[Git][security-tracker-team/security-tracker][master] Track proposed mariadb updates for bullseye-pu and bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ea29c636 by Salvatore Bonaccorso at 2023-12-01T07:06:09+01:00 Track proposed mariadb updates for bullseye-pu and bookworm-pu - - - - - 2 changed files: - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -104,3 +104,5 @@ CVE-2020-22218 [bullseye] - libssh2 1.9.0-2+deb11u1 CVE-2023-5981 [bullseye] - gnutls28 3.7.1-5+deb11u4 +CVE-2023-22084 + [bullseye] - mariadb-10.5 1:10.5.23-0+deb11u1 = data/next-point-update.txt = @@ -97,6 +97,8 @@ CVE-2023-49316 [bookworm] - php-phpseclib3 3.0.19-1+deb12u1 CVE-2023-5981 [bookworm] - gnutls28 3.7.9-2+deb12u1 +CVE-2023-22084 + [bookworm] - mariadb 1:10.11.6-0+deb12u1 CVE-2023-34324 [bookworm] - linux 6.1.64-1 CVE-2023-35827 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea29c6367547397f1103684d707d0bea891df99c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ea29c6367547397f1103684d707d0bea891df99c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
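Review bot: the two hunks record different source package names for the same CVE (mariadb-10.5 in bullseye, mariadb in bookworm); that matches how MariaDB is packaged per release, but the CVE-2023-22084 entry in data/CVE/list is not touched by this change, so check that its [bullseye] and [bookworm] lines name the same packages and that the versions tracked here (1:10.5.23-0+deb11u1 and 1:10.11.6-0+deb12u1) are the ones that will be copied over once the point updates are accepted.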
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3679-1 for vlc
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: 684f7571 by Adrian Bunk at 2023-11-30T23:50:53+00:00 Reserve DLA-3679-1 for vlc - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3679-1 vlc - security update + {CVE-2023-47359 CVE-2023-47360} + [buster] - vlc 3.0.20-0+deb10u1 [01 Dec 2023] DLA-3678-1 horizon - security update {CVE-2022-45582} [buster] - horizon 3:14.0.2-3+deb10u3 = data/dla-needed.txt = @@ -219,10 +219,6 @@ tor varnish (Abhijith PA) NOTE: 20231117: Added by Front-Desk (apo) -- -vlc (Adrian Bunk) - NOTE: 20231106: Added by Front-Desk (pochu) - NOTE: 20231106: Follow bullseye and update to 3.0.20 (pochu) --- wireshark (Adrian Bunk) NOTE: 20231118: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684f757186f7249f03c0b1ea242a25758c07b1ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684f757186f7249f03c0b1ea242a25758c07b1ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
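Review bot: the new DLA-3679-1 entry is dated [30 Nov 2023] yet sits above DLA-3678-1, which is dated [01 Dec 2023]; the file is ordered by DLA number so the placement is right, but the dates read out of sequence. The commit was pushed at 2023-11-30T23:50:53+00:00, so this is most likely a UTC versus CET difference; make sure the date matches the one in the announcement mail.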
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3678-1 for horizon
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 7edadaf7 by Guilhem Moulin at 2023-12-01T00:43:45+01:00 Reserve DLA-3678-1 for horizon - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -66305,7 +66305,6 @@ CVE-2022-45582 (Open Redirect vulnerability in Horizon Web Dashboard 19.4.0 thru - horizon 3:23.1.0-3 [bookworm] - horizon 3:23.0.0-5+deb12u1 [bullseye] - horizon 3:18.6.2-5+deb11u2 - [buster] - horizon (Minor issue) NOTE: https://bugs.launchpad.net/horizon/+bug/1982676 NOTE: https://opendev.org/openstack/horizon/commit/beed6bf6f6f83df9972db5fb539d64175ce12ce9 (19.4.0) NOTE: https://opendev.org/openstack/horizon/commit/2f600272bfffb3024e6f06a369f9b4768dd1a0b0 (20.1.4) = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Dec 2023] DLA-3678-1 horizon - security update + {CVE-2022-45582} + [buster] - horizon 3:14.0.2-3+deb10u3 [30 Nov 2023] DLA-3677-1 gimp-dds - security update {CVE-2023-1} [buster] - gimp-dds 3.0.1-1+deb10u1 = data/dla-needed.txt = @@ -62,10 +62,6 @@ dogecoin frr NOTE: 20231119: Added by Front-Desk (apo) -- -horizon (guilhem) - NOTE: 20231101: Added by Front-Desk (lamby) - NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) --- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7edadaf7f7e4c8c9702d5418cd1015d75fc9e3db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7edadaf7f7e4c8c9702d5418cd1015d75fc9e3db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
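Review bot: the data/CVE/list hunk drops the "[buster] - horizon (Minor issue)" line but adds no {DLA-3678-1} cross-reference under the CVE-2022-45582 entry (the form used by {DLA-3514-1} on the bouncycastle entry further down this digest). If that reference is only added once the advisory is announced this is expected; otherwise add it in the same commit so the CVE page links to the DLA.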
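Review bot: in the data/DLA/list hunk the unchanged context line for DLA-3677-1 gimp-dds shows {CVE-2023-1}, which is not a complete CVE identifier; it is not part of this change and is probably a rendering truncation, but worth a glance since a malformed id would not resolve against data/CVE/list.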
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove flatpak from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e9a816a by Markus Koschany at 2023-11-30T23:11:40+01:00 Remove flatpak from dla-needed.txt As discussed with Sylvain via private email. Here is my reasoning from 13.07.2023 again. CVE-2023-28100 and CVE-2023-28101 are minor issues and most users will install their applications via GUIs and from trusted repositories anyway. An upgrade to the 1.10.x series would require backports of at least bubblewrap and ostree. This may or may not cause regressions in other applications. The risk to reward ratio is rather unfavorable in this case and since targeted fixes are also intrusive and sensible workarounds do exist, it is better to keep flatpak as is. - - - - - 1fd38ff1 by Markus Koschany at 2023-11-30T23:13:56+01:00 CVE-2023-28100,CVE-2023-28101,flatpak: mark both CVE as ignored in Buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -39151,7 +39151,7 @@ CVE-2023-28102 (discordrb is an implementation of the Discord API using Ruby. In CVE-2023-28101 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033098) [bullseye] - flatpak 1.10.8-0+deb11u1 - [buster] - flatpak (Minor issue) + [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 NOTE: https://github.com/flatpak/flatpak/commit/6cac99dafe6003c8a4bd5666341c217876536869 (1.15.4) NOTE: https://github.com/flatpak/flatpak/commit/7fe63f2e8f1fd2dafc31d45154cf0b191ebec66c (1.15.4) 
@@ -39161,7 +39161,7 @@ CVE-2023-28101 (Flatpak is a system for building, distributing, and running sand CVE-2023-28100 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.4-1 (bug #1033099) [bullseye] - flatpak 1.10.8-0+deb11u1 - [buster] - flatpak (Minor issue) + [buster] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp NOTE: https://github.com/flatpak/flatpak/commit/8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 (1.15.4) NOTE: https://github.com/flatpak/flatpak/commit/a9bf18040cc075a70657c6090a59d7f6fe78f893 (1.10.8) = data/dla-needed.txt = @@ -59,10 +59,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -flatpak - NOTE: 20231006: Added by Front-Desk (Beuc) - NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf...1fd38ff1b65935881a8402e4d42d556f695a3023 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf...1fd38ff1b65935881a8402e4d42d556f695a3023 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
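Review bot: in both data/CVE/list hunks the removed and added "[buster] - flatpak (Minor issue)" lines read identically here, so the visible diff shows no change. The commit message says both CVEs are marked ignored in buster, which suggests the ignored marker (an angle-bracketed tag) was stripped by the mail rendering; verify that the committed lines actually carry it, otherwise buster still shows the issues as merely no-dsa.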
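Review bot: the rationale for dropping flatpak from dla-needed.txt (minor issues, 1.10.x needing backports of bubblewrap and ostree, sensible workarounds existing) lives only in the commit message; the CVE-2023-28100 and CVE-2023-28101 entries gain no NOTE line recording it. Add a short NOTE under each entry so the reasoning is visible on the tracker page rather than only in git history.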
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for python-aiohttp issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8bf283d8 by Salvatore Bonaccorso at 2023-11-30T22:52:11+01:00 Add Debian bug references for python-aiohttp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -317,14 +317,14 @@ CVE-2023-49094 (Symbolicator is a symbolication service for native stacktraces a CVE-2023-49087 (xml-security is a library that implements XML signatures and encryptio ...) TODO: check CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - - python-aiohttp + - python-aiohttp (bug #1057164) [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx NOTE: https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc (master) NOTE: https://github.com/aio-libs/aiohttp/commit/4075c653fb67a29740bf9ac050bb02d10a57343a (v3.9.0b1) CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - - python-aiohttp + - python-aiohttp (bug #1057163) [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8bf283d8bfddc75770dd9178b0d15c025c8e3ebf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-33201,CVE-2023-33202,bouncycastle: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0fde016a by Markus Koschany at 2023-11-30T22:29:20+01:00 CVE-2023-33201,CVE-2023-33202,bouncycastle: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -938,7 +938,7 @@ CVE-2023-3631 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-3377 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Veribilim Software Computer Veribase CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial of Serv ...) - - bouncycastle (bug #1056754) + - bouncycastle 1.77-1 (bug #1056754) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 @@ -27501,7 +27501,7 @@ CVE-2023-33203 (The Linux kernel before 6.2.9 has a race condition and resultant NOTE: https://git.kernel.org/linus/6b6bc5b8bd2d4ca9e1efa9ae0f98a0b0687ace75 (6.3-rc4) CVE-2023-33201 (Bouncy Castle For Java before 1.74 is affected by an LDAP injection vu ...) {DLA-3514-1} - - bouncycastle (bug #1040050) + - bouncycastle 1.77-1 (bug #1040050) [bookworm] - bouncycastle (Minor issue) [bullseye] - bouncycastle (Minor issue) NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33201 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fde016ab6c3471d88617f700dbcabd3587edafd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0fde016ab6c3471d88617f700dbcabd3587edafd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4770 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 896b76f2 by Salvatore Bonaccorso at 2023-11-30T22:24:55+01:00 Add CVE-2023-4770 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93,7 +93,7 @@ CVE-2023-5965 (An authenticated privileged attacker could upload a specially cra CVE-2023-5803 (Cross-Site Request Forgery (CSRF) vulnerability in Business Directory ...) NOT-FOR-US: WordPress plugin CVE-2023-4770 (An uncontrolled search path element vulnerability has been found on 4D ...) - TODO: check + NOT-FOR-US: 4D.exe and 4D Server.exe CVE-2023-48964 (Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/W ...) NOT-FOR-US: Tenda CVE-2023-48963 (Tenda i6 V1.0.0.8(3856) is vulnerable to Buffer Overflow via /goform/w ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/896b76f2d29a4bc884702fbcf21ff39b259df062 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/896b76f2d29a4bc884702fbcf21ff39b259df062 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed update for gnutls28 for bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46d74f16 by Salvatore Bonaccorso at 2023-11-30T22:03:46+01:00 Track proposed update for gnutls28 for bullseye-pu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -102,3 +102,5 @@ CVE-2023-47471 [bullseye] - libde265 1.0.11-0+deb11u2 CVE-2020-22218 [bullseye] - libssh2 1.9.0-2+deb11u1 +CVE-2023-5981 + [bullseye] - gnutls28 3.7.1-5+deb11u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46d74f16570700523d25b74891149301875131f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46d74f16570700523d25b74891149301875131f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] track proposed update for gnutls28 via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2101158 by Salvatore Bonaccorso at 2023-11-30T22:00:31+01:00 track proposed update for gnutls28 via bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -95,6 +95,8 @@ CVE-2023-49208 [bookworm] - glewlwyd 2.7.5-3+deb12u1 CVE-2023-49316 [bookworm] - php-phpseclib3 3.0.19-1+deb12u1 +CVE-2023-5981 + [bookworm] - gnutls28 3.7.9-2+deb12u1 CVE-2023-34324 [bookworm] - linux 6.1.64-1 CVE-2023-35827 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2101158e1149060b2b5310d61a12c3b9ac9b561 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2101158e1149060b2b5310d61a12c3b9ac9b561 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f157bca7 by Salvatore Bonaccorso at 2023-11-30T21:37:52+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -153,7 +153,7 @@ CVE-2023-48331 (Cross-Site Request Forgery (CSRF) vulnerability in Stormhill Med CVE-2023-48330 (Cross-Site Request Forgery (CSRF) vulnerability in Mike Strand Bulk Co ...) NOT-FOR-US: WordPress plugin CVE-2023-48329 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-48328 (Cross-Site Request Forgery (CSRF) vulnerability in Imagely WordPress G ...) NOT-FOR-US: WordPress plugin CVE-2023-48326 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) @@ -281,11 +281,11 @@ CVE-2023-34388 (AnImproper Authentication vulnerability in the Schweitzer Engine CVE-2023-34030 (Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugi ...) NOT-FOR-US: WordPress plugin CVE-2023-34018 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3 (Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-32291 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49620 (Before DolphinScheduler version 3.1.0, the login user could delete UDF ...) NOT-FOR-US: Apache DolphinScheduler CVE-2023-49733 (Improper Restriction of XML External Entity Reference vulnerability in ...) 
@@ -29235,9 +29235,9 @@ CVE-2023-31179 (AgilePoint NX v8.0 SU2.2 & SU2.3 - Path traversal -Vulnerability CVE-2023-31178 (AgilePoint NX v8.0 SU2.2 & SU2.3 \u2013 Arbitrary File DeleteVulnerabi ...) NOT-FOR-US: AgilePoint CVE-2023-31177 (An Improper Neutralization of Input During Web Page Generation ('Cross ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories SEL-451 CVE-2023-31176 (An Insufficient Entropy vulnerability in the Schweitzer Engineering La ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories SEL-451 CVE-2023-31175 (An Execution with Unnecessary Privileges vulnerability in the Schweitz ...) NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31174 (A Cross-Site Request Forgery (CSRF) vulnerability in the Schweitzer En ...) @@ -29396,13 +29396,13 @@ CVE-2023-2269 (A denial of service problem was found, due to a possible recursiv CVE-2023-2268 (Plane version 0.7.1 allows an unauthenticated attacker to view all sto ...) NOT-FOR-US: Plane CVE-2023-2267 (An Improper Input Validation vulnerability in Schweitzer Engineering L ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories SEL-411L CVE-2023-2266 (AnImproper neutralization of input during web page generation in the S ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories SEL-411L CVE-2023-2265 (AnImproper Restriction of Rendered UI Layers or Frames in the Schweitz ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories SEL-411L CVE-2023-2264 (An improper input validation vulnerability in the Schweitzer Engineeri ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories SEL-411L CVE-2023-2263 (The Rockwell Automation Kinetix 5700 DC Bus Power Supply Series A is v ...) NOT-FOR-US: Rockwell Automation CVE-2023-2262 (A buffer overflow vulnerability exists in the Rockwell Automation sele ...) 
@@ -43492,7 +43492,7 @@ CVE-2023-26535 (Cross-Site Request Forgery (CSRF) vulnerability in WPPOOL Sheets CVE-2023-26534 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in OneW ...) NOT-FOR-US: WordPress plugin CVE-2023-26533 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-26532 (Cross-Site Request Forgery (CSRF) vulnerability in AccessPress Themes ...) NOT-FOR-US: WordPress plugin CVE-2023-26531 (Cross-Site Request Forgery (CSRF) vulnerability in \u95ea\u7535\u535a ...) @@ -48144,7 +48144,7 @@ CVE-2023-25059 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-25058 (Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sc ...) NOT-FOR-US: WordPress plugin CVE-2023-25057 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25056 (Cross-Site Request Forgery (CSRF) vulnerability in SlickRemix Feed The ...) NOT-FOR-US: WordPress plugin
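Review bot: in the second hunk one entry appears as "CVE-2023-3 (Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugi ...)", which is not a complete CVE identifier; this is likely a rendering truncation, but confirm the file carries the full id, since a malformed id would break parsing of data/CVE/list.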
[Git][security-tracker-team/security-tracker][master] Associate two older NFUs with phpmemcachedadmin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a2e2d37 by Salvatore Bonaccorso at 2023-11-30T21:32:46+01:00 Associate two older NFUs with phpmemcachedadmin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -514388,9 +514388,9 @@ CVE-2014-8737 (Multiple directory traversal vulnerabilities in GNU binutils 2.24 NOTE: Upstream tracker: https://sourceware.org/bugzilla/show_bug.cgi?id=17552 NOTE: Upstream patch: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=dd9b91de2149ee81d47f708e7b0bbf57da10ad42 CVE-2014-8732 (Cross-site scripting (XSS) vulnerability in phpMemcachedAdmin 1.2.2 an ...) - NOT-FOR-US: phpMemcachedAdmin + - phpmemcachedadmin (bug #776613) CVE-2014-8731 (PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute ...) - NOT-FOR-US: phpMemcachedAdmin + - phpmemcachedadmin (bug #776613) CVE-2014-8716 (The JPEG decoder in ImageMagick before 6.8.9-9 allows local users to c ...) {DLA-960-1 DLA-90-1} - imagemagick 8:6.8.9.9-3 (bug #768494) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a2e2d37f0ed0e866e611a1043d80e7ebdadc5cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a2e2d37f0ed0e866e611a1043d80e7ebdadc5cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
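Review bot: CVE-2014-8731 and CVE-2014-8732 move from NOT-FOR-US to "- phpmemcachedadmin (bug #776613)", and the companion commit identifies #776613 as an ITP, yet the visible lines carry no itp marker. If the angle-bracketed tag was stripped by the mail rendering this is fine; if it is genuinely absent, the tracker will treat phpmemcachedadmin as an unfixed source package in the archive rather than a package that has only been ITP'ed.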
[Git][security-tracker-team/security-tracker][master] Add two issues for phpmemcachedadmin, itp'ed, #776613
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 459651e8 by Salvatore Bonaccorso at 2023-11-30T21:31:21+01:00 Add two issues for phpmemcachedadmin, itped, #776613 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83,9 +83,9 @@ CVE-2023-6136 (Exposure of Sensitive Information to an Unauthorized Actor vulner CVE-2023-6071 (An Improper Neutralization of Special Elements used in a command vulne ...) NOT-FOR-US: Trellix CVE-2023-6027 (A critical flaw has been identified in elijaa/phpmemcachedadmin affect ...) - TODO: check + - phpmemcachedadmin (bug #776613) CVE-2023-6026 (A Path traversal vulnerability has been reported in elijaa/phpmemcache ...) - TODO: check + - phpmemcachedadmin (bug #776613) CVE-2023-5966 (An authenticated privileged attacker could upload a specially crafted ...) NOT-FOR-US: EspoCRM CVE-2023-5965 (An authenticated privileged attacker could upload a specially crafted ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/459651e8c71daee5078203eb34d4baf6f37c4e22 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/459651e8c71daee5078203eb34d4baf6f37c4e22 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
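Review bot: the subject says the package is itp'ed with #776613, but both added lines read "- phpmemcachedadmin (bug #776613)" with no itp marker visible; confirm the tag is present in the committed file (it may simply have been dropped by the mail rendering), because without it CVE-2023-6026 and CVE-2023-6027 will show as open issues in a source package that is not in the archive.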
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d89913d3 by Salvatore Bonaccorso at 2023-11-30T21:27:38+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,285 +1,285 @@ CVE-2023-6439 (A vulnerability classified as problematic was found in ZenTao PMS 18.8 ...) - TODO: check + NOT-FOR-US: ZenTao PMS CVE-2023-6438 (A vulnerability classified as problematic has been found in IceCMS 2.0 ...) - TODO: check + NOT-FOR-US: IceCMS CVE-2023-6435 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6434 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6433 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6432 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6431 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6430 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6429 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6428 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6427 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6426 (A vulnerability has been discovered in BigProf Online Invoicing System ...) - TODO: check + NOT-FOR-US: BigProf Online Invoicing System CVE-2023-6425 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) 
- TODO: check + NOT-FOR-US: BigProf Online Clinic Management System CVE-2023-6424 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) - TODO: check + NOT-FOR-US: BigProf Online Clinic Management System CVE-2023-6423 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) - TODO: check + NOT-FOR-US: BigProf Online Clinic Management System CVE-2023-6422 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) - TODO: check + NOT-FOR-US: BigProf Online Clinic Management System CVE-2023-6420 (A vulnerability has been reported in Voovi Social Networking Script ve ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6419 (A vulnerability has been reported in Voovi Social Networking Script ve ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6418 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6417 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6416 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6415 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6414 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6413 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6412 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6411 (A vulnerability has been reported in Voovi Social Networking Script th ...) 
- TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6410 (A vulnerability has been reported in Voovi Social Networking Script th ...) - TODO: check + NOT-FOR-US: Voovi Social Networking Script CVE-2023-6402 (A vulnerability, which was classified as critical, was found in PHPGur ...) - TODO: check + NOT-FOR-US: PHPGurukul CVE-2023-6401 (A vulnerability classified as problematic was found in
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04525b33 by security tracker role at 2023-11-30T20:12:07+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,6 +1,294 @@ -CVE-2023-49620 +CVE-2023-6439 (A vulnerability classified as problematic was found in ZenTao PMS 18.8 ...) + TODO: check +CVE-2023-6438 (A vulnerability classified as problematic has been found in IceCMS 2.0 ...) + TODO: check +CVE-2023-6435 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6434 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6433 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6432 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6431 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6430 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6429 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6428 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6427 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6426 (A vulnerability has been discovered in BigProf Online Invoicing System ...) + TODO: check +CVE-2023-6425 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) + TODO: check +CVE-2023-6424 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) + TODO: check +CVE-2023-6423 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) + TODO: check +CVE-2023-6422 (A vulnerability has been discovered in BigProf Online Clinic Managemen ...) + TODO: check +CVE-2023-6420 (A vulnerability has been reported in Voovi Social Networking Script ve ...) + TODO: check +CVE-2023-6419 (A vulnerability has been reported in Voovi Social Networking Script ve ...) 
+ TODO: check +CVE-2023-6418 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6417 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6416 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6415 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6414 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6413 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6412 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6411 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6410 (A vulnerability has been reported in Voovi Social Networking Script th ...) + TODO: check +CVE-2023-6402 (A vulnerability, which was classified as critical, was found in PHPGur ...) + TODO: check +CVE-2023-6401 (A vulnerability classified as problematic was found in NotePad++ up to ...) + TODO: check +CVE-2023-6376 (Henschen & Associates court document management software does not suff ...) + TODO: check +CVE-2023-6375 (Tyler Technologies Court Case Management Plus may store backups in a l ...) + TODO: check +CVE-2023-6360 (The 'My Calendar' WordPress Plugin, version < 3.4.22 is affected by an ...) + TODO: check +CVE-2023-6354 (Tyler Technologies Magistrate Court Case Management Plus allows an una ...) + TODO: check +CVE-2023-6353 (Tyler Technologies Civil and Criminal Electronic Filing allows an unau ...) + TODO: check +CVE-2023-6352 (The default configuration of Aquaforest TIFF Server allows access to a ...) + TODO: check +CVE-2023-6344 (Tyler Technologies Court Case Management Plus allows a remote, unauthe ...) 
+ TODO: check +CVE-2023-6343 (Tyler Technologies Court Case Management Plus allows a remote, unauthe ...) + TODO: check +CVE-2023-6342 (Tyler Technologies Court Case Management Plus allows a remote attacker ...) + TODO: check +CVE-2023-6341 (Catalis (previously Icon Software) CMS360 allows a remote, unauthentic ...) + TODO: check +CVE-2023-6137 (Cross-Site Request Forgery (CSRF) vulnerability in finnj Frontier Post ...) + TODO: check +CVE-2023-6136 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO:
[Git][security-tracker-team/security-tracker][master] Add note about zbar fixes and upstream status
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 38853dc4 by Salvatore Bonaccorso at 2023-11-30T21:04:37+01:00 Add note about zbar fixes and upstream status - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14635,10 +14635,12 @@ CVE-2023-40890 (A stack-based buffer overflow vulnerability exists in the lookup - zbar (bug #1051724) NOTE: https://hackmd.io/@cspl/H1PxPAUnn NOTE: https://github.com/mchehab/zbar/issues/263 + NOTE: 0.23.92-9 upload adds patch to avoid exploitation, but no upstream fix exists yet. CVE-2023-40889 (A heap-based buffer overflow exists in the qr_reader_match_centers fun ...) - zbar (bug #1051724) NOTE: https://hackmd.io/@cspl/B1ZkFZv23 NOTE: https://github.com/mchehab/zbar/issues/263 + NOTE: 0.23.92-9 upload adds patch to avoid exploitation, but no upstream fix exists yet. CVE-2023-40787 (In SpringBlade V3.6.0 when executing SQL query, the parameters submitt ...) NOT-FOR-US: SpringBlade CVE-2023-3646 (On affected platforms running Arista EOS with mirroring to multiple de ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38853dc44ad00d65d755a70763680c2df7bc3869 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38853dc44ad00d65d755a70763680c2df7bc3869 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
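Review bot: the two added NOTE lines ("0.23.92-9 upload adds patch to avoid exploitation, but no upstream fix exists yet") give no pointer to the patch itself; alongside the existing bug #1051724 and the mchehab/zbar issue 263 links, add the debian/patches file name or the changelog entry for 0.23.92-9 so a later triager can compare the Debian mitigation with whatever upstream eventually merges, and date the "no upstream fix yet" statement so it is clear when it was last checked.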
[Git][security-tracker-team/security-tracker][master] Add references for CVE-2023-49081
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: edb0be1a by Salvatore Bonaccorso at 2023-11-30T20:55:51+01:00 Add references for CVE-2023-49081 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40,6 +40,9 @@ CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyn [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 + NOTE: https://github.com/aio-libs/aiohttp/pull/7835 + NOTE: https://github.com/aio-libs/aiohttp/commit/1e86b777e61cf4eefc7d92fa57fa19dcc676013b (master) + NOTE: https://github.com/aio-libs/aiohttp/commit/53476dfd4ef4fb1bb74a267714bbc39eda71b403 (v3.9.0rc0) CVE-2023-49077 (Mailcow: dockerized is an open source groupware/email suite based on d ...) NOT-FOR-US: Mailcow CVE-2023-49076 (Customer-data-framework allows management of customer data within Pimc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edb0be1ae715eb40e99d729c80bb288af4e9b4de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edb0be1ae715eb40e99d729c80bb288af4e9b4de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add references for CVE-2023-49082
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 28f42944 by Salvatore Bonaccorso at 2023-11-30T20:52:43+01:00 Add references for CVE-2023-49082 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33,6 +33,8 @@ CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyn [bookworm] - python-aiohttp (Minor issue) [bullseye] - python-aiohttp (Minor issue) NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx + NOTE: https://github.com/aio-libs/aiohttp/commit/493f06797654c383242f0e8007f6e06b818a1fbc (master) + NOTE: https://github.com/aio-libs/aiohttp/commit/4075c653fb67a29740bf9ac050bb02d10a57343a (v3.9.0b1) CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - python-aiohttp [bookworm] - python-aiohttp (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f4294446161c97b29b92b17a83a5f3d4db5902 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f4294446161c97b29b92b17a83a5f3d4db5902 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-2906/wireshark does not affect buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abedeab8 by Adrian Bunk at 2023-11-30T19:57:31+02:00 CVE-2023-2906/wireshark does not affect buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15115,9 +15115,10 @@ CVE-2023-2906 (Due to a failure in validating the length provided by an attacker {DSA-5559-1} - wireshark 4.0.8-1 [bullseye] - wireshark (Minor issue) - [buster] - wireshark (Minor issue) + [buster] - wireshark (Vulnerable code introduced in 3.0.0) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-26.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19229 + NOTE: Introduced by https://gitlab.com/wireshark/wireshark/-/commit/4ff777d5ce1d9951a1edbf7ffa914a12a00bb2b3 (v2.9.0) CVE-2023-4534 (A vulnerability, which was classified as problematic, was found in Neo ...) NOT-FOR-US: NeoMind Fusion Platform CVE-2023-4520 (The FV Flowplayer Video Player plugin for WordPress is vulnerable to S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abedeab862926fdb099aaced7fd6f31217bc6350 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abedeab862926fdb099aaced7fd6f31217bc6350 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
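Review bot: the new buster line says "Vulnerable code introduced in 3.0.0" while the added NOTE attributes the introduction to a commit tagged v2.9.0; the two only agree if 2.9.x is read as the development series leading to the 3.0.0 release, so say that explicitly in the NOTE (e.g. "v2.9.0, first stable release 3.0.0") to keep a later reader from flagging the two lines as contradictory.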
[Git][security-tracker-team/security-tracker][master] CVE-2023-39350,CVE-2023-39351/freerdp2: reference introductory commit
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: e6bd87b4 by Sylvain Beucler at 2023-11-30T18:14:39+01:00 CVE-2023-39350,CVE-2023-39351/freerdp2: reference introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14261,6 +14261,7 @@ CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol [bullseye] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq NOTE: https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5 (2.11.0) + NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/579a13b054c306de36a24621763729ebf01797d3 (2.0.0) CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) {DLA-3606-1} - freerdp2 2.11.2+dfsg1-1 (bug #1051638) 
@@ -14268,6 +14269,7 @@ CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop Protocol [bullseye] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh NOTE: https://github.com/FreeRDP/FreeRDP/commit/7ece410ce5b5660b9191e1ccb6835158afa11822 (2.11.0) + NOTE: Introduced by: https://github.com/FreeRDP/FreeRDP/commit/579a13b054c306de36a24621763729ebf01797d3 (2.0.0) CVE-2023-34392 (A Missing Authentication for Critical Function vulnerability in the Sc ...) NOT-FOR-US: Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator CVE-2023-34391 (Insecure Inherited Permissions vulnerability in Schweitzer Engineering ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6bd87b4618ccd954c5738b372470adba3933c1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6bd87b4618ccd954c5738b372470adba3933c1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3677-1 for gimp-dds
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: f39d857b by Adrian Bunk at 2023-11-30T18:52:24+02:00 Reserve DLA-3677-1 for gimp-dds - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3677-1 gimp-dds - security update + {CVE-2023-1} + [buster] - gimp-dds 3.0.1-1+deb10u1 [30 Nov 2023] DLA-3676-1 libde265 - security update {CVE-2023-27102 CVE-2023-27103 CVE-2023-43887 CVE-2023-47471} [buster] - libde265 1.0.11-0+deb10u5 = data/dla-needed.txt = @@ -66,9 +66,6 @@ flatpak frr NOTE: 20231119: Added by Front-Desk (apo) -- -gimp-dds (Adrian Bunk) - NOTE: 20231127: Added by Front-Desk (Beuc) --- horizon (guilhem) NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f39d857b40dd7a94b5b3c99241c0d27b2023918d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f39d857b40dd7a94b5b3c99241c0d27b2023918d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
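Review bot: the CVE list in the new DLA-3677-1 entry reads {CVE-2023-1}, which is not a valid CVE identifier (the sequence part of a CVE id has at least four digits); the id should be checked and completed before the advisory is sent, since the DLA/list entry is what cross-references the records in data/CVE/list.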
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3676-1 for libde265
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 808dc32e by Anton Gladky at 2023-11-30T17:39:19+01:00 Reserve DLA-3676-1 for libde265 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -41871,14 +41871,12 @@ CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflo - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) - [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/394 NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 (v1.0.12) CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...) - libde265 1.0.12-1 (bug #1033257) [bookworm] - libde265 (Minor issue) [bullseye] - libde265 (Minor issue) - [buster] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/393 NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1 (v1.0.12) CVE-2023-27101 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3676-1 libde265 - security update + {CVE-2023-27102 CVE-2023-27103 CVE-2023-43887 CVE-2023-47471} + [buster] - libde265 1.0.11-0+deb10u5 [30 Nov 2023] DLA-3675-1 zbar - security update {CVE-2023-40889 CVE-2023-40890} [buster] - zbar 0.22-1+deb10u1 = data/dla-needed.txt = 
@@ -89,10 +89,6 @@ keystone knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- -libde265 (gladk) - NOTE: 20231119: Added by Front-Desk (apo) - NOTE: 20231119: Fix along with postponed issues. --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808dc32e5e7fbd049a8faf0570941fe689e19210 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/808dc32e5e7fbd049a8faf0570941fe689e19210 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
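Review bot: DLA-3676-1 is recorded for four CVEs (CVE-2023-27102, CVE-2023-27103, CVE-2023-43887, CVE-2023-47471), but the data/CVE/list hunk only drops the buster "Minor issue" lines for CVE-2023-27102 and CVE-2023-27103; confirm that the entries for CVE-2023-43887 and CVE-2023-47471 carry no stale buster annotation that would conflict with the DLA's fixed version 1.0.11-0+deb10u5.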
[Git][security-tracker-team/security-tracker][master] chromium DSA
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: 64518309 by Andres Salomon at 2023-11-30T11:34:08-05:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Nov 2023] DSA-5569-1 chromium - security update + {CVE-2023-6345 CVE-2023-6346 CVE-2023-6347 CVE-2023-6348 CVE-2023-6350 CVE-2023-6351} + [bullseye] - chromium 119.0.6045.199-1~deb11u1 + [bookworm] - chromium 119.0.6045.199-1~deb12u1 [27 Nov 2023] DSA-5568-1 fastdds - security update {CVE-2023-42459} [bookworm] - fastdds 2.9.1+ds-1+deb12u2 = data/dsa-needed.txt = @@ -11,8 +11,6 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. --- -chromium (dilinger) -- cryptojs -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64518309eea0efe7250da226c3d06582c560e738 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64518309eea0efe7250da226c3d06582c560e738 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add one missing CVE which is fixed as well (sync with kernel-sec)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 090df1f0 by Salvatore Bonaccorso at 2023-11-30T17:15:18+01:00 Add one missing CVE which is fixed as well (sync with kernel-sec) - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -115,5 +115,7 @@ CVE-2023-5345 [bookworm] - linux 6.1.64-1 CVE-2023-5717 [bookworm] - linux 6.1.64-1 +CVE-2023-6111 + [bookworm] - linux 6.1.64-1 CVE-2023-6121 [bookworm] - linux 6.1.64-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/090df1f07c5c7f45ac93c6fad96c76d3809ca955 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/090df1f07c5c7f45ac93c6fad96c76d3809ca955 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-6111 in sync with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b913a65 by Salvatore Bonaccorso at 2023-11-30T17:13:55+01:00 Update status for CVE-2023-6111 in sync with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2110,7 +2110,6 @@ CVE-2023-6124 (Server-Side Request Forgery (SSRF) in GitHub repository salesagil NOT-FOR-US: suitecrm CVE-2023-6111 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) - linux 6.5.13-1 - [bookworm] - linux (Vulnerable code introduce later) [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/93995bf4af2c5a99e2a87f0cd5ce547d31eb7630 (6.7-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b913a6574248300929c214b0bfb226ce10a3760 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b913a6574248300929c214b0bfb226ce10a3760 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
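Review bot: the bookworm line "(Vulnerable code introduce later)" is dropped without a NOTE saying why the earlier assessment was wrong; suggest recording the introducing commit, as is already done for the fix (the 6.7-rc1 kernel commit), so the reversal is auditable. The bookworm fixed version itself is tracked separately in data/next-point-update.txt (commit 090df1f0, linux 6.1.64-1), so the two commits should be read together.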
[Git][security-tracker-team/security-tracker][master] new virtuoso-opensource issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2964fd61 by Moritz Muehlenhoff at 2023-11-30T17:12:28+01:00 new virtuoso-opensource issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -45,21 +45,29 @@ CVE-2023-49076 (Customer-data-framework allows management of customer data withi CVE-2023-49052 (File Upload vulnerability in Microweber v.2.0.4 allows a remote attack ...) NOT-FOR-US: microweber CVE-2023-48952 (An issue in the box_deserialize_reusing function in openlink virtuoso- ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1175 CVE-2023-48951 (An issue in the box_equal function in openlink virtuoso-opensource v7. ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1177 CVE-2023-48950 (An issue in the box_col_len function in openlink virtuoso-opensource v ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1174 CVE-2023-48949 (An issue in the box_add function in openlink virtuoso-opensource v7.2. ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1173 CVE-2023-48948 (An issue in the box_div function in openlink virtuoso-opensource v7.2. ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1176 CVE-2023-48947 (An issue in the cha_cmp function of openlink virtuoso-opensource v7.2. ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1179 CVE-2023-48946 (An issue in the box_mpy function of openlink virtuoso-opensource v7.2. ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1178 CVE-2023-48945 (A stack overflow in openlink virtuoso-opensource v7.2.11 allows attack ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1172 CVE-2023-47464 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 bef ...) 
NOT-FOR-US: GL.iNet AX1800 CVE-2023-47463 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 bef ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2964fd61f8e3e20c9cc557046bbe65fe5ef1e7a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2964fd61f8e3e20c9cc557046bbe65fe5ef1e7a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
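Review bot: the eight virtuoso-opensource entries go from "TODO: check" to a bare "- virtuoso-opensource" with only the upstream issue link, so they will now show as open in every suite that ships the package; since the descriptions tie them to v7.2.11 and no fix commit or fixed version is referenced, add a per-suite severity annotation for bookworm and bullseye (or a NOTE that the triage is still pending) so they do not appear as unassessed open issues for stable.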
[Git][security-tracker-team/security-tracker][master] new aiohttp issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 671749a2 by Moritz Muehlenhoff at 2023-11-30T17:05:43+01:00 new aiohttp issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29,9 +29,15 @@ CVE-2023-49094 (Symbolicator is a symbolication service for native stacktraces a CVE-2023-49087 (xml-security is a library that implements XML signatures and encryptio ...) TODO: check CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - TODO: check + - python-aiohttp + [bookworm] - python-aiohttp (Minor issue) + [bullseye] - python-aiohttp (Minor issue) + NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-qvrw-v9rv-5rjx CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) - TODO: check + - python-aiohttp + [bookworm] - python-aiohttp (Minor issue) + [bullseye] - python-aiohttp (Minor issue) + NOTE: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-q3qx-c6g2-7pw2 CVE-2023-49077 (Mailcow: dockerized is an open source groupware/email suite based on d ...) NOT-FOR-US: Mailcow CVE-2023-49076 (Customer-data-framework allows management of customer data within Pimc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/671749a2ed64600d69421a4165cf81d4311baa13 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/671749a2ed64600d69421a4165cf81d4311baa13 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixes for linux via upcoming point release
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1fdf9c09 by Salvatore Bonaccorso at 2023-11-30T17:01:54+01:00 Track fixes for linux via upcoming point release - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -95,3 +95,25 @@ CVE-2023-49208 [bookworm] - glewlwyd 2.7.5-3+deb12u1 CVE-2023-49316 [bookworm] - php-phpseclib3 3.0.19-1+deb12u1 +CVE-2023-34324 + [bookworm] - linux 6.1.64-1 +CVE-2023-35827 + [bookworm] - linux 6.1.64-1 +CVE-2023-46813 + [bookworm] - linux 6.1.64-1 +CVE-2023-46862 + [bookworm] - linux 6.1.64-1 +CVE-2023-5090 + [bookworm] - linux 6.1.64-1 +CVE-2023-5158 + [bookworm] - linux 6.1.64-1 +CVE-2023-5178 + [bookworm] - linux 6.1.64-1 +CVE-2023-5197 + [bookworm] - linux 6.1.64-1 +CVE-2023-5345 + [bookworm] - linux 6.1.64-1 +CVE-2023-5717 + [bookworm] - linux 6.1.64-1 +CVE-2023-6121 + [bookworm] - linux 6.1.64-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fdf9c090cdb2c440650058ceb302d2fda2e9b98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1fdf9c090cdb2c440650058ceb302d2fda2e9b98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim horizon in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 4818f8aa by Guilhem Moulin at 2023-11-30T16:41:09+01:00 LTS: claim horizon in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -69,7 +69,7 @@ frr gimp-dds (Adrian Bunk) NOTE: 20231127: Added by Front-Desk (Beuc) -- -horizon +horizon (guilhem) NOTE: 20231101: Added by Front-Desk (lamby) NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4818f8aa5e6caea39ef7b92f607a5c45617dd2af -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4818f8aa5e6caea39ef7b92f607a5c45617dd2af You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] data/CVE/list: add note about CVE-2022-3437/samba. regression risky
Santiago R.R. pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b6346ec by Santiago Ruano Rincón at 2023-11-30T12:26:11-03:00 data/CVE/list: add note about CVE-2022-3437/samba. regression risky - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -77344,6 +77344,7 @@ CVE-2022-3437 (A heap-based buffer overflow vulnerability was found in Samba wit NOTE: https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2 (heimdal-7.7.1) NOTE: https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef (heimdal-7.7.1) NOTE: In scope for continued Samba support + NOTE: Important risk of regression in samba/bullseye (4.13) CVE-2021-46845 RESERVED CVE-2020-36606 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b6346ec3e0836b959cc91b08e35a563e9f790fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b6346ec3e0836b959cc91b08e35a563e9f790fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
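Review bot: the new NOTE "Important risk of regression in samba/bullseye (4.13)" states a risk but cites nothing; add the bug number, test result or discussion that showed the regression so the next person picking this up does not have to rediscover why the fix is risky on 4.13.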
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3675-1 for zbar
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 4da3d8e8 by Bastien Roucariès at 2023-11-30T14:33:04+00:00 Reserve DLA-3675-1 for zbar - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3675-1 zbar - security update + {CVE-2023-40889 CVE-2023-40890} + [buster] - zbar 0.22-1+deb10u1 [30 Nov 2023] DLA-3674-1 thunderbird - security update {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} [buster] - thunderbird 1:115.5.0-1~deb10u1 = data/dla-needed.txt = @@ -244,9 +244,6 @@ wireshark (Adrian Bunk) zabbix NOTE: 20231015: Added by Front-Desk (ta) -- -zbar (rouca) - NOTE: 20231119: Added by Front-Desk (apo) --- zfs-linux NOTE: 20231127: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da3d8e847737959c535d7f98b33e1d074ee5233 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da3d8e847737959c535d7f98b33e1d074ee5233 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3674-1 for thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: d2d19d76 by Emilio Pozuelo Monfort at 2023-11-30T15:25:02+01:00 Reserve DLA-3674-1 for thunderbird - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Nov 2023] DLA-3674-1 thunderbird - security update + {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} + [buster] - thunderbird 1:115.5.0-1~deb10u1 [28 Nov 2023] DLA-3673-1 gst-plugins-bad1.0 - security update {CVE-2023-6} [buster] - gst-plugins-bad1.0 1.14.4-1+deb10u5 = data/dla-needed.txt = @@ -222,9 +222,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -thunderbird (Emilio) - NOTE: 20231122: Added by Front-Desk (ola) --- tinymce (Sean Whitton) NOTE: 20231123: Added by Front-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2d19d76129e8fe47208e4e61965ab89029b7fef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2d19d76129e8fe47208e4e61965ab89029b7fef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
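Review bot: not part of this change, but visible in the context lines, the DLA-3673-1 entry for gst-plugins-bad1.0 lists {CVE-2023-6}, which is not a valid CVE identifier; it should be corrected in a follow-up so the DLA/list cross-references resolve.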
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: eaf40c64 by Moritz Muehlenhoff at 2023-11-30T14:46:17+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,15 +7,15 @@ CVE-2023-5772 (The Debug Log Manager plugin for WordPress is vulnerable to Cross CVE-2023-5247 (Malicious Code Execution Vulnerability due to External Control of File ...) NOT-FOR-US: Mitsubishi CVE-2023-4474 (The improper neutralization of special elements in the WSGI server of ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-4473 (A command injection vulnerability in the web server of the Zyxel NAS32 ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-49701 (Memory Corruption in SIM management while USIMPhase2init) NOT-FOR-US: USIMPhase2init CVE-2023-49700 (Security best practices violations, a string operation in Streamingmed ...) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2023-49699 (Memory Corruption in IMS while calling VoLTE Streamingmedia Interface) - TODO: check + NOT-FOR-US: ASR Falcon CVE-2023-49694 (A low-privileged OS user with access to a Windows host where NETGEAR P ...) NOT-FOR-US: NETGEAR CVE-2023-49693 (NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol ...) @@ -23,9 +23,9 @@ CVE-2023-49693 (NETGEAR ProSAFE Network Management System has Java Debug Wire Pr CVE-2023-49097 (ZITADEL is an identity infrastructure system. ZITADEL uses the notific ...) NOT-FOR-US: ZITADEL CVE-2023-49095 (nexkey is a microblogging platform. Insufficient validation of Activit ...) - TODO: check + NOT-FOR-US: nexkey CVE-2023-49094 (Symbolicator is a symbolication service for native stacktraces and min ...) - TODO: check + NOT-FOR-US: Symbolicator CVE-2023-49087 (xml-security is a library that implements XML signatures and encryptio ...) TODO: check CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) 
@@ -33,7 +33,7 @@ CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyn CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) TODO: check CVE-2023-49077 (Mailcow: dockerized is an open source groupware/email suite based on d ...) - TODO: check + NOT-FOR-US: Mailcow CVE-2023-49076 (Customer-data-framework allows management of customer data within Pimc ...) NOT-FOR-US: Pimcore CVE-2023-49052 (File Upload vulnerability in Microweber v.2.0.4 allows a remote attack ...) 
@@ -55,23 +55,23 @@ CVE-2023-48946 (An issue in the box_mpy function of openlink virtuoso-opensource CVE-2023-48945 (A stack overflow in openlink virtuoso-opensource v7.2.11 allows attack ...) TODO: check CVE-2023-47464 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 bef ...) - TODO: check + NOT-FOR-US: GL.iNet AX1800 CVE-2023-47463 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 bef ...) - TODO: check + NOT-FOR-US: GL.iNet AX1800 CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and be ...) - TODO: check + NOT-FOR-US: p2pa CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) - TODO: check + NOT-FOR-US: Sierra Wireless CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) - TODO: check + NOT-FOR-US: NEC CVE-2023-37928 (A post-authentication command injection vulnerability in the WSGI serv ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-37927 (The improper neutralization of special elements in the CGI program of ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-35138 (A command injection vulnerability in the \u201cshow_zysync_server_cont ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-35137 (An improper authentication vulnerability in the authentication module ...) - TODO: check + NOT-FOR-US: Zyxel CVE-2023-6378 (A serialization vulnerability in logback receiver component part of l ...) - logback [bookworm] - logback (Minor issue) 
@@ -77688,17 +77688,17 @@ CVE-2022-42543 (In fdt_path_offset_namelen of fdt_ro.c, there is a possible out CVE-2022-42542 (In phNxpNciHal_core_initialized of phNxpNciHal.cc, there is a possible ...) NOT-FOR-US: Android CVE-2022-42541 (Remote code execution) - TODO: check + NOT-FOR-US: Google Chromecast CVE-2022-42540 (Elevation of privilege) - TODO: check + NOT-FOR-US: Google Chromecast CVE-2022-42539 (Information disclosure) - TODO: check + NOT-FOR-US: Google Chromecast CVE-2022-42538 (Elevation of privilege) - TODO: check + NOT-FOR-US: Google Chromecast
[Git][security-tracker-team/security-tracker][master] CVE-2023-6378/logback: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1c010888 by Sylvain Beucler at 2023-11-30T14:11:12+01:00 CVE-2023-6378/logback: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76,6 +76,7 @@ CVE-2023-6378 (A serialization vulnerability in logback receiver component part - logback [bookworm] - logback (Minor issue) [bullseye] - logback (Minor issue) + [buster] - logback (Minor issue, DoS) NOTE: https://logback.qos.ch/news.html#1.3.12 CVE-2023-6218 (In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9) ...) NOT-FOR-US: Progress MOVEit Transfer View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1c010888334b85705a9679e331326089587e5a4d
[Git][security-tracker-team/security-tracker][master] 6 commits: CVE-2023-39358,CVE-2023-39360/cacti: buster not-affected + more links
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c2cd83ad by Sylvain Beucler at 2023-11-30T13:36:14+01:00 CVE-2023-39358,CVE-2023-39360/cacti: buster not-affected + more links - - - - - 5c29eb62 by Sylvain Beucler at 2023-11-30T13:36:16+01:00 CVE-2023-39366/cacti: all the code path for the CVE vector appears to be present and similar, re-mark for fix in bullseye buster - - - - - c52977ca by Sylvain Beucler at 2023-11-30T13:36:18+01:00 CVE-2023-39510/cacti: buster not-affected + introductory commit - - - - - ebbc8845 by Sylvain Beucler at 2023-11-30T13:37:18+01:00 CVE-2023-39511/cacti: buster not-affected + patch + introductory commit - - - - - dc86d26e by Sylvain Beucler at 2023-11-30T13:37:27+01:00 CVE-2023-39512/cacti: buster not-affected + introductory commit - - - - - 70f06ace by Sylvain Beucler at 2023-11-30T13:37:27+01:00 CVE-2023-39514/cacti: buster not-affected + introductory commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13191,7 +13191,10 @@ CVE-2023-39511 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 [bullseye] - cacti (Vulnerable code not present) + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-5hpr-4hhc-8q42 + NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e (release/1.2.25) + NOTE: Introduced by: https://github.com/Cacti/cacti/commit/9d3495abdc86f40bc7fa9767fcf0136db5b6179a (release/1.2.20) CVE-2023-39265 (Apache Superset would allow for SQLite database connections to be inco ...) NOT-FOR-US: Apache Superset CVE-2023-39264 (By default, stack traces for errors were enabled, which resulted in th ...) 
@@ -13397,8 +13400,10 @@ CVE-2023-39514 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 [bullseye] - cacti (Vulnerable code not present) + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-6hrc-2cfc-8hm7 NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e + NOTE: Introduced by: https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2 (release/1.2.17) CVE-2023-39513 (Cacti is an open source operational monitoring and fault management fr ...) {DSA-5550-1} - cacti 1.2.25+ds1-1 
@@ -13410,18 +13415,21 @@ CVE-2023-39512 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 [bullseye] - cacti (Vulnerable code not present) + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vqcc-5v63-g9q7 NOTE: https://github.com/Cacti/cacti/commit/8d8aeec0eca3be7b10a12e6c2a78e6560bcef43e + NOTE: Introduced by: https://github.com/Cacti/cacti/commit/75c147b70493d188ad85313569f86e33e13988b2 (release/1.2.17) CVE-2023-39510 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 [bullseye] - cacti (Vulnerable code not present) + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-24w4-4hp2-3j8h NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009 + NOTE: Introduced by: https://github.com/Cacti/cacti/commit/26e2dbacf298265ce9e517f6f1f008ec46167b5d (release/1.2.20) CVE-2023-39366 (Cacti is an open source operational monitoring and fault management fr ...) - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 - [bullseye] - cacti (Vulnerable code not present) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-rwhh-xxm6-vcrv NOTE: https://github.com/Cacti/cacti/commit/c67daa614d91c8592b8792298da8e3aa017c4009 CVE-2023-39365 (Cacti is an open source operational monitoring and fault management fr ...) @@ -13451,8 +13459,11 @@ CVE-2023-39360 (Cacti is an open source operational monitoring and fault managem - cacti 1.2.25+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u1 [bullseye] - cacti (Vulnerable code not present) + [buster] - cacti (Vulnerable code introduced later) NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gx8c-xvjh-9qh4 - NOTE: https://github.com/cacti/cacti/commit/9696bbd8060c7332b11b709f4dd17e6c3776bba2 + NOTE:
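Review bot: in the CVE-2023-39366 region the line "[bullseye] - cacti (Vulnerable code not present)" is removed, which reverses an earlier triage decision, but no NOTE is added to the entry recording why; the reasoning only exists in the commit message (the code path for the CVE vector appears to be present and similar), so a NOTE line stating that would keep the next triager from re-marking bullseye as not-affected. The neighbouring entries in this patch set the pattern, each pairing its status change with a "NOTE: Introduced by: ..." line.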
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6334abbe by Moritz Muehlenhoff at 2023-11-30T12:29:18+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-49620 + NOT-FOR-US: Apache DolphinScheduler +CVE-2023-49733 + NOT-FOR-US: Apache Cocoon CVE-2023-5772 (The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site ...) NOT-FOR-US: WordPress plugin CVE-2023-5247 (Malicious Code Execution Vulnerability due to External Control of File ...) @@ -67609,6 +67613,7 @@ CVE-2022-45136 (Apache Jena SDB 3.17.0 and earlier is vulnerable to a JDBC Deser NOTE: The SDB module was removed after 3.17.0, marking 4.5.0 as fixed: https://jena.apache.org/documentation/archive/sdb/ CVE-2022-45135 RESERVED + NOT-FOR-US: Apache Cocoon CVE-2022-43668 (Typora versions prior to 1.4.4 fails to properly neutralize JavaScript ...) NOT-FOR-US: Typora CVE-2022-3932 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6334abbefc82472b9ee0f8fde9b58e4b6d3f7bb1
[Git][security-tracker-team/security-tracker][master] LTS: Claim tinymce in dla-needed.txt
Sean Whitton pushed to branch master at Debian Security Tracker / security-tracker Commits: 73af63b5 by Sean Whitton at 2023-11-30T09:25:28+00:00 LTS: Claim tinymce in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -225,7 +225,7 @@ suricata (Adrian Bunk) thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- -tinymce +tinymce (Sean Whitton) NOTE: 20231123: Added by Front-Desk (ola) -- tomcat9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73af63b5266bd3aced20978e754182b1dca20a65
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-34854, CVE-2022-45592/hoteldruid: follow stable triage for buster (too little information)
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 591b7686 by Sylvain Beucler at 2023-11-30T09:53:42+01:00 CVE-2023-34854,CVE-2022-45592/hoteldruid: follow stable triage for buster (too little information) - - - - - 9a229634 by Sylvain Beucler at 2023-11-30T09:53:44+01:00 CVE-2022-44010,CVE-2022-44011/clickhouse: buster postponed - - - - - 1b5e852c by Sylvain Beucler at 2023-11-30T09:53:46+01:00 CVE-2023-46998/libjs-bootbox: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3404,6 +3404,7 @@ CVE-2023-46998 (Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 t - libjs-bootbox (bug #1055612) [bookworm] - libjs-bootbox (Minor issue) [bullseye] - libjs-bootbox (Minor issue) + [buster] - libjs-bootbox (Minor issue, reflected XSS) NOTE: https://github.com/bootboxjs/bootbox/issues/661 CVE-2023-46845 (EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, ...) NOT-FOR-US: EC-CUBE @@ -65936,11 +65937,13 @@ CVE-2023-34854 [Authenticated remote code execution via backup/restore in HotelD - hoteldruid 3.0.6-1 [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2022-45592 [(1) Server Side Request Forgery (SSRF), (2) persistant Cross site scripting (XSS), and (3) File upload vulnerability.] RESERVED - hoteldruid 3.0.6-1 [bookworm] - hoteldruid (Minor issue) [bullseye] - hoteldruid (Minor issue) + [buster] - hoteldruid (Minor issue) CVE-2022-45591 RESERVED CVE-2022-45590 
@@ -71577,11 +71580,13 @@ CVE-2022-44011 (An issue was discovered in ClickHouse before 22.9.1.2603. An aut - clickhouse [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue, DoS) NOTE: https://github.com/ClickHouse/ClickHouse/pull/40241 CVE-2022-44010 (An issue was discovered in ClickHouse before 22.9.1.2603. An attacker ...) - clickhouse [bookworm] - clickhouse (Minor issue) [bullseye] - clickhouse (Minor issue) + [buster] - clickhouse (Minor issue, DoS) NOTE: https://github.com/ClickHouse/ClickHouse/pull/40292 CVE-2022-44009 (Improper access control in Key-Value RBAC in StackStorm version 3.7.0 ...) NOT-FOR-US: StackStorm View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4973ede0bfa564ecbab5a4a8c54d2a28d1c8a5e1...1b5e852cc04cfebda1e0b941df627974657a5e80
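Review bot: the two new "[buster] - hoteldruid (Minor issue)" lines under CVE-2023-34854 and CVE-2022-45592 give no hint of the reason the commit message states (too little information to assess), whereas the other buster lines in the same patch carry their rationale inside the parentheses, "(Minor issue, reflected XSS)" for libjs-bootbox and "(Minor issue, DoS)" for clickhouse; suggest "(Minor issue, too little information)" or a NOTE line so the basis for postponing is recorded in the data file and not only in git history.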
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4973ede0 by Moritz Muehlenhoff at 2023-11-30T09:49:24+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -70,6 +70,8 @@ CVE-2023-35137 (An improper authentication vulnerability in the authentication m TODO: check CVE-2023-6378 (A serialization vulnerability in logback receiver component part of l ...) - logback + [bookworm] - logback (Minor issue) + [bullseye] - logback (Minor issue) NOTE: https://logback.qos.ch/news.html#1.3.12 CVE-2023-6218 (In Progress MOVEit Transfer versions released before 2022.0.9 (14.0.9) ...) NOT-FOR-US: Progress MOVEit Transfer @@ -191,6 +193,8 @@ CVE-2023-45539 (HAProxy before 2.8.2 accepts # as part of the URI component, whi NOTE: https://git.haproxy.org/?p=haproxy-2.2.git;a=commit;h=178cea76b1c9d9413afa6961b6a4576fcb5b26fa (v2.3.31) CVE-2023-45286 (A race condition in go-resty can result in HTTP request body disclosur ...) - golang-github-go-resty-resty + [bookworm] - golang-github-go-resty-resty (Minor issue) + [bullseye] - golang-github-go-resty-resty (Minor issue) NOTE: https://github.com/go-resty/resty/issues/743 NOTE: https://github.com/go-resty/resty/issues/739 NOTE: https://github.com/go-resty/resty/pull/745 = data/dsa-needed.txt = @@ -36,7 +36,7 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -nghttp2 +nghttp2 (jmm) -- nodejs maintainer proposed to follow the upstream 18.x LTS branch 
@@ -55,8 +55,7 @@ python3.11/stable (carnil) -- python3.9/oldstable -- -rabbitmq-server - Maintainer suggested to release fixes for CVE-2023-46118 via DSA +rabbitmq-server (jmm) -- redmine/stable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4973ede0bfa564ecbab5a4a8c54d2a28d1c8a5e1
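Review bot: in the dsa-needed.txt hunk, claiming rabbitmq-server also drops the line "Maintainer suggested to release fixes for CVE-2023-46118 via DSA" instead of keeping it under the claimed entry; that line is the only record in the file of the maintainer's request and of the CVE it concerns, and the nbconvert/oldstable entry just above keeps its note after being claimed, so the note should stay unless the claim means the request has already been acted on.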
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8788693 by Salvatore Bonaccorso at 2023-11-30T09:47:35+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,23 +1,23 @@ CVE-2023-5772 (The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5247 (Malicious Code Execution Vulnerability due to External Control of File ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2023-4474 (The improper neutralization of special elements in the WSGI server of ...) TODO: check CVE-2023-4473 (A command injection vulnerability in the web server of the Zyxel NAS32 ...) TODO: check CVE-2023-49701 (Memory Corruption in SIM management while USIMPhase2init) - TODO: check + NOT-FOR-US: USIMPhase2init CVE-2023-49700 (Security best practices violations, a string operation in Streamingmed ...) TODO: check CVE-2023-49699 (Memory Corruption in IMS while calling VoLTE Streamingmedia Interface) TODO: check CVE-2023-49694 (A low-privileged OS user with access to a Windows host where NETGEAR P ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2023-49693 (NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol ...) - TODO: check + NOT-FOR-US: NETGEAR CVE-2023-49097 (ZITADEL is an identity infrastructure system. ZITADEL uses the notific ...) - TODO: check + NOT-FOR-US: ZITADEL CVE-2023-49095 (nexkey is a microblogging platform. Insufficient validation of Activit ...) TODO: check CVE-2023-49094 (Symbolicator is a symbolication service for native stacktraces and min ...) 
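Review bot: CVE-2023-49701 is marked "NOT-FOR-US: USIMPhase2init", which is the function name taken from the description rather than a vendor or product; every other NOT-FOR-US label in this hunk names the vendor or product (WordPress plugin, Mitsubishi, NETGEAR, ZITADEL), so the label should follow that convention to stay useful when searching the list by vendor.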
@@ -31,9 +31,9 @@ CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyn CVE-2023-49077 (Mailcow: dockerized is an open source groupware/email suite based on d ...) TODO: check CVE-2023-49076 (Customer-data-framework allows management of customer data within Pimc ...) - TODO: check + NOT-FOR-US: Pimcore CVE-2023-49052 (File Upload vulnerability in Microweber v.2.0.4 allows a remote attack ...) - TODO: check + NOT-FOR-US: microweber CVE-2023-48952 (An issue in the box_deserialize_reusing function in openlink virtuoso- ...) TODO: check CVE-2023-48951 (An issue in the box_equal function in openlink virtuoso-opensource v7. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8788693f027ffba90206730c71e9b4bafe23c21
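Review bot: the label "NOT-FOR-US: microweber" for CVE-2023-49052 differs in case from the product name in its description, "Microweber"; minor, but the labels in this hunk otherwise copy the product spelling (Pimcore), and a consistent spelling keeps case-sensitive searches of the list from missing the entry.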
[Git][security-tracker-team/security-tracker][master] dla: take gimp-dds
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab06ac4e by Adrian Bunk at 2023-11-30T10:38:42+02:00 dla: take gimp-dds - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -66,7 +66,7 @@ flatpak frr NOTE: 20231119: Added by Front-Desk (apo) -- -gimp-dds +gimp-dds (Adrian Bunk) NOTE: 20231127: Added by Front-Desk (Beuc) -- horizon View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab06ac4e53a14903d6b70266d3eb4dcd10b5a5c5
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2022-28958
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58746a30 by Salvatore Bonaccorso at 2023-11-30T09:29:12+01:00 Remove notes from CVE-2022-28958 This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115646,7 +115646,6 @@ CVE-2022-28959 (Multiple cross-site scripting (XSS) vulnerabilities in the compo NOTE: https://github.com/spip/SPIP/commit/6c1650713fc948318852ace759aab8f1a84791cf CVE-2022-28958 REJECTED - NOT-FOR-US: D-Link CVE-2022-28957 RESERVED CVE-2022-28956 (An issue in the getcfg.php component of D-Link DIR816L_FW206b01 allows ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58746a3081a9f783378bc7a18504af7510e37517
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ccc48bc by security tracker role at 2023-11-30T08:11:57+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,73 @@ +CVE-2023-5772 (The Debug Log Manager plugin for WordPress is vulnerable to Cross-Site ...) + TODO: check +CVE-2023-5247 (Malicious Code Execution Vulnerability due to External Control of File ...) + TODO: check +CVE-2023-4474 (The improper neutralization of special elements in the WSGI server of ...) + TODO: check +CVE-2023-4473 (A command injection vulnerability in the web server of the Zyxel NAS32 ...) + TODO: check +CVE-2023-49701 (Memory Corruption in SIM management while USIMPhase2init) + TODO: check +CVE-2023-49700 (Security best practices violations, a string operation in Streamingmed ...) + TODO: check +CVE-2023-49699 (Memory Corruption in IMS while calling VoLTE Streamingmedia Interface) + TODO: check +CVE-2023-49694 (A low-privileged OS user with access to a Windows host where NETGEAR P ...) + TODO: check +CVE-2023-49693 (NETGEAR ProSAFE Network Management System has Java Debug Wire Protocol ...) + TODO: check +CVE-2023-49097 (ZITADEL is an identity infrastructure system. ZITADEL uses the notific ...) + TODO: check +CVE-2023-49095 (nexkey is a microblogging platform. Insufficient validation of Activit ...) + TODO: check +CVE-2023-49094 (Symbolicator is a symbolication service for native stacktraces and min ...) + TODO: check +CVE-2023-49087 (xml-security is a library that implements XML signatures and encryptio ...) + TODO: check +CVE-2023-49082 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) + TODO: check +CVE-2023-49081 (aiohttp is an asynchronous HTTP client/server framework for asyncio an ...) + TODO: check +CVE-2023-49077 (Mailcow: dockerized is an open source groupware/email suite based on d ...) + TODO: check +CVE-2023-49076 (Customer-data-framework allows management of customer data within Pimc ...) + TODO: check +CVE-2023-49052 (File Upload vulnerability in Microweber v.2.0.4 allows a remote attack ...) 
+ TODO: check +CVE-2023-48952 (An issue in the box_deserialize_reusing function in openlink virtuoso- ...) + TODO: check +CVE-2023-48951 (An issue in the box_equal function in openlink virtuoso-opensource v7. ...) + TODO: check +CVE-2023-48950 (An issue in the box_col_len function in openlink virtuoso-opensource v ...) + TODO: check +CVE-2023-48949 (An issue in the box_add function in openlink virtuoso-opensource v7.2. ...) + TODO: check +CVE-2023-48948 (An issue in the box_div function in openlink virtuoso-opensource v7.2. ...) + TODO: check +CVE-2023-48947 (An issue in the cha_cmp function of openlink virtuoso-opensource v7.2. ...) + TODO: check +CVE-2023-48946 (An issue in the box_mpy function of openlink virtuoso-opensource v7.2. ...) + TODO: check +CVE-2023-48945 (A stack overflow in openlink virtuoso-opensource v7.2.11 allows attack ...) + TODO: check +CVE-2023-47464 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 bef ...) + TODO: check +CVE-2023-47463 (Insecure Permissions vulnerability in GL.iNet AX1800 version 4.0.0 bef ...) + TODO: check +CVE-2023-47418 (Remote Code Execution (RCE) vulnerability in o2oa version 8.1.2 and be ...) + TODO: check +CVE-2023-40458 (Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability i ...) + TODO: check +CVE-2023-3741 (An OS Command injection vulnerability in NEC Platforms DT900 and DT900 ...) + TODO: check +CVE-2023-37928 (A post-authentication command injection vulnerability in the WSGI serv ...) + TODO: check +CVE-2023-37927 (The improper neutralization of special elements in the CGI program of ...) + TODO: check +CVE-2023-35138 (A command injection vulnerability in the \u201cshow_zysync_server_cont ...) + TODO: check +CVE-2023-35137 (An improper authentication vulnerability in the authentication module ...) + TODO: check CVE-2023-6378 (A serialization vulnerability in logback receiver component part of l ...) - logback NOTE: https://logback.qos.ch/news.html#1.3.12 
@@ -111,7 +181,7 @@ CVE-2023-48848 (An arbitrary file read vulnerability in ureport v2.2.9 allows a NOT-FOR-US: ureport CVE-2023-48121 (An authentication bypass vulnerability in the Direct Connection Module ...) NOT-FOR-US: Direct Connection Module in Ezviz -CVE-2023-48042 (Amazzing Filter for Prestashop through 3.2.2 is vulnerable to Cross-Si ...) +CVE-2023-48042 (Cross Site Scripting (XSS) in Search filters in Prestashop Amazzing fi ...) NOT-FOR-US: Amazzing Filter for Prestashop