ceb9248 by Moritz Mühlenhoff at 2022-07-30T00:15:51+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6058,7 +6058,7 @@ CVE-2022-34570 (WAVLINK WN579 X3 M79X3.V5030.191012/M79X3.V5030.191012 contains CVE-2022-34569 RESERVED CVE-2022-34568 (SDL v1.2 was discovered to contain a use-after-free via the XFree func ...) - - libsdl1.2 + - libsdl1.2 (bug #10163512) [bullseye] - libsdl1.2 (Minor issue) [buster] - libsdl1.2 (Minor issue) NOTE: https://github.com/libsdl-org/SDL-1.2/issues/863 @@ -16913,7 +16913,7 @@ CVE-2022-30552 (Das U-Boot 2022.01 has a Buffer Overflow. ...) CVE-2022-30551 (OPC UA Legacy Java Stack 2022-04-01 allows a remote attacker to cause ...) NOT-FOR-US: OPC UA Legacy Java Stack CVE-2022-30550 (An issue was discovered in the auth component in Dovecot 2.2 and 2.3 b ...) - - dovecot + - dovecot (bug #1016351) NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/9 NOTE: https://github.com/dovecot/core/commit/7bad6a24160e34bce8f10e73dbbf9e5fbbcd1904 NOTE: https://github.com/dovecot/core/commit/a1022072e2ce36f853873d910287f466165b184b @@ -80202,7 +80202,7 @@ CVE-2021-33465 (An issue was discovered in yasm version 1.3.0. There is a NULL p NOTE: https://github.com/yasm/yasm/issues/173 NOTE: Crash in CLI tool, no security impact CVE-2021-33464 (An issue was discovered in yasm version 1.3.0. There is a heap-buffer- ...) - - yasm + - yasm (bug #10163513) [bullseye] - yasm (Minor issue) [buster] - yasm (Minor issue) NOTE: https://github.com/yasm/yasm/issues/164 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ceb9248ced230f5b75e06ce02ebee912ec60482 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ceb9248ced230f5b75e06ce02ebee912ec60482 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c0145217 by Moritz Muehlenhoff at 2022-07-27T23:23:52+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,7 @@ CVE-2022-2551 CVE-2022-2550 (OS Command Injection in GitHub repository hestiacp/hestiacp prior to 1 ...) NOT-FOR-US: Hestia Control Panel CVE-2022-2549 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to v2.1. ...) - - gpac + - gpac (bug #1016142) [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://huntr.dev/bounties/c93083dc-177c-4ba0-ba83-9d7fb29a5537 @@ -11765,7 +11765,7 @@ CVE-2022-32225 (A reflected DOM-Based XSS vulnerability has been discovered in t NOT-FOR-US: Veeam CVE-2022-32224 RESERVED - - rails + - rails (bug #1016140) NOTE: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j CVE-2022-32223 (Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under ce ...) - nodejs (Only affects Windows) @@ -33350,27 +33350,27 @@ CVE-2022-24811 (Combodi iTop is a web based IT Service Management tool. Prior to NOT-FOR-US: Combodi CVE-2022-24810 [A malformed OID in a SET to the nsVacmAccessTable can cause a NULL pointer dereference] RESERVED - - net-snmp + - net-snmp (bug #1016139) NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3) CVE-2022-24809 [A malformed OID in a GET-NEXT to the nsVacmAccessTable can cause a NULL pointer dereference] RESERVED - - net-snmp + - net-snmp (bug #1016139) NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3) CVE-2022-24808 [A malformed OID in a SET request to NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference] RESERVED - - net-snmp + - net-snmp (bug #1016139) NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3) CVE-2022-24807 [A malformed OID in a SET request to SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an out-of-bounds memory access] RESERVED - - net-snmp + - net-snmp (bug #1016139) NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3) CVE-2022-24806 [Improper Input Validation when SETing malformed OIDs in master agent and subagent simultaneously] RESERVED - - net-snmp + - net-snmp (bug #1016139) NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3) CVE-2022-24805 [A buffer overflow in the handling of the INDEX of NET-SNMP-VACM-MIB can cause an out-of-bounds memory access] RESERVED - - net-snmp + - net-snmp (bug #1016139) NOTE: https://fossies.org/linux/net-snmp/CHANGES (fixed in 5.9.3) CVE-2022-24804 (Discourse is an open source platform for community discussion. In stab ...) NOT-FOR-US: Discourse @@ -63927,7 +63927,7 @@ CVE-2021-39949 CVE-2021-39948 RESERVED CVE-2021-39947 (In specific circumstances, trace file buffers in GitLab Runner version ...) - - gitlab-ci-multi-runner + - gitlab-ci-multi-runner (bug #1016138) CVE-2021-39946 (Improper neutralization of user input in GitLab CE/EE versions 14.3 to ...) - gitlab CVE-2021-39945 (Improper access control in the GitLab CE/EE API affecting all versions ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c01452174c8838a19000aea8a572946f527d98c4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c01452174c8838a19000aea8a572946f527d98c4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d33ae3b by Moritz Muehlenhoff at 2022-07-24T21:10:09+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3603,7 +3603,7 @@ CVE-2022-2306 (Old session tokens can be used to authenticate to the application CVE-2022-2305 RESERVED CVE-2022-2304 (Stack-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. ...) - - vim + - vim (bug #1015984) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/eb7402f3-025a-402f-97a7-c38700d9548a/ @@ -3678,7 +3678,7 @@ CVE-2022-2289 (Use After Free in GitHub repository vim/vim prior to 9.0. ...) NOTE: https://github.com/vim/vim/commit/c5274dd12224421f2430b30c53b881b9403d649e (v9.0.0026) NOTE: Crash in CLI tool, no security impact CVE-2022-2288 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. ...) - - vim + - vim (bug #1015984) NOTE: https://huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad/ NOTE: https://github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a (v9.0.0025) CVE-2022-34910 @@ -3743,7 +3743,7 @@ CVE-2022-34895 CVE-2022-34894 (In JetBrains Hub before 2022.2.14799, insufficient access control allo ...) NOT-FOR-US: JetBrains Hub CVE-2022-2285 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...) - - vim + - vim (bug #1015984) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) NOTE: https://huntr.dev/bounties/64574b28-1779-458d-a221-06c434042736/ @@ -4847,7 +4847,7 @@ CVE-2022-2208 (NULL Pointer Dereference in GitHub repository vim/vim prior to 8. NOTE: https://github.com/vim/vim/commit/cd38bb4d83c942c4bad596835c6766cbf32e5195 (v8.2.5163) NOTE: Crash in CLI tool, no security impact CVE-2022-2207 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) - - vim + - vim (bug #1015984) NOTE: https://huntr.dev/bounties/05bc6051-4dc3-483b-ae56-cf23346b97b9 NOTE: https://github.com/vim/vim/commit/0971c7a4e537ea120a6bb2195960be8d0815e97b (v8.2.5162) CVE-2022-34493 @@ -6269,7 +6269,7 @@ CVE-2022-33980 (Apache Commons Configuration performs variable interpolation, al - commons-configuration2 2.8.0-1 (bug #1014960) NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/5 CVE-2022-2129 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - - vim + - vim (bug #1015984) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/3aaf06e7-9ae1-454d-b8ca-8709c98e5352 NOTE: https://github.com/vim/vim/commit/d6211a52ab9f53b82f884561ed43d2fe4d24ff7d (v8.2.5126) @@ -6279,17 +6279,17 @@ CVE-2022-2127 RESERVED CVE-2022-2126 (Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. ...) {DLA-3053-1} - - vim + - vim (bug #1015984) NOTE: https://huntr.dev/bounties/8d196d9b-3d10-41d2-9f70-8ef0d08c946e NOTE: https://github.com/vim/vim/commit/156d3911952d73b03d7420dc3540215247db0fe8 (v8.2.5123) CVE-2022-2125 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2. ...) - - vim + - vim (bug #1015984) [stretch] - vim (Minor issue) NOTE: https://huntr.dev/bounties/17dab24d-beec-464d-9a72-5b6b11283705 NOTE: https://github.com/vim/vim/commit/0e8e938d497260dd57be67b4966cb27a5f72376f (v8.2.5122) CVE-2022-2124 (Buffer Over-read in GitHub repository vim/vim prior to 8.2. ...) {DLA-3053-1} - - vim + - vim (bug #1015984) NOTE: https://huntr.dev/bounties/8e9e056d-f733-4540-98b6-414bf36e0b42 NOTE: https://github.com/vim/vim/commit/2f074f4685897ab7212e25931eeeb0212292829f (v8.2.5120) CVE-2021-46823 (python-ldap before 3.4.0 is vulnerable to a denial of service when lda ...) @@ -9951,7 +9951,7 @@ CVE-2022-30532 (In affected versions of Octopus Deploy, there is no logging of c CVE-2022-29890 (In affected versions of Octopus Server the help sidebar can be customi ...) NOT-FOR-US: Octopus Server CVE-2022-2000 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - - vim + - vim (bug #1015984) [bullseye] - vim (Minor issue) [buster] - vim (Minor issue) [stretch] - vim (Minor issue) @@ -10749,7 +10749,7 @@ CVE-2022-1969 (The Mobile browser color select plugin for WordPress is vulnerabl NOT-FOR-US: Mobile browser color select plugin for WordPress CVE-2022-1968 (Use After Free in GitHub repository vim/vim prior to 8.2. ...) {DLA-3053-1} - - vim + - vim (bug #1015984) [bullseye] - vim (Minor issue) [buster] - vim
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ca57ed23 by Moritz Muehlenhoff at 2022-07-22T23:40:29+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -239,7 +239,7 @@ CVE-2022-2487 (A vulnerability has been found in WAVLINK WN535K2 and WN535K3 and CVE-2022-2486 (A vulnerability, which was classified as critical, was found in WAVLIN ...) NOT-FOR-US: WAVLINK CVE-2021-46828 (In libtirpc before 1.3.3rc1, remote attackers could exhaust the file d ...) - - libtirpc + - libtirpc (bug #1015873) NOTE: http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=86529758570cef4c73fb9b9c4104fdc510f701ed NOTE: Introduced by http://git.linux-nfs.org/?p=steved/libtirpc.git;a=commit;h=b2c9430f46c4ac848957fb8adaac176a3f6ac03f (libtirpc-0-3-3-rc3) CVE-2022-36312 @@ -1626,7 +1626,7 @@ CVE-2022-2402 CVE-2022-2401 (Unrestricted information disclosure of all users in Mattermost version ...) - mattermost-server (bug #823556) CVE-2022-2400 (External Control of File Name or Path in GitHub repository dompdf/domp ...) - - php-dompdf + - php-dompdf (bug #1015874) NOTE: https://huntr.dev/bounties/a6da5e5e-86be-499a-a3c3-2950f749202a NOTE: https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a CVE-2022-2399 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca57ed230485fd052542b6310371f0fe82c788c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca57ed230485fd052542b6310371f0fe82c788c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 12d92256 by Moritz Muehlenhoff at 2022-07-21T13:00:21+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -187,7 +187,7 @@ CVE-2022-36300 CVE-2022-30706 RESERVED CVE-2022-2476 (A null pointer