[Git][security-tracker-team/security-tracker][master] NFUs

2023-07-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
88d32646 by Moritz Muehlenhoff at 2023-07-09T22:16:29+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2023-3045 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Tise Technology Parking Web Report
 CVE-2023-36935
REJECTED
 CVE-2023-36360
@@ -7,11 +7,11 @@ CVE-2023-36360
 CVE-2023-34682
REJECTED
 CVE-2023-2853 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: Softmed SelfPatron
 CVE-2023-2852 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Softmed SelfPatron
 CVE-2023-3566 (A vulnerability was found in wallabag 2.5.4. It has been 
declared as p ...)
-   TODO: check
+   NOT-FOR-US: Wallabag
 CVE-2023-3565 (Cross-site Scripting (XSS) - Generic in GitHub repository 
nilsteampass ...)
- teampass  (bug #730180)
 CVE-2023-3564 (A vulnerability was found in GZ Scripts GZ Multi Hotel Booking 
System  ...)
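Review bot: the new annotation for CVE-2023-3566 reads `NOT-FOR-US: Wallabag` while the CVE description in the same hunk spells the project `wallabag`; the other entries in this commit reuse the vendor/product spelling from the description (Softmed SelfPatron, Tise Technology Parking Web Report), so `NOT-FOR-US: wallabag` would keep the annotations greppable under one name. The two Softmed SelfPatron lines for CVE-2023-2853 and CVE-2023-2852 are consistent with each other.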
@@ -127,7 +127,6 @@ CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 
14202, ServiceDesk Plu
NOT-FOR-US: Zoho
 CVE-2023-33715
REJECTED
-   NOT-FOR-US: ACDSee
 CVE-2023-33664 (ai-dev aicombinationsonfly before v0.3.1 was discovered to 
contain a S ...)
NOT-FOR-US: ai-dev aicombinationsonfly
 CVE-2023-32183 (Incorrect Default Permissions vulnerability in the openSUSE 
Tumbleweed ...)
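Review bot: dropping `NOT-FOR-US: ACDSee` under CVE-2023-33715 is the right cleanup: the preceding automatic update (commit c5c5afe1) turned the entry into `REJECTED` but left the product annotation below it, and a rejected ID should carry no triage line. Nothing else in the hunk changes.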
@@ -8869,7 +8868,7 @@ CVE-2023-2048 (A vulnerability was found in Campcodes 
Advanced Online Voting Sys
 CVE-2023-2047 (A vulnerability was found in Campcodes Advanced Online Voting 
System 1 ...)
NOT-FOR-US: Campcodes Advanced Online Voting System
 CVE-2023-2046 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Yontem Informatics Vehicle Tracking System
 CVE-2023-2045 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
NOT-FOR-US: Ipekyolu Software Auto Damage Tracking Software
 CVE-2023-2044 (A vulnerability has been found in Control iD iDSecure 4.7.29.1 
and cla ...)
@@ -46178,9 +46177,9 @@ CVE-2022-44722
 CVE-2022-44721
REJECTED
 CVE-2022-44720 (An issue was discovered in Weblib Ucopia before 6.0.13. OS 
Command Inj ...)
-   TODO: check
+   NOT-FOR-US: Weblib Ucopia
 CVE-2022-44719 (An issue was discovered in Weblib Ucopia before 6.0.13. The 
SSH Server ...)
-   TODO: check
+   NOT-FOR-US: Weblib Ucopia
 CVE-2022-44718 (An issue was discovered in NetScout nGeniusONE 6.3.2 build 
904. Open R ...)
NOT-FOR-US: NetScout
 CVE-2022-44717 (An issue was discovered in NetScout nGeniusONE 6.3.2 build 
904. Open R ...)
@@ -48470,7 +48469,7 @@ CVE-2022-44278 (Sanitization Management System v1.0 is 
vulnerable to SQL Injecti
 CVE-2022-44277 (Sanitization Management System v1.0 is vulnerable to SQL 
Injection via ...)
NOT-FOR-US: Sanitization Management System
 CVE-2022-44276 (In Responsive Filemanager < 9.12.0, an attacker can bypass 
upload rest ...)
-   TODO: check
+   NOT-FOR-US: Responsive Filemanager
 CVE-2022-44275
RESERVED
 CVE-2022-44274



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88d32646f1f822ffc1b228cb192334d884ce8004

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88d32646f1f822ffc1b228cb192334d884ce8004
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] automatic update

2023-07-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5c5afe1 by security tracker role at 2023-07-09T20:12:41+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,15 @@
+CVE-2023-3045 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-36935
+   REJECTED
+CVE-2023-36360
+   REJECTED
+CVE-2023-34682
+   REJECTED
+CVE-2023-2853 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-2852 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
 CVE-2023-3566 (A vulnerability was found in wallabag 2.5.4. It has been 
declared as p ...)
TODO: check
 CVE-2023-3565 (Cross-site Scripting (XSS) - Generic in GitHub repository 
nilsteampass ...)
@@ -113,7 +125,8 @@ CVE-2023-36201 (An issue in JerryscriptProject jerryscript 
v.3.0.0 allows an att
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026
 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk 
Plus MSP  ...)
NOT-FOR-US: Zoho
-CVE-2023-33715 (A buffer overflow in ACDSee Free v2.0.2.227 allows attackers 
to cause  ...)
+CVE-2023-33715
+   REJECTED
NOT-FOR-US: ACDSee
 CVE-2023-33664 (ai-dev aicombinationsonfly before v0.3.1 was discovered to 
contain a S ...)
NOT-FOR-US: ai-dev aicombinationsonfly
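Review bot: this hunk replaces the CVE-2023-33715 description with `REJECTED` but leaves the stale `NOT-FOR-US: ACDSee` line underneath it. A rejected ID needs no product annotation, so the line should go together with the description; it was in fact removed by hand in the later commit 88d32646 (NFUs). Worth checking whether the automatic update script can drop existing annotations when it marks an entry REJECTED, so this does not need manual follow-up each time.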
@@ -461,7 +474,7 @@ CVE-2023-37212 (Memory safety bugs present in Firefox 114. 
Some of these bugs sh
- firefox 115.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37212
 CVE-2023-37211 (Memory safety bugs present in Firefox 114, Firefox ESR 102.12, 
and Thu ...)
-   {DSA-5450-1 DLA-3484-1}
+   {DSA-5451-1 DSA-5450-1 DLA-3484-1}
- firefox 115.0-1
- firefox-esr 102.13.0esr-1
- thunderbird 1:102.13.0-1
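Review bot: cross-reference check on the `{DSA-5451-1 DSA-5450-1 DLA-3484-1}` line: the five CVE entries that gain DSA-5451-1 in this update (CVE-2023-37211, -37208, -37207, -37202, -37201) are exactly the IDs listed for DSA-5451-1 (thunderbird) in commit 00404a33, so the DSA/list and CVE/list sides agree. The firefox/firefox-esr/thunderbird version lines under each entry are unchanged context and need no edit.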
@@ -475,7 +488,7 @@ CVE-2023-37209 (A use-after-free condition existed in 
`NotifyOnHistoryReload` wh
- firefox 115.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37209
 CVE-2023-37208 (When opening Diagcab files, Firefox did not warn the user that 
these f ...)
-   {DSA-5450-1 DLA-3484-1}
+   {DSA-5451-1 DSA-5450-1 DLA-3484-1}
- firefox 115.0-1
- firefox-esr 102.13.0esr-1
- thunderbird 1:102.13.0-1
@@ -483,7 +496,7 @@ CVE-2023-37208 (When opening Diagcab files, Firefox did not 
warn the user that t
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/#CVE-2023-37208
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/#CVE-2023-37208
 CVE-2023-37207 (A website could have obscured the fullscreen notification by 
using a U ...)
-   {DSA-5450-1 DLA-3484-1}
+   {DSA-5451-1 DSA-5450-1 DLA-3484-1}
- firefox 115.0-1
- firefox-esr 102.13.0esr-1
- thunderbird 1:102.13.0-1
@@ -503,7 +516,7 @@ CVE-2023-37203 (Insufficient validation in the Drag and 
Drop API in conjunction
- firefox 115.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37203
 CVE-2023-37202 (Cross-compartment wrappers wrapping a scripted proxy could 
have caused ...)
-   {DSA-5450-1 DLA-3484-1}
+   {DSA-5451-1 DSA-5450-1 DLA-3484-1}
- firefox 115.0-1
- firefox-esr 102.13.0esr-1
- thunderbird 1:102.13.0-1
@@ -511,7 +524,7 @@ CVE-2023-37202 (Cross-compartment wrappers wrapping a 
scripted proxy could have
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/#CVE-2023-37202
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/#CVE-2023-37202
 CVE-2023-37201 (An attacker could have triggered a use-after-free condition 
when creat ...)
-   {DSA-5450-1 DLA-3484-1}
+   {DSA-5451-1 DSA-5450-1 DLA-3484-1}
- firefox 115.0-1
- firefox-esr 102.13.0esr-1
- thunderbird 1:102.13.0-1
@@ -8855,8 +8868,8 @@ CVE-2023-2048 (A vulnerability was found in Campcodes 
Advanced Online Voting Sys
NOT-FOR-US: Campcodes Advanced Online Voting System
 CVE-2023-2047 (A vulnerability was found in Campcodes Advanced Online Voting 
System 1 ...)
NOT-FOR-US: Campcodes Advanced Online Voting System
-CVE-2023-2046
-   RESERVED
+CVE-2023-2046 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
 CVE-2023-2045 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
NOT-FOR-US: Ipekyolu Software Auto Damage Tracking Software
 CVE-2023-2044 (A vulnerability has been found in Control iD iDSecure 4.7.29.1 
and cla ...)



View it on GitLab: 

[Git][security-tracker-team/security-tracker][master] yajl fixed in sid

2023-07-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c246019e by Moritz Muehlenhoff at 2023-07-09T22:04:58+02:00
yajl fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -105007,7 +105007,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL 
JSON parsing and generation
[bullseye] - ruby-yajl  (Minor issue)
[buster] - ruby-yajl  (Minor issue)
[stretch] - ruby-yajl  (Minor issue)
-   - yajl  (bug #1040036)
+   - yajl 2.1.0-4 (bug #1040036)
- burp  (bug #1040146)
- crun  (bug #1040147)
- epics-base  (bug #1040159)
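Review bot: the `- yajl 2.1.0-4 (bug #1040036)` line records the sid fix, but the only suite annotations visible in this hunk (`[bullseye]`, `[buster]`, `[stretch]`) belong to ruby-yajl, not yajl. If no `[bookworm]`/`[bullseye]` line for yajl exists outside the hunk, those suites will now show as affected relative to 2.1.0-4; either add a suite annotation with the same "Minor issue" reasoning used for ruby-yajl or confirm that a stable update is intended. The `burp`, `crun` and `epics-base` lines stay without a fixed version, which matches the commit scope of fixing only yajl.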
@@ -382742,7 +382742,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, 
when a crafted JSON file is
- ruby-yajl 1.2.0-3.1 (low; bug #880691)
[stretch] - ruby-yajl  (Minor issue)
[jessie] - ruby-yajl  (Minor issue)
-   - yajl  (bug #1040036)
+   - yajl 2.1.0-4 (bug #1040036)
- burp  (bug #1040146)
- crun  (bug #1040147)
- epics-base  (bug #1040159)
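Review bot: the same fixed version 2.1.0-4 and bug #1040036 are recorded under CVE-2017-16516 as under CVE-2022-24795, so one upload closes both tracker entries; the yajl-ruby context lines (`ruby-yajl 1.2.0-3.1`, stretch/jessie Minor issue) are untouched, as they should be since they describe a different source package. As with the 2022 entry, the hunk shows no suite annotation for yajl itself, so check that bullseye and bookworm carry one outside the hunk.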



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c246019eb45ccff09ae02d7f4c37cd1866eafe0c



[Git][security-tracker-team/security-tracker][master] Remove annotation from CVE-2023-34254 of unimportant severity

2023-07-09 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
735eaa5b by Salvatore Bonaccorso at 2023-07-09T21:11:41+02:00
Remove annotation from CVE-2023-34254 of unimportant severity

As this does affect the Agent, the usual reasoning does not apply.

Reported-by: Moritz Mühlenhoff j...@debian.org
Fixes: 967c8d344ba5 (Mark glpi issues as unimportant)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1410,9 +1410,8 @@ CVE-2023-35163 (Vega is a decentralized trading platform 
that allows pseudo-anon
 CVE-2023-35154 (Knowage is an open source analytics and business intelligence 
suite. S ...)
NOT-FOR-US: Knowage
 CVE-2023-34254 (The GLPI Agent is a generic management agent. Prior to version 
1.5, if ...)
-   - glpi  (unimportant)
+   - glpi 
NOTE: 
https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465
-   NOTE: Only supported behind an authenticated HTTP zone
 CVE-2023-3394 (Session Fixation in GitHub repository fossbilling/fossbilling 
prior to ...)
NOT-FOR-US: fossbilling
 CVE-2023-3393 (Code Injection in GitHub repository fossbilling/fossbilling 
prior to 0 ...)
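Review bot: the replacement line `+   - glpi ` carries trailing whitespace after the package name; trim it so the entry reads `- glpi`. On substance, the commit message says the issue affects the GLPI Agent rather than the GLPI web application, and the CVE text itself opens with "The GLPI Agent is a generic management agent"; it is worth confirming that the Debian source package glpi actually ships the agent code. If it does not, `NOT-FOR-US: GLPI Agent` would describe the situation more accurately than an unannotated glpi entry. Removing the NOTE about the authenticated HTTP zone is consistent with dropping the "unimportant" rationale it supported.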



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/735eaa5b947fb2333f35c050777192aee1a0e9fc



[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-36201 as ignored for buster

2023-07-09 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53d95b27 by Anton Gladky at 2023-07-09T20:45:19+02:00
Mark CVE-2023-36201 as ignored for buster

- - - - -
ebd698e1 by Anton Gladky at 2023-07-09T20:45:19+02:00
Mark CVE-2023-3523 as EOL for buster (gpac)

- - - - -
2533cd69 by Anton Gladky at 2023-07-09T20:45:19+02:00
LTS: Add node-tough-cookie

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -109,6 +109,7 @@ CVE-2023-36256 (The Online Examination System Project 1.0 
version is vulnerable
 CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an 
attacker  ...)
- iotjs 
[bullseye] - iotjs  (Minor issue)
+   [buster] - iotjs  (Minor issue)
NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026
 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk 
Plus MSP  ...)
NOT-FOR-US: Zoho
@@ -160,6 +161,7 @@ CVE-2023-3523 (Out-of-bounds Read in GitHub repository 
gpac/gpac prior to 2.2.2.
- gpac 
NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/
NOTE: 
https://github.com/gpac/gpac/commit/64201a26476c12a7dbd7ffb5757743af6954db96
+   [buster] - gpac  (EOL in buster LTS)
 CVE-2023-3456 (Vulnerability of kernel raw address leakage in the  hang 
detector modu ...)
NOT-FOR-US: Huawei
 CVE-2023-37454 (An issue was discovered in the Linux kernel through 6.4.2. A 
crafted U ...)
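Review bot: the new `[buster] - gpac (EOL in buster LTS)` line is placed after the two NOTE lines, whereas the iotjs entry changed in the same commit (and the node-dottie entry elsewhere in this thread) puts suite annotations directly under the package line and before the NOTEs. Move the buster line up so the entry keeps the same order: package line, suite annotations, NOTEs.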


=
data/dla-needed.txt
=
@@ -103,6 +103,9 @@ linux (Ben Hutchings)
 mediawiki (Markus Koschany)
   NOTE: 20230701: Added by Front-Desk (ta)
 --
+node-tough-cookie
+  NOTE: 20230709: Added by Front-Desk (gladk)
+--
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression
@@ -132,6 +135,9 @@ openjdk-11 (Emilio)
   NOTE: 20230612: sid updated, preparing backport (pochu)
   NOTE: 20230627: waiting for DSA (pochu)
 --
+pandoc
+  NOTE: 20230709: Added by Front-Desk (gladk)
+--
 php-dompdf (rouca)
   NOTE: 20230618: Added by Front-Desk (opal)
   NOTE: 20230618: Low priority but higher than to not fix it.
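Review bot: this hunk adds `pandoc` to dla-needed.txt, but none of the three commit messages in this push mention it (the LTS one is "LTS: Add node-tough-cookie"). Either extend the commit message or split pandoc into its own commit so the history explains why both packages entered the LTS queue on 20230709. The entry format (`NOTE: 20230709: Added by Front-Desk (gladk)`) matches the existing mediawiki and php-dompdf entries.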



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d



[Git][security-tracker-team/security-tracker][master] fix CVE ID list

2023-07-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
00404a33 by Moritz Mühlenhoff at 2023-07-09T20:26:31+02:00
fix CVE ID list

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,4 +1,5 @@
 [09 Jul 2023] DSA-5451-1 thunderbird - security update
+   {CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 
CVE-2023-37211}
[bullseye] - thunderbird 1:102.13.0-1~deb11u1
[bookworm] - thunderbird 1:102.13.0-1~deb12u1
 [07 Jul 2023] DSA-5450-1 firefox-esr - security update
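Review bot: the added `{CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 CVE-2023-37211}` line supplies the CVE list that the original DSA-5451-1 entry (commit 1cd95a43) was missing, and it is identical to the list carried by DSA-5450-1 firefox-esr, which is expected since both packages track the 102.13 ESR series (firefox-esr 102.13.0esr-1, thunderbird 1:102.13.0-1 in the CVE entries). The matching `{DSA-5451-1 ...}` references on the CVE/list side were already written by the automatic update, so both files agree once this lands.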



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00404a33424169134995001a541dfecc28fd17a8



[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2023-07-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1cd95a43 by Moritz Mühlenhoff at 2023-07-09T20:23:48+02:00
thunderbird DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[09 Jul 2023] DSA-5451-1 thunderbird - security update
+   [bullseye] - thunderbird 1:102.13.0-1~deb11u1
+   [bookworm] - thunderbird 1:102.13.0-1~deb12u1
 [07 Jul 2023] DSA-5450-1 firefox-esr - security update
{CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 
CVE-2023-37211}
[bullseye] - firefox-esr 102.13.0esr-1~deb11u1
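Review bot: the new DSA-5451-1 entry is missing the `{CVE-...}` line that the DSA-5450-1 entry directly below it carries; without it the tracker cannot link the DSA to its CVEs. The follow-up commit 00404a33 ("fix CVE ID list") adds the list, so it would have been cleaner to include it here in one commit.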


=
data/dsa-needed.txt
=
@@ -69,8 +69,6 @@ salt/oldstable
 --
 samba/oldstable
 --
-thunderbird (jmm)
---
 wpewebkit
 --
 xrdp/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cd95a434945bc175d8c119b9e86eecebcf8316d



[Git][security-tracker-team/security-tracker][master] node-dottie fixed in sid

2023-07-09 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac8e94c6 by Moritz Muehlenhoff at 2023-07-09T16:31:34+02:00
node-dottie fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -22105,7 +22105,7 @@ CVE-2023-26134 (Versions of the package git-commit-info 
before 2.0.2 are vulnera
 CVE-2023-26133 (All versions of the package progressbar.js are vulnerable to 
Prototype ...)
NOT-FOR-US: progressbar.js
 CVE-2023-26132 (Versions of the package dottie before 2.0.4 are vulnerable to 
Prototyp ...)
-   - node-dottie  (bug #1040592)
+   - node-dottie 2.0.6+~2.0.5-1 (bug #1040592)
[bookworm] - node-dottie  (Minor issue)
[bullseye] - node-dottie  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
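Review bot: the recorded fixed version 2.0.6+~2.0.5-1 is above the 2.0.4 threshold in the CVE description ("dottie before 2.0.4"), and the bookworm/bullseye lines keep their Minor issue annotation, so sid is the only suite where the entry changes state. Bug #1040592 stays referenced, which is fine as long as the upload closes it.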



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8e94c671e7e0764a0c04358fec522ab99a090f
