[Git][security-tracker-team/security-tracker][master] LTS: add xqilla

2023-07-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cd9e307 by Anton Gladky at 2023-07-06T06:54:41+02:00
LTS: add xqilla

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -268,6 +268,9 @@ webkit2gtk (Emilio)
   NOTE: 20230606: https://lists.debian.org/debian-lts/2023/06/msg5.html 
(pochu)
   NOTE: 20230627: will likely hold the update and mark as not-supported due to 
feedback (pochu)
 --
+xqilla
+  NOTE: 20230706: Added by Front-Desk (gladk)
+--
 yajl (tobi)
   NOTE: 20230702: Added by Front-Desk (ta)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cd9e30762c0c123604902006e71b399d27d2359



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-35170 (duplicate CVE)

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8cbaa299 by Salvatore Bonaccorso at 2023-07-05T22:39:17+02:00
Remove notes from CVE-2023-35170 (duplicate CVE)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -961,7 +961,6 @@ CVE-2023-35930 (SpiceDB is an open source, Google 
Zanzibar-inspired, database sy
NOT-FOR-US: SpiceDB
 CVE-2023-35170
REJECTED
-   NOT-FOR-US: Sliver
 CVE-2023-34422 (A valid, authenticated LXCA user with elevated privileges may 
be able  ...)
NOT-FOR-US: Lenovo
 CVE-2023-34421 (A valid, authenticated LXCA user with elevated privileges may 
be able  ...)
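Review bot: dropping `NOT-FOR-US: Sliver` leaves the `CVE-2023-35170` entry with just `REJECTED` and no record of which identifier it duplicates; since the commit message states it is a duplicate CVE, a `NOTE:` naming the surviving CVE on the `REJECTED` entry would keep the cross-reference greppable in data/CVE/list instead of losing it with the removed line.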



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cbaa2999b210b4c2a6920198d54715eafdfbdc9



[Git][security-tracker-team/security-tracker][master] Process some more NFUs

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d63a02c by Salvatore Bonaccorso at 2023-07-05T22:34:27+02:00
Process some more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73,17 +73,17 @@ CVE-2023-34106 (GLPI is a free asset and IT management 
software package. Version
NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-923r-hqh4-wj7c
NOTE: Only supported behind an authenticated HTTP zone
 CVE-2023-5 (Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was 
Decembe ...)
-   TODO: check
+   NOT-FOR-US: Sophos
 CVE-2023-2880 (Frauscher Sensortechnik GmbH FDS001 for FAdC/FAdCi v1.3.3 and 
all prev ...)
-   TODO: check
+   NOT-FOR-US: Frauscher Sensortechnik GmbH FDS001 for FAdC/FAdCi
 CVE-2023-2538 (A CWE-552 "Files or Directories Accessible to External 
Parties\u201d i ...)
-   TODO: check
+   NOT-FOR-US: Tyan S5552 BMC
 CVE-2021-46893 (Vulnerability of unstrict data verification and parameter 
check. Succe ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2021-46891 (Vulnerability of incomplete read and write permission 
verification in  ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2021-46890 (Vulnerability of incomplete read and write permission 
verification in  ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-35001 (Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; 
nft_byte ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
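Review bot: the `NOT-FOR-US:` values added in this hunk mix granularities: `NOT-FOR-US: Huawei` names only the vendor for CVE-2021-46893, CVE-2021-46891 and CVE-2021-46890, while `NOT-FOR-US: Frauscher Sensortechnik GmbH FDS001 for FAdC/FAdCi` copies the full product string out of the description; settle on the vendor-plus-product form used at `NOT-FOR-US: Tyan S5552 BMC` so later searches for the same vendor or product match all entries the same way.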



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d63a02c78f6b70829716d1c4054e0486aead4f2



[Git][security-tracker-team/security-tracker][master] Update CVE-2023-33460 information for ruby-yajl

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9d945fe1 by Salvatore Bonaccorso at 2023-07-05T22:32:07+02:00
Update CVE-2023-33460 information for ruby-yajl

This is one reason why, in security-tracking of CVEs for sources
embedding potentially affected sources, we really only add entries when
they are affected.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3140,6 +3140,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with 
use of yajl_tree_parse
[bookworm] - yajl  (Minor issue)
[bullseye] - yajl  (Minor issue)
NOTE: https://github.com/lloyd/yajl/issues/250
+   NOTE: Introduced with: 
https://github.com/lloyd/yajl/commit/cfa9f8fcb12d80dd5ebf94f5e6a607aab4d225fb 
(2.0.0)
- burp 
[buster] - burp  (Minor issue; fix only after newer releases 
got a fix)
- crun 
@@ -3150,11 +3151,7 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 with 
use of yajl_tree_parse
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue; fix only after 
newer releases got a fix)
-   - ruby-yajl  (ruby-yajl embeds non-affected old version 
of yajl)
-   [bookworm] - ruby-yajl  (Minor issue)
-   [bullseye] - ruby-yajl  (Minor issue)
-   [buster] - ruby-yajl  (Minor issue)
-   NOTE: Introduced in yajl at version 2.0.0 with commit 
https://github.com/lloyd/yajl/commit/cfa9f8f
+   - ruby-yail  (Vulnerable code not present; embeds 
not-affected old yajl version)
NOTE: ruby-yail embeds yajl version 1.0.12 
(https://github.com/brianmario/yajl-ruby/blob/master/ext/yajl/api/yajl_version.h)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in 
URIParser::parse , ...)
NOT-FOR-US: Sogou Workflow
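Review bot: the replacement line `+   - ruby-yail  (Vulnerable code not present; embeds not-affected old yajl version)` and the `NOTE: ruby-yail embeds yajl version 1.0.12` line below it misspell the source package: the removed lines and the linked yajl-ruby repository both use `ruby-yajl`. As written, the tracker drops the real ruby-yajl from CVE-2023-33460 and attaches the not-affected status to a package name that does not exist, so correct both occurrences to `ruby-yajl`. Removing the per-suite `(Minor issue)` annotations is fine once the package is recorded as not affected.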



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d945fe110957e76eb74539bffa883c9cca0d9fa



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34457/python-mechanicalsoup

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89ebeca2 by Salvatore Bonaccorso at 2023-07-05T22:30:09+02:00
Add CVE-2023-34457/python-mechanicalsoup

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -53,7 +53,9 @@ CVE-2023-34472 (AMI SPx contains a vulnerability in the BMC 
where an Attacker ma
 CVE-2023-34471 (AMI SPx contains a vulnerability in the BMC where a user may 
cause a m ...)
NOT-FOR-US: AMI SPx
 CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction 
with web ...)
-   TODO: check
+   - python-mechanicalsoup 
+   NOTE: 
https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4
+   NOTE: 
https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e
 (v1.3.0)
 CVE-2023-34338 (AMI SPx contains a vulnerability in the BMC where an Attacker 
may caus ...)
NOT-FOR-US: AMI SPx
 CVE-2023-34337 (AMI SPx contains a vulnerability in the BMC where a user may 
cause an  ...)
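Review bot: the new `+   - python-mechanicalsoup ` entry gets the advisory and fix-commit `NOTE:` lines but no severity or suite annotations, unlike the glpi entries processed in the same session; once triaged, add `[bookworm]`/`[bullseye]` lines (or a severity tag on the package line) next to the `(v1.3.0)` reference so the per-release fix status is recorded rather than implied.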



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89ebeca2aeb2bf0551468ea56b7401db08aebc16



[Git][security-tracker-team/security-tracker][master] Add new glpi issues

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03ee1307 by Salvatore Bonaccorso at 2023-07-05T22:27:09+02:00
Add new glpi issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -39,7 +39,9 @@ CVE-2023-35972 (An authenticated remote command injection 
vulnerabilityexists in
 CVE-2023-35971 (A vulnerability in the ArubaOS web-based management interface 
could al ...)
NOT-FOR-US: Aruba
 CVE-2023-35924 (GLPI is a free asset and IT management software package. 
Starting in v ...)
-   TODO: check
+   - glpi  (unimportant)
+   NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-gxh4-j63w-8jmm
+   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2023-35863 (In MADEFORNET HTTP Debugger through 9.12, the Windows service 
does not ...)
NOT-FOR-US: MADEFORNET HTTP Debugger
 CVE-2023-34654 (taocms <=3.0.2 is vulnerable to Cross Site Scripting (XSS).)
@@ -57,11 +59,17 @@ CVE-2023-34338 (AMI SPx contains a vulnerability in the BMC 
where an Attacker ma
 CVE-2023-34337 (AMI SPx contains a vulnerability in the BMC where a user may 
cause an  ...)
NOT-FOR-US: AMI SPx
 CVE-2023-34244 (GLPI is a free asset and IT management software package. 
Starting in v ...)
-   TODO: check
+   - glpi  (unimportant)
+   NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-p93p-pwg9-w95w
+   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2023-34107 (GLPI is a free asset and IT management software package. 
Versions of t ...)
-   TODO: check
+   - glpi  (unimportant)
+   NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-966h-xrf5-pmj4
+   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2023-34106 (GLPI is a free asset and IT management software package. 
Versions of t ...)
-   TODO: check
+   - glpi  (unimportant)
+   NOTE: 
https://github.com/glpi-project/glpi/security/advisories/GHSA-923r-hqh4-wj7c
+   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2023-5 (Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was 
Decembe ...)
TODO: check
 CVE-2023-2880 (Frauscher Sensortechnik GmbH FDS001 for FAdC/FAdCi v1.3.3 and 
all prev ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03ee13070247223d172a71dfa2676975a45f70e0



[Git][security-tracker-team/security-tracker][master] DLA-3479-1 for golang-yaml.v2

2023-07-05 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2aa48306 by Roberto C. Sánchez at 2023-07-05T16:26:20-04:00
DLA-3479-1 for golang-yaml.v2

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Jul 2023] DLA-3479-1 golang-yaml.v2 - security update
+   {CVE-2021-4235 CVE-2022-3064}
+   [buster] - golang-yaml.v2 2.2.2-1+deb10u1
 [02 Jul 2023] DLA-3478-1 yajl - security update
{CVE-2023-33460}
[buster] - yajl 2.1.0-3+deb10u1
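Review bot: the `{CVE-2021-4235 CVE-2022-3064}` line records two CVEs for DLA-3479-1, but the data/CVE/list change in this series (commit d3257ff8) only removed the `[buster]` limited-support annotation from CVE-2021-4235; check that CVE-2022-3064 carries no stale `[buster]` annotation of its own, otherwise the tracker will keep showing it as open in buster despite the DLA.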


=
data/dla-needed.txt
=
@@ -74,10 +74,6 @@ fusiondirectory (Abhijith PA)
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
 --
-golang-yaml.v2 (Roberto C. Sánchez)
-  NOTE: 20230125: Added by Front-Desk (gladk)
-  NOTE: 20230525: In review with utkarsh.
---
 grpc
   NOTE: 20230614: Added by Front-Desk (opal)
   NOTE: 20230618: CVE-2023-32731 fix will need a massive rewrite (rouca)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2aa483061113fd74f45298401642109cd35b4f81



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1bf24e3f by Salvatore Bonaccorso at 2023-07-05T22:25:14+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,61 +1,61 @@
 CVE-2023-3515 (Open Redirect in GitHub repository go-gitea/gitea prior to 
1.19.4.)
- gitea 
 CVE-2023-3455 (Key management vulnerability on system. Successful exploitation 
of thi ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-3336 (TN-5900 Series version 3.3 and prior versions is vulnearble to 
user en ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2023-3089 (A compliance problem was found in the Red Hat OpenShift 
Container Plat ...)
-   TODO: check
+   NOT-FOR-US: Red Hat OpenShift Container Platform
 CVE-2023-36934 (In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 
2021.0.9 (13.0 ...)
-   TODO: check
+   NOT-FOR-US: Progress MOVEit Transfer
 CVE-2023-36933 (In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 
(13.1.7 ...)
-   TODO: check
+   NOT-FOR-US: Progress MOVEit Transfer
 CVE-2023-36932 (In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 
2021.0.9 (13.0 ...)
-   TODO: check
+   NOT-FOR-US: Progress MOVEit Transfer
 CVE-2023-36665 (protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 
allows Pr ...)
TODO: check
 CVE-2023-36624 (Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an 
authenticated o ...)
-   TODO: check
+   NOT-FOR-US: Loxone Miniserver Go
 CVE-2023-36623 (The root password of the Loxone Miniserver Go Gen.2 before 
14.2 is cal ...)
-   TODO: check
+   NOT-FOR-US: Loxone Miniserver Go
 CVE-2023-36622 (The websocket configuration endpoint of the Loxone Miniserver 
Go Gen.2 ...)
-   TODO: check
+   NOT-FOR-US: Loxone Miniserver Go
 CVE-2023-35979 (There is an unauthenticated buffer overflow vulnerabilityin 
the proces ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35978 (A vulnerability in ArubaOS could allow an 
unauthenticatedremote attack ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35977 (Vulnerabilities exist which allow an authenticated attackerto 
access s ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35976 (Vulnerabilities exist which allow an authenticated attackerto 
access s ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35975 (An authenticated path traversal vulnerability exists in 
theArubaOS com ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35974 (Authenticated command injection vulnerabilities exist inthe 
ArubaOS co ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35973 (Authenticated command injection vulnerabilities exist inthe 
ArubaOS co ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35972 (An authenticated remote command injection vulnerabilityexists 
in the A ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35971 (A vulnerability in the ArubaOS web-based management interface 
could al ...)
-   TODO: check
+   NOT-FOR-US: Aruba
 CVE-2023-35924 (GLPI is a free asset and IT management software package. 
Starting in v ...)
TODO: check
 CVE-2023-35863 (In MADEFORNET HTTP Debugger through 9.12, the Windows service 
does not ...)
-   TODO: check
+   NOT-FOR-US: MADEFORNET HTTP Debugger
 CVE-2023-34654 (taocms <=3.0.2 is vulnerable to Cross Site Scripting (XSS).)
-   TODO: check
+   NOT-FOR-US: Taocms
 CVE-2023-34473 (AMI SPx contains a vulnerability in the BMC where a valid user 
may cau ...)
-   TODO: check
+   NOT-FOR-US: AMI SPx
 CVE-2023-34472 (AMI SPx contains a vulnerability in the BMC where an Attacker 
may caus ...)
-   TODO: check
+   NOT-FOR-US: AMI SPx
 CVE-2023-34471 (AMI SPx contains a vulnerability in the BMC where a user may 
cause a m ...)
-   TODO: check
+   NOT-FOR-US: AMI SPx
 CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction 
with web ...)
TODO: check
 CVE-2023-34338 (AMI SPx contains a vulnerability in the BMC where an Attacker 
may caus ...)
-   TODO: check
+   NOT-FOR-US: AMI SPx
 CVE-2023-34337 (AMI SPx contains a vulnerability in the BMC where a user may 
cause an  ...)
-   TODO: check
+   NOT-FOR-US: AMI SPx
 CVE-2023-34244 (GLPI is a free asset and IT management software package. 
Starting in v ...)
TODO: check
 CVE-2023-34107 (GLPI is a free asset and IT management software package. 
Versions of t ...)
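Review bot: `+   NOT-FOR-US: Taocms` capitalises a name the CVE description itself writes as `taocms`; the NFU string is what later searches match against, so keep the project's own spelling. Leaving `TODO: check` on CVE-2023-36665 (protobuf.js), the GLPI entries and CVE-2023-34457 (MechanicalSoup) for separate triage is the right call, and the GLPI and MechanicalSoup ones are resolved in follow-up commits in this series.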



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bf24e3fb2c438db313fea4209e659b2da90dcf4




[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3515/gitea

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9defe9e4 by Salvatore Bonaccorso at 2023-07-05T22:24:11+02:00
Add CVE-2023-3515/gitea

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2023-3515 (Open Redirect in GitHub repository go-gitea/gitea prior to 
1.19.4.)
-   TODO: check
+   - gitea 
 CVE-2023-3455 (Key management vulnerability on system. Successful exploitation 
of thi ...)
TODO: check
 CVE-2023-3336 (TN-5900 Series version 3.3 and prior versions is vulnearble to 
user en ...)
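Review bot: `+   - gitea ` adds the package without any `NOTE:` pointing at the upstream fix, although the description says the open redirect affects gitea `prior to 1.19.4`, i.e. the fix is identifiable; add a `NOTE:` with the upstream advisory or commit URL, as the python-mechanicalsoup and glpi entries in this series do, and per-suite annotations, so the fixed-version claim is traceable from the entry.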



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9defe9e4734c77a1a983c476eaac58c3778519f8



[Git][security-tracker-team/security-tracker][master] automatic update

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
76cc0da5 by security tracker role at 2023-07-05T20:12:38+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,85 @@
-CVE-2023-35001 [nf_tables nft_byteorder_eval OOB read/write]
+CVE-2023-3515 (Open Redirect in GitHub repository go-gitea/gitea prior to 
1.19.4.)
+   TODO: check
+CVE-2023-3455 (Key management vulnerability on system. Successful exploitation 
of thi ...)
+   TODO: check
+CVE-2023-3336 (TN-5900 Series version 3.3 and prior versions is vulnearble to 
user en ...)
+   TODO: check
+CVE-2023-3089 (A compliance problem was found in the Red Hat OpenShift 
Container Plat ...)
+   TODO: check
+CVE-2023-36934 (In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 
2021.0.9 (13.0 ...)
+   TODO: check
+CVE-2023-36933 (In Progress MOVEit Transfer before 2021.0.9 (13.0.9), 2021.1.7 
(13.1.7 ...)
+   TODO: check
+CVE-2023-36932 (In Progress MOVEit Transfer before 2020.1.11 (12.1.11), 
2021.0.9 (13.0 ...)
+   TODO: check
+CVE-2023-36665 (protobuf.js (aka protobufjs) 6.10.0 through 7.x before 7.2.4 
allows Pr ...)
+   TODO: check
+CVE-2023-36624 (Loxone Miniserver Go Gen.2 through 14.0.3.28 allows an 
authenticated o ...)
+   TODO: check
+CVE-2023-36623 (The root password of the Loxone Miniserver Go Gen.2 before 
14.2 is cal ...)
+   TODO: check
+CVE-2023-36622 (The websocket configuration endpoint of the Loxone Miniserver 
Go Gen.2 ...)
+   TODO: check
+CVE-2023-35979 (There is an unauthenticated buffer overflow vulnerabilityin 
the proces ...)
+   TODO: check
+CVE-2023-35978 (A vulnerability in ArubaOS could allow an 
unauthenticatedremote attack ...)
+   TODO: check
+CVE-2023-35977 (Vulnerabilities exist which allow an authenticated attackerto 
access s ...)
+   TODO: check
+CVE-2023-35976 (Vulnerabilities exist which allow an authenticated attackerto 
access s ...)
+   TODO: check
+CVE-2023-35975 (An authenticated path traversal vulnerability exists in 
theArubaOS com ...)
+   TODO: check
+CVE-2023-35974 (Authenticated command injection vulnerabilities exist inthe 
ArubaOS co ...)
+   TODO: check
+CVE-2023-35973 (Authenticated command injection vulnerabilities exist inthe 
ArubaOS co ...)
+   TODO: check
+CVE-2023-35972 (An authenticated remote command injection vulnerabilityexists 
in the A ...)
+   TODO: check
+CVE-2023-35971 (A vulnerability in the ArubaOS web-based management interface 
could al ...)
+   TODO: check
+CVE-2023-35924 (GLPI is a free asset and IT management software package. 
Starting in v ...)
+   TODO: check
+CVE-2023-35863 (In MADEFORNET HTTP Debugger through 9.12, the Windows service 
does not ...)
+   TODO: check
+CVE-2023-34654 (taocms <=3.0.2 is vulnerable to Cross Site Scripting (XSS).)
+   TODO: check
+CVE-2023-34473 (AMI SPx contains a vulnerability in the BMC where a valid user 
may cau ...)
+   TODO: check
+CVE-2023-34472 (AMI SPx contains a vulnerability in the BMC where an Attacker 
may caus ...)
+   TODO: check
+CVE-2023-34471 (AMI SPx contains a vulnerability in the BMC where a user may 
cause a m ...)
+   TODO: check
+CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction 
with web ...)
+   TODO: check
+CVE-2023-34338 (AMI SPx contains a vulnerability in the BMC where an Attacker 
may caus ...)
+   TODO: check
+CVE-2023-34337 (AMI SPx contains a vulnerability in the BMC where a user may 
cause an  ...)
+   TODO: check
+CVE-2023-34244 (GLPI is a free asset and IT management software package. 
Starting in v ...)
+   TODO: check
+CVE-2023-34107 (GLPI is a free asset and IT management software package. 
Versions of t ...)
+   TODO: check
+CVE-2023-34106 (GLPI is a free asset and IT management software package. 
Versions of t ...)
+   TODO: check
+CVE-2023-5 (Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was 
Decembe ...)
+   TODO: check
+CVE-2023-2880 (Frauscher Sensortechnik GmbH FDS001 for FAdC/FAdCi v1.3.3 and 
all prev ...)
+   TODO: check
+CVE-2023-2538 (A CWE-552 "Files or Directories Accessible to External 
Parties\u201d i ...)
+   TODO: check
+CVE-2021-46893 (Vulnerability of unstrict data verification and parameter 
check. Succe ...)
+   TODO: check
+CVE-2021-46891 (Vulnerability of incomplete read and write permission 
verification in  ...)
+   TODO: check
+CVE-2021-46890 (Vulnerability of incomplete read and write permission 
verification in  ...)
+   TODO: check
+CVE-2023-35001 (Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; 
nft_byte ...)
- linux 
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
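Review bot: the imported line `+CVE-2023-5 (Cross Site Scripting (XSS) in Sophos Sophos iView (The EOL was` carries an identifier that is not in CVE-YYYY-NNNN form (the sequence part needs at least four digits), so it cannot be the real ID from the feed; verify the identifier before the entry is triaged, because a later commit in this series marks exactly this line `NOT-FOR-US: Sophos`. Also, the header `@@ -1,9 +1,85 @@` announces 85 new lines but the hunk as rendered stops after a bare `NOTE:`, so the tail of the automatic update is not visible here.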

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-35001/linux

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fad61a73 by Salvatore Bonaccorso at 2023-07-05T22:04:41+02:00
Add CVE-2023-35001/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2023-35001 [nf_tables nft_byteorder_eval OOB read/write]
+   - linux 
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/07/05/3
 CVE-2023-31248 [nf_tables UAF when using nft_chain_lookup_byid]
- linux 
[buster] - linux  (Vulnerable code not present)
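Review bot: `+CVE-2023-35001` annotates `[bullseye]` and `[buster]` as `Vulnerable code not present` but leaves bookworm unannotated, i.e. affected, while the DSA-5448-1 entry reserved earlier in this series for bookworm's `linux 6.1.37-1` does not list CVE-2023-35001 in its CVE set; either add it to that DSA or record a `[bookworm]` status or dsa-needed note so the open bookworm issue is visible.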



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fad61a73a3480fb0279236350396a162c3fd2491



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-31248/linux

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ace6209d by Salvatore Bonaccorso at 2023-07-05T22:03:19+02:00
Add CVE-2023-31248/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-31248 [nf_tables UAF when using nft_chain_lookup_byid]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/07/05/2
 CVE-2023-3484
- gitlab 
 CVE-2023-35786 (Zoho ManageEngine ADManager Plus before 7183 allows admin 
users to exp ...)
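Review bot: `+CVE-2023-31248` marks only `[buster]` as `Vulnerable code not present`, whereas the CVE-2023-35001 entry added a minute later in this series carries an explicit `[bullseye]` line as well; if bullseye's 5.10.y kernel is affected by the nft_chain_lookup_byid UAF, a short `NOTE:` saying so would make clear that the absence of a `[bullseye]` line here is deliberate rather than an omission.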



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ace6209dd0589b27ba0f94a1ed8458067a3c16aa



[Git][security-tracker-team/security-tracker][master] Adjust comment to cover 6.1.y versions

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0f34a87d by Salvatore Bonaccorso at 2023-07-05T21:26:28+02:00
Adjust comment to cover 6.1.y versions

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -22,7 +22,7 @@ gpac/oldstable (jmm)
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
-  releases to more recent v5.10.y versions
+  releases to more recent v5.10.y and 6.1.y versions
 --
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
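Review bot: the context line `Wait until more issues have piled up, though try to regulary rebase for point` has a typo (`regulary` should be `regularly`); since this commit already edits the following line of the same comment, fixing it in the same change would be cheap.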



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f34a87debdfd99247d1cfaaf80eaa6ef9d10c75



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for linux update

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee5d3be4 by Salvatore Bonaccorso at 2023-07-05T21:22:54+02:00
Reserve DSA number for linux update

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[05 Jul 2023] DSA-5448-1 linux - security update
+   {CVE-2023-2124 CVE-2023-2156 CVE-2023-2269 CVE-2023-3090 CVE-2023-3212 
CVE-2023-3268 CVE-2023-3269 CVE-2023-3390 CVE-2023-31084 CVE-2023-32250 
CVE-2023-32254 CVE-2023-35788}
+   [bookworm] - linux 6.1.37-1
 [05 Jul 2023] DSA-5447-1 mediawiki - security update
{CVE-2023-29141 CVE-2023-36674 CVE-2023-36675}
[bullseye] - mediawiki 1:1.35.11-1~deb11u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee5d3be43c8c8d75791efc1cfacd95cfb4130e6b



[Git][security-tracker-team/security-tracker][master] LTS: CVE-2021-4235/golang-yaml.v2 will be fixed

2023-07-05 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d3257ff8 by Roberto C. Sánchez at 2023-07-05T14:52:58-04:00
LTS: CVE-2021-4235/golang-yaml.v2 will be fixed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -69485,7 +69485,6 @@ CVE-2021-4236 (Web Sockets do not execute any 
AuthenticateMethod methods which m
NOT-FOR-US: ecnepsnai/web
 CVE-2021-4235 (Due to unbounded alias chasing, a maliciously crafted YAML file 
can ca ...)
- golang-yaml.v2 2.2.8-1
-   [buster] - golang-yaml.v2  (Limited support, minor issue, 
DoS)
NOTE: 
https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 
(v2.2.3)
NOTE: https://github.com/go-yaml/yaml/pull/375
NOTE: https://pkg.go.dev/vuln/GO-2021-0061



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3257ff86a47f193bbdf7224f89487bec036f58c



[Git][security-tracker-team/security-tracker][master] dla: unclaim python-glance-store

2023-07-05 Thread Jochen Sprickerhof (@jspricke)


Jochen Sprickerhof pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3794aa30 by Jochen Sprickerhof at 2023-07-05T20:18:35+02:00
dla: unclaim python-glance-store

As discussed with Roberto

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -176,9 +176,11 @@ php-dompdf
 pypdf2 (Adrian Bunk)
   NOTE: 20230705: Added by Front-Desk (gladk)
 --
-python-glance-store (jspricke)
+python-glance-store
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
+  NOTE: 20230705: JS: pushed a patched version to: 
https://salsa.debian.org/lts-team/packages/python-glance-store
+  NOTE: 20230705: JS: upstream patch looks fine to me but should probably be 
tested and released together with the other affected packages.
 --
 python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
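Review bot: the unclaim leaves the entry in a half-finished state that the NOTE lines should state explicitly: a patched package already exists at https://salsa.debian.org/lts-team/packages/python-glance-store and the remaining work is testing plus a coordinated release with python-os-brick, nova and cinder (CVE-2023-2088). A dated NOTE saying the entry is free for pickup and that the next claimant should start from that repository, not from scratch, would prevent duplicated work.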



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3794aa30bd489dc2fa769a07d54ee4ed616a315b



[Git][security-tracker-team/security-tracker][master] CVE-2020-36649 fixed in older suites

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
beb1adb3 by Moritz Muehlenhoff at 2023-07-05T19:43:37+02:00
CVE-2020-36649 fixed in older suites

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -30758,7 +30758,9 @@ CVE-2022-4885 (A vulnerability has been found in sviehb 
jefferson up to 0.3 and
 CVE-2020-36650 (A vulnerability, which was classified as critical, was found 
in Ionica ...)
NOT-FOR-US: gry nodejs module
 CVE-2020-36649 (A vulnerability was found in mholt PapaParse up to 5.1.x. It 
has been  ...)
-   - mediawiki  (unimportant)
+   - mediawiki 1:1.39.4-1 (unimportant)
+   [bookworm] - mediawiki 1:1.39.4-1~deb12u1
+   [bullseye] - mediawiki 1:1.35.11-1~deb11u1
NOTE: MediaWiki embeds a copy, but negligible security impact
NOTE: https://phabricator.wikimedia.org/T326946
NOTE: 
https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621
 (5.2.0)
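Review bot: the new bullseye and bookworm versions 1:1.35.11-1~deb11u1 and 1:1.39.4-1~deb12u1 are the DSA-5447-1 uploads recorded elsewhere in this digest, yet CVE-2020-36649 is not in that DSA's CVE list (expected, since it is rated unimportant). A short NOTE such as "fixed along with DSA-5447-1" would explain why an unimportant embedded-copy issue now carries per-suite fixed versions.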



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/beb1adb37d8ad95ab2abee554608015ae70bdba0



[Git][security-tracker-team/security-tracker][master] mediawiki DSA

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49580bd3 by Moritz Mühlenhoff at 2023-07-05T19:38:59+02:00
mediawiki DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -34703,6 +34703,7 @@ CVE-2022-47928 (In MISP before 2.4.167, there is XSS in 
the template file upload
NOT-FOR-US: MISP
 CVE-2022-47927 (An issue was discovered in MediaWiki before 1.35.9, 1.36.x 
through 1.3 ...)
- mediawiki 1:1.39.1-1
+   [bullseye] - mediawiki 1:1.35.11-1~deb11u1
NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
NOTE: https://phabricator.wikimedia.org/T322637
 CVE-2022-47914


=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[05 Jul 2023] DSA-5447-1 mediawiki - security update
+   {CVE-2023-29141 CVE-2023-36674 CVE-2023-36675}
+   [bullseye] - mediawiki 1:1.35.11-1~deb11u1
+   [bookworm] - mediawiki 1:1.39.4-1~deb12u1
 [03 Jul 2023] DSA-5446-1 ghostscript - security update
{CVE-2023-36664}
[bullseye] - ghostscript 9.53.3~dfsg-7+deb11u5
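Review bot: the CVE list {CVE-2023-29141 CVE-2023-36674 CVE-2023-36675} omits CVE-2022-47927, although the data/CVE/list hunk above marks CVE-2022-47927 fixed in the very same bullseye upload 1:1.35.11-1~deb11u1. If the DSA text does not mention it, a NOTE on the CVE-2022-47927 entry ("fixed along in DSA-5447-1") documents the mismatch; otherwise add the id to the braces so the DSA and CVE views agree.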


=
data/dsa-needed.txt
=
@@ -24,8 +24,6 @@ linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y versions
 --
-mediawiki (jmm)
---
 nbconvert/oldstable
   Guilhem Moulin proposed an update ready for review
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49580bd337ea5b1b2658d51e9ab97a7c29ae436b



[Git][security-tracker-team/security-tracker][master] remove for one mw issue which will be fixed in DSA

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e3dbb466 by Moritz Muehlenhoff at 2023-07-05T19:29:08+02:00
remove postponed for one mw issue which will be fixed in DSA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -34703,8 +34703,6 @@ CVE-2022-47928 (In MISP before 2.4.167, there is XSS in 
the template file upload
NOT-FOR-US: MISP
 CVE-2022-47927 (An issue was discovered in MediaWiki before 1.35.9, 1.36.x 
through 1.3 ...)
- mediawiki 1:1.39.1-1
-   [bullseye] - mediawiki  (Minor issue, fix along in next 
security update)
-   [buster] - mediawiki  (Minor issue, fix along in next 
security update)
NOTE: 
https://lists.wikimedia.org/hyperkitty/list/wikitec...@lists.wikimedia.org/thread/UEMW64LVEH3BEXCJV43CVS6XPYURKWU3/
NOTE: https://phabricator.wikimedia.org/T322637
 CVE-2022-47914
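Review bot: the removed [buster] line is the one not covered by the DSA: DSA-5447-1 as recorded in this digest lists only bullseye and bookworm, so dropping the buster "(Minor issue, fix along in next security update)" marker leaves buster open with neither a postponed/no-dsa tag nor a fixed version. Either restore a buster marker or make sure mediawiki is tracked in dla-needed.txt for LTS.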



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3dbb4668948b422893835275f1a6e74b7603391



[Git][security-tracker-team/security-tracker][master] LTS: take over golang-yaml.v2 and qt4-x11

2023-07-05 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb2475ef by Roberto C. Sánchez at 2023-07-05T13:16:02-04:00
LTS: take over golang-yaml.v2 and qt4-x11

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,7 +74,7 @@ fusiondirectory (Abhijith PA)
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
 --
-golang-yaml.v2 (sgmoore)
+golang-yaml.v2 (Roberto C. Sánchez)
   NOTE: 20230125: Added by Front-Desk (gladk)
   NOTE: 20230525: In review with utkarsh.
 --
@@ -184,7 +184,7 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-qt4-x11 (sgmoore)
+qt4-x11 (Roberto C. Sánchez)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11
 --
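Review bot: both this hunk and the golang-yaml.v2 hunk above change only the owner in parentheses; following the file's own convention (compare "NOTE: 20230705: JS: ..." elsewhere in this digest), a dated NOTE recording the hand-over from sgmoore would help, and the golang-yaml.v2 entry's "NOTE: 20230525: In review with utkarsh." now reads stale against a new owner and should say whether that review was completed.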



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb2475ef3e46af8022bc8d417eae65ecfbccc5e5



[Git][security-tracker-team/security-tracker][master] CVE-2023-33460 does not affect ruby-yajl

2023-07-05 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9513f0d4 by Tobias Frost at 2023-07-05T17:54:17+02:00
CVE-2023-33460 does not affect ruby-yajl

ruby-yajl embeds yajl version 1.0.12 
(https://github.com/brianmario/yajl-ruby/blob/master/ext/yajl/api/yajl_version.h),
vulnerability introduced in version 2.0.0 
(https://github.com/lloyd/yajl/commit/cfa9f8f)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3047,10 +3047,12 @@ CVE-2023-33460 (There's a memory leak in yajl 2.1.0 
with use of yajl_tree_parse
[bookworm] - r-cran-jsonlite  (Minor issue)
[bullseye] - r-cran-jsonlite  (Minor issue)
[buster] - r-cran-jsonlite  (Minor issue; fix only after 
newer releases got a fix)
-   - ruby-yajl 
+   - ruby-yajl  (ruby-yajl embeds non-affected old version 
of yajl)
[bookworm] - ruby-yajl  (Minor issue)
[bullseye] - ruby-yajl  (Minor issue)
[buster] - ruby-yajl  (Minor issue)
+   NOTE: Introduced in yajl at version 2.0.0 with commit 
https://github.com/lloyd/yajl/commit/cfa9f8f
+   NOTE: ruby-yail embeds yajl version 1.0.12 
(https://github.com/brianmario/yajl-ruby/blob/master/ext/yajl/api/yajl_version.h)
 CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in 
URIParser::parse , ...)
NOT-FOR-US: Sogou Workflow
 CVE-2023-33381 (A command injection vulnerability was found in the ping 
functionality  ...)
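Review bot: the added NOTE line "ruby-yail embeds yajl version 1.0.12" misspells the package (ruby-yajl), the same typo as in the commit message. Once the top-level line says the embedded yajl is not affected, the three per-suite "(Minor issue)" lines for bookworm, bullseye and buster describe a minor issue that by the new NOTE does not exist there; dropping them, or changing them to match, keeps the entry self-consistent. The version argument itself is sound as stated: 1.0.12 predates the introducing commit cfa9f8f (2.0.0).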



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9513f0d40c879bdba6909e72bc63741a78135335



[Git][security-tracker-team/security-tracker][master] two new gitlab issues

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b6e14872 by Moritz Muehlenhoff at 2023-07-05T17:31:01+02:00
two new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-3484
+   - gitlab 
 CVE-2023-35786 (Zoho ManageEngine ADManager Plus before 7183 allows admin 
users to exp ...)
NOT-FOR-US: Zoho
 CVE-2023-34150 (** UNSUPPORTED WHEN ASSIGNED **Use of TikaEncodingDetector in 
Apache A ...)
@@ -7151,7 +7153,7 @@ CVE-2023-2234
 CVE-2023-2233
RESERVED
 CVE-2023-2232 (An issue has been discovered in GitLab affecting all versions 
starting ...)
-   TODO: check
+   - gitlab 
 CVE-2023-2231 (A vulnerability, which was classified as critical, was found in 
MAXTEC ...)
NOT-FOR-US: MAXTECH
 CVE-2023-2230
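Review bot: both gitlab entries (CVE-2023-3484 in the first hunk, CVE-2023-2232 here) get a bare "- gitlab" line with no NOTE carrying the upstream advisory URL or the fixed upstream releases, unlike the other entries in this file, and CVE-2023-3484 has no description text at all. A NOTE with the GitLab release or advisory reference is what lets someone later fill in the fixed Debian version.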



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6e1487224b34f70ad67c32c02be83638d0883a7



[Git][security-tracker-team/security-tracker][master] one more linux issue unimportant

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3eb92cc by Moritz Muehlenhoff at 2023-07-05T17:17:51+02:00
one more linux issue unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2482,8 +2482,10 @@ CVE-2023-3184 (A vulnerability was found in 
SourceCodester Sales Tracker Managem
 CVE-2023-3183 (A vulnerability was found in SourceCodester Performance 
Indicator Syst ...)
NOT-FOR-US: SourceCodester Performance Indicator System
 CVE-2023-3141 (A use-after-free flaw was found in r592_remove in 
drivers/memstick/hos ...)
-   - linux 6.3.7-1
+   - linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
NOTE: 
https://git.kernel.org/linus/63264422785021704c39b38f65a78ab9e4a186d7 (6.4-rc1)
+   NOTE: Only "exploitable" by removing the module which needs root 
privileges
 CVE-2023-34856 (A Cross Site Scripting (XSS) vulnerability in D-Link 
DI-7500G-CI-19.05 ...)
NOT-FOR-US: D-Link
 CVE-2023-34245 (@udecode/plate-link is the link handler for the udecode/plate 
rich-tex ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3eb92ccfb800531d1000e54c55870d959eaff1e



[Git][security-tracker-team/security-tracker][master] dla: take pypdf2

2023-07-05 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab608b6e by Adrian Bunk at 2023-07-05T18:06:48+03:00
dla: take pypdf2

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -173,7 +173,7 @@ php-dompdf
   NOTE: 20230618: Added by Front-Desk (opal)
   NOTE: 20230618: Low priority but higher than to not fix it.
 --
-pypdf2
+pypdf2 (Adrian Bunk)
   NOTE: 20230705: Added by Front-Desk (gladk)
 --
 python-glance-store (jspricke)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab608b6ed37b958ae52ee609e2b9fba5f27d6684



[Git][security-tracker-team/security-tracker][master] Update CVE-2023-34256 and consider it unimportant

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef27714e by Salvatore Bonaccorso at 2023-07-05T16:49:09+02:00
Update CVE-2023-34256 and consider it unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3615,8 +3615,10 @@ CVE-2023-34258 (An issue was discovered in BMC Patrol 
before 22.1.00. The agent'
 CVE-2023-34257 (An issue was discovered in BMC Patrol through 23.1.00. The 
agent's con ...)
NOT-FOR-US: BMC Patrol
 CVE-2023-34256 (An issue was discovered in the Linux kernel before 6.3.3. 
There is an  ...)
-   - linux 6.3.7-1
+   - linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
NOTE: 
https://git.kernel.org/linus/4f04351888a83e595571de672e0a4a8b74f4fb31 (6.4-rc2)
+   NOTE: Exploitable only when modifying block device while beeing mounted.
 CVE-2023-34255
REJECTED
 CVE-2023-34229 (In JetBrains TeamCity before 2023.05 stored XSS in GitLab 
Connection p ...)
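Review bot: typo in the added NOTE, "beeing" should be "being". It would also help to spell out why the condition makes the issue unimportant, as the other linux entries in this digest do ("needs root privileges"): writing to a block device that is currently mounted requires write access to the device node, which is a privileged operation.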



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ef27714ed0aa93651998de36a0e0da1327e32f84



[Git][security-tracker-team/security-tracker][master] mark a few linux issues as non issues

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60a44245 by Moritz Muehlenhoff at 2023-07-05T16:19:40+02:00
mark a few linux issues as non issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1635,9 +1635,11 @@ CVE-2023-35840 (_joinPath in 
elFinderVolumeLocalFileSystem.class.php in elFinder
 CVE-2023-35839 (Solon before 2.3.3 allows Deserialization of Untrusted Data.)
NOT-FOR-US: Solon
 CVE-2023-35829 (An issue was discovered in the Linux kernel before 6.3.2. A 
use-after- ...)
-   - linux 6.3.7-1
+   - linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/3228cec23b8b29215e18090c6ba635840190993d (6.4-rc1)
+   NOTE: Only "exploitable" by removing the module which needs root 
privileges
 CVE-2023-34657 (A stored cross-site scripting (XSS) vulnerability in Eyoucms 
v1.6.2 al ...)
NOT-FOR-US: Eyoucms
 CVE-2023-34642 (KioWare for Windows through v8.33 was discovered to contain an 
incompl ...)
@@ -1671,22 +1673,29 @@ CVE-2023-35828 (An issue was discovered in the Linux 
kernel before 6.3.2. A use-
[bookworm] - linux 6.1.37-1
NOTE: 
https://git.kernel.org/linus/2b947f8769be8b8181dc795fd292d3e7120f5204 (6.4-rc1)
NOTE: USB_RENESAS_USB3 not enabled in Debian
+   NOTE: Only "exploitable" by removing the module which needs root 
privileges
 CVE-2023-35827 (An issue was discovered in the Linux kernel through 6.3.8. A 
use-after ...)
- linux 
NOTE: 
https://lore.kernel.org/lkml/cca0b40b-d6f8-54c7-1e46-83cb62d0a2f1%40huawei.com/T/
 CVE-2023-35826 (An issue was discovered in the Linux kernel before 6.3.2. A 
use-after- ...)
-   - linux 6.3.7-1
+   - linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/50d0a7aea4809cef87979d4669911276aa23b71f (6.4-rc1)
+   NOTE: Only "exploitable" by removing the module which needs root 
privileges
 CVE-2023-35825
REJECTED
 CVE-2023-35824 (An issue was discovered in the Linux kernel before 6.3.2. A 
use-after- ...)
-   - linux 6.3.7-1
+   - linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
NOTE: 
https://git.kernel.org/linus/5abda7a16698d4d1f47af1168d8fa2c640116b4a (6.4-rc1)
+   NOTE: Only "exploitable" by removing the module which needs root 
privileges
 CVE-2023-35823 (An issue was discovered in the Linux kernel before 6.3.2. A 
use-after- ...)
-   - linux 6.3.7-1
+   - linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
NOTE: 
https://git.kernel.org/linus/30cf57da176cca80f11df0d9b7f71581fe601389 (6.4-rc1)
+   NOTE: Only "exploitable" by removing the module which needs root 
privileges
 CVE-2023-35005 (In Apache Airflow, some potentially sensitive values were 
being shown  ...)
- airflow  (bug #819700)
 CVE-2023-3306 (A vulnerability was found in Ruijie RG-EW1200G 
EW_3.0(1)B11P204. It ha ...)
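Review bot: CVE-2023-35827, sitting between the entries rated unimportant in this hunk, keeps its bare "- linux" line with only the lore link and no severity. If it is left out because upstream has no fix yet (its description says "through 6.3.8") rather than because the root-only module-removal rationale does not apply, a NOTE saying so would keep the omission from looking accidental, especially as the same NOTE text is pasted into the four neighbouring entries.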



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60a44245bb000d4655a246f6fa26852479b70655



[Git][security-tracker-team/security-tracker][master] Track two source-wise fixed issues in linux/6.1.37-1 but irrelevant for the DSA

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f7bd521 by Salvatore Bonaccorso at 2023-07-05T16:12:18+02:00
Track two source-wise fixed issues in linux/6.1.37-1 but irrelevant for the DSA

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1668,6 +1668,7 @@ CVE-2023-30759 (The driver installation package created 
by Printer Driver Packag
NOT-FOR-US: Ricoh
 CVE-2023-35828 (An issue was discovered in the Linux kernel before 6.3.2. A 
use-after- ...)
- linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
NOTE: 
https://git.kernel.org/linus/2b947f8769be8b8181dc795fd292d3e7120f5204 (6.4-rc1)
NOTE: USB_RENESAS_USB3 not enabled in Debian
 CVE-2023-35827 (An issue was discovered in the Linux kernel through 6.3.8. A 
use-after ...)
@@ -15102,6 +15103,7 @@ CVE-2023-1409
RESERVED
 CVE-2022-48425 (In the Linux kernel through 6.2.7, fs/ntfs3/inode.c has an 
invalid kfr ...)
- linux 6.3.7-1 (unimportant)
+   [bookworm] - linux 6.1.37-1
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/98bea253aa28ad8be2ce565a9ca21beb4a9419e5 (6.4-rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f7bd52147b78917037ada2d5da17cae5d010201



[Git][security-tracker-team/security-tracker][master] libpam-krb5 unimportant

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bfbc782b by Moritz Muehlenhoff at 2023-07-05T15:58:58+02:00
libpam-krb5 unimportant

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1226,7 +1226,9 @@ CVE-2023-32320 (Nextcloud Server is a data storage system 
for Nextcloud, a self-
 CVE-2023-31469 (A REST interface in Apache StreamPipes (versions 0.69.0 to 
0.91.0) was ...)
NOT-FOR-US: Apache StreamPipes
 CVE-2023-3326 (pam_krb5 authenticates a user by essentially running kinit with 
the pa ...)
-   TODO: check
+   - libpam-krb5  (unimportant)
+   NOTE: Documented shortcoming of Linux pam-krb
+   NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/2  
 CVE-2023-3256 (Advantech R-SeeNet  versions 2.4.22  allows low-level users to 
access  ...)
NOT-FOR-US: Advantech R-SeeNet
 CVE-2023-36371 (An issue in the GDKfree component of MonetDB Server v11.45.17 
and v11. ...)
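Review bot: the NOTE "Documented shortcoming of Linux pam-krb" names the module inconsistently: the package line says libpam-krb5 and the CVE text says pam_krb5, so use one of those. The line "NOTE: https://www.openwall.com/lists/oss-security/2023/06/22/2  " also carries trailing whitespace.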



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfbc782b8432e9e9f661d4ccd73141528e286c82



[Git][security-tracker-team/security-tracker][master] new orthanc issue

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4788b86d by Moritz Muehlenhoff at 2023-07-05T15:48:42+02:00
new orthanc issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -464,7 +464,8 @@ CVE-2023-34487 (itsourcecode Online Hotel Management System 
Project In PHP v1.0.
 CVE-2023-34486 (itsourcecode Online Hotel Management System Project In PHP 
v1.0.0 is v ...)
NOT-FOR-US: itsourcecode Online Hotel Management System Project
 CVE-2023-33466 (Orthanc before 1.12.0 allows authenticated users with access 
to the Or ...)
-   TODO: check
+   - orthanc 
+   NOTE: 
https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568
 CVE-2023-33277 (The web interface of Gira Giersiepen Gira KNX/IP-Router 
3.1.3683.0 and ...)
NOT-FOR-US: Gira Giersiepen Gira KNX/IP-Router
 CVE-2023-33190 (Sealos is an open source cloud operating system distribution 
based on  ...)
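Review bot: the description already says "Orthanc before 1.12.0", so the fixed upstream version is known; a NOTE recording that next to the advisory link (and the Debian fixed version once 1.12.0 is in the archive) turns the bare "- orthanc" line into something actionable for the next triager.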



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4788b86d19f8aa72b2d7fa1f60bf4f5578ab3644



[Git][security-tracker-team/security-tracker][master] NFUs

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9cd8fcea by Moritz Muehlenhoff at 2023-07-05T15:39:57+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -452,7 +452,7 @@ CVE-2023-34844 (Play With Docker < 0.0.2 has an insecure 
CAP_SYS_ADMIN privilege
 CVE-2023-34735 (Property Cloud Platform Management Center 1.0 is vulnerable to 
error-b ...)
NOT-FOR-US: Property Cloud Platform Management Center
 CVE-2023-34658 (Telegram v9.6.3 on iOS allows attackers to hide critical 
information o ...)
-   TODO: check
+   NOT-FOR-US: Telegram on iOS
 CVE-2023-34656 (An issue was discovered with the JSESSION IDs in Xiamen Si Xin 
Communi ...)
NOT-FOR-US: Xiamen Si Xin Communication Technology Video management 
system
 CVE-2023-34599 (Multiple Cross-Site Scripting (XSS) vulnerabilities have been 
identifi ...)
@@ -21581,11 +21581,11 @@ CVE-2023-26137
 CVE-2023-26136 (Versions of the package tough-cookie before 4.1.3 are 
vulnerable to Pr ...)
TODO: check
 CVE-2023-26135 (All versions of the package flatnest are vulnerable to 
Prototype Pollu ...)
-   TODO: check
+   NOT-FOR-US: Node flatnest
 CVE-2023-26134 (Versions of the package git-commit-info before 2.0.2 are 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: Node git-commit-info
 CVE-2023-26133 (All versions of the package progressbar.js are vulnerable to 
Prototype ...)
-   TODO: check
+   NOT-FOR-US: progressbar.js
 CVE-2023-26132 (Versions of the package dottie before 2.0.4 are vulnerable to 
Prototyp ...)
TODO: check
 CVE-2023-26131 (All versions of the package 
github.com/xyproto/algernon/engine; all ve ...)
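Review bot: the NOT-FOR-US labels in this hunk are inconsistent: flatnest and git-commit-info get a "Node" prefix while progressbar.js does not (compare "NOT-FOR-US: bwm-ng Nodejs module (not the same as src:bwm-ng)" in the next hunk). One form, naming the registry, avoids misses when someone later greps these entries for Node modules that might share a name with a Debian source package.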
@@ -21599,7 +21599,7 @@ CVE-2023-26130 (Versions of the package 
yhirose/cpp-httplib before 0.12.4 are vu
 CVE-2023-26129 (All versions of the package bwm-ng are vulnerable to Command 
Injection ...)
NOT-FOR-US: bwm-ng Nodejs module (not the same as src:bwm-ng)
 CVE-2023-26128 (All versions of the package keep-module-latest are vulnerable 
to Comma ...)
-   TODO: check
+   NOT-FOR-US: Node keep-module-latest
 CVE-2023-26127 (All versions of the package n158 are vulnerable to Command 
Injection d ...)
TODO: check
 CVE-2023-26126 (All versions of the package m.static are vulnerable to 
Directory Trave ...)
@@ -21691,7 +21691,7 @@ CVE-2023-0922 (The Samba AD DC administration tool, 
when operating against a rem
 CVE-2023-0921 (A lack of length validation in GitLab CE/EE affecting all 
versions fro ...)
- gitlab 15.10.8+ds1-2
 CVE-2022-48330 (A Huawei sound box product has an out-of-bounds write 
vulnerability. A ...)
-   TODO: check
+   NOT-FOR-US: Huawei
 CVE-2023-26101 (In Progress Flowmon Packet Investigator before 12.1.0, a 
Flowmon user  ...)
NOT-FOR-US: Progress Flowmon Packet Investigator
 CVE-2023-26100 (In Progress Flowmon before 12.2.0, an application endpoint 
failed to s ...)
@@ -21725,7 +21725,7 @@ CVE-2023-26087
 CVE-2023-26086
RESERVED
 CVE-2023-26085 (A possible out-of-bounds read and write (due to an improper 
length che ...)
-   TODO: check
+   NOT-FOR-US: Arm NN Android-NN-Driver
 CVE-2023-26084 (The armv8_dec_aes_gcm_full() API of Arm AArch64cryptolib 
before 86065c ...)
NOT-FOR-US: AArch64cryptolib
 CVE-2023-26083 (Memory leak vulnerability in Mali GPU Kernel Driver in Midgard 
GPU Ker ...)
@@ -22003,7 +22003,7 @@ CVE-2023-26015
 CVE-2023-26014 (Cross-Site Request Forgery (CSRF) vulnerability in Tim Eckel 
Minify HT ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-26013 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-26012 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Denz ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-26011 (Cross-Site Request Forgery (CSRF) vulnerability in Tim Eckel 
Read More ...)
@@ -22081,7 +22081,7 @@ CVE-2023-25976 (Cross-Site Request Forgery (CSRF) 
vulnerability in CRM Perks Int
 CVE-2023-25975
RESERVED
 CVE-2023-25974 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in psic ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25973 (Cross-Site Request Forgery (CSRF) vulnerability in Lucian 
Apostol Auto ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-25972 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in IKSW ...)
@@ -22103,7 +22103,7 @@ CVE-2023-25965
 CVE-2023-25964 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Noah ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-25963 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Joom ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25962 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Bipl ...)

[Git][security-tracker-team/security-tracker][master] new ruby::uri issue, apply some hacks to mark Buster as affected

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7bbfc1c by Moritz Muehlenhoff at 2023-07-05T15:16:07+02:00
new ruby::uri issue, apply some hacks to mark Buster as affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -423,7 +423,16 @@ CVE-2023-37254 (An issue was discovered in the Cargo 
extension for MediaWiki thr
 CVE-2023-37251 (An issue was discovered in the GoogleAnalyticsMetrics 
extension for Me ...)
NOT-FOR-US: MediaWiki extension GoogleAnalyticsMetrics
 CVE-2023-36617 (A ReDoS issue was discovered in the URI component before 
0.12.2 for Ru ...)
-   TODO: check
+   - rubygems  (Incomplete fix never applied)
+   - ruby3.1  (Incomplete fix never applied)
+   - ruby2.7  (Incomplete fix never applied)
+   - ruby2.5 
+   - jruby 
+   [bookworm] - jruby  (Incomplete fix never applied)
+   [bullseye] - jruby  (Incomplete fix never applied)
+   NOTE: 
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/
+   NOTE: 
https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1
+   NOTE: 
https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8
 CVE-2023-36488 (ILIAS 7.21 and 8.0_beta1 through 8.2 is vulnerable to stored 
Cross Sit ...)
- ilias  (bug #195688)
 CVE-2023-36487 (The password reset function in ILIAS 7.0_beta1 through 7.20 
and 8.0_be ...)
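Review bot: the "hack" from the subject is not explained in the entry itself: ruby2.5 and jruby are listed as unfixed at the top level and jruby is then tagged "(Incomplete fix never applied)" for bookworm and bullseye, with the net effect that only buster is shown as affected. A NOTE stating that buster's ruby2.5 and jruby carry the earlier incomplete fix that the other suites never applied would preserve that reasoning for the next reader, who otherwise has to reconstruct it from the ruby-lang.org advisory.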



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7bbfc1c87fef0b489193afc52b85b9775117765



[Git][security-tracker-team/security-tracker][master] Add notes for CVE-2023-3269

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
25d57aa3 by Salvatore Bonaccorso at 2023-07-05T15:04:51+02:00
Add notes for CVE-2023-3269

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1780,6 +1780,7 @@ CVE-2023-3269
- linux 6.3.11-1
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
+   NOTE: https://github.com/lrh2000/StackRot
NOTE: https://www.openwall.com/lists/oss-security/2023/07/05/1
 CVE-2023-3268 (An out of bounds (OOB) memory access flaw was found in the 
Linux kerne ...)
- linux 6.3.7-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25d57aa3cf567b8f46c081c60e23a24a64ef4be9



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3269/linux

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a35ccdde by Salvatore Bonaccorso at 2023-07-05T15:00:15+02:00
Add CVE-2023-3269/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1776,6 +1776,11 @@ CVE-2023-3291 (Heap-based Buffer Overflow in GitHub 
repository gpac/gpac prior t
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/526954e6-8683-4697-bfa2-886c3204a1d5/
NOTE: 
https://github.com/gpac/gpac/commit/6a748ccc3f76ff10e3ae43014967ea4b0c088aaf
+CVE-2023-3269
+   - linux 6.3.11-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/07/05/1
 CVE-2023-3268 (An out of bounds (OOB) memory access flaw was found in the 
Linux kerne ...)
- linux 6.3.7-1
NOTE: 
https://git.kernel.org/linus/43ec16f1450f4936025a9bdf1a273affdb9732c1 (6.4-rc1)
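Review bot: the CVE-2023-3269 header line has neither an NVD description nor the bracketed placeholder this file uses for not-yet-published CVEs (compare "CVE-2023-3255 [VNC: infinite loop in inflate_buffer() leads to denial of service]"), so the entry cannot be found by keyword; a short bracketed summary on the header line would fix that. The fix is recorded only as the Debian upload linux 6.3.11-1 with no upstream reference, unlike the neighbouring CVE-2023-3268 which carries a git.kernel.org NOTE with the upstream release; once the mainline fix commit is identified, a NOTE in that form lets the bullseye/buster "Vulnerable code not present" claims be re-checked against it.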



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a35ccdde81f6ce74aabd450d32ac5cdb3aa690eb



[Git][security-tracker-team/security-tracker][master] Reclaim qt4-x11

2023-07-05 Thread Scarlett Gately Moore (@sgmoore)


Scarlett Gately Moore pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70dc0fcd by Scarlett Moore at 2023-07-05T04:57:05-07:00
Reclaim qt4-x11

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -184,7 +184,7 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-qt4-x11
+qt4-x11 (sgmoore)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230615: VCS: https://salsa.debian.org/qt-kde-team/qt/qt4-x11
 --
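Review bot: the claim only adds "(sgmoore)" to the header line, while every other entry in dla-needed.txt shown in this digest records a dated NOTE in YYYYMMDD: form (e.g. "NOTE: 20230612: Added by Front-Desk (apo)"); since the commit title says this is a reclaim, a dated NOTE recording the reclaim would keep the entry's history readable for the next front-desk pass.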



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70dc0fcdd552b8e0cc720765c52f789331b14659



[Git][security-tracker-team/security-tracker][master] NFUs

2023-07-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e651ad6 by Moritz Muehlenhoff at 2023-07-05T11:29:25+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-35786 (Zoho ManageEngine ADManager Plus before 7183 allows admin 
users to exp ...)
-   TODO: check
+   NOT-FOR-US: Zoho
 CVE-2023-34150 (** UNSUPPORTED WHEN ASSIGNED **Use of TikaEncodingDetector in 
Apache A ...)
-   TODO: check
+   NOT-FOR-US: Apache Any23
 CVE-2023-3255 [VNC: infinite loop in inflate_buffer() leads to denial of 
service]
- qemu 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2218486
@@ -76,7 +76,7 @@ CVE-2023-3503 (A vulnerability has been found in 
SourceCodester Shopping Website
 CVE-2023-3502 (A vulnerability, which was classified as critical, was found in 
Source ...)
NOT-FOR-US: SourceCodester Shopping Website
 CVE-2023-31999 (All versions of @fastify/oauth2 used a statically generated 
state para ...)
-   TODO: check
+   NOT-FOR-US: @fastify/oauth2
 CVE-2023-3460 (The Ultimate Member WordPress plugin before 2.6.7 does not 
prevent vis ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-3139 (The Protect WP Admin WordPress plugin before 4.0 discloses the 
URL of  ...)
@@ -11223,7 +11223,7 @@ CVE-2023-29461 (An arbitrary code execution 
vulnerability contained in Rockwell
 CVE-2023-29460 (An arbitrary code execution vulnerability contained in 
Rockwell Automa ...)
NOT-FOR-US: Rockwell Automation
 CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android 
exposes the  ...)
-   TODO: check
+   NOT-FOR-US: laola.redbull
 CVE-2023-29458
RESERVED
 CVE-2023-29457
@@ -13618,7 +13618,6 @@ CVE-2023-25180
NOTE: Be careful. Original fix introduces new bugs.
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
-   TODO: isolate required commits from merge commit
 CVE-2023-24593
RESERVED
- glib2.0 2.74.4-1
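Review bot: dropping "TODO: isolate required commits from merge commit" from CVE-2023-25180 leaves the entry with the warning "Be careful. Original fix introduces new bugs." but no record of the outcome: were the required commits isolated (and which), or was the TODO found unnecessary? A NOTE stating the resolution, ideally the isolated commit ids, should replace the TODO rather than just removing it, otherwise the next person hits the same question.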
@@ -13630,7 +13629,6 @@ CVE-2023-24593
NOTE: Be careful. Original fix introduces new bugs.
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2840
NOTE: https://gitlab.gnome.org/GNOME/glib/-/issues/2841
-   TODO: isolate required commits from merge commit
 CVE-2023-1613 (A vulnerability has been found in Rebuild up to 3.2.3 and 
classified a ...)
NOT-FOR-US: Rebuild
 CVE-2023-1612 (A vulnerability, which was classified as critical, was found in 
Rebuil ...)
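Review bot: for CVE-2023-24593 the removed "TODO: isolate required commits from merge commit" is not replaced by anything, yet the "Original fix introduces new bugs" warning and both GNOME issue links stay; a NOTE recording which commits out of the merge were required (or that none beyond those already recorded were) would preserve the conclusion that justified closing the TODO.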
@@ -14477,7 +14475,7 @@ CVE-2023-28544
 CVE-2023-28543
RESERVED
 CVE-2023-28542 (Memory Corruption in WLAN HOST while fetching TX status 
information.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-28541 (Memory Corruption in Data Modem while processing DMA buffer 
release ev ...)
NOT-FOR-US: Qualcomm
 CVE-2023-28540
@@ -15121,9 +15119,9 @@ CVE-2023-28368 (TP-Link L2 switch T2600G-28SQ firmware 
versions prior to 'T2600G
 CVE-2023-28366
RESERVED
 CVE-2023-28365 (A backup file vulnerability found in UniFi applications 
(Version 7.3.8 ...)
-   TODO: check
+   NOT-FOR-US: UniFi
 CVE-2023-28364 (An Open Redirect vulnerability exists prior to version 
1.52.117, where ...)
-   TODO: check
+   - brave-browser  (bug #864795)
 CVE-2023-28363
RESERVED
 CVE-2023-28362
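Review bot: for CVE-2023-28364 the brave-browser line references bug #864795, a far lower bug number than the 2023-era bugs cited elsewhere in this digest (e.g. #1040050 for bouncycastle), which is the pattern of an ITP/RFP bug for software not in the archive; make sure the line carries the tracker's ITP status marker rather than reading as an unfixed package, otherwise the entry shows up as an open vulnerability in a package Debian does not ship. The truncated description ("prior to version 1.52.117") does not name the product, so a NOTE naming Brave as the affected software would help future readers.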
@@ -15699,7 +15697,7 @@ CVE-2023-28204 (An out-of-bounds read was addressed 
with improved input validati
 CVE-2023-28203
RESERVED
 CVE-2023-28202 (This issue was addressed with improved state management. This 
issue is ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-28201 (This issue was addressed with improved state management. This 
issue is ...)
NOT-FOR-US: Apple
 CVE-2023-28200 (A validation issue was addressed with improved input 
sanitization. Thi ...)
@@ -15721,7 +15719,7 @@ CVE-2023-28193
 CVE-2023-28192 (A permissions issue was addressed with improved validation. 
This issue ...)
NOT-FOR-US: Apple
 CVE-2023-28191 (This issue was addressed with improved redaction of sensitive 
informat ...)
-   TODO: check
+   NOT-FOR-US: Apple
 CVE-2023-28190 (A privacy issue was addressed by moving sensitive data to a 
more secur ...)
NOT-FOR-US: Apple
 CVE-2023-28189 (The issue was addressed with improved checks. This issue is 
fixed in m ...)
@@ -16259,7 +16257,7 @@ CVE-2023-28031 (Dell BIOS contains an improper input 
validation vulnerability. A
 CVE-2023-28030 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
NOT-FOR-US: Dell
 CVE-2023-28029 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2023-28028 (Dell BIOS contains an improper input validation vulnerability. 
A local ...)
NOT-FOR-US: Dell
 

[Git][security-tracker-team/security-tracker][master] Remove notes from now REJECTED CVE

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e77e12b9 by Salvatore Bonaccorso at 2023-07-05T10:41:33+02:00
Remove notes from now REJECTED CVE

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -131,7 +131,6 @@ CVE-2023-36291 (Cross Site Scripting vulnerability in 
Maxsite CMS v.108.7 allows
NOT-FOR-US: Maxsite CMS
 CVE-2023-36262
REJECTED
-   NOTE: Bogus report against OBS Studio (src:obs-studio)
 CVE-2023-36258 (An issue in langchain v.0.0.199 allows an attacker to execute 
arbitrar ...)
NOT-FOR-US: Langchain
 CVE-2023-36223 (Cross Site Scripting vulnerability in mlogclub bbs-go v. 
3.5.5. and be ...)
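Review bot: with the "Bogus report against OBS Studio (src:obs-studio)" note removed, the REJECTED entry for CVE-2023-36262 no longer records why the id was rejected or which Debian source it was once attributed to; keeping a one-line NOTE (e.g. "NOTE: Rejected, bogus report against src:obs-studio") costs nothing and saves the next triager from re-investigating when the id resurfaces in a scanner report.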



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e77e12b956d45d7da80c4c03e639b2174f7c4338



[Git][security-tracker-team/security-tracker][master] automatic update

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be892357 by security tracker role at 2023-07-05T08:11:59+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-35786 (Zoho ManageEngine ADManager Plus before 7183 allows admin 
users to exp ...)
+   TODO: check
+CVE-2023-34150 (** UNSUPPORTED WHEN ASSIGNED **Use of TikaEncodingDetector in 
Apache A ...)
+   TODO: check
 CVE-2023-3255 [VNC: infinite loop in inflate_buffer() leads to denial of 
service]
- qemu 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2218486
@@ -125,7 +129,8 @@ CVE-2023-36377 (Buffer Overflow vulnerability in mtrojnar 
osslsigncode v.2.3 and
NOTE: https://github.com/mtrojnar/osslsigncode/releases/tag/2.3
 CVE-2023-36291 (Cross Site Scripting vulnerability in Maxsite CMS v.108.7 
allows a rem ...)
NOT-FOR-US: Maxsite CMS
-CVE-2023-36262 (An issue in OBS Studio OBS-Studio v.29.1.2 allows a local 
attack to ob ...)
+CVE-2023-36262
+   REJECTED
NOTE: Bogus report against OBS Studio (src:obs-studio)
 CVE-2023-36258 (An issue in langchain v.0.0.199 allows an attacker to execute 
arbitrar ...)
NOT-FOR-US: Langchain
@@ -4706,7 +4711,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race 
condition and resultant
[bullseye] - linux 5.10.178-1
[buster] - linux 4.19.282-1
NOTE: 
https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4)
-CVE-2023-33201 [potential blind LDAP injection attack using a self-signed 
certificate]
+CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP 
injection vu ...)
- bouncycastle  (bug #1040050)
NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
 CVE-2023-31729 (TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command 
Injection.)
@@ -55583,8 +55588,8 @@ CVE-2022-42177
RESERVED
 CVE-2022-42176 (In PCTechSoft PCSecure V5.0.8.xw, use of Hard-coded 
Credentials in con ...)
NOT-FOR-US: PCTechSoft PCSecure
-CVE-2022-42175
-   RESERVED
+CVE-2022-42175 (Insecure Direct Object Reference vulnerability in WHMCS module 
SolusVM ...)
+   TODO: check
 CVE-2022-42174
RESERVED
 CVE-2022-42173



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be892357d99450486525b30c6a2dc2bd3c6198e8



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-24535

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8f8ae5b by Salvatore Bonaccorso at 2023-07-05T08:36:56+02:00
Add CVE-2023-24535

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26551,7 +26551,14 @@ CVE-2023-24536 (Multipart form parsing can consume 
large amounts of CPU and memo
NOTE: 
https://github.com/golang/go/commit/bf8c7c575c8a552d9d79deb29e80854dc88528d0 
(go1.20.3)
NOTE: 
https://github.com/golang/go/commit/7917b5f31204528ea72e0629f0b7d52b35b27538 
(go1.19.8)
 CVE-2023-24535 (Parsing invalid messages can panic. Parsing a text-format 
message whic ...)
-   TODO: check
+   - python3.12  (unimportant)
+   - python3.11  (unimportant)
+   - python3.10  (unimportant)
+   - python3.9  (unimportant)
+   - python3.7  (unimportant)
+   - python2.7  (unimportant)
+   NOTE: https://github.com/python/cpython/issues/103800
+   NOTE: Disupted upstream and not considered a security issue, negligible 
security impact
 CVE-2023-24534 (HTTP and MIME header parsing can allocate large amounts of 
memory, eve ...)
- golang-1.20 1.20.3-1
[experimental] - golang-1.19 1.19.8-1
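Review bot: the package list does not match the description: CVE-2023-24535 is described as "Parsing invalid messages can panic. Parsing a text-format message ...", sits between CVE-2023-24536 and CVE-2023-24534 which are both golang entries fixed in go1.20.3, yet the entry is filled with python3.12 down to python2.7 plus a cpython issue link (python/cpython#103800). Please double-check the CVE id against the cpython issue before this lands, since marking the wrong CVE "unimportant" would hide a Go parser panic from the Go package maintainers. Also "Disupted" in the last NOTE should read "Disputed".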



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8f8ae5b368ca382a20e75bbb93a02c1dde3eb1a



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3255/qemu

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0713a625 by Salvatore Bonaccorso at 2023-07-05T08:28:54+02:00
Add CVE-2023-3255/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-3255 [VNC: infinite loop in inflate_buffer() leads to denial of 
service]
+   - qemu 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2218486
+   NOTE: Proposed patch: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg00596.html
 CVE-2023-37212
- firefox 115.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37212
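Review bot: the only fix reference for CVE-2023-3255 is a "Proposed patch" mailing-list post, so the qemu line is necessarily unfixed; add a follow-up so that once the patch is merged the NOTE is replaced by the upstream commit with its release tag (matching the "(6.4-rc1)" style used on the kernel entries) and the unfixed state is not forgotten. The bracketed summary says the infinite loop in inflate_buffer() is a denial of service; a NOTE on whether an unauthenticated VNC client can trigger it would help the severity assessment.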



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0713a6254747d40767d6befd4b764df121c55a3e



[Git][security-tracker-team/security-tracker][master] Add CVE-2020-23064/jquery

2023-07-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
786f4406 by Salvatore Bonaccorso at 2023-07-05T08:14:58+02:00
Add CVE-2020-23064/jquery

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -209777,7 +209777,9 @@ CVE-2020-23066 (Cross Site Scripting vulnerability in 
TinyMCE v.4.9.6 and before
 CVE-2020-23065 (Cross Site Scripting vulnerabiltiy in eZ Systems AS eZPublish 
Platform ...)
TODO: check
 CVE-2020-23064 (Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x 
before  ...)
-   TODO: check
+   - jquery 
+   NOTE: https://snyk.io/vuln/SNYK-JS-JQUERY-565129
+   NOTE: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
 CVE-2020-23063
RESERVED
 CVE-2020-23062
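Review bot: the description ("jQuery 2.2.0 through 3.x before ...") together with the two references (the Snyk advisory and the jQuery 3.5.0 release post) point at the XSS fixed in jQuery 3.5.0, which was assigned CVE ids back in 2020; check whether CVE-2020-23064 duplicates one of the entries already tracked for that fix and, if so, cross-reference it and copy their fixed versions instead of leaving jquery as plain unfixed, otherwise the package shows as newly vulnerable for a three-year-old fix.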



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/786f4406ed9884f8aaa8d92a69d0da1edeb74783