dereference bug was found in wavpack-5.4.0 The results ...) - - wavpack + - wavpack (bug #1015790) [bullseye] - wavpack (Minor issue) [buster] - wavpack (Minor issue) NOTE: https://github.com/dbry/WavPack/issues/121 @@ -49636,7 +49636,7 @@ CVE-2022-21571 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virt CVE-2022-21570 (Vulnerability in the Oracle Coherence product of Oracle Fusion Middlew ...) TODO: check CVE-2022-21569 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21568 (Vulnerability in the Oracle iReceivables product of Oracle E-Business ...) TODO: check CVE-2022-21567 (Vulnerability in the Oracle Workflow product of Oracle E-Business Suit ...) @@ -49662,13 +49662,13 @@ CVE-2022-21558 (Vulnerability in the Oracle Crystal Ball product of Oracle Const CVE-2022-21557 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) TODO: check CVE-2022-21556 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21555 (Vulnerability in the MySQL Shell for VS Code product of Oracle MySQL ( ...) TODO: check CVE-2022-21554 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox CVE-2022-21553 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21552 (Vulnerability in the Oracle WebCenter Content product of Oracle Fusion ...) TODO: check CVE-2022-21551 (Vulnerability in Oracle GoldenGate (component: Oracle GoldenGate). The ...) @@ -49680,7 +49680,7 @@ CVE-2022-21549 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E CVE-2022-21548 (Vulnerability in the Oracle WebLogic Server product of Oracle Fusion M ...) TODO: check CVE-2022-21547 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21546 RESERVED CVE-2022-21545 (Vulnerability in the Oracle iRecruitment product of Oracle E-Business ...) @@ -49700,41 +49700,41 @@ CVE-2022-21540 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E - openjdk-11 11.0.16+8-1 - openjdk-17 17.0.4+8-1 CVE-2022-21539 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21538 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21537 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21536 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) TODO: check CVE-2022-21535 (Vulnerability in the MySQL Shell product of Oracle MySQL (component: S ...) NOT-FOR-US: MySQL Shell CVE-2022-21534 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21533 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) TODO: check CVE-2022-21532 (Vulnerability in the JD Edwards EnterpriseOne Orchestrator product of ...) TODO: check CVE-2022-21531 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21530 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21529 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21528 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21527 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21526 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + - mysql-8.0 (bug #1015789) CVE-2022-21525 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - - mysql-8.0 + -
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f4bcd1b by Moritz Mühlenhoff at 2022-07-21T11:52:57+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -584,13 +584,13 @@ CVE-2022-36128 CVE-2022-36127 (A vulnerability in Apache SkyWalking NodeJS Agent prior to 0.5.1. The ...) NOT-FOR-US: Apache SkyWalking CVE-2022-2454 (Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to ...) - - gpac + - gpac (bug #1015788) [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://huntr.dev/bounties/105d40d0-46d7-461e-9f8e-20c4cdea925f NOTE: https://github.com/gpac/gpac/commit/faa75edde3dfeba1e2cf6ffa48e45a50f1042096 CVE-2022-2453 (Use After Free in GitHub repository gpac/gpac prior to 2.1-DEV. ...) - - gpac + - gpac (bug #1015788) [bullseye] - gpac (Minor issue) [buster] - gpac (Minor issue) NOTE: https://huntr.dev/bounties/c8c964de-046a-41b2-9ff5-e25cfdb36b5a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f4bcd1be633d00e607a3099e19920675db0f259 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f4bcd1be633d00e607a3099e19920675db0f259 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dfa0e3c8 by Moritz Muehlenhoff at 2022-07-17T22:16:53+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18913,7 +18913,7 @@ CVE-2022-29155 (In OpenLDAP 2.x before 2.5.12 and 2.6.x before 2.6.2, a SQL inje CVE-2022-29154 RESERVED CVE-2022-29153 (HashiCorp Consul and Consul Enterprise through 2022-04-12 allow SSRF. ...) - - consul + - consul (bug #1015218) NOTE: https://discuss.hashicorp.com/t/hcsec-2022-10-consul-s-http-health-check-may-allow-server-side-request-forgery/38393 CVE-2022-29152 (The Ericom PowerTerm WebConnect 6.0 login portal can unsafely write an ...) NOT-FOR-US: Ericom @@ -31685,12 +31685,12 @@ CVE-2022-24730 (Argo CD is a declarative, GitOps continuous delivery tool for Ku NOT-FOR-US: Argo CD CVE-2022-24729 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor 4.19.0+dfsg-1 - - ckeditor3 + - ckeditor3 (bug #1015217) [stretch] - ckeditor3 (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-f6rf-9m92-x2hh CVE-2022-24728 (CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. ...) - ckeditor 4.19.0+dfsg-1 - - ckeditor3 + - ckeditor3 (bug #1015217) [stretch] - ckeditor3 (EOL'd for stretch) NOTE: https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-4fc4-4p5g-6w89 NOTE: https://github.com/ckeditor/ckeditor4/commit/d158413449692d920a778503502dcb22881bc949 (4.18.0) @@ -38688,7 +38688,7 @@ CVE-2021-46172 CVE-2021-46171 (Modex v2.11 was discovered to contain a NULL pointer dereference in se ...) NOT-FOR-US: Modex CVE-2021-46170 (An issue was discovered in JerryScript commit a6ab5e9. There is an Use ...) - - iotjs + - iotjs (bug #1015219) [bullseye] - iotjs (Minor issue) [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4917 @@ -50713,7 +50713,7 @@ CVE-2021-43455 (An Unquoted Service Path vulnerability exists in FreeLAN 2.2 via CVE-2021-43454 (An Unquoted Service Path vulnerability exists in AnyTXT Searcher 1.2.3 ...) NOT-FOR-US: AnyTXT Searcher for Windows CVE-2021-43453 (A Heap-based Buffer Overflow vulnerability exists in JerryScript 2.4.0 ...) - - iotjs + - iotjs (bug #1015219) [bullseye] - iotjs (Minor issue) [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/pull/4808 @@ -53230,7 +53230,7 @@ CVE-2021-42865 CVE-2021-42864 RESERVED CVE-2021-42863 (A buffer overflow in ecma_builtin_typedarray_prototype_filter() in Jer ...) - - iotjs + - iotjs (bug #1015219) [bullseye] - iotjs (Minor issue) [buster] - iotjs (Vulnerable code introduced later) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4793 @@ -56829,7 +56829,7 @@ CVE-2021-41961 CVE-2021-41960 RESERVED CVE-2021-41959 (JerryScript Git version 14ff5bf does not sufficiently track and releas ...) - - iotjs + - iotjs (bug #1015219) [bullseye] - iotjs (Minor issue) [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4781 @@ -57399,7 +57399,7 @@ CVE-2021-41752 (Stack overflow vulnerability in Jerryscript before commit e1ce7d NOTE: https://github.com/jerryscript-project/jerryscript/issues/4779 TODO: check - could be only a test artifact CVE-2021-41751 (Buffer overflow vulnerability in file ecma-builtin-array-prototype.c:9 ...) - - iotjs + - iotjs (bug #1015219) [bullseye] - iotjs (Minor issue) [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/pull/4797 @@ -57560,10 +57560,10 @@ CVE-2021-41685 CVE-2021-41684 RESERVED CVE-2021-41683 (There is a stack-overflow at ecma-helpers.c:326 in ecma_get_lex_env_ty ...) - - iotjs + - iotjs (bug #1015219) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4745 CVE-2021-41682 (There is a heap-use-after-free at ecma-helpers-string.c:1940 in ecma_c ...) - - iotjs + - iotjs (bug #1015219) NOTE: https://github.com/jerryscript-project/jerryscript/issues/4747 NOTE: https://github.com/jerryscript-project/jerryscript/commit/3ad76f932c8d2e3b9ba2d95e64848698ec7d7290 CVE-2021-41681 @@ -58815,7 +58815,7 @@ CVE-2021-41165 (CKEditor4 is an open source WYSIWYG HTML editor. In affected ver [bullseye] - ckeditor (Minor issue) [buster] - ckeditor (Minor issue) [stretch] - ckeditor (Minor issue) - - ckeditor3 + - ckeditor3
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 002fa016 by Moritz Muehlenhoff at 2022-07-16T00:43:58+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5315,7 +5315,7 @@ CVE-2022-2101 CVE-2022-33880 RESERVED CVE-2022-33879 (The initial fixes in CVE-2022-30126 and CVE-2022-30973 for regexes in ...) - - tika + - tika (bug #1015002) [bullseye] - tika (Minor issue) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/06/27/5 @@ -15417,7 +15417,7 @@ CVE-2022-1555 (DOM XSS in microweber ver 1.2.15 in GitHub repository microweber/ CVE-2022-1554 (Path Traversal due to `send_file` call in GitHub repository clinical-g ...) NOT-FOR-US: clinical-genomics/scout CVE-2022-30126 (In Apache Tika, a regular expression in our StandardsText class, used ...) - - tika + - tika (bug #1015002) [bullseye] - tika (Minor issue) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/3 @@ -29718,7 +29718,7 @@ CVE-2022-25209 (Jenkins Chef Sinatra Plugin 1.20 and earlier does not configure CVE-2022-25175 (Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier use ...) NOT-FOR-US: Jenkins Pipeline: Multibranch Plugin CVE-2022-25169 (The BPG parser in versions of Apache Tika before 1.28.2 and 2.4.0 may ...) - - tika + - tika (bug #1015002) [bullseye] - tika (Minor issue) [buster] - tika (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/05/16/4 @@ -30908,7 +30908,7 @@ CVE-2022-24793 (PJSIP is a free and open source multimedia communication library - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - - ring + - ring (bug #1014998) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4 NOTE: https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a CVE-2022-24792 (PJSIP is a free and open source multimedia communication library writt ...) @@ -31032,7 +31032,7 @@ CVE-2022-24764 (PJSIP is a free and open source multimedia communication library - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - - ring + - ring (bug #1014998) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m NOTE: https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00 CVE-2022-24763 (PJSIP is a free and open source multimedia communication library writt ...) @@ -31040,7 +31040,7 @@ CVE-2022-24763 (PJSIP is a free and open source multimedia communication library - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - - ring + - ring (bug #1014998) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-5x45-qp78-g4p4 NOTE: https://github.com/pjsip/pjproject/commit/856f87c2e97a27b256482dbe0d748b1194355a21 