[Git][security-tracker-team/security-tracker][master] Reserve DLA-3363-1 for pcre2
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 90ab1b53 by Guilhem Moulin at 2023-03-16T03:28:24+01:00 Reserve DLA-3363-1 for pcre2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -72178,13 +72178,11 @@ CVE-2022-1588 CVE-2022-1587 (An out-of-bounds read vulnerability was discovered in the PCRE2 librar ...) - pcre2 10.40-1 (bug #1011954) [bullseye] - pcre2 10.36-2+deb11u1 - [buster] - pcre2 (Minor issue) [stretch] - pcre2 (Minor issue) NOTE: https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0 (pcre2-10.40) CVE-2022-1586 (An out-of-bounds read vulnerability was discovered in the PCRE2 librar ...) - pcre2 10.40-1 (bug #1011954) [bullseye] - pcre2 10.36-2+deb11u1 - [buster] - pcre2 (Minor issue) [stretch] - pcre2 (Minor issue) NOTE: https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a (pcre2-10.40) NOTE: https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc388f89095b184ba6d99422cfc676c (pcre2-10.40) @@ -228580,7 +228578,6 @@ CVE-2019-20455 (Gateways/Gateway.php in Heartland Global Payments PHP SDK NOT-FOR-US: Heartland & Global Payments PHP SDK CVE-2019-20454 (An out-of-bounds read was discovered in PCRE before 10.34 when the pat ...) - pcre2 10.34-1 - [buster] - pcre2 (Minor issue) [stretch] - pcre2 (Minor issue) NOTE: https://bugs.exim.org/show_bug.cgi?id=2421 NOTE: https://bugs.php.net/bug.php?id=78338 = data/DLA/list = @@ -1,3 +1,6 @@ +[16 Mar 2023] DLA-3363-1 pcre2 - security update + {CVE-2019-20454 CVE-2022-1586 CVE-2022-1587} + [buster] - pcre2 10.32-5+deb10u1 [14 Mar 2023] DLA-3362-1 qemu - security update {CVE-2020-14394 CVE-2020-17380 CVE-2020-29130 CVE-2021-3409 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595 CVE-2022-0216 CVE-2022-1050} [buster] - qemu 1:3.1+dfsg-8+deb10u10 = data/dla-needed.txt = 
@@ -185,10 +185,6 @@ openimageio (Markus Koschany) NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git NOTE: 20220313: will be released today (apo) -- -pcre2 (guilhem) - NOTE: 20230303: Programming language: C. - NOTE: 20230303: Follow fixes from bullseye 11.5 (Beuc/front-desk) --- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90ab1b536c119407cf18bca9436cd64b6ec44d81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90ab1b536c119407cf18bca9436cd64b6ec44d81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
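Review bot: the three "[buster] - pcre2 (Minor issue)" lines dropped from data/CVE/list (CVE-2022-1587, CVE-2022-1586, CVE-2019-20454) match the CVE set in the new DLA-3363-1 entry exactly, so the cross-references are consistent. One thing to check before the advisory text is finalised: the dla-needed.txt note being removed says "Follow fixes from bullseye 11.5", but the bullseye update 10.36-2+deb11u1 covers only CVE-2022-1586 and CVE-2022-1587; CVE-2019-20454 was fixed upstream in 10.34 (tracked as "pcre2 10.34-1", with no bullseye line at all), so its backport into 10.32-5+deb10u1 does not come from bullseye and should be attributed to the upstream fix instead.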
[Git][security-tracker-team/security-tracker][master] Track fixed version for thunderbird issues from mfsa2023-11
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f1b17fc by Salvatore Bonaccorso at 2023-03-15T22:32:22+01:00 Track fixed version for thunderbird issues from mfsa2023-11 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -811,7 +811,7 @@ CVE-2023-28176 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 - - thunderbird + - thunderbird 1:102.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28176 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28176 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28176 @@ -842,7 +842,7 @@ CVE-2023-28164 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 - - thunderbird + - thunderbird 1:102.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28164 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28164 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28164 @@ -859,7 +859,7 @@ CVE-2023-28162 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 - - thunderbird + - thunderbird 1:102.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28162 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28162 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28162 @@ -7449,7 +7449,7 @@ CVE-2023-25752 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 - - thunderbird + - thunderbird 1:102.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-25752 
@@ -7458,7 +7458,7 @@ CVE-2023-25751 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 - - thunderbird + - thunderbird 1:102.9.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-25751 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f1b17fcd321300a3cb07b6e92b16e6d58132b17 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f1b17fcd321300a3cb07b6e92b16e6d58132b17 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f4d3555 by Salvatore Bonaccorso at 2023-03-15T22:30:31+01:00 Add thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -55,6 +55,8 @@ samba sofia-sip Maintainer proposed debdiff for review with additional question and sent a followup -- +thunderbird (jmm) +-- xrdp needs some additional clarification, tentatively DSA worthy maybe upgrade to 0.9.21 within bullseye? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f4d35551139b117ee499f313fcd5b1fae76da44 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f4d35551139b117ee499f313fcd5b1fae76da44 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new thunderbird issues from mfsa2023-11
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d37c52f1 by Salvatore Bonaccorso at 2023-03-15T22:29:42+01:00 Add new thunderbird issues from mfsa2023-11 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -811,8 +811,10 @@ CVE-2023-28176 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28176 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28176 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28176 CVE-2023-28175 RESERVED CVE-2023-28174 @@ -840,21 +842,27 @@ CVE-2023-28164 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28164 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28164 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28164 CVE-2023-28163 RESERVED - firefox (Windows-specific) - firefox-esr (Windows-specific) + - thunderbird (Windows-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28163 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28163 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28163 CVE-2023-28162 RESERVED {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28162 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28162 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-28162 CVE-2023-28161 RESERVED - firefox 
@@ -7441,15 +7449,19 @@ CVE-2023-25752 {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25752 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25752 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-25752 CVE-2023-25751 RESERVED {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-25751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-25751 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-11/#CVE-2023-25751 CVE-2023-25750 RESERVED - firefox View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d37c52f135625516cb85d97beadb973c2e92d35d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d37c52f135625516cb85d97beadb973c2e92d35d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
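Review bot: the new "- thunderbird" lines sit beneath the existing "{DSA-5374-1}" reference, which is the firefox-esr advisory; that is correct because the brace list is per CVE rather than per package, but the thunderbird advisory id will have to be appended to the same list once it is issued. Leaving the thunderbird package line without a version is consistent with the "thunderbird (jmm)" entry added to dsa-needed.txt in 1f4d3555, and CVE-2023-28163 getting "(Windows-specific)" mirrors the firefox/firefox-esr lines above it.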
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 43478e0c by Salvatore Bonaccorso at 2023-03-15T22:07:22+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6814,7 +6814,7 @@ CVE-2023-25970 CVE-2023-25969 RESERVED CVE-2023-25968 (Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs, Madalin ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25967 RESERVED CVE-2023-25966 @@ -7264,7 +7264,7 @@ CVE-2023-25806 (OpenSearch Security is a plugin for OpenSearch that offers encry CVE-2023-25805 (versionn, software for changing version information across multiple fi ...) NOT-FOR-US: Node versionn CVE-2023-25804 (Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Ke ...) - TODO: check + NOT-FOR-US: Roxy-WI CVE-2023-25803 (Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Ke ...) NOT-FOR-US: Roxy-WI CVE-2023-25802 (Roxy-WI is a Web interface for managing Haproxy, Nginx, Apache, and Ke ...) @@ -7664,7 +7664,7 @@ CVE-2023-25711 CVE-2023-25710 RESERVED CVE-2023-25709 (Cross-Site Request Forgery (CSRF) vulnerability in Plainware Locatorai ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25708 (Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR ...) NOT-FOR-US: WordPress plugin CVE-2023-25707 @@ -8970,7 +8970,7 @@ CVE-2023-25284 CVE-2023-25283 (A stack overflow vulnerability in D-Link DIR820LA1_FW106B02 allows att ...) NOT-FOR-US: D-Link CVE-2023-25282 (A heap overflow vulnerability in D-Link DIR820LA1_FW106B02 allows atta ...) - TODO: check + NOT-FOR-US: D-Link CVE-2023-25281 RESERVED CVE-2023-25280 
@@ -10449,19 +10449,19 @@ CVE-2023-24734 (An arbitrary file upload vulnerability in the camera_upload.php CVE-2023-24733 (PMB v7.4.6 was discovered to contain a reflected cross-site scripting ...) NOT-FOR-US: PMB CVE-2023-24732 (Simple Customer Relationship Management System v1.0 as discovered to c ...) - TODO: check + NOT-FOR-US: Simple Customer Relationship Management System CVE-2023-24731 (Simple Customer Relationship Management System v1.0 as discovered to c ...) - TODO: check + NOT-FOR-US: Simple Customer Relationship Management System CVE-2023-24730 (Simple Customer Relationship Management System v1.0 as discovered to c ...) - TODO: check + NOT-FOR-US: Simple Customer Relationship Management System CVE-2023-24729 (Simple Customer Relationship Management System v1.0 as discovered to c ...) - TODO: check + NOT-FOR-US: Simple Customer Relationship Management System CVE-2023-24728 (Simple Customer Relationship Management System v1.0 as discovered to c ...) - TODO: check + NOT-FOR-US: Simple Customer Relationship Management System CVE-2023-24727 RESERVED CVE-2023-24726 (Art Gallery Management System v1.0 was discovered to contain a SQL inj ...) - TODO: check + NOT-FOR-US: Art Gallery Management System CVE-2023-24725 RESERVED CVE-2023-24724 @@ -11901,7 +11901,7 @@ CVE-2023-24231 (A stored cross-site scripting (XSS) vulnerability in the compone CVE-2023-24230 (A stored cross-site scripting (XSS) vulnerability in the component /fo ...) NOT-FOR-US: Formwork CVE-2023-24229 (DrayTek Vigor2960 v1.5.1.4 was discovered to contain a command injecti ...) - TODO: check + NOT-FOR-US: DrayTek Vigor2960 CVE-2023-24228 RESERVED CVE-2023-24227 @@ -21419,7 +21419,7 @@ CVE-2022-47429 CVE-2022-47428 RESERVED CVE-2022-47427 (Cross-Site Request Forgery (CSRF) vulnerability in Joseph C Dolson My ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-47426 RESERVED CVE-2022-47425 
@@ -31172,7 +31172,7 @@ CVE-2022-44582 CVE-2022-44581 RESERVED CVE-2022-44580 (SQL Injection (SQLi) vulnerability in RichPlugins Plugin for Google Re ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-44579 RESERVED CVE-2022-44578 @@ -41000,7 +41000,7 @@ CVE-2022-39044 (Hidden functionality vulnerability in multiple Buffalo network d CVE-2022-38467 (Reflected Cross-Site Scripting (XSS) vulnerability in CRM Perks Forms ...) NOT-FOR-US: CRM Perks CVE-2022-38456 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-38141 RESERVED CVE-2022-38063 @@ -50490,7 +50490,7 @@ CVE-2022-37404 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnera CVE-2022-37403 (Authenticated (admin+) Stored Cross-Site Scripting (XSS) vulnerability ...) NOT-FOR-US: WordPress plugin CVE-2022-37402 (Stored Cross-site Scripting (XSS) vulnerability in AFS
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2710{2,3}/libde265
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3879ab48 by Salvatore Bonaccorso at 2023-03-15T22:06:29+01:00 Add CVE-2023-2710{2,3}/libde265 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3996,9 +3996,13 @@ CVE-2023-27105 CVE-2023-27104 RESERVED CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflow via ...) - TODO: check + - libde265 + NOTE: https://github.com/strukturag/libde265/issues/394 + NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...) - TODO: check + - libde265 + NOTE: https://github.com/strukturag/libde265/issues/393 + NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1 CVE-2023-27101 RESERVED CVE-2023-27100 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3879ab48354a00541271474a1cbae0a85b8fd0eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3879ab48354a00541271474a1cbae0a85b8fd0eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
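Review bot: both entries replace "TODO: check" with a bare "- libde265" plus upstream issue and fix-commit NOTEs, but carry no fixed Debian version and no per-suite annotation, so CVE-2023-27102 and CVE-2023-27103 will show as open in every suite. Once the referenced commits (d6bf73e7... and 0b1752ab...) land in an upload, record that version on the package line; until then a "[bullseye] - libde265 (Minor issue)"-style annotation, as used elsewhere in this file, would tell the stable and LTS teams whether an update is expected.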
[Git][security-tracker-team/security-tracker][master] Add two new nomad CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9800528d by Salvatore Bonaccorso at 2023-03-15T21:42:12+01:00 Add two new nomad CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1421,7 +1421,8 @@ CVE-2023-1301 (A vulnerability, which was classified as critical, has been found CVE-2023-1300 (A vulnerability classified as critical was found in SourceCodester COV ...) NOT-FOR-US: SourceCodester CVE-2023-1299 (HashiCorp Nomad and Nomad Enterprise 1.5.0 allow a job submitter to es ...) - TODO: check + - nomad (Vulnerable code not present; Introduced in 1.5.0) + NOTE: https://discuss.hashicorp.com/t/hcsec-2023-08-nomad-job-submitter-privilege-escalation-using-workload-identity/51389 CVE-2023-1298 RESERVED CVE-2023-28004 @@ -1463,7 +1464,8 @@ CVE-2023-27987 CVE-2023-1297 RESERVED CVE-2023-1296 (HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.5.0 did not correct ...) - TODO: check + - nomad (Vulnerable code not present) + NOTE: https://discuss.hashicorp.com/t/hcsec-2023-09-nomad-acls-can-not-deny-access-to-workloads-own-variables/51390 CVE-2023-1295 RESERVED CVE-2023-1294 (A vulnerability was found in SourceCodester File Tracker Manager Syste ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9800528d26ff33f9c7af9a68bb8d1f37bce77f8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9800528d26ff33f9c7af9a68bb8d1f37bce77f8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
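Review bot: the two annotations are worded differently: CVE-2023-1299 records "(Vulnerable code not present; Introduced in 1.5.0)" while CVE-2023-1296 only says "(Vulnerable code not present)". The second description gives the affected range as "1.4.0 up to 1.5.0", so adding "Introduced in 1.4.0" there would let a later reader verify the "not present" claim against the packaged version without re-reading the HashiCorp advisory.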
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8da1ad5c by Salvatore Bonaccorso at 2023-03-15T21:28:29+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -175,13 +175,13 @@ CVE-2023-1420 CVE-2023-1419 RESERVED CVE-2023-1418 (A vulnerability classified as problematic was found in SourceCodester ...) - TODO: check + NOT-FOR-US: SourceCodester Friendly Island Pizza Website and Ordering System CVE-2023-1417 RESERVED CVE-2023-1416 (A vulnerability classified as critical has been found in Simple Art Ga ...) - TODO: check + NOT-FOR-US: Simple Art Gallery CVE-2023-1415 (A vulnerability was found in Simple Art Gallery 1.0. It has been decla ...) - TODO: check + NOT-FOR-US: Simple Art Gallery CVE-2023-1414 RESERVED CVE-2023-1413 @@ -873,7 +873,7 @@ CVE-2023-1380 NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1 NOTE: https://lore.kernel.org/linux-wireless/20230309104457.22628-1-jisoo.j...@yonsei.ac.kr/T/#u CVE-2023-1379 (A vulnerability was found in SourceCodester Friendly Island Pizza Webs ...) - TODO: check + NOT-FOR-US: SourceCodester Friendly Island Pizza Website and Ordering System CVE-2023-1378 (A vulnerability classified as critical was found in SourceCodester Fri ...) NOT-FOR-US: SourceCodester Friendly Island Pizza Website and Ordering System CVE-2023-1377 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8da1ad5c234fc6fa629379fc53d641b51db6b0cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8da1ad5c234fc6fa629379fc53d641b51db6b0cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ba04d72 by Salvatore Bonaccorso at 2023-03-15T21:20:41+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5946,7 +5946,7 @@ CVE-2023-26286 CVE-2023-26285 RESERVED CVE-2023-26284 (IBM MQ Certified Container 9.3.0.1 through 9.3.0.3 and 9.3.1.0 through ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-26283 RESERVED CVE-2023-26282 @@ -7660,7 +7660,7 @@ CVE-2023-25710 CVE-2023-25709 (Cross-Site Request Forgery (CSRF) vulnerability in Plainware Locatorai ...) TODO: check CVE-2023-25708 (Cross-Site Request Forgery (CSRF) vulnerability in Rextheme WP VR ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25707 RESERVED CVE-2023-25706 @@ -15882,7 +15882,7 @@ CVE-2023-22878 CVE-2023-22877 RESERVED CVE-2023-22876 (IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.7 a ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-22875 (IBM QRadar SIEM 7.4 and 7.5copies certificate key files used for SSL/T ...) NOT-FOR-US: IBM CVE-2023-22874 @@ -23424,7 +23424,7 @@ CVE-2022-46776 CVE-2022-46775 RESERVED CVE-2022-46774 (IBM Manage Application 8.8.0 and 8.9.0 in the IBM Maximo Application S ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-46773 RESERVED CVE-2022-46772 @@ -34595,7 +34595,7 @@ CVE-2022-43876 CVE-2022-43875 (IBM Financial Transaction Manager for SWIFT Services for Multiplatform ...) NOT-FOR-US: IBM CVE-2022-43874 (IBM App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2 ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-43873 (An authenticated user can exploit a vulnerability in the IBM Spectrum ...) NOT-FOR-US: IBM CVE-2022-43872 (IBM Financial Transaction Manager 3.2.4 authorization checks are done ...) 
@@ -239332,7 +239332,7 @@ CVE-2020-4929 (IBM QRadar SIEM 7.3 and 7.4 is vulnerable to cross-site scripting CVE-2020-4928 (IBM Cloud Pak System 2.3 could allow a local privileged attacker to up ...) NOT-FOR-US: IBM CVE-2020-4927 (A vulnerability in the Spectrum Scale 5.0.5.0 through 5.1.6.1 core com ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4926 (A vulnerability in the Spectrum Scale 5.1 core component and IBM Elast ...) NOT-FOR-US: IBM CVE-2020-4925 (A security vulnerability in the Spectrum Scale 5.0 and 5.1 allows a no ...) @@ -240077,7 +240077,7 @@ CVE-2020-4558 CVE-2020-4557 (IBM Business Automation Workflow 18.0, 19.0, and 20.0 and IBM Business ...) NOT-FOR-US: IBM CVE-2020-4556 (IBM Financial Transaction Manager for High Value Payments for Multi-Pl ...) - TODO: check + NOT-FOR-US: IBM CVE-2020-4555 (IBM Financial Transaction Manager 3.0.6 and 3.1.0 does not invalidate ...) NOT-FOR-US: IBM CVE-2020-4554 (IBM i2 Analyst Notebook 9.2.1 and 9.2.2 could allow a local attacker t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ba04d720aa4fe46e71f4f9cd983aa41c3e4ad7a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ba04d720aa4fe46e71f4f9cd983aa41c3e4ad7a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
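Review bot: in the @@ -7660 hunk CVE-2023-25709 (CSRF in Plainware Locatoraid) is left at "TODO: check" while the adjacent CVE-2023-25708, with the same CSRF-in-WordPress-plugin description shape, is marked NOT-FOR-US in this commit; it received the same "NOT-FOR-US: WordPress plugin" marking in 43478e0c later in this batch, so adjacent entries of the same kind could be triaged in one pass to avoid the intermediate inconsistent state.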
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: be61f2b1 by security tracker role at 2023-03-15T20:10:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,201 @@ +CVE-2023-28449 + RESERVED +CVE-2023-28448 + RESERVED +CVE-2023-28447 + RESERVED +CVE-2023-28446 + RESERVED +CVE-2023-28445 + RESERVED +CVE-2023-28444 + RESERVED +CVE-2023-28443 + RESERVED +CVE-2023-28442 + RESERVED +CVE-2023-28441 + RESERVED +CVE-2023-28440 + RESERVED +CVE-2023-28439 + RESERVED +CVE-2023-28438 + RESERVED +CVE-2023-28437 + RESERVED +CVE-2023-28436 + RESERVED +CVE-2023-28435 + RESERVED +CVE-2023-28434 + RESERVED +CVE-2023-28433 + RESERVED +CVE-2023-28432 + RESERVED +CVE-2023-28431 + RESERVED +CVE-2023-28430 + RESERVED +CVE-2023-28429 + RESERVED +CVE-2023-28428 + RESERVED +CVE-2023-28427 + RESERVED +CVE-2023-28426 + RESERVED +CVE-2023-28425 + RESERVED +CVE-2023-28424 + RESERVED +CVE-2023-28423 + RESERVED +CVE-2023-28422 + RESERVED +CVE-2023-28421 + RESERVED +CVE-2023-28420 + RESERVED +CVE-2023-28419 + RESERVED +CVE-2023-28418 + RESERVED +CVE-2023-28417 + RESERVED +CVE-2023-28416 + RESERVED +CVE-2023-28415 + RESERVED +CVE-2023-28414 + RESERVED +CVE-2023-28413 + RESERVED +CVE-2023-28409 + RESERVED +CVE-2023-28408 + RESERVED +CVE-2023-28394 + RESERVED +CVE-2023-28392 + RESERVED +CVE-2023-28390 + RESERVED +CVE-2023-28387 + RESERVED +CVE-2023-28382 + RESERVED +CVE-2023-28369 + RESERVED +CVE-2023-28367 + RESERVED +CVE-2023-27926 + RESERVED +CVE-2023-27925 + RESERVED +CVE-2023-27923 + RESERVED +CVE-2023-27922 + RESERVED +CVE-2023-27921 + RESERVED +CVE-2023-27920 + RESERVED +CVE-2023-27919 + RESERVED +CVE-2023-27918 + RESERVED +CVE-2023-27889 + RESERVED +CVE-2023-27888 + RESERVED +CVE-2023-27527 + RESERVED +CVE-2023-27521 + RESERVED +CVE-2023-27518 + RESERVED +CVE-2023-27514 + RESERVED +CVE-2023-27512 + RESERVED +CVE-2023-27510 + RESERVED +CVE-2023-27507 + RESERVED +CVE-2023-27397 + RESERVED +CVE-2023-27396 + RESERVED +CVE-2023-27385 + RESERVED +CVE-2023-27384 + RESERVED +CVE-2023-27304 + RESERVED +CVE-2023-26595 + RESERVED +CVE-2023-26593 + RESERVED +CVE-2023-25955 + RESERVED +CVE-2023-25954 + RESERVED +CVE-2023-25953 + RESERVED 
+CVE-2023-25950 + RESERVED +CVE-2023-25946 + RESERVED +CVE-2023-25755 + RESERVED +CVE-2023-25184 + RESERVED +CVE-2023-25072 + RESERVED +CVE-2023-25070 + RESERVED +CVE-2023-24586 + RESERVED +CVE-2023-23906 + RESERVED +CVE-2023-23901 + RESERVED +CVE-2023-23578 + RESERVED +CVE-2023-22441 + RESERVED +CVE-2023-22361 + RESERVED +CVE-2023-22282 + RESERVED +CVE-2023-1420 + RESERVED +CVE-2023-1419 + RESERVED +CVE-2023-1418 (A vulnerability classified as problematic was found in SourceCodester ...) + TODO: check +CVE-2023-1417 + RESERVED +CVE-2023-1416 (A vulnerability classified as critical has been found in Simple Art Ga ...) + TODO: check +CVE-2023-1415 (A vulnerability was found in Simple Art Gallery 1.0. It has been decla ...) + TODO: check +CVE-2023-1414 + RESERVED +CVE-2023-1413 + RESERVED +CVE-2023-1412 + RESERVED +CVE-2023-1411 + RESERVED +CVE-2023-1410 + RESERVED +CVE-2023-1409 + RESERVED +CVE-2022-48421 + RESERVED CVE-2023-28373 RESERVED CVE-2023-28372 @@ -610,6 +808,7 @@ CVE-2023-28177 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28177 CVE-2023-28176 RESERVED + {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28176 @@ -638,6 +837,7 @@ CVE-2023-28165 RESERVED CVE-2023-28164 RESERVED + {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28164 @@ -650,6 +850,7 @@ CVE-2023-28163 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-10/#CVE-2023-28163 CVE-2023-28162 RESERVED + {DSA-5374-1} - firefox - firefox-esr 102.9.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-09/#CVE-2023-28162 @@ -671,8 +872,8 @@ CVE-2023-1380 - linux NOTE: https://www.openwall.com/lists/oss-security/2023/03/13/1 NOTE:
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2021-37789/libstb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aa99c41 by Salvatore Bonaccorso at 2023-03-15T20:41:55+01:00 Track fixed version for CVE-2021-37789/libstb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -124450,7 +124450,7 @@ CVE-2021-37790 RESERVED CVE-2021-37789 (stb_image.h 2.27 has a heap-based buffer over in stbi__jpeg_load, lead ...) {DLA-3305-1} - - libstb (bug #1023693) + - libstb 0.0~git20210910.af1a5bc+ds-1 (bug #1023693) [bullseye] - libstb (Minor issue) NOTE: https://github.com/nothings/stb/issues/1178 NOTE: https://github.com/nothings/stb/commit/5ba0baaa269b3fd681828e0e3b3ac0f1472eaf40 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aa99c4177743e0c08fc3e7274fb7783c3befb86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aa99c4177743e0c08fc3e7274fb7783c3befb86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
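Review bot: with a version now recorded for unstable and DLA-3305-1 covering buster, bullseye is the only suite still open for CVE-2021-37789 and is annotated "(Minor issue)"; if the intent is to fix it through a point release rather than leave it, the convention used elsewhere in this file is to say so in the annotation (cf. "(Minor issue, include in next update)" on the courier entry in a85187f8).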
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28371/stellarium
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f342d61 by Salvatore Bonaccorso at 2023-03-15T20:59:20+01:00 Add CVE-2023-28371/stellarium - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,10 @@ CVE-2023-28373 CVE-2023-28372 RESERVED CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that are typic ...) - TODO: check + - stellarium + NOTE: https://github.com/Stellarium/stellarium/commit/1261f74dc4aa6bbd01ab514343424097f8cf46b7 + NOTE: https://github.com/Stellarium/stellarium/commit/787a894897b7872ae96e6f5804a182210edd5c78 + NOTE: https://github.com/Stellarium/stellarium/commit/eba61df3b38605befcb43687a4c0a159dbc0c5cb CVE-2023-28368 RESERVED CVE-2023-28366 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f342d6188d31f1a10dc75e8cf39403e9e34252b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f342d6188d31f1a10dc75e8cf39403e9e34252b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
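Review bot: the entry references three upstream fix commits but records no fixed Debian version and no suite annotation, the same open-in-all-suites state as the libde265 additions in 3879ab48. Since the description indicates a file-write issue ("attackers can write to files that are typic..."), a bookworm/bullseye severity note would make the intended handling explicit, and the package line should get the fixed version as soon as an upload containing those three commits exists.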
[Git][security-tracker-team/security-tracker][master] firefox-esr
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fcdce712 by Moritz Mühlenhoff at 2023-03-15T19:50:23+01:00 firefox-esr - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[15 Mar 2023] DSA-5374-1 firefox-esr - security update + {CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 CVE-2023-28176} + [bullseye] - firefox-esr 102.9.0esr-1~deb11u1 [14 Mar 2023] DSA-5373-1 node-sqlite3 - security update {CVE-2022-43441} [bullseye] - node-sqlite3 5.0.0+ds1-1+deb11u2 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- apache2 (jmm) -- -firefox-esr (jmm) --- gpac (aron) -- jupyter-core View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcdce71265e358b1b134268d7c51afd80dc2ca8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcdce71265e358b1b134268d7c51afd80dc2ca8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
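Review bot: the DSA-5374-1 entry lists five CVEs, but the matching "{DSA-5374-1}" lines in data/CVE/list are not part of this commit; they are added by the automatic update be61f2b1 later in this batch, so nothing is missing in the end, but committing the DSA/list entry together with its CVE/list cross-references avoids a window in which the tracker shows the advisory without linked CVEs. Removing "firefox-esr (jmm)" from dsa-needed.txt is the right companion change.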
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4096b90c by Moritz Muehlenhoff at 2023-03-15T19:46:07+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41582,6 +41582,7 @@ CVE-2020-36604 (hoek before 8.5.1 and 9.x before 9.0.3 allows prototype poisonin NOTE: Fixed by: https://github.com/hapijs/hoek/commit/948baf98634a5c206875b67d11368f133034fa90 (v9.0.3) CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prior to ...) - puppet-module-puppetlabs-mysql (bug #1027154) + [bookworm] - puppet-module-puppetlabs-mysql (Minor issue) [bullseye] - puppet-module-puppetlabs-mysql (Minor issue) NOTE: https://puppet.com/security/cve/CVE-2022-3276 NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/f83792b256fa6acc1b1375b3bfed257629a5c02d (v13.0.0) @@ -152268,6 +152269,7 @@ CVE-2021-26827 (Buffer Overflow in TP-Link WR2041 v1 firmware for the TL-WR2041+ NOT-FOR-US: TP-Link CVE-2021-26826 (A stack overflow issue exists in Godot Engine up to v3.2 and is caused ...) - godot 3.5.1-stable-1 (bug #982593) + [bookworm] - godot (Minor issue) [bullseye] - godot (Minor issue) [buster] - godot (Minor issue) NOTE: https://github.com/godotengine/godot/pull/45701 
@@ -152275,6 +152277,7 @@ CVE-2021-26826 (A stack overflow issue exists in Godot Engine up to v3.2 and is NOTE: https://github.com/godotengine/godot/commit/113b5ab1c45c01b8e6d54d13ac8876d091f883a8 (3.3-stable) CVE-2021-26825 (An integer overflow issue exists in Godot Engine up to v3.2 that can b ...) - godot 3.5.1-stable-1 (bug #982593) + [bookworm] - godot (Minor issue) [bullseye] - godot (Minor issue) [buster] - godot (Minor issue) NOTE: https://github.com/godotengine/godot/pull/45701 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4096b90c9b4ba07209e8baaf703036d3e6d67d3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4096b90c9b4ba07209e8baaf703036d3e6d67d3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a85187f8 by Moritz Muehlenhoff at 2023-03-15T19:07:14+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123601,6 +123601,7 @@ CVE-2021-38085 (The Canon TR150 print driver through 3.71.2.10 is vulnerable to NOT-FOR-US: Canon CVE-2021-38084 (An issue was discovered in the POP3 component of Courier Mail Server b ...) - courier (bug #989375) + [bookworm] - courier (Minor issue) [bullseye] - courier (Minor issue) [buster] - courier (Minor issue) [stretch] - courier (Minor issue, include in next update) @@ -230813,9 +230814,10 @@ CVE-2020-8033 (Ruckus R500 3.4.2.0.384 devices allow XSS via the index.asp Devic CVE-2020-8032 (A Insecure Temporary File vulnerability in the packaging of cyrus-sasl ...) - cyrus-sasl2 (openSUSE specific packaging issue) CVE-2020-8031 (A Improper Neutralization of Input During Web Page Generation ('Cross- ...) - - open-build-service (bug #983576) + - open-build-service 2.9.4-4 (bug #983576) [stretch] - open-build-service (Minor issue, XSS in web app) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1178880 + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2020-8030 (A Insecure Temporary File vulnerability in skuba of SUSE CaaS Platform ...) NOT-FOR-US: SuSE CaaS CVE-2020-8029 (A Incorrect Permission Assignment for Critical Resource vulnerability ...) 
@@ -230836,14 +230838,16 @@ CVE-2020-8022 (A Incorrect Default Permissions vulnerability in the packaging of NOT-FOR-US: SAP CVE-2020-8021 (a Improper Access Control vulnerability in of Open Build Service allow ...) {DLA-2545-1} - - open-build-service (bug #983576) + - open-build-service 2.9.4-4 (bug #983576) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171649 NOTE: https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2020-8020 (A Improper Neutralization of Input During Web Page Generation vulnerab ...) {DLA-2545-1} - - open-build-service (bug #983576) + - open-build-service 2.9.4-4 (bug #983576) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1171439 NOTE: https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2020-8019 (A UNIX Symbolic Link (Symlink) Following vulnerability in the packagin ...) NOT-FOR-US: SAP CVE-2020-8018 (A Incorrect Default Permissions vulnerability in the SLES15-SP1-CHOST- ...) @@ -293499,6 +293503,7 @@ CVE-2019-5428 REJECTED CVE-2019-5427 (c3p0 version 0.9.5.4 may be exploited by a billion laughs attack ...) - c3p0 (low; bug #927936) + [bookworm] - c3p0 (Minor issue) [bullseye] - c3p0 (Minor issue) [buster] - c3p0 (Minor issue) [stretch] - c3p0 (Minor issue) 
@@ -327340,11 +327345,12 @@ CVE-2018-12467 (Authorized users of the openbuildservice before 2.9.4 could dele NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b CVE-2018-12466 (openSUSE openbuildservice before 9.2.4 allowed authenticated users to ...) - - open-build-service (bug #911797) + - open-build-service 2.9.4-4 (bug #911797) [stretch] - open-build-service (Minor issue) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1098934 NOTE: Fixed by: https://github.com/openSUSE/open-build-service/commit/f57b660f49f830006766a8d4abc3b4af6e178063 NOTE: Introduced by: https://github.com/openSUSE/open-build-service/commit/990ef7cccef6f38fc1d1a1bb22a08e174dcba43b + NOTE: With 2.9.4-4, the rails web frontend is no longer shipped, marking as fixed version CVE-2018-12465 (An OS command injection vulnerability in the web administration compon ...) NOT-FOR-US: Micro Focus CVE-2018-12464 (A SQL injection vulnerability in the web administration and quarantine ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85187f840c5f028834e9be400833199da643682 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a85187f840c5f028834e9be400833199da643682 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing
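Review bot: the NOTE added to the CVE-2020-8021 and CVE-2020-8020 hunk justifies recording open-build-service 2.9.4-4 as the fixed version by the rails web frontend no longer being shipped, but the visible CVE-2020-8021 description ("Improper Access Control vulnerability in of Open Build Service") does not tie that issue to the frontend the way the XSS descriptions of CVE-2020-8020 and CVE-2020-8031 do; state in the NOTE which component each issue lives in (frontend vs api/backend) so the fixed-version claim can be checked, and the same applies to the CVE-2018-12466 hunk, whose truncated description ("allowed authenticated users to ...") names no component either.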
[Git][security-tracker-team/security-tracker][master] intel-microcode fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d90f132 by Moritz Muehlenhoff at 2023-03-15T16:47:30+01:00 intel-microcode fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49139,7 +49139,7 @@ CVE-2022-38401 (Adobe InCopy version 17.3 (and earlier) and 16.4.2 (and earlier) CVE-2022-38102 RESERVED CVE-2022-38090 (Improper isolation of shared resources in some Intel(R) Processors whe ...) - - intel-microcode (bug #1031334) + - intel-microcode 3.20230214.1 (bug #1031334) [bullseye] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00767.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214 @@ -54695,7 +54695,7 @@ CVE-2022-34846 CVE-2022-34657 RESERVED CVE-2022-33196 (Incorrect default permissions in some memory controller configurations ...) - - intel-microcode (bug #1031334) + - intel-microcode 3.20230214.1 (bug #1031334) [bullseye] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00738.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214 @@ -58757,7 +58757,7 @@ CVE-2022-34488 (Improper buffer restrictions in the firmware for some Intel(R) N CVE-2022-34346 (Out-of-bounds read in the Intel(R) Media SDK software before version 2 ...) NOT-FOR-US: Intel CVE-2022-33972 (Incorrect calculation in microcode keying mechanism for some 3rd Gener ...) - - intel-microcode (bug #1031334) + - intel-microcode 3.20230214.1 (bug #1031334) [bullseye] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00730.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214 
@@ -106578,7 +106578,7 @@ CVE-2021-43746 (Adobe Premiere Rush versions 1.5.16 (and earlier) allows access CVE-2021-3961 (snipe-it is vulnerable to Improper Neutralization of Input During Web ...) - snipe-it (bug #1005172) CVE-2022-21216 (Insufficient granularity of access control in out-of-band management i ...) - - intel-microcode (bug #1031334) + - intel-microcode 3.20230214.1 (bug #1031334) [bullseye] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00700.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20230214 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d90f13291b38af4fa8c87afa604bf856e65ac89 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d90f13291b38af4fa8c87afa604bf856e65ac89 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bf9428e by Moritz Muehlenhoff at 2023-03-15T12:53:04+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,11 +53,11 @@ CVE-2023-28345 CVE-2023-28344 RESERVED CVE-2023-28343 (OS command injection affects Altenergy Power Control Software C1.2.5 v ...) - TODO: check + NOT-FOR-US: Altenergy Power Control Software CVE-2023-1408 RESERVED CVE-2023-1407 (A vulnerability classified as critical was found in SourceCodester Stu ...) - TODO: check + NOT-FOR-US: SourceCodester CVE-2023-1406 RESERVED CVE-2022-48420 @@ -1117,7 +1117,7 @@ CVE-2023-1329 CVE-2023-1328 (A vulnerability was found in Guizhou 115cms 4.2. It has been classifie ...) NOT-FOR-US: Guizhou 115cms CVE-2023-1327 (Netgear RAX30 (AX2400), prior to version 1.0.6.74, was affected by an ...) - TODO: check + NOT-FOR-US: Netgear CVE-2023-1326 RESERVED CVE-2023-1325 @@ -1199,7 +1199,7 @@ CVE-2023-28007 CVE-2023-28006 RESERVED CVE-2023-28005 (A vulnerability in Trend Micro Endpoint Encryption Full Disk Encryptio ...) - TODO: check + NOT-FOR-US: Trend Micro CVE-2023-1307 (Authentication Bypass by Primary Weakness in GitHub repository froxlor ...) - froxlor (bug #581792) CVE-2023-1306 @@ -2048,7 +2048,7 @@ CVE-2023-27759 CVE-2023-27758 RESERVED CVE-2023-27757 (An arbitrary file upload vulnerability in the /admin/user/uploadImg co ...) - TODO: check + NOT-FOR-US: PerfreeBlog CVE-2023-27756 RESERVED CVE-2023-27755 @@ -2437,7 +2437,7 @@ CVE-2023-27590 (Rizin is a UNIX-like reverse engineering framework and command-l CVE-2023-27589 (Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE ...) TODO: check CVE-2023-27588 (Hasura is an open-source product that provides users GraphQL or REST A ...) - TODO: check + NOT-FOR-US: Hasura CVE-2023-27587 (ReadtoMyShoe, a web app that lets users upload articles and listen to ...) NOT-FOR-US: ReadtoMyShoe CVE-2023-27586 
@@ -3503,9 +3503,9 @@ CVE-2023-27242 CVE-2023-27241 RESERVED CVE-2023-27240 (Tenda AX3 V16.03.12.11 was discovered to contain a command injection v ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-27239 (Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-27238 RESERVED CVE-2023-27237 @@ -3513,9 +3513,9 @@ CVE-2023-27237 CVE-2023-27236 RESERVED CVE-2023-27235 (An arbitrary file upload vulnerability in the \admin\c\CommonControlle ...) - TODO: check + NOT-FOR-US: Jizhicms CVE-2023-27234 (A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2. ...) - TODO: check + NOT-FOR-US: Jizhicms CVE-2023-27233 RESERVED CVE-2023-27232 @@ -3856,9 +3856,9 @@ CVE-2023-27072 CVE-2023-27071 RESERVED CVE-2023-27070 (A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatf ...) - TODO: check + NOT-FOR-US: TotalJS OpenPlatform CVE-2023-27069 (A stored cross-site scripting (XSS) vulnerability in TotalJS OpenPlatf ...) - TODO: check + NOT-FOR-US: TotalJS OpenPlatform CVE-2023-27068 RESERVED CVE-2023-27067 @@ -5125,7 +5125,7 @@ CVE-2023-0998 (A vulnerability classified as critical has been found in SourceCo CVE-2023-0997 (A vulnerability was found in SourceCodester Moosikay E-Commerce System ...) NOT-FOR-US: SourceCodester Moosikay E-Commerce System CVE-2023-26511 (A Hard Coded Admin Credentials issue in the Web-UI Admin Panel in Prop ...) - TODO: check + NOT-FOR-US: Propius MachineSelector CVE-2023-26510 (Ghost 5.35.0 allows authorization bypass: contributors can view draft ...) NOT-FOR-US: Ghost CMS CVE-2023-26509 @@ -7481,6 +7481,7 @@ CVE-2023-25696 (Improper Input Validation vulnerability in the Apache Airflow Hi NOT-FOR-US: Apache Airflow Hive Provider CVE-2023-25695 RESERVED + - airflow (bug #819700) CVE-2023-25694 REJECTED CVE-2023-25693 (Improper Input Validation vulnerability in the Apache Airflow Sqoop Pr ...) 
@@ -46694,11 +46695,11 @@ CVE-2022-39218 (The JS Compute Runtime for Fastly's Compute@Edge platform provid CVE-2022-39217 (some-natalie/ghas-to-csv (GitHub Advanced Security to CSV) is a GitHub ...) NOT-FOR-US: GitHub Advanced Security to CSV CVE-2022-39216 (Combodo iTop is an open source, web-based IT service management platfo ...) - TODO: check + NOT-FOR-US: Combodo CVE-2022-39215 (Tauri is a framework for building binaries for all major desktop platf ...) NOT-FOR-US: Tauri CVE-2022-39214 (Combodo iTop is an open source, web-based IT service management platfo
[Git][security-tracker-team/security-tracker][master] NFU
Henri Salo pushed to branch master at Debian Security Tracker / security-tracker Commits: af8e549f by Henri Salo at 2023-03-15T13:11:59+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5806,7 +5806,7 @@ CVE-2023-26264 CVE-2023-26263 RESERVED CVE-2023-26262 (An issue was discovered in Sitecore XP/XM 10.3. As an authenticated Si ...) - TODO: check + NOT-FOR-US: Sitecore CVE-2023-26261 (In UBIKA WAAP Gateway/Cloud through 6.10, a blind XPath injection lead ...) NOT-FOR-US: UBIKA WAAP Gateway/Cloud CVE-2023-26260 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af8e549f29cd79e0b8a7332dfbec232101c349a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af8e549f29cd79e0b8a7332dfbec232101c349a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e777964 by Emilio Pozuelo Monfort at 2023-03-15T11:53:31+01:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -58,6 +58,8 @@ erlang NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. -- +firefox-esr (Emilio) +-- firmware-nonfree (tobi) NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. NOTE: 20221204: Coming soon in the first week of December. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e7779647aedad1ae8d1ab50a1d93c4b17818b40 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e7779647aedad1ae8d1ab50a1d93c4b17818b40 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e97e19c by security tracker role at 2023-03-15T08:10:24+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,125 @@ +CVE-2023-28373 + RESERVED +CVE-2023-28372 + RESERVED +CVE-2023-28371 (In Stellarium through 1.2, attackers can write to files that are typic ...) + TODO: check +CVE-2023-28368 + RESERVED +CVE-2023-28366 + RESERVED +CVE-2023-28365 + RESERVED +CVE-2023-28364 + RESERVED +CVE-2023-28363 + RESERVED +CVE-2023-28362 + RESERVED +CVE-2023-28361 + RESERVED +CVE-2023-28360 + RESERVED +CVE-2023-28359 + RESERVED +CVE-2023-28358 + RESERVED +CVE-2023-28357 + RESERVED +CVE-2023-28356 + RESERVED +CVE-2023-28355 + RESERVED +CVE-2023-28354 + RESERVED +CVE-2023-28353 + RESERVED +CVE-2023-28352 + RESERVED +CVE-2023-28351 + RESERVED +CVE-2023-28350 + RESERVED +CVE-2023-28349 + RESERVED +CVE-2023-28348 + RESERVED +CVE-2023-28347 + RESERVED +CVE-2023-28346 + RESERVED +CVE-2023-28345 + RESERVED +CVE-2023-28344 + RESERVED +CVE-2023-28343 (OS command injection affects Altenergy Power Control Software C1.2.5 v ...) + TODO: check +CVE-2023-1408 + RESERVED +CVE-2023-1407 (A vulnerability classified as critical was found in SourceCodester Stu ...) + TODO: check +CVE-2023-1406 + RESERVED +CVE-2022-48420 + RESERVED +CVE-2022-48419 + RESERVED +CVE-2022-48418 + RESERVED +CVE-2022-48417 + RESERVED +CVE-2022-48416 + RESERVED +CVE-2022-48415 + RESERVED +CVE-2022-48414 + RESERVED +CVE-2022-48413 + RESERVED +CVE-2022-48412 + RESERVED +CVE-2022-48411 + RESERVED +CVE-2020-36690 + RESERVED +CVE-2020-36689 + RESERVED +CVE-2020-36688 + RESERVED +CVE-2020-36687 + RESERVED +CVE-2020-36686 + RESERVED +CVE-2020-36685 + RESERVED +CVE-2020-36684 + RESERVED +CVE-2020-36683 + RESERVED +CVE-2020-36682 + RESERVED +CVE-2020-36681 + RESERVED +CVE-2019-25125 + RESERVED +CVE-2019-25124 + RESERVED +CVE-2019-25123 + RESERVED +CVE-2019-25122 + RESERVED +CVE-2019-25121 + RESERVED +CVE-2019-25120 + RESERVED +CVE-2019-25119 + RESERVED +CVE-2019-25118 + RESERVED +CVE-2019-25117 + RESERVED +CVE-2019-25116 + RESERVED CVE-2023-28342 RESERVED CVE-2023-28341 
@@ -994,8 +1116,8 @@ CVE-2023-1329 RESERVED CVE-2023-1328 (A vulnerability was found in Guizhou 115cms 4.2. It has been classifie ...) NOT-FOR-US: Guizhou 115cms -CVE-2023-1327 - RESERVED +CVE-2023-1327 (Netgear RAX30 (AX2400), prior to version 1.0.6.74, was affected by an ...) + TODO: check CVE-2023-1326 RESERVED CVE-2023-1325 @@ -1076,8 +1198,8 @@ CVE-2023-28007 RESERVED CVE-2023-28006 RESERVED -CVE-2023-28005 - RESERVED +CVE-2023-28005 (A vulnerability in Trend Micro Endpoint Encryption Full Disk Encryptio ...) + TODO: check CVE-2023-1307 (Authentication Bypass by Primary Weakness in GitHub repository froxlor ...) - froxlor (bug #581792) CVE-2023-1306 @@ -1925,8 +2047,8 @@ CVE-2023-27759 RESERVED CVE-2023-27758 RESERVED -CVE-2023-27757 - RESERVED +CVE-2023-27757 (An arbitrary file upload vulnerability in the /admin/user/uploadImg co ...) + TODO: check CVE-2023-27756 RESERVED CVE-2023-27755 @@ -2310,8 +2432,8 @@ CVE-2023-27592 RESERVED CVE-2023-27591 RESERVED -CVE-2023-27590 - RESERVED +CVE-2023-27590 (Rizin is a UNIX-like reverse engineering framework and command-line to ...) + TODO: check CVE-2023-27589 (Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE ...) TODO: check CVE-2023-27588 (Hasura is an open-source product that provides users GraphQL or REST A ...) 
@@ -3380,20 +3502,20 @@ CVE-2023-27242 RESERVED CVE-2023-27241 RESERVED -CVE-2023-27240 - RESERVED -CVE-2023-27239 - RESERVED +CVE-2023-27240 (Tenda AX3 V16.03.12.11 was discovered to contain a command injection v ...) + TODO: check +CVE-2023-27239 (Tenda AX3 V16.03.12.11 was discovered to contain a stack overflow via ...) + TODO: check CVE-2023-27238 RESERVED CVE-2023-27237 RESERVED CVE-2023-27236 RESERVED -CVE-2023-27235 - RESERVED -CVE-2023-27234 - RESERVED +CVE-2023-27235 (An arbitrary file upload vulnerability in the \admin\c\CommonControlle ...) + TODO: check +CVE-2023-27234 (A Cross-Site Request Forgery (CSRF) in /Sys/index.html of Jizhicms v2. ...) + TODO: check CVE-2023-27233 RESERVED CVE-2023-27232 @@ -5002,8 +5124,8 @@ CVE-2023-0998 (A
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28328/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f036f7aa by Salvatore Bonaccorso at 2023-03-15T08:06:34+01:00 Add CVE-2023-28328/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,6 +34,8 @@ CVE-2023-28329 RESERVED CVE-2023-28328 RESERVED + - linux 6.1.4-1 + NOTE: https://git.kernel.org/linus/0ed554fd769a19ea8464bb83e9ac201002ef74ad (6.2-rc1) CVE-2023-28327 RESERVED - linux 6.1.4-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f036f7aab31b6c4148e7af54345b5ee72d6cdbfa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f036f7aab31b6c4148e7af54345b5ee72d6cdbfa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
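Review bot: the CVE-2023-28328 hunk records only the unstable fix (linux 6.1.4-1) and the upstream commit (6.2-rc1) with no [bullseye] or [buster] line, while the neighbouring CVE-2023-28327 entry (commit 3781e050 in this same digest) carries both "[bullseye] - linux 5.10.162-1" and "[buster] - linux (Vulnerable code not present)"; without such lines the tracker treats bullseye and buster as unfixed for this CVE, so add a fixed version or a "Vulnerable code not present" annotation for each once assessed.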
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28327/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3781e050 by Salvatore Bonaccorso at 2023-03-15T08:00:11+01:00 Add CVE-2023-28327/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36,6 +36,10 @@ CVE-2023-28328 RESERVED CVE-2023-28327 RESERVED + - linux 6.1.4-1 + [bullseye] - linux 5.10.162-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/b3abe42e94900bdd045c472f9c9be620ba5ce553 (6.1) CVE-2023-28326 RESERVED CVE-2023-1405 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3781e0508d506cf1e9a033b6c820545389742cb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3781e0508d506cf1e9a033b6c820545389742cb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1390/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 985c71ac by Salvatore Bonaccorso at 2023-03-15T07:49:08+01:00 Add CVE-2023-1390/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70,6 +70,9 @@ CVE-2023-1391 (A vulnerability, which was classified as problematic, was found i NOT-FOR-US: SourceCodester Online Tours & Travels Management System CVE-2023-1390 RESERVED + - linux 5.10.12-1 + [buster] - linux 4.19.171-1 + NOTE: https://git.kernel.org/linus/b77413446408fdd256599daf00d5be72b5f3e7c6 (5.11-rc4) CVE-2023-1389 RESERVED CVE-2023-1388 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/985c71ac8743e5e429800ca12b210f54ac3ed576 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/985c71ac8743e5e429800ca12b210f54ac3ed576 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1382/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63067fcd by Salvatore Bonaccorso at 2023-03-15T07:39:40+01:00 Add CVE-2023-1382/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -86,6 +86,10 @@ CVE-2023-1383 RESERVED CVE-2023-1382 RESERVED + - linux 6.0.12-1 + [bullseye] - linux 5.10.158-1 + [buster] - linux 4.19.269-1 + NOTE: https://git.kernel.org/linus/a7b42969d63f47320853a802efd879fbdc4e010e (6.1-rc7) CVE-2022-48410 RESERVED CVE-2022-48409 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63067fcd6aff3357f10d27909eb1e8ebb76230a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63067fcd6aff3357f10d27909eb1e8ebb76230a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-41550/libosip2 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 146b7263 by Salvatore Bonaccorso at 2023-03-15T07:06:18+01:00 Track fixed version for CVE-2022-41550/libosip2 via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40886,7 +40886,7 @@ CVE-2022-41552 (Server-Side Request Forgery (SSRF) vulnerability in Hitachi Infr CVE-2022-41551 (Garage Management System v1.0 was discovered to contain a SQL injectio ...) NOT-FOR-US: Garage Management System CVE-2022-41550 (GNU oSIP v5.3.0 was discovered to contain an integer overflow via the ...) - - libosip2 (bug #1021662) + - libosip2 5.3.0-2.1 (bug #1021662) [bullseye] - libosip2 (Minor issue) [buster] - libosip2 (Minor issue) NOTE: https://savannah.gnu.org/bugs/?63103 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/146b7263a856a574e3120cc0cf2eaebc94c8864d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/146b7263a856a574e3120cc0cf2eaebc94c8864d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits