[Git][security-tracker-team/security-tracker][master] Reserve DLA-3635-1 for node-browserify-sign

2023-10-28 Thread Yadd (@yadd)


Yadd pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a14aab60 by Yadd at 2023-10-29T07:40:43+04:00
Reserve DLA-3635-1 for node-browserify-sign

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[29 Oct 2023] DLA-3635-1 node-browserify-sign - security update
+   {CVE-2023-46234}
+   [buster] - node-browserify-sign 4.0.4-2+deb10u1
 [28 Oct 2023] DLA-3634-1 nss - security update
{CVE-2020-25648 CVE-2023-4421}
[buster] - nss 2:3.42.1-1+deb10u7
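Review bot: the commit message says "Reserve", yet the new line already carries the buster fixed version 4.0.4-2+deb10u1; make sure that exact version string is what gets accepted into buster-security, because the tracker uses this line to mark CVE-2023-46234 fixed in buster, and a mismatch leaves the CVE showing as open or as fixed in a version that was never uploaded.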



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a14aab601e01dd5295eccf72932b4ece43c09235



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] dla: take galera-3

2023-10-28 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aba90ec9 by Adrian Bunk at 2023-10-29T02:08:04+03:00
dla: take galera-3

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,7 +74,7 @@ freerdp2 (tobi)
   NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
   NOTE: 20231023: Will continue working on package next weekend. (tobi)
 --
-galera-3
+galera-3 (Adrian Bunk)
   NOTE: 20231028: Added by Front-Desk (gladk)
   NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. 
Please, try to find a corresponding commit and try to backport it. Otherwise - 
no-dsa. (gladk)
 --
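Review bot: taking the package changes only the header line; the freerdp2 entry above shows the convention of dated NOTE lines, so add a "NOTE: 20231028:" line saying whether the commit behind the 26.4.12 reference has been located yet, so Front-Desk can see the state of the item without consulting git log.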



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba90ec9492efe3af8b6440dee41a56bf10a9928



[Git][security-tracker-team/security-tracker][master] automatic update

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
32522bfe by security tracker role at 2023-10-28T20:11:40+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2023-5835 (A vulnerability classified as problematic was found in hu60t 
hu60wap6. ...)
+   TODO: check
+CVE-2023-5426 (The Post Meta Data Manager plugin for WordPress is vulnerable 
to unaut ...)
+   TODO: check
+CVE-2023-5425 (The Post Meta Data Manager plugin for WordPress is vulnerable 
to unaut ...)
+   TODO: check
 CVE-2023-46129 [nkeys: xkeys Seal encryption used fixed key for all encryption]
- golang-github-nats-io-nkeys 
[bookworm] - golang-github-nats-io-nkeys  (Vulnerable 
code not present)
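Review bot: all three new entries are left at "TODO: check"; CVE-2023-5426 and CVE-2023-5425 describe a WordPress plugin, which elsewhere on this page is triaged as "NOT-FOR-US: WordPress plugin" (see CVE-2023-46200 further down), so those two can most likely be closed the same way on the next pass, leaving only the hu60wap6 entry to check against the archive.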
@@ -3148,6 +3154,7 @@ CVE-2023-5218 (Use after free in Site Isolation in Google 
Chrome prior to 118.0.
- chromium 118.0.5993.70-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4421
+   {DLA-3634-1}
- nss 2:3.61-1
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1651411
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2238677
@@ -5417,7 +5424,7 @@ CVE-2023-42114 [Exim NTLM Challenge Out-Of-Bounds Read 
Information Disclosure Vu
NOTE: https://www.openwall.com/lists/oss-security/2023/10/01/4
NOTE: https://exim.org/static/doc/security/CVE-2023-zdi.txt
 CVE-2023-40476 [Integer overflow in H.265 video parser leading to stack 
overwrite]
-   {DSA-5533-1}
+   {DSA-5533-1 DLA-3633-1}
- gst-plugins-bad1.0  (bug #1053259)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0008.html
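Review bot: DLA-3633-1 is attached here to CVE-2023-40476 and in the next two hunks to CVE-2023-40475 and CVE-2023-40474, but no data/DLA/list entry for DLA-3633-1 appears on this page (only DLA-3634-1 and DLA-3635-1 do); confirm that the DLA-3633-1 line in data/DLA/list names all three CVEs, otherwise the cross-reference is one-sided and one of the gst-plugins-bad1.0 issues will not show the DLA on its tracker page.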
@@ -5425,7 +5432,7 @@ CVE-2023-40476 [Integer overflow in H.265 video parser 
leading to stack overwrit
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/ff91a3d8d6f7e2412c44663bf30fad5c7fdbc9d9
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/fddda166222a067d0e511950a0a8cfb9f5a521b7
 (1.22.6)
 CVE-2023-40475 [Integer overflow leading to heap overwrite in MXF file 
handling with AES3 audio]
-   {DSA-5533-1}
+   {DSA-5533-1 DLA-3633-1}
- gst-plugins-bad1.0  (bug #1053260)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0007.html
@@ -5433,7 +5440,7 @@ CVE-2023-40475 [Integer overflow leading to heap 
overwrite in MXF file handling
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/72742dee30cce7bf909639f82de119871566ce39
NOTE: Fixed by: 
https://gitlab.freedesktop.org/gstreamer/gstreamer/-/commit/1edd1c38dcc5d27e7c5649d999ee8278872a16d4
 (1.22.6)
 CVE-2023-40474 [Integer overflow leading to heap overwrite in MXF file 
handling with uncompressed video]
-   {DSA-5533-1}
+   {DSA-5533-1 DLA-3633-1}
- gst-plugins-bad1.0  (bug #1053261)
- gst-plugins-bad0.10 
NOTE: https://gstreamer.freedesktop.org/security/sa-2023-0006.html
@@ -222446,6 +222453,7 @@ CVE-2020-25649 (A flaw was found in FasterXML Jackson 
Databind, where it did not
NOTE: https://github.com/FasterXML/jackson-databind/issues/2589
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
 (jackson-databind-2.11.0.rc1)
 CVE-2020-25648 (A flaw was found in the way NSS handled CCS (ChangeCipherSpec) 
message ...)
+   {DLA-3634-1}
- nss 2:3.58-1
[stretch] - nss  (Minor issue)
NOTE: 
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32522bfedd44175ac10b7acedf37d38161296c5f



[Git][security-tracker-team/security-tracker][master] Track fixed version for zookeeper via unstable

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
76b4fd98 by Salvatore Bonaccorso at 2023-10-28T21:15:39+02:00
Track fixed version for zookeeper via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3059,7 +3059,7 @@ CVE-2023-24479 (An authentication bypass vulnerability 
exists in the httpd nvram
NOT-FOR-US: Yifan
 CVE-2023-44981 (Authorization Bypass Through User-Controlled Key vulnerability 
in Apac ...)
{DLA-3624-1}
-   - zookeeper  (bug #1054224)
+   - zookeeper 3.9.1-1 (bug #1054224)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/11/4
NOTE: 
https://github.com/apache/zookeeper/commit/e2070bed85d8b0c98a5a0045bf92421f473c412e
 (master)
NOTE: 
https://github.com/apache/zookeeper/commit/96b3172ca249a8580e9a315d589d319286cee4ee
 (release-3.8.3)
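Review bot: the fix commits referenced are on master and on release-3.8.3, while the version recorded as fixed is 3.9.1-1; that is only right if the master commit e2070bed... was tagged into 3.9.1, which the master reference by itself does not establish. Add a NOTE pointing at the 3.9.x commit or the 3.9.1 release notes so the fixed version can be verified without re-deriving it.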



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76b4fd98ae3b802ccd128b89d5674348243b8a7d



[Git][security-tracker-team/security-tracker][master] LTS: add galera-3

2023-10-28 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e801f1a0 by Anton Gladky at 2023-10-28T21:06:08+02:00
LTS: add galera-3

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -74,6 +74,10 @@ freerdp2 (tobi)
   NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
   NOTE: 20231023: Will continue working on package next weekend. (tobi)
 --
+galera-3
+  NOTE: 20231028: Added by Front-Desk (gladk)
+  NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. 
Please, try to find a corresponding commit and try to backport it. Otherwise - 
no-dsa. (gladk)
+--
 h2o (gladk)
   NOTE: 20231013: Added by Front-Desk (ta)
 --
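Review bot: the NOTE sends the backporter to 26.4.12, but 26.4.x is the Galera 4 version line (the galera-4 source package); galera-3 ships the 25.3.x series, so the fix has to be located in the galera-3 branch or in whichever 25.3.x release, if any, carries the equivalent commit. If upstream only fixed it in 26.4.x, the "Otherwise - no-dsa" fallback in the NOTE is the likely outcome, and the entry should record that once checked.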



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e801f1a04ddb617cd411eaf499ba786e5261373f



[Git][security-tracker-team/security-tracker][master] LTS: add python-urllib3 and assign to spwhitton

2023-10-28 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3cb7d3aa by Anton Gladky at 2023-10-28T20:57:51+02:00
LTS: add python-urllib3 and assign to spwhitton

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -169,6 +169,9 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
+python-urllib3 (spwhitton)
+  NOTE: 20231028: Added by Front-Desk (gladk)
+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)
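Review bot: the new python-urllib3 entry names the assignee but not the issues to be fixed; the python-os-brick entry just above shows the convention ("NB. CVE-2023-2088 filed against ..."), so add a NOTE listing the CVE IDs targeted for buster, so the claim and the eventual DLA can be cross-checked against the CVE list.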



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cb7d3aa1a20579cf4b92eb1590ecad18d328cae



[Git][security-tracker-team/security-tracker][master] Add oss-security reference for CVE-2023-5178

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e247e8f by Salvatore Bonaccorso at 2023-10-28T17:53:15+02:00
Add oss-security reference for CVE-2023-5178

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1241,6 +1241,7 @@ CVE-2023-5178
- linux 6.5.8-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241924
NOTE: 
https://git.kernel.org/linus/d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd
+   NOTE: https://www.openwall.com/lists/oss-security/2023/10/15/1
 CVE-2023-5625
- python-eventlet  (Red Hat-specific regression)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2244717



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e247e8f84ef2e67a3679e6558237af17e625537



[Git][security-tracker-team/security-tracker][master] Add two nats-server issues (one covering as well in nkeys)

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
754a8d46 by Salvatore Bonaccorso at 2023-10-28T17:50:15+02:00
Add two nats-server issues (one covering as well in nkeys)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,16 @@
+CVE-2023-46129 [nkeys: xkeys Seal encryption used fixed key for all encryption]
+   - golang-github-nats-io-nkeys 
+   [bookworm] - golang-github-nats-io-nkeys  (Vulnerable 
code not present)
+   [bullseye] - golang-github-nats-io-nkeys  (Vulnerable 
code not present)
+   [buster] - golang-github-nats-io-nkeys  (Vulnerable code 
not present)
+   - nats-server 
+   [bookworm] - nats-server  (Vulnerable code not present)
+   NOTE: https://advisories.nats.io/CVE/secnote-2023-02.txt
+   NOTE: 
https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9
+CVE-2023- [Adding accounts for just the system account adds auth bypass]
+   - nats-server 2.10.3-1
+   NOTE: https://advisories.nats.io/CVE/secnote-2023-01.txt
+   NOTE: 
https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23
 CVE-2023-5056
NOT-FOR-US: Skupper
 CVE-2023-5834 (HashiCorp Vagrant's Windows installer targeted a custom 
location with  ...)
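Review bot: the second entry's "CVE-2023-" has no numeric suffix and reads as an unassigned-ID placeholder; that is fine for now, but until the real ID is filled in the only thing identifying the issue is GHSA-fr2g-9hjm-wr23, so keep that NOTE as the anchor. For CVE-2023-46129, the nats-server block states only a bookworm status, whereas the nkeys block covers bookworm, bullseye and buster; add the missing bullseye/buster lines for nats-server (or a note that the package is absent there) so those releases are not shown as affected by default.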



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/754a8d46df0cfbe3c5c7dc43623a3b5d6ee13744



[Git][security-tracker-team/security-tracker][master] Add note for fastdds, updates prepared by maintainer

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
992fa3db by Salvatore Bonaccorso at 2023-10-28T17:23:29+02:00
Add note for fastdds, updates prepared by maintainer

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -20,6 +20,7 @@ cacti
 cinder/oldstable
 --
 fastdds
+  Awaiting feedback from maintainer on bullseye status
 --
 gpac/oldstable (jmm)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/992fa3db223a431456fb3d8be25065f89d13c357



[Git][security-tracker-team/security-tracker][master] bugnums

2023-10-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8b75ecc by Moritz Muehlenhoff at 2023-10-28T17:00:03+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1314,91 +1314,91 @@ CVE-2023-46054 (Cross Site Scripting (XSS) 
vulnerability in WBCE CMS v.1.6.1 and
 CVE-2023-46003 (I-doit pro 25 and below is vulnerable to Cross Site Scripting 
(XSS) vi ...)
NOT-FOR-US: I-doit pro
 CVE-2023-45682 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 15)
NOTE: https://github.com/nothings/stb/pull/1560
 CVE-2023-45681 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 14)
NOTE: https://github.com/nothings/stb/pull/1559
 CVE-2023-45680 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 13)
NOTE: https://github.com/nothings/stb/pull/1558
 CVE-2023-45679 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 12)
NOTE: https://github.com/nothings/stb/pull/1557
 CVE-2023-45678 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 11)
NOTE: https://github.com/nothings/stb/pull/1556
 CVE-2023-45677 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 10)
NOTE: https://github.com/nothings/stb/pull/1555
 CVE-2023-45676 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 9)
NOTE: https://github.com/nothings/stb/pull/1554
 CVE-2023-45675 (stb_vorbis is a single file MIT licensed library for 
processing ogg vo ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 8)
NOTE: https://github.com/nothings/stb/issues/1552
NOTE: https://github.com/nothings/stb/pull/1553
 CVE-2023-45667 (stb_image is a single file MIT licensed library for processing 
images. ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 7)
NOTE: https://github.com/nothings/stb/issues/1550
NOTE: https://github.com/nothings/stb/pull/1551
 CVE-2023-45666 (stb_image is a single file MIT licensed library for processing 
images. ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
https://securitylab.github.com/advisories/GHSL-2023-145_GHSL-2023-151_stb_image_h/
 (issue 6)
NOTE: https://github.com/nothings/stb/issues/1548
NOTE: https://github.com/nothings/stb/pull/1549
 CVE-2023-45664 (stb_image is a single file MIT licensed library for processing 
images. ...)
-   - libstb 
+   - libstb  (bug #1054911)
[bookworm] - libstb  (Minor issue)
[bullseye] - libstb  (Minor issue)
NOTE: 
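Review bot: all of the libstb CVEs are mapped to the single bug #1054911 although they span two components, stb_vorbis (CVE-2023-45675 through CVE-2023-45682) and stb_image (CVE-2023-45664, CVE-2023-45666, CVE-2023-45667), each with its own upstream pull request; a maintainer who fixes one header and closes the bug will silently mark the other set as fixed in the tracker. Make sure the bug report itself enumerates every CVE with its PR so that a close can be checked against all of them.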

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-46137/twisted

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
480a223d by Salvatore Bonaccorso at 2023-10-28T16:52:46+02:00
Add Debian bug reference for CVE-2023-46137/twisted

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -396,7 +396,7 @@ CVE-2023-46233 (crypto-js is a JavaScript library of crypto 
standards. Prior to
 CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, 
a layer ...)
NOT-FOR-US: era-compiler-vyper
 CVE-2023-46137 (Twisted is an event-based framework for internet applications. 
Prior t ...)
-   - twisted 
+   - twisted  (bug #1054913)
NOTE: 
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm
 CVE-2023-46134 (D-Tale is the combination of a Flask back-end and a React 
front-end to ...)
NOT-FOR-US: D-Tale



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/480a223db1419b38f101252c47aafd28a1de7ad5



[Git][security-tracker-team/security-tracker][master] bugnums

2023-10-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
763c8647 by Moritz Muehlenhoff at 2023-10-28T16:46:20+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,11 +7,11 @@ CVE-2023-5830 (A vulnerability classified as critical has 
been found in Columbia
 CVE-2023-46587 (Buffer Overflow vulnerability in XnView Classic v.2.51.5 
allows a loca ...)
NOT-FOR-US: XnView
 CVE-2023-46570 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
-   - radare2 
+   - radare2  (bug #1054908)
NOTE: https://github.com/radareorg/radare2/issues/22333
NOTE: Fixed by: 
https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8
 CVE-2023-46569 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
-   - radare2 
+   - radare2  (bug #1054908)
NOTE: https://github.com/radareorg/radare2/issues/22334
NOTE: Fixed by: 
https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2
 CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R 
v.4.1cu.4154 ...)
@@ -119,7 +119,7 @@ CVE-2023-46852 (In Memcached before 1.6.22, a buffer 
overflow exists when proces
[bullseye] - memcached  (Minor issue)
NOTE: 
https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767
 (1.6.22)
 CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The 
vulnerabili ...)
-   - activemq 
+   - activemq  (bug #1054909)
NOTE: 
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
NOTE: http://www.openwall.com/lists/oss-security/2023/10/27/5
 CVE-2023-46407 (FFmpeg prior to commit bf814 was discovered to contain an out 
of bound ...)
@@ -2111,7 +2111,7 @@ CVE-2023-4215 (Advantech WebAccess version 9.1.3 contains 
an exposure of sensiti
 CVE-2023-4089 (On affected Wago products an remote attacker with 
administrative privi ...)
NOT-FOR-US: Wago
 CVE-2023-45807 (OpenSearch is a community-driven, open source fork of 
Elasticsearch an ...)
-   - opensearch 
+   - opensearch  (bug #1054912)
NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv
 CVE-2023-45659 (Engelsystem is a shift planning system for chaos events.  If a 
users'  ...)
NOT-FOR-US: Engelsystem
@@ -23962,7 +23962,7 @@ CVE-2023-31143 (mage-ai is an open-source data pipeline 
tool for transforming an
 CVE-2023-31142 (Discourse is an open source discussion platform. Prior to 
version 3.0. ...)
NOT-FOR-US: Discourse
 CVE-2023-31141 (OpenSearch is open-source software suite for search, 
analytics, and ob ...)
-   - opensearch 
+   - opensearch  (bug #1054912)
NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h
 CVE-2023-31140 (OpenProject is open source project management software. 
Starting with  ...)
NOT-FOR-US: OpenProject
@@ -47056,10 +47056,10 @@ CVE-2023-23615 (Discourse is an open source 
discussion platform. The embeddable
 CVE-2023-23614 (Pi-hole\xae's Web interface (based off of AdminLTE) provides a 
central ...)
NOT-FOR-US: Pi-Hole
 CVE-2023-23613 (OpenSearch is an open source distributed and RESTful search 
engine. In ...)
-   - opensearch 
+   - opensearch  (bug #1054912)
NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6
 CVE-2023-23612 (OpenSearch is an open source distributed and RESTful search 
engine. Op ...)
-   - opensearch 
+   - opensearch  (bug #1054912)
NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj
 CVE-2023-23611 (LTI Consumer XBlock implements the consumer side of the LTI 
specificat ...)
NOT-FOR-US: LTI



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/763c86473fae0c1f3d3457ca66d9195a496ead8e



[Git][security-tracker-team/security-tracker][master] opensearch references

2023-10-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b82f7b81 by Moritz Mühlenhoff at 2023-10-28T16:43:07+02:00
opensearch references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2112,7 +2112,7 @@ CVE-2023-4089 (On affected Wago products an remote 
attacker with administrative
NOT-FOR-US: Wago
 CVE-2023-45807 (OpenSearch is a community-driven, open source fork of 
Elasticsearch an ...)
- opensearch 
-   TODO: Check whether packaged bits are affected
+   NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-72q2-gwwf-6hrv
 CVE-2023-45659 (Engelsystem is a shift planning system for chaos events.  If a 
users'  ...)
NOT-FOR-US: Engelsystem
 CVE-2023-45542 (Cross Site Scripting vulnerability in mooSocial 3.1.8 allows a 
remote  ...)
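Review bot: replacing "TODO: Check whether packaged bits are affected" with the advisory link removes the open question without answering it; all of these advisories come from the opensearch-project/security repository (the security plugin), so whether Debian's opensearch package builds and ships that plugin is exactly what decides if the package is affected. Keep the TODO next to the NOTE, or resolve it with an explicit status, here and in the two following hunks for CVE-2023-31141, CVE-2023-23613 and CVE-2023-23612.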
@@ -23963,7 +23963,7 @@ CVE-2023-31142 (Discourse is an open source discussion 
platform. Prior to versio
NOT-FOR-US: Discourse
 CVE-2023-31141 (OpenSearch is open-source software suite for search, 
analytics, and ob ...)
- opensearch 
-   TODO: Check whether packaged bits are affected
+   NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-g8xc-6mf7-h28h
 CVE-2023-31140 (OpenProject is open source project management software. 
Starting with  ...)
NOT-FOR-US: OpenProject
 CVE-2023-31139 (DHIS2 Core contains the service layer and Web API for DHIS2, 
an inform ...)
@@ -47057,10 +47057,10 @@ CVE-2023-23614 (Pi-hole\xae's Web interface (based 
off of AdminLTE) provides a c
NOT-FOR-US: Pi-Hole
 CVE-2023-23613 (OpenSearch is an open source distributed and RESTful search 
engine. In ...)
- opensearch 
-   TODO: Check whether packaged bits are affected
+   NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-v3cg-7r9h-r2g6
 CVE-2023-23612 (OpenSearch is an open source distributed and RESTful search 
engine. Op ...)
- opensearch 
-   TODO: Check whether packaged bits are affected
+   NOTE: 
https://github.com/opensearch-project/security/security/advisories/GHSA-864v-6qj7-62qj
 CVE-2023-23611 (LTI Consumer XBlock implements the consumer side of the LTI 
specificat ...)
NOT-FOR-US: LTI
 CVE-2023-23610 (GLPI is a Free Asset and IT Management Software package. 
Versions prio ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b82f7b817412975baf57ff10b88be7f726d8b45f



[Git][security-tracker-team/security-tracker][master] Add two additional references for CVE-2023-34059/open-vm-tools

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
24affaac by Salvatore Bonaccorso at 2023-10-28T16:22:39+02:00
Add two additional references for CVE-2023-34059/open-vm-tools

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -224,6 +224,8 @@ CVE-2023-38328 (An issue was discovered in eGroupWare 
17.1.20190111. An Improper
- egroupware 
 CVE-2023-34059 (open-vm-tools contains a file descriptor hijack vulnerability 
in the v ...)
- open-vm-tools 2:12.3.5-1 (bug #1054666)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/10/27/2
+   NOTE: 
https://github.com/vmware/open-vm-tools/blob/CVE-2023-34059.patch/CVE-2023-34059.patch
NOTE: https://www.openwall.com/lists/oss-security/2023/10/27/3
 CVE-2023-34058 (VMware Tools contains a SAML token signature bypass 
vulnerability.A ma ...)
- open-vm-tools 2:12.3.5-1 (bug #1054666)
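Review bot: the second new reference points at a branch (blob/CVE-2023-34059.patch/...), not at a commit; a branch can be rewritten or deleted, so cite the commit hash the branch currently resolves to, or the upstream release that carries the fix, so the NOTE stays verifiable after the branch is gone.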



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24affaace3c93af24c14508c05809be5c69a8db1



[Git][security-tracker-team/security-tracker][master] 3 commits: Add CVE-2023-465{69,70}/radare2

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c4df4fd3 by Salvatore Bonaccorso at 2023-10-28T16:10:26+02:00
Add CVE-2023-465{69,70}/radare2

- - - - -
1c973326 by Salvatore Bonaccorso at 2023-10-28T16:10:28+02:00
Process some NFUs

- - - - -
d1ac19e7 by Salvatore Bonaccorso at 2023-10-28T16:10:31+02:00
Add CVE-2023-46604/activemq

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7,9 +7,13 @@ CVE-2023-5830 (A vulnerability classified as critical has been 
found in Columbia
 CVE-2023-46587 (Buffer Overflow vulnerability in XnView Classic v.2.51.5 
allows a loca ...)
NOT-FOR-US: XnView
 CVE-2023-46570 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
-   TODO: check
+   - radare2 
+   NOTE: https://github.com/radareorg/radare2/issues/22333
+   NOTE: Fixed by: 
https://github.com/radareorg/radare2/commit/3e406459f163eba7672b3421c8a84b2c0e4ac0f8
 CVE-2023-46569 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
-   TODO: check
+   - radare2 
+   NOTE: https://github.com/radareorg/radare2/issues/22334
+   NOTE: Fixed by: 
https://github.com/radareorg/radare2/commit/2e2f2a9b1800d09be09461e7536ac03a301f97f2
 CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R 
v.4.1cu.4154 ...)
NOT-FOR-US: ZIONCOM (Hong Kong) Technology Limited A7000R
 CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows 
an attack ...)
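Review bot: the "Fixed by:" commit for CVE-2023-46570 is recorded without the release annotation that the file normally puts after a fix commit, so it is not visible here whether the fix is in any radare2 release yet; either append the first release containing 3e406459 in the usual "(version)" form or add a note that it is unreleased, otherwise the "- radare2" line stays ambiguous for stable/LTS triage. The same applies to the CVE-2023-46569 entry with commit 2e2f2a9b in this hunk.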
@@ -33,11 +37,11 @@ CVE-2023-46208 (Unauth. Reflected Cross-Site Scripting 
(XSS) vulnerability in St
 CVE-2023-46200 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Step ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-44480 (Leave Management System Project v1.0 is vulnerable to multiple 
Authent ...)
-   TODO: check
+   NOT-FOR-US: Leave Management System Project
 CVE-2023-43322 (ZPE Systems, Inc Nodegrid OS v5.0.0 to v5.0.17, v5.2.0 to 
v5.2.19, v5. ...)
-   TODO: check
+   NOT-FOR-US: ZPE Systems
 CVE-2023-40140 (In android_view_InputDevice_create of 
android_view_InputDevice.cpp, th ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40139 (In FillUi of FillUi.java, there is a possible way to view 
another user ...)
TODO: check
 CVE-2023-40138 (In FillUi of FillUi.java, there is a possible way to view 
another user ...)
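Review bot: CVE-2023-40139 and CVE-2023-40138 keep "TODO: check" although their descriptions ("In FillUi of FillUi.java, there is a possible way to view another user ...") follow the same pattern as the entries this hunk marks "NOT-FOR-US: Android"; if they were left for a closer look that is fine, otherwise mark them the same way so the Android batch is closed consistently.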
@@ -57,27 +61,27 @@ CVE-2023-40131 (In GpuService of GpuService.cpp, there is a 
possible use after f
 CVE-2023-40130 (In onBindingDied of CallRedirectionProcessor.java, there is a 
possible ...)
TODO: check
 CVE-2023-40129 (In build_read_multi_rsp of gatt_sr.cc, there is a possible out 
of boun ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40128 (In several functions of xmlregexp.c, there is a possible out 
of bounds ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40127 (In multiple locations, there is a possible way to access 
screenshots d ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40125 (In onCreate of ApnEditor.java, there is a possible way for a 
Guest use ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40123 (In updateActionViews of PipMenuView.java, there is a possible 
bypass o ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40121 (In appendEscapedSQLString of DatabaseUtils.java, there is a 
possible S ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40120 (In multiple locations, there is a possible way to bypass user 
notifica ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40117 (In resetSettingsLocked of SettingsProvider.java, there is a 
possible l ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-40116 (In onTaskAppeared of PipTaskOrganizer.java, there is a 
possible way to ...)
-   TODO: check
+   NOT-FOR-US: Android
 CVE-2023-35794 (An issue was discovered in Cassia Access Controller 
2.1.1.2303271039.  ...)
-   TODO: check
+   NOT-FOR-US: Cassia Access Controller
 CVE-2023-32738 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Alka ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5829 (A vulnerability was found in code-projects Admission Management 
System ...)
NOT-FOR-US: code-projects Admission Management System
 CVE-2023-5828 (A vulnerability was found in Nanning Ontall Longxing Industrial 
Develo ...)
@@ -115,7 +119,9 @@ CVE-2023-46852 (In Memcached before 1.6.22, a buffer 
overflow exists when proces
[bullseye] - memcached  (Minor issue)
NOTE: 
https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767
 (1.6.22)
 CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The 
vulnerabili ...)
-   TODO: check
+   - activemq 
+   NOTE: 
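Review bot: the hunk ends with a "+   NOTE: " line that carries no reference, so the CVE-2023-46604 entry is left with a bare "- activemq " package line and an empty note; if the URL followed on the next line it did not make it into this digest, otherwise the note needs its reference or should be dropped. Given the description ("Apache ActiveMQ is vulnerable to Remote Code Execution"), the fixed version and per-release triage lines are worth adding promptly.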

[Git][security-tracker-team/security-tracker][master] Reserve DLA-3634-1 for nss

2023-10-28 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
23dd068e by Sean Whitton at 2023-10-28T15:06:31+01:00
Reserve DLA-3634-1 for nss

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -222425,7 +222425,6 @@ CVE-2020-25649 (A flaw was found in FasterXML Jackson 
Databind, where it did not
NOTE: 
https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
 (jackson-databind-2.11.0.rc1)
 CVE-2020-25648 (A flaw was found in the way NSS handled CCS (ChangeCipherSpec) 
message ...)
- nss 2:3.58-1
-   [buster] - nss  (Minor issue)
[stretch] - nss  (Minor issue)
NOTE: 
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.58_release_notes
NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1641480 (private)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Oct 2023] DLA-3634-1 nss - security update
+   {CVE-2020-25648 CVE-2023-4421}
+   [buster] - nss 2:3.42.1-1+deb10u7
 [28 Oct 2023] DLA-3633-1 gst-plugins-bad1.0 - security update
{CVE-2023-40474 CVE-2023-40475 CVE-2023-40476}
[buster] - gst-plugins-bad1.0 1.14.4-1+deb10u4


=
data/dla-needed.txt
=
@@ -129,11 +129,6 @@ nova
   NOTE: 20230302: zigo currently has no time and requests the LTS team to do 
it (IRC #debian-lts 2023-03-02). (Beuc/front-desk)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder. (lamby)
 --
-nss (Sean Whitton)
-  NOTE: 20231015: Added by Front-Desk (ta)
-  NOTE: 20231027: Patches backported.  New tests for CVE-2020-25648 do not 
pass.
-  NOTE: 20231027: Asked upstream dev-tech-crypto ML (spwhitton).
---
 nvidia-cuda-toolkit
   NOTE: 20230514: Added by Front-Desk (utkarsh)
   NOTE: 20230514: package listed in packages-to-support; a bunch of CVEs have
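Review bot: the removed nss entry's last notes record that the new tests for CVE-2020-25648 do not pass and that upstream was asked on dev-tech-crypto, while DLA-3634-1 in the same commit lists CVE-2020-25648 as fixed; nothing in the diff says how that was resolved (tests adjusted, or the failures judged unrelated to the fix). A closing "NOTE: 20231028: ..." in the file's usual form before the entry is dropped, or a sentence in the DLA text, would keep that outcome findable for the next nss update.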



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/23dd068e50af44a19d3ffc6ae5471bdbe3754904



[Git][security-tracker-team/security-tracker][master] LTS: update request-tracker4 notes with patch info

2023-10-28 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
40b8de3b by Roberto C. Sánchez at 2023-10-28T08:55:56-04:00
LTS: update request-tracker4 notes with patch info

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -193,6 +193,7 @@ request-tracker4
   NOTE: 20231024: Please check the commit: 
https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d
   NOTE: 20231024: Please check the commit: 
https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb
   NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but 
will let the LTS handle the paperwork
+  NOTE: 20231028: Andrew has provided the buster patch, it has been posted to 
the team mailing list (Message-ID: )
 --
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
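Review bot: the added note ends with "(Message-ID: )", so the pointer to the posted buster patch is empty; add the Message-ID of the list mail or a link to the archived message, otherwise the note does not let anyone locate the patch it refers to.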



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/40b8de3b1ce6d2f7d728fba1e8aa941840349d68



[Git][security-tracker-team/security-tracker][master] NFU

2023-10-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c84d1db by Moritz Muehlenhoff at 2023-10-28T14:46:42+02:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-5056
+   NOT-FOR-US: Skupper
 CVE-2023-5834 (HashiCorp Vagrant's Windows installer targeted a custom 
location with  ...)
NOT-FOR-US: HashiCorp Vagrant's Windows installer
 CVE-2023-5830 (A vulnerability classified as critical has been found in 
ColumbiaSoft  ...)
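Review bot: CVE-2023-5056 is added without the parenthesised description that every neighbouring entry carries (compare the CVE-2023-5834 line directly below it); if the description was not yet published when the NFU was recorded, the next automatic update should fill it in, otherwise add it so the entry is searchable by product name and not only by the "NOT-FOR-US: Skupper" marker.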



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c84d1db0068aca68eaffd1de4d843dba91d9c7d



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2023-10-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e730a4f0 by Moritz Muehlenhoff at 2023-10-28T14:43:05+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -104,9 +104,13 @@ CVE-2023-4967 (Denial of Service in NetScaler ADC and 
NetScaler Gateway when con
NOT-FOR-US: Citrix
 CVE-2023-46853 (In Memcached before 1.6.22, an off-by-one error exists when 
processing ...)
- memcached 1.6.22-1
+   [bookworm] - memcached  (Minor issue)
+   [bullseye] - memcached  (Minor issue)
NOTE: 
https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa
 (1.6.22)
 CVE-2023-46852 (In Memcached before 1.6.22, a buffer overflow exists when 
processing m ...)
- memcached 1.6.22-1
+   [bookworm] - memcached  (Minor issue)
+   [bullseye] - memcached  (Minor issue)
NOTE: 
https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767
 (1.6.22)
 CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The 
vulnerabili ...)
TODO: check
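Review bot: the four added lines read "[bookworm] - memcached  (Minor issue)" with a double space where the tracker's no-dsa tag normally sits between the package name and the reason; the tag appears to have been dropped in this rendering of the hunk, so confirm the committed lines carry it, since without it the distribution line is not in the format the tracker expects. A short reason beyond "Minor issue" would also help here, because the descriptions in the context ("buffer overflow", "off-by-one error") do not on their own explain why no DSA is needed.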
@@ -5199,6 +5203,8 @@ CVE-2023-5256 (In certain scenarios, Drupal's JSON:API 
module will output error
- drupal7 
 CVE-2023-5215 (A flaw was found in libnbd. A server can reply with a block 
size large ...)
- libnbd 1.16.5-1
+   [bookworm] - libnbd  (Minor issue)
+   [bullseye] - libnbd  (Minor issue)
NOTE: 
https://listman.redhat.com/archives/libguestfs/2023-September/032635.html
NOTE: Fixed by: 
https://gitlab.com/nbdkit/libnbd/-/commit/0f8ee8c6bd6dd93de771e6d4da87ec5a59504aae
 (v1.18.0)
NOTE: Fixed by: 
https://gitlab.com/nbdkit/libnbd/-/commit/f03330181229360a1a97a264aa956fea54c657de
 (v1.16.5)
@@ -13374,6 +13380,8 @@ CVE-2023-4067 (The Bus Ticket Booking with Seat 
Reservation plugin for WordPress
NOT-FOR-US: Bus Ticket Booking with Seat Reservation plugin for 
WordPress
 CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally 
rendere ...)
- golang-golang-x-net 1:0.14.0-1 (bug #1043163)
+   [bookworm] - golang-golang-x-net  (Minor issue)
+   [bullseye] - golang-golang-x-net  (Minor issue)
- golang-golang-x-net-dev 
[buster] - golang-golang-x-net-dev  (Limited support, follow 
bullseye DSAs/point-releases)
NOTE: https://go.dev/cl/514896



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e730a4f0cf1bc421d202ffc2e99341fbd9021c98



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3633-1 for gst-plugins-bad1.0

2023-10-28 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9063422b by Thorsten Alteholz at 2023-10-28T14:05:58+02:00
Reserve DLA-3633-1 for gst-plugins-bad1.0

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Oct 2023] DLA-3633-1 gst-plugins-bad1.0 - security update
+   {CVE-2023-40474 CVE-2023-40475 CVE-2023-40476}
+   [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u4
 [27 Oct 2023] DLA-3632-1 firefox-esr - security update
{CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 
CVE-2023-5732}
[buster] - firefox-esr 115.4.0esr-1~deb10u1


=
data/dla-needed.txt
=
@@ -74,10 +74,6 @@ freerdp2 (tobi)
   NOTE: 20231007: First round done, unfortunatly missed a few CVES while 
updating, will do an follow up.
   NOTE: 20231023: Will continue working on package next weekend. (tobi)
 --
-gst-plugins-bad1.0 (Thorsten Alteholz)
-  NOTE: 20230928: Added by Frond-Desk (ola)
-  NOTE: 20231013: testing package
---
 h2o (gladk)
   NOTE: 20231013: Added by Front-Desk (ta)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9063422bad228a191c06ecf59b664177ad6ce8b9



[Git][security-tracker-team/security-tracker][master] CVE-2023-22067 doesn't apply to openjdk-11, thanks to pochu for the report

2023-10-28 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
928c1f64 by Moritz Muehlenhoff at 2023-10-28T12:06:32+02:00
CVE-2023-22067 doesn't apply to openjdk-11, thanks to pochu for the report

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=
data/CVE/list
=
@@ -54146,8 +54146,6 @@ CVE-2023-22069 (Vulnerability in the Oracle WebLogic 
Server product of Oracle Fu
 CVE-2023-22068 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 
 CVE-2023-22067 (Vulnerability in Oracle Java SE (component: CORBA).  Supported 
version ...)
-   {DSA-5537-1}
-   - openjdk-11 11.0.21+9-1
- openjdk-8 8u392-ga-1
 CVE-2023-22066 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 


=
data/DSA/list
=
@@ -3,7 +3,7 @@
[bullseye] - thunderbird 1:115.4.1-1~deb11u1
[bookworm] - thunderbird 1:115.4.1-1~deb12u1
 [27 Oct 2023] DSA-5537-1 openjdk-11 - security update
-   {CVE-2023-22067 CVE-2023-22081}
+   {CVE-2023-22081}
[bullseye] - openjdk-11 11.0.21+9-1~deb11u1
 [26 Oct 2023] DSA-5536-1 chromium - security update
{CVE-2023-5472}
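Review bot: removing CVE-2023-22067 from the DSA-5537-1 entry rewrites the record of an advisory published on 27 Oct, so the tracker now disagrees with the announcement as sent; consider whether the published DSA needs an erratum or a note stating that the CVE was listed in error (the commit message only records that it does not apply to openjdk-11, and the CVE/list hunk above keeps the openjdk-8 line unchanged).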



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/928c1f646456ed21a67f678444b4ac6b835b7128



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46407/ffmpeg

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4e19bf79 by Salvatore Bonaccorso at 2023-10-28T11:44:42+02:00
Add CVE-2023-46407/ffmpeg

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -111,7 +111,12 @@ CVE-2023-46852 (In Memcached before 1.6.22, a buffer 
overflow exists when proces
 CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote Code Execution.The 
vulnerabili ...)
TODO: check
 CVE-2023-46407 (FFmpeg prior to commit bf814 was discovered to contain an out 
of bound ...)
-   TODO: check
+   - ffmpeg 
+   NOTE: Introduced by: 
https://github.com/FFmpeg/FFmpeg/commit/f7ac3512f5b5cb8eb149f37300b43461d8e93af3
+   NOTE: Fixed by: 
https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962
+   NOTE: 
https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231015004924.597746-1-leo.izen%40gmail.com/
+   NOTE: 
https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231013014959.536776-1-leo.izen%40gmail.com/
+   TODO: check details for released versions
 CVE-2023-46394 (A stored cross-site scripting (XSS) vulnerability in 
/home/user/edit_s ...)
NOT-FOR-US: gougucms
 CVE-2023-46393 (gougucms v4.08.18 was discovered to contain a password reset 
poisoning ...)
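Review bot: the remaining "TODO: check details for released versions" can be resolved from the two commits already noted in the hunk: the first FFmpeg release containing the introducing commit f7ac3512 bounds which packaged versions are affected (earlier suites can be marked not-affected), and the release containing the fix bf814387 is the version to record after the "Fixed by:" URL in the usual "(version)" annotation.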



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e19bf79e6b03cf034b0ff5224b34716c6bb58e7



[Git][security-tracker-team/security-tracker][master] Track fix for CVE-2023-46234/node-browserify-sign via unstable upload

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a16c93f by Salvatore Bonaccorso at 2023-10-28T11:10:38+02:00
Track fix for CVE-2023-46234/node-browserify-sign via unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -292,7 +292,7 @@ CVE-2023-46435 (Sourcecodester Packers and Movers 
Management System v1.0 is vuln
 CVE-2023-46238 (ZITADEL is an identity infrastructure management system. 
ZITADEL users ...)
NOT-FOR-US: ZITADEL
 CVE-2023-46234 (browserify-sign is a package to duplicate the functionality of 
node's  ...)
-   - node-browserify-sign  (bug #1054667)
+   - node-browserify-sign 4.2.2-1 (bug #1054667)
NOTE: 
https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
NOTE: 
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
 (v4.2.2)
 CVE-2023-46094 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
Conversi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a16c93f579eb4c6a40f964664e8aaa1f76e0d52



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46490/cacti

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e58f6950 by Salvatore Bonaccorso at 2023-10-28T10:32:04+02:00
Add CVE-2023-46490/cacti

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,9 @@ CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology 
Limited A7000R v.4.1c
 CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows 
an attack ...)
NOT-FOR-US: Contec SolarView Compact
 CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote 
attacker  ...)
-   TODO: check
+   - cacti 
+   NOTE: 
https://github.com/Cacti/cacti/security/advisories/GHSA-f4r3-53jr-654c (not 
public yet)
+   NOTE: https://gist.github.com/ISHGARD-2/a9563238fcd7ccf7432ccb145b53
 CVE-2023-46468 (An issue in juzawebCMS v.3.4 and before allows a remote 
attacker to ex ...)
NOT-FOR-US: juzawebCMS
 CVE-2023-46467 (Cross Site Scripting vulnerability in juzawebCMS v.3.4 and 
before allo ...)
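Review bot: the second NOTE is a bare gist URL with no indication of what it contains, while the first is explicitly marked "(not public yet)"; annotate the gist (reporter's analysis, advisory draft, or similar) so it is clear which reference is the public one until the GHSA is published, and so the "- cacti " line can later be updated with the fixed version once the advisory names it.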



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e58f6950dc8d5af86e7c49f4076b629711f62531



[Git][security-tracker-team/security-tracker][master] Process NFUs

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d1e6f86 by Salvatore Bonaccorso at 2023-10-28T10:30:56+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,33 +1,33 @@
 CVE-2023-5834 (HashiCorp Vagrant's Windows installer targeted a custom 
location with  ...)
-   TODO: check
+   NOT-FOR-US: HashiCorp Vagrant's Windows installer
 CVE-2023-5830 (A vulnerability classified as critical has been found in 
ColumbiaSoft  ...)
-   TODO: check
+   NOT-FOR-US: ColumbiaSoft Document Locator
 CVE-2023-46587 (Buffer Overflow vulnerability in XnView Classic v.2.51.5 
allows a loca ...)
-   TODO: check
+   NOT-FOR-US: XnView
 CVE-2023-46570 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
TODO: check
 CVE-2023-46569 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
TODO: check
 CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R 
v.4.1cu.4154 ...)
-   TODO: check
+   NOT-FOR-US: ZIONCOM (Hong Kong) Technology Limited A7000R
 CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows 
an attack ...)
-   TODO: check
+   NOT-FOR-US: Contec SolarView Compact
 CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote 
attacker  ...)
TODO: check
 CVE-2023-46468 (An issue in juzawebCMS v.3.4 and before allows a remote 
attacker to ex ...)
-   TODO: check
+   NOT-FOR-US: juzawebCMS
 CVE-2023-46467 (Cross Site Scripting vulnerability in juzawebCMS v.3.4 and 
before allo ...)
-   TODO: check
+   NOT-FOR-US: juzawebCMS
 CVE-2023-46215 (Insertion of Sensitive Information into Log File vulnerability 
in Apac ...)
-   TODO: check
+   NOT-FOR-US: Apache Airflow Celery provider
 CVE-2023-46211 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-46209 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
G5Theme  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-46208 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
Stylemix ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-46200 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Step ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-44480 (Leave Management System Project v1.0 is vulnerable to multiple 
Authent ...)
TODO: check
 CVE-2023-43322 (ZPE Systems, Inc Nodegrid OS v5.0.0 to v5.0.17, v5.2.0 to 
v5.2.19, v5. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d1e6f864b1f7f4b282cd0ff73c42a57a284bca1



[Git][security-tracker-team/security-tracker][master] automatic update

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ef9b2710 by security tracker role at 2023-10-28T08:11:41+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,79 @@
+CVE-2023-5834 (HashiCorp Vagrant's Windows installer targeted a custom 
location with  ...)
+   TODO: check
+CVE-2023-5830 (A vulnerability classified as critical has been found in 
ColumbiaSoft  ...)
+   TODO: check
+CVE-2023-46587 (Buffer Overflow vulnerability in XnView Classic v.2.51.5 
allows a loca ...)
+   TODO: check
+CVE-2023-46570 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
+   TODO: check
+CVE-2023-46569 (An out-of-bounds read in radare2 v.5.8.9 and before exists in 
the prin ...)
+   TODO: check
+CVE-2023-46510 (An issue in ZIONCOM (Hong Kong) Technology Limited A7000R 
v.4.1cu.4154 ...)
+   TODO: check
+CVE-2023-46509 (An issue in Contec SolarView Compact v.6.0 and before allows 
an attack ...)
+   TODO: check
+CVE-2023-46490 (SQL Injection vulnerability in Cacti v1.2.25 allows a remote 
attacker  ...)
+   TODO: check
+CVE-2023-46468 (An issue in juzawebCMS v.3.4 and before allows a remote 
attacker to ex ...)
+   TODO: check
+CVE-2023-46467 (Cross Site Scripting vulnerability in juzawebCMS v.3.4 and 
before allo ...)
+   TODO: check
+CVE-2023-46215 (Insertion of Sensitive Information into Log File vulnerability 
in Apac ...)
+   TODO: check
+CVE-2023-46211 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
+   TODO: check
+CVE-2023-46209 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
G5Theme  ...)
+   TODO: check
+CVE-2023-46208 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
Stylemix ...)
+   TODO: check
+CVE-2023-46200 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Step ...)
+   TODO: check
+CVE-2023-44480 (Leave Management System Project v1.0 is vulnerable to multiple 
Authent ...)
+   TODO: check
+CVE-2023-43322 (ZPE Systems, Inc Nodegrid OS v5.0.0 to v5.0.17, v5.2.0 to 
v5.2.19, v5. ...)
+   TODO: check
+CVE-2023-40140 (In android_view_InputDevice_create of 
android_view_InputDevice.cpp, th ...)
+   TODO: check
+CVE-2023-40139 (In FillUi of FillUi.java, there is a possible way to view 
another user ...)
+   TODO: check
+CVE-2023-40138 (In FillUi of FillUi.java, there is a possible way to view 
another user ...)
+   TODO: check
+CVE-2023-40137 (In multiple functions of DialogFillUi.java, there is a 
possible way to ...)
+   TODO: check
+CVE-2023-40136 (In setHeader of DialogFillUi.java, there is a possible way to 
view ano ...)
+   TODO: check
+CVE-2023-40135 (In applyCustomDescription of SaveUi.java, there is a possible 
way to v ...)
+   TODO: check
+CVE-2023-40134 (In isFullScreen of FillUi.java, there is a possible way to 
view anothe ...)
+   TODO: check
+CVE-2023-40133 (In multiple locations of DialogFillUi.java, there is a 
possible way to ...)
+   TODO: check
+CVE-2023-40131 (In GpuService of GpuService.cpp, there is a possible use after 
free du ...)
+   TODO: check
+CVE-2023-40130 (In onBindingDied of CallRedirectionProcessor.java, there is a 
possible ...)
+   TODO: check
+CVE-2023-40129 (In build_read_multi_rsp of gatt_sr.cc, there is a possible out 
of boun ...)
+   TODO: check
+CVE-2023-40128 (In several functions of xmlregexp.c, there is a possible out 
of bounds ...)
+   TODO: check
+CVE-2023-40127 (In multiple locations, there is a possible way to access 
screenshots d ...)
+   TODO: check
+CVE-2023-40125 (In onCreate of ApnEditor.java, there is a possible way for a 
Guest use ...)
+   TODO: check
+CVE-2023-40123 (In updateActionViews of PipMenuView.java, there is a possible 
bypass o ...)
+   TODO: check
+CVE-2023-40121 (In appendEscapedSQLString of DatabaseUtils.java, there is a 
possible S ...)
+   TODO: check
+CVE-2023-40120 (In multiple locations, there is a possible way to bypass user 
notifica ...)
+   TODO: check
+CVE-2023-40117 (In resetSettingsLocked of SettingsProvider.java, there is a 
possible l ...)
+   TODO: check
+CVE-2023-40116 (In onTaskAppeared of PipTaskOrganizer.java, there is a 
possible way to ...)
+   TODO: check
+CVE-2023-35794 (An issue was discovered in Cassia Access Controller 
2.1.1.2303271039.  ...)
+   TODO: check
+CVE-2023-32738 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Alka ...)
+   TODO: check
 CVE-2023-5829 (A vulnerability was found in code-projects Admission Management 
System ...)
NOT-FOR-US: code-projects Admission Management System
 CVE-2023-5828 (A vulnerability was found in Nanning Ontall Longxing Industrial 
Develo ...)
@@ -867,7 +943,7 @@ CVE-2023-39619 (ReDos in NPMJS Node Email Check 

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-3223/undertow

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f342e56 by Salvatore Bonaccorso at 2023-10-28T10:00:11+02:00
Add Debian bug reference for CVE-2023-3223/undertow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12215,7 +12215,7 @@ CVE-2023-33934 (Improper Input Validation vulnerability 
in Apache Software Found
 CVE-2023-2905 (Due to a failure in validating the length of a provided 
MQTT_CMD_PUBLI ...)
NOT-FOR-US: Cesanta Mongoose
 CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with 
@MultipartConfig ...)
-   - undertow 
+   - undertow  (bug #1054893)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
NOTE: https://github.com/undertow-io/undertow/pull/1521 (2.3.9.Final)
NOTE: https://github.com/undertow-io/undertow/pull/1523 (backport, 
2.2.27.Final)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f342e5641e4ac112c32074699132223fc4cb4e3



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-45960/dom4j

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97de0da9 by Salvatore Bonaccorso at 2023-10-28T09:59:17+02:00
Add CVE-2023-45960/dom4j

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -796,7 +796,10 @@ CVE-2023-46068 (Auth. (admin+) Stored Cross-Site Scripting 
(XSS) vulnerability i
 CVE-2023-46010 (An issue in SeaCMS v.12.9 allows an attacker to execute 
arbitrary comm ...)
NOT-FOR-US: SeaCMS
 CVE-2023-45960 (An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before 
allows a r ...)
-   TODO: check
+   - dom4j  (unimportant)
+   NOTE: https://github.com/dom4j/dom4j/issues/171
+   NOTE: Not considered as a vulnerability by upstream:
+   NOTE: https://github.com/dom4j/dom4j/issues/171#issuecomment-1781547256
 CVE-2023-45837 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
XYDAC Ul ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-45835 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
Libsyn L ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97de0da9981aa7f8f9f9f99a224a1eb4ef6ae474



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for nodejs issues

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64b780a6 by Salvatore Bonaccorso at 2023-10-28T09:48:30+02:00
Add Debian bug reference for nodejs issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1132,7 +1132,7 @@ CVE-2023-5625
- python-eventlet  (Red Hat-specific regression)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2244717
 CVE-2023-39333
-   - nodejs 
+   - nodejs  (bug #1054892)
[bullseye] - nodejs  (Only affects 18.x and later)
[buster] - nodejs  (Only affects 18.x and later)
NOTE: 
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#code-injection-via-webassembly-export-names-low---cve-2023-39333
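Review bot: the bug number added on the `- nodejs  (bug #1054892)` line is the same one this commit adds for CVE-2023-38552 in the next hunk, so one Debian bug now tracks both October 2023 nodejs issues; that is fine provided #1054892 actually names both CVEs, otherwise the second issue loses its own tracking. The untouched `[bullseye]`/`[buster]` lines keep "Only affects 18.x and later", which is consistent with only the unstable line gaining the bug reference.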
@@ -1925,7 +1925,7 @@ CVE-2023-39277 (SonicOS post-authentication stack-based 
buffer overflow vulnerab
 CVE-2023-39276 (SonicOS post-authentication stack-based buffer overflow 
vulnerability  ...)
NOT-FOR-US: SonicOS
 CVE-2023-38552 (When the Node.js policy feature checks the integrity of a 
resource aga ...)
-   - nodejs 
+   - nodejs  (bug #1054892)
[bullseye] - nodejs  (Only affects 18.x and later)
[buster] - nodejs  (Only affects 18.x and later)
NOTE: 
https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#integrity-checks-according-to-policies-can-be-circumvented-medium---cve-2023-38552
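Review bot: CVE-2023-38552 gets the same `(bug #1054892)` reference as CVE-2023-39333, but unlike the bullseye and buster lines there is no `[bookworm]` entry here, so bookworm inherits the unfixed status of the unstable line; a short NOTE saying whether a fix is expected through a point release or a DSA would answer the question the next reader will ask. The NOTE URL is shown wrapped onto its own line in this mail; keep it on the `NOTE:` line in the raw file, where the format expects one note per line.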



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64b780a63ea6933076b95cfe2065e74809e45eee



[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-3223/undertow

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ecc02cf by Salvatore Bonaccorso at 2023-10-28T09:46:03+02:00
Update information on CVE-2023-3223/undertow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12214,6 +12214,9 @@ CVE-2023-2905 (Due to a failure in validating the 
length of a provided MQTT_CMD_
 CVE-2023-3223 (A flaw was found in undertow. Servlets annotated with 
@MultipartConfig ...)
- undertow 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2209689
+   NOTE: https://github.com/undertow-io/undertow/pull/1521 (2.3.9.Final)
+   NOTE: https://github.com/undertow-io/undertow/pull/1523 (backport, 
2.2.27.Final)
+   NOTE: https://issues.redhat.com/browse/UNDERTOW-2271
 CVE-2023-4219 (A vulnerability was found in SourceCodester Doctors Appointment 
System ...)
NOT-FOR-US: SourceCodester Doctors Appointment System
 CVE-2023-4203 (Advantech EKI-1524, EKI-1522, EKI-1521 devices through 1.21 are 
affect ...)
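Review bot: the three new NOTE lines pin down the upstream fix (PR 1521 in 2.3.9.Final, backport PR 1523 in 2.2.27.Final, tracked as UNDERTOW-2271), but the `- undertow` line directly above them still carries no fixed Debian version; the natural follow-up is to check whether the Debian package is at or past one of those two releases and either record the fixed version or add a NOTE naming the commit to backport. The PR 1523 line is wrapped in this rendering, so make sure `(backport, 2.2.27.Final)` stays on the same NOTE line in the raw file.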



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ecc02cf4226a41e41c1b474021ef1673d9698f8



[Git][security-tracker-team/security-tracker][master] Track fixed version for open-vm-tools issues

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e8f8e3d by Salvatore Bonaccorso at 2023-10-28T08:56:17+02:00
Track fixed version for open-vm-tools issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -128,10 +128,10 @@ CVE-2023-39726 (An issue in Mintty v.3.6.4 and before 
allows a remote attacker t
 CVE-2023-38328 (An issue was discovered in eGroupWare 17.1.20190111. An 
Improper Passw ...)
- egroupware 
 CVE-2023-34059 (open-vm-tools contains a file descriptor hijack vulnerability 
in the v ...)
-   - open-vm-tools  (bug #1054666)
+   - open-vm-tools 2:12.3.5-1 (bug #1054666)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/27/3
 CVE-2023-34058 (VMware Tools contains a SAML token signature bypass 
vulnerability.A ma ...)
-   - open-vm-tools  (bug #1054666)
+   - open-vm-tools 2:12.3.5-1 (bug #1054666)
NOTE: https://www.openwall.com/lists/oss-security/2023/10/27/1
NOTE: 
https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch/CVE-2023-34058.patch
 CVE-2023-34057 (VMware Tools contains a local privilege escalation 
vulnerability.A mal ...)
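Review bot: CVE-2023-34059 and CVE-2023-34058 both get `open-vm-tools 2:12.3.5-1` as the fixed version, but CVE-2023-34057 (the local privilege escalation shown as trailing context directly below) is not touched; if 12.3.5 is the upstream release carrying all three fixes its entry needs the same version, and if that issue does not apply to open-vm-tools at all, a NOTE saying so will stop the question from coming back. CVE-2023-34058 also links the upstream patch while CVE-2023-34059 has only the oss-security post; a patch link for the latter would help whoever backports it to the stable suites.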



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e8f8e3d4aaa0c917726b67b5758bde058e0b46d



[Git][security-tracker-team/security-tracker][master] Three openimageio issues fixed in unstable

2023-10-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e1e36e41 by Salvatore Bonaccorso at 2023-10-28T08:51:58+02:00
Three openimageio issues fixed in unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44331,7 +44331,7 @@ CVE-2023-24531
RESERVED
 CVE-2023-24473 (An information disclosure vulnerability exists in the 
TGAInput::read_t ...)
[experimental] - openimageio 2.4.9.0+dfsg-1
-   - openimageio  (bug #1034150)
+   - openimageio 2.4.13.0+dfsg-1 (bug #1034150)
[bookworm] - openimageio  (Minor issue)
[bullseye] - openimageio  (Minor issue)
[buster] - openimageio  (Minor issue)
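Review bot: once `- openimageio 2.4.13.0+dfsg-1 (bug #1034150)` records the unstable fix, the `[experimental] - openimageio 2.4.9.0+dfsg-1` line above it names a lower version than unstable and no longer adds information; check whether the team convention is to drop the `[experimental]` entry at that point. The three stable lines stay `(Minor issue)`, so this change implies no DSA or DLA.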
@@ -44342,7 +44342,7 @@ CVE-2023-24473 (An information disclosure vulnerability 
exists in the TGAInput::
 CVE-2023-24472 (A denial of service vulnerability exists in the 
FitsOutput::close() fu ...)
{DLA-3518-1}
[experimental] - openimageio 2.4.9.0+dfsg-1
-   - openimageio  (bug #1034151)
+   - openimageio 2.4.13.0+dfsg-1 (bug #1034151)
[bookworm] - openimageio  (Minor issue)
[bullseye] - openimageio  (Minor issue)
NOTE: 
https://github.com/OpenImageIO/oiio/commit/f8db9f38d18a66889f444031051e0f0acaa611b6
 (master)
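Review bot: the fixed version `2.4.13.0+dfsg-1` is recorded, but the NOTE under it labels the upstream commit f8db9f38 only as `(master)`; adding the first upstream tag that contains it would let a reader verify that the Debian version actually carries the fix. Unlike the neighbouring entries this one has `{DLA-3518-1}` and no `[buster]` line, which is consistent, since buster was handled by that DLA rather than marked Minor issue.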
@@ -44350,7 +44350,7 @@ CVE-2023-24472 (A denial of service vulnerability 
exists in the FitsOutput::clos
NOTE: 
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1709
 CVE-2023-22845 (An out-of-bounds read vulnerability exists in the 
TGAInput::decode_pix ...)
[experimental] - openimageio 2.4.9.0+dfsg-1
-   - openimageio  (bug #1034150)
+   - openimageio 2.4.13.0+dfsg-1 (bug #1034150)
[bookworm] - openimageio  (Minor issue)
[bullseye] - openimageio  (Minor issue)
[buster] - openimageio  (Minor issue)
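Review bot: CVE-2023-22845 shares bug #1034150 with CVE-2023-24473 (both TGAInput issues), so giving both the same fixed version `2.4.13.0+dfsg-1` is consistent; as with that entry, the `[experimental] - openimageio 2.4.9.0+dfsg-1` line now sits below the unstable version and can probably go. The `[buster]` line remains `(Minor issue)` here, so buster stays unfixed for this one even though the related FitsOutput issue got a DLA.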



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1e36e41176e69bfe3a6a054e315526b39954f30