CVE-2022-24762 (sysend.js is a library that allows a user to send messages between pag ...) @@ -31086,7 +31086,7 @@ CVE-2022-24754 (PJSIP is a free and open source multimedia communication library {DLA-2962-1} - asterisk (Vulnerable code not present) - pjproject - - ring + - ring (bug #1014998) NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-73f7-48m9-w662 NOTE: https://github.com/pjsip/pjproject/commit/d27f79da11df7bc8bb56c2f291d71e54df8d2c47 CVE-2022-24753 (Stripe CLI is a command-line tool for the Stripe eCommerce platform. A ...) @@ -35323,7 +35323,7 @@ CVE-2022-23608 (PJSIP is a free and open source multimedia communication library - asterisk 1:18.10.1~dfsg+~cs6.10.40431411-1 [stretch] - asterisk (Vulnerable code not present) - pjproject - - ring + - ring (bug #1014998) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29945 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-005.html NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA--m5fm-qm62 @@ -47609,7 +47609,7 @@ CVE-2022-21723 (PJSIP is a free and open source multimedia communication library - asterisk 1:18.10.1~dfsg+~cs6.10.40431411-1 [stretch] - asterisk (Vulnerable code not present) - pjproject - - ring + - ring (bug #1014998) [stretch] - ring (Vulnerable code not present) NOTE: https://issues.asterisk.org/jira/browse/ASTERISK-29945 NOTE: https://downloads.asterisk.org/pub/security/AST-2022-006.html @@ -47620,7 +47620,7 @@ CVE-2022-21722 (PJSIP
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eb904674 by Moritz Muehlenhoff at 2022-07-15T18:07:08+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3985,7 +3985,7 @@ CVE-2022-34302 CVE-2022-34301 RESERVED CVE-2022-34300 (In tinyexr 1.0.1, there is a heap-based buffer over-read in tinyexr::D ...) - - tinyexr + - tinyexr (bug #1014980) [bullseye] - tinyexr (Minor issue) NOTE: https://github.com/syoyo/tinyexr/issues/167 CVE-2022-34299 (There is a heap-based buffer over-read in libdwarf 0.4.0. This issue i ...) @@ -19006,9 +19006,8 @@ CVE-2022-1290 (Stored XSS in "Name", "Group Name" "Title" in GitHub reposi CVE-2022-1289 (A denial of service vulnerability was found in tildearrow Furnace. It ...) - furnace (bug #1008592) CVE-2022-28890 (A vulnerability in the RDF/XML parser of Apache Jena allows an attacke ...) - - apache-jena + - apache-jena (bug #1014982) NOTE: https://www.openwall.com/lists/oss-security/2022/05/04/1 - TODO: check, possibly not affected as according to upstrema 4.2.x and 4.3.x doe not allow external entities, double check CVE-2021-4226 RESERVED CVE-2022-28889 (In Apache Druid 0.22.1 and earlier, the server did not set appropriate ...) @@ -19593,7 +19592,7 @@ CVE-2022-1255 (The Import and export users and customers WordPress plugin before CVE-2022-1254 (A URL redirection vulnerability in Skyhigh SWG in main releases 10.x p ...) NOT-FOR-US: Skyhigh SWG CVE-2022-1253 (Heap-based Buffer Overflow in GitHub repository strukturag/libde265 pr ...) - - libde265 + - libde265 (bug #1014977) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) [stretch] - libde265 (Minor issue) @@ -63107,7 +63106,7 @@ CVE-2021-39240 (An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=4b8852c70d8c4b7e225e24eb58258a15eb54c26e NOTE: https://git.haproxy.org/?p=haproxy.git;a=commit;h=a495e0d94876c9d39763db319f609351907a31e8 CVE-2021-39239 (A vulnerability in XML processing in Apache Jena, in versions up to 4. ...) - - apache-jena + - apache-jena (bug #1014982) NOTE: https://lists.apache.org/thread/qpbfrdty7jt3yfm39hx4p9dp151sd6gm CVE-2021-39238 (Certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise Pag ...) NOT-FOR-US: HP @@ -70154,14 +70153,14 @@ CVE-2021-36412 (A heap-based buffer overflow vulnerability exists in MP4Box in G NOTE: https://github.com/gpac/gpac/issues/1838 NOTE: https://github.com/gpac/gpac/commit/828188475084db87cebc34208b6bd2509709845e (v2.0.0) CVE-2021-36411 (An issue has been found in libde265 v1.0.8 due to incorrect access con ...) - - libde265 + - libde265 (bug #1014977) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) [stretch] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/302 NOTE: https://github.com/strukturag/libde265/commit/45904e5667c5bf59c67fcdc586dfba110832894c CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion. ...) - - libde265 + - libde265 (bug #1014977) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) [stretch] - libde265 (Minor issue) @@ -70170,14 +70169,14 @@ CVE-2021-36410 (A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-m CVE-2021-3641 (Improper Link Resolution Before File Access ('Link Following') vulnera ...) NOT-FOR-US: Bitdefender CVE-2021-36409 (There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at ...) - - libde265 + - libde265 (bug #1014977) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) [stretch] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/300 NOTE: https://github.com/strukturag/libde265/commit/64d591a6c70737604ca3f5791736fc462cbe8a3c CVE-2021-36408 (An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-f ...) - - libde265 + - libde265 (bug #1014977) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) [stretch] - libde265 (Minor issue) @@ -72629,7 +72628,7 @@ CVE-2021-35454 CVE-2021-35453 RESERVED CVE-2021-35452 (An Incorrect Access Control vulnerability exists in libde265 v1.0.8 du ...) - - libde265 + - libde265 (bug #1014977) [bullseye] - libde265 (Minor issue) [buster] - libde265 (Minor issue) [stretch] - libde265 (Minor issue, revisit when fixed upstream) @@ -73529,7 +73528,7 @@ CVE-2021-35045
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6003b55f by Moritz Muehlenhoff at 2022-07-15T17:32:05+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30801,7 +30801,7 @@ CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing NOT-FOR-US: Express OpenID Connect CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-3036-1} - - asterisk 1:18.11.2~dfsg+~cs6.10.40431413-1 + - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - ring @@ -30809,7 +30809,7 @@ CVE-2022-24793 (PJSIP is a free and open source multimedia communication library NOTE: https://github.com/pjsip/pjproject/commit/9fae8f43accef8ea65d4a8ae9cdf297c46cfe29a CVE-2022-24792 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-3036-1} - - asterisk + - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - ring (unimportant) @@ -30834,7 +30834,7 @@ CVE-2022-24788 (Vyper is a pythonic Smart Contract Language for the ethereum vir CVE-2022-24787 (Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual M ...) NOT-FOR-US: Vyper CVE-2022-24786 (PJSIP is a free and open source multimedia communication library writt ...) - - asterisk + - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject [stretch] - pjproject (Vulnerable code not present) @@ -30925,7 +30925,7 @@ CVE-2022-24765 (Git for Windows is a fork of Git containing Windows-specific pat NOTE: https://github.blog/2022-04-12-git-security-vulnerability-announced/ CVE-2022-24764 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-2962-1} - - asterisk + - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - ring @@ -30933,7 +30933,7 @@ CVE-2022-24764 (PJSIP is a free and open source multimedia communication library NOTE: https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00 CVE-2022-24763 (PJSIP is a free and open source multimedia communication library writt ...) {DLA-3036-1} - - asterisk + - asterisk (bug #1014976) [stretch] - asterisk (Vulnerable code not present) - pjproject - ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6003b55ffa18d865edffb0f682e0327e9eed865e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6003b55ffa18d865edffb0f682e0327e9eed865e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 17b628e2 by Moritz Muehlenhoff at 2022-07-15T14:32:12+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17051,7 +17051,7 @@ CVE-2022-29567 (The default configuration of a TreeGrid component uses Object::t CVE-2022-29566 (The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation bec ...) NOT-FOR-US: Bulletproofs CVE-2022-1427 (Out-of-bounds Read in mrb_obj_is_kind_of in in GitHub repository mruby ...) - - mruby + - mruby (bug #1014968) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) [stretch] - mruby (Vulnerable code not present) @@ -20521,7 +20521,7 @@ CVE-2022-1203 (The Content Mask WordPress plugin before 1.8.4.1 does not have au CVE-2022-1202 (The WP-CRM WordPress plugin through 1.2.1 does not validate and saniti ...) NOT-FOR-US: WordPress plugin CVE-2022-1201 (NULL Pointer Dereference in mrb_vm_exec with super in GitHub repositor ...) - - mruby + - mruby (bug #1014968) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) [stretch] - mruby (Vulnerable code not present) @@ -22155,10 +22155,9 @@ CVE-2022-27494 CVE-2022-26423 RESERVED CVE-2022-1071 (User after free in mrb_vm_exec in GitHub repository mruby/mruby prior ...) - - mruby + - mruby (bug #1014968) NOTE: https://huntr.dev/bounties/6597ece9-07af-415b-809b-919ce0a17cf3 NOTE: https://github.com/mruby/mruby/commit/aaa28a508903041dd7399d4159a8ace9766b022f - TODO: check where issue introduced and present before code refactoring CVE-2022-1070 RESERVED CVE-2022-1069 @@ -25228,7 +25227,7 @@ CVE-2022-0891 (A heap buffer overflow in ExtractImageSection function in tiffcro NOTE: https://gitlab.com/libtiff/libtiff/-/issues/380 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/382 CVE-2022-0890 (NULL Pointer Dereference in GitHub repository mruby/mruby prior to 3.2 ...) - - mruby + - mruby (bug #1014968) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) [stretch] - mruby (Minor issue) @@ -32287,13 +32286,12 @@ CVE-2022-21194 (The following Yokogawa Electric products do not change the passw CVE-2022-21177 (There is a path traversal vulnerability in CAMS for HIS Log Server con ...) NOT-FOR-US: Yokogawa Electric products CVE-2022-0481 (NULL Pointer Dereference in Homebrew mruby prior to 3.2. ...) - - mruby + - mruby (bug #1014968) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) [stretch] - mruby (Vulnerable code not present) NOTE: https://huntr.dev/bounties/54725c8c-87f4-41b6-878c-01d8e0ee7027 NOTE: https://github.com/mruby/mruby/commit/ae3c99767a27f5c6c584162e2adc6a5d0eb2c54e - TODO: check, possibly only introduced with dccd66f9efecd0a974b735c62836fe566015cf37 in 3.1.0-rc CVE-2022-24324 RESERVED CVE-2022-24323 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) @@ -36386,7 +36384,7 @@ CVE-2022-0242 (Unrestricted Upload of File with Dangerous Type in GitHub reposit CVE-2022-0241 RESERVED CVE-2022-0240 (mruby is vulnerable to NULL Pointer Dereference ...) - - mruby + - mruby (bug #1014968) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) [stretch] - mruby (Minor issue) @@ -40135,7 +40133,7 @@ CVE-2021-46021 (An Use-After-Free vulnerability in rec_record_destroy() at rec-r NOTE: https://lists.gnu.org/archive/html/bug-recutils/2021-12/msg8.html NOTE: Negligible security impact CVE-2021-46020 (An untrusted pointer dereference in mrb_vm_exec() of mruby v3.0.0 can ...) - - mruby + - mruby (bug #1014968) [bullseye] - mruby (Minor issue) [buster] - mruby (Minor issue) [stretch] - mruby (revisit when/if fix is complete) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17b628e271bde61628d984f0fa757f31aa71d97e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17b628e271bde61628d984f0fa757f31aa71d97e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c1bf9c9 by Moritz Muehlenhoff at 2022-07-15T14:30:14+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -47604,32 +47604,32 @@ CVE-2022-21698 (client_golang is the instrumentation library for Go applications CVE-2022-21697 (Jupyter Server Proxy is a Jupyter notebook server extension to proxy w ...) NOT-FOR-US: Jupyter Server Proxy CVE-2022-21696 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f CVE-2022-21695 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4 CVE-2022-21694 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h NOTE: https://github.com/onionshare/onionshare/issues/1389 CVE-2022-21693 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6 CVE-2022-21692 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v CVE-2022-21691 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766 CVE-2022-21690 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq CVE-2022-21689 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc CVE-2022-21688 (OnionShare is an open source tool that lets you securely and anonymous ...) - - onionshare + - onionshare (bug #1014966) NOTE: https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v CVE-2022-21687 (gh-ost is a triggerless online schema migration solution for MySQL. Ve ...) NOT-FOR-US: GitHub Online Schema @@ -56386,11 +56386,9 @@ CVE-2021-41870 (An issue was discovered in the firmware update form in Socomec R CVE-2021-41869 (SuiteCRM 7.10.x before 7.10.33 and 7.11.x before 7.11.22 is vulnerable ...) NOT-FOR-US: SuiteCRM CVE-2021-41868 (OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to u ...) - - onionshare - TODO: check details, exact fixing commits unclear + - onionshare (bug #1014966) CVE-2021-41867 (An information disclosure vulnerability in OnionShare 2.3 before 2.4 a ...) - - onionshare - TODO: check details, exact fixing commits unclear + - onionshare (bug #1014966) CVE-2021-41866 (MyBB before 1.8.28 allows stored XSS because the displayed Template Na ...) NOT-FOR-US: MyBB CVE-2021-3853 (chaskiq is vulnerable to Improper Neutralization of Input During Web P ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c1bf9c99b52b1e39708afb86f4868603dfa7d0a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c1bf9c99b52b1e39708afb86f4868603dfa7d0a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c03c8a5 by Moritz Muehlenhoff at 2022-07-15T13:19:42+02:00 bugnums add reference for 389-ds-base issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32,7 +32,7 @@ CVE-2022-35864 RESERVED CVE-2022-2414 RESERVED - - dogtag-pki + - dogtag-pki (bug #1014957) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2104676 NOTE: https://github.com/dogtagpki/pki/pull/4021 NOTE: https://github.com/dogtagpki/pki/commit/4e893243d72ad766558c10c907841f5f9c047055 @@ -1036,7 +1036,7 @@ CVE-2022-35416 (H3C SSL VPN through 2022-07-10 allows wnm/login/login.json svpnl CVE-2022-35415 RESERVED CVE-2022-35414 (softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized r ...) - - qemu + - qemu (bug #1014958) NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1065 NOTE: https://github.com/qemu/qemu/commit/418ade7849ce7641c0f7333718caf5091a02fd4c NOTE: https://sick.codes/sick-2022-113 @@ -1118,7 +1118,7 @@ CVE-2022-2348 RESERVED CVE-2022-2347 [Unchecked Download Size and Direction in U-Boot USB DFU] RESERVED - - u-boot + - u-boot (bug #1014959) NOTE: https://www.openwall.com/lists/oss-security/2022/07/08/2 CVE-2022-35399 REJECTED @@ -4826,7 +4826,7 @@ CVE-2022-33981 (drivers/block/floppy.c in the Linux kernel before 5.17.6 is vuln NOTE: https://www.openwall.com/lists/oss-security/2022/04/28/1 NOTE: https://git.kernel.org/linus/233087ca063686964a53c829d547c7571e3f67bf (5.18-rc5) CVE-2022-33980 (Apache Commons Configuration performs variable interpolation, allowing ...) - - commons-configuration2 + - commons-configuration2 (bug #1014960) NOTE: https://www.openwall.com/lists/oss-security/2022/07/06/5 CVE-2022-2129 (Out-of-bounds Write in GitHub repository vim/vim prior to 8.2. ...) - vim @@ -24996,9 +24996,9 @@ CVE-2022-0920 (The Salon booking system Free and Pro WordPress plugins before 7. CVE-2022-0919 (The Salon booking system Free and pro WordPress plugins before 7.6.3 d ...) NOT-FOR-US: WordPress plugin CVE-2022-0918 (A vulnerability was discovered in the 389 Directory Server that allows ...) - - 389-ds-base + - 389-ds-base NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2055815 - TODO: check details + NOTE: https://github.com/389ds/389-ds-base/issues/5242 CVE-2022-0917 RESERVED CVE-2022-0916 (An issue was discovered in Logitech Options. The OAuth 2.0 state param ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c03c8a5e40456784e82e41338e8757332be8deb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c03c8a5e40456784e82e41338e8757332be8deb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4eb6a9b4 by Moritz Muehlenhoff at 2022-07-13T13:10:35+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -80729,7 +80729,7 @@ CVE-2018-25014 (A flaw was found in libwebp in versions before 1.0.1. An unitial CVE-2021-3534 REJECTED CVE-2021-3533 (A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR ...) - - ansible + - ansible (bug #1014857) [bullseye] - ansible (Minor issue, revisit when/if fixed upstream) [buster] - ansible (Minor issue, revisit when/if fixed upstream) [stretch] - ansible (EOL'd for stretch) @@ -143589,7 +143589,7 @@ CVE-2020-18972 (Exposure of Sensitive Information to an Unauthorized Actor in Po NOTE: https://sourceforge.net/p/podofo/tickets/49/ NOTE: Negligible security impact CVE-2020-18971 (Stack-based Buffer Overflow in PoDoFo v0.9.6 allows attackers to cause ...) - - libpodofo + - libpodofo (bug #1014858) [bullseye] - libpodofo (Minor issue) [buster] - libpodofo (Minor issue) [stretch] - libpodofo (Minor issue; can be fixed in next update) @@ -190323,7 +190323,7 @@ CVE-2020-1698 (A flaw was found in keycloak in versions before 9.0.0. A logged e CVE-2020-1697 (It was found in all keycloak versions before 9.0.0 that links to exter ...) NOT-FOR-US: Keycloak CVE-2020-1696 (A flaw was found in the all pki-core 10.x.x versions, where Token Proc ...) - - dogtag-pki + - dogtag-pki (bug #1014854) [bullseye] - dogtag-pki (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1780707 CVE-2020-1695 (A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final ...) @@ -221462,7 +221462,7 @@ CVE-2019-10181 (It was found that in icedtea-web up to and including 1.7.2 and 1 NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/32d174def953d801eb1cfc9d989bff5e80aac3cd (1.7) NOTE: https://github.com/AdoptOpenJDK/IcedTea-Web/commit/528cb8163b7053576a658b9602b5694b21957b0e (1.8) CVE-2019-10180 (A vulnerability was found in all pki-core 10.x.x version, where the To ...) - - dogtag-pki + - dogtag-pki (bug #1014855) [bullseye] - dogtag-pki (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1721137 CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where the K ...) @@ -221471,7 +221471,7 @@ CVE-2019-10179 (A vulnerability was found in all pki-core 10.x.x versions, where NOTE: https://github.com/dogtagpki/pki/commit/8884b4344225bd6656876d9e2a58b3268e9a899b (v10.9.0-b3) NOTE: https://github.com/dogtagpki/pki/commit/a93a65be0b1bcf94e004ba59c6a0c8a2c086936f (v10.9.0) CVE-2019-10178 (It was found that the Token Processing Service (TPS) did not properly ...) - - dogtag-pki + - dogtag-pki (bug #1014856) [bullseye] - dogtag-pki (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1719042 CVE-2019-10177 (A stored cross-site scripting (XSS) vulnerability was found in the PDF ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4eb6a9b4d61c37ff091d55fe0b752e3706a266e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4eb6a9b4d61c37ff091d55fe0b752e3706a266e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ce6ea077 by Moritz Muehlenhoff at 2022-07-12T17:33:46+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7741,7 +7741,7 @@ CVE-2022-32534 (The Bosch Ethernet switch PRA-ES8P2S with software version 1.01. CVE-2022-32533 (** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficientl ...) NOT-FOR-US: Apache Portals Jetspeed CVE-2022-32532 (Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured ...) - - shiro + - shiro (bug #1014820) [bullseye] - shiro (Minor issue) [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2022/06/28/2 @@ -57211,7 +57211,7 @@ CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification o NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 NOTE: https://github.com/mariocasciaro/object-path/commit/e6bb638ffdd431176701b3e9024f80050d0ef0a6 CVE-2021-41303 (Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a ...) - - shiro + - shiro (bug #1014819) [bullseye] - shiro (Minor issue) [buster] - shiro (Minor issue) [stretch] - shiro (Minor issue) @@ -80252,7 +80252,7 @@ CVE-2021-32066 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7 - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 - ruby2.3 - - jruby + - jruby (bug #1014818) [buster] - jruby (Minor issue) [stretch] - jruby (Minor issue) NOTE: https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/ @@ -81181,7 +81181,7 @@ CVE-2021-31810 (An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7 - ruby2.7 2.7.4-1 (bug #990815) - ruby2.5 - ruby2.3 - - jruby + - jruby (bug #1014818) [buster] - jruby (Minor issue) [stretch] - jruby (Minor issue) NOTE: https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/ View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce6ea07741df5482d6b22736dcf13e1d2ecad4c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce6ea07741df5482d6b22736dcf13e1d2ecad4c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits