[Git][security-tracker-team/security-tracker][master] 9 commits: CVE-2023-38199,modsecurity-crs: mark buster as postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 01f830da by Markus Koschany at 2023-07-31T00:57:09+02:00 CVE-2023-38199,modsecurity-crs: mark buster as postponed Minor issue - - - - - 1da0ed93 by Markus Koschany at 2023-07-31T00:57:10+02:00 CVE-2023-38336,netkit-rcp: buster is no-dsa Minor issue. - - - - - 9f78cb14 by Markus Koschany at 2023-07-31T00:57:10+02:00 CVE-2021-31294,redis: buster is no-dsa Minor issue. According to upstream: Versions before 6.2 were not intended to have safety guarantees related to this. - - - - - 94b8336e by Markus Koschany at 2023-07-31T00:57:10+02:00 Add zabbix to dla-needed.txt - - - - - 13a8636d by Markus Koschany at 2023-07-31T00:57:10+02:00 Add sox to dla-needed.txt - - - - - d3a8f3ed by Markus Koschany at 2023-07-31T00:57:10+02:00 Add pdfcrack to dla-needed.txt - - - - - 28f97c8c by Markus Koschany at 2023-07-31T00:57:10+02:00 CVE-2023-3019,CVE-2023-1386,qemu: no-dsa in Buster Minor issue - - - - - 7e8c934b by Markus Koschany at 2023-07-31T00:57:10+02:00 Triage plantuml CVE as no-dsa for Buster Minor issues. - - - - - 100de074 by Markus Koschany at 2023-07-31T00:57:11+02:00 CVE-2023-37369,qtbase-opensource-src: Buster is no-dsa Minor issue - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -152,6 +152,7 @@ CVE-2023-37369 - qtbase-opensource-src 5.15.10+dfsg-3 [bookworm] - qtbase-opensource-src (Minor issue) [bullseye] - qtbase-opensource-src (Minor issue) + [buster] - qtbase-opensource-src (Minor issue) - qt4-x11 NOTE: https://www.qt.io/blog/security-advisory-qxmlstreamreader NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/455027 
@@ -1521,6 +1522,7 @@ CVE-2023-38336 (netkit-rcp in rsh-client 0.17-24 allows command injection via fi - netkit-rsh (bug #1039689) [bookworm] - netkit-rsh (Minor issue) [bullseye] - netkit-rsh (Minor issue) + [buster] - netkit-rsh (Minor issue) CVE-2023-37794 (WAYOS FBM-291W 19.09.11V was discovered to contain a command injection ...) NOT-FOR-US: WAYOS CVE-2023-37793 (WAYOS FBM-291W 19.09.11V was discovered to contain a buffer overflow v ...) @@ -1792,6 +1794,7 @@ CVE-2023-38199 (coreruleset (aka OWASP ModSecurity Core Rule Set) through 3.3.4 - modsecurity-crs (bug #1041109) [bookworm] - modsecurity-crs (Minor issue) [bullseye] - modsecurity-crs (Minor issue) + [buster] - modsecurity-crs (Minor issue) NOTE: https://github.com/coreruleset/coreruleset/issues/3191 NOTE: https://github.com/coreruleset/coreruleset/pull/3237 CVE-2023-38198 (acme.sh before 3.0.6 runs arbitrary commands from a remote server via ...) @@ -2094,6 +2097,7 @@ CVE-2023-3019 (A DMA reentrancy issue leading to a use-after-free error was foun - qemu (bug #1041102) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=59243 NOTE: Proposed upstream patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-05/msg08310.html CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site Request ...) 
@@ -4010,12 +4014,14 @@ CVE-2023-3432 (Server-Side Request Forgery (SSRF) in GitHub repository plantuml/ - plantuml (bug #104) [bookworm] - plantuml (Minor issue) [bullseye] - plantuml (Minor issue) + [buster] - plantuml (Minor issue) NOTE: https://huntr.dev/bounties/8ac3316f-431c-468d-87e4-3dafff2ecf51/ NOTE: https://github.com/plantuml/plantuml/commit/b32500bb61ae617bb312496d6d832e4be8190797 (v1.2023.9) CVE-2023-3431 (Improper Access Control in GitHub repository plantuml/plantuml prior t ...) - plantuml (bug #103) [bookworm] - plantuml (Minor issue) [bullseye] - plantuml (Minor issue) + [buster] - plantuml (Minor issue) NOTE: https://huntr.dev/bounties/fa741f95-b53c-4ed7-b157-e32c5145164c/ NOTE: https://github.com/plantuml/plantuml/commit/fbe7fa3b25b4c887d83927cffb1009ec6cb8ab1e (v1.2023.9) CVE-2023-3405 (Unchecked parameter value in M-Files Server in versions before 23.6.12 ...) @@ -18793,6 +18799,7 @@ CVE-2023-1386 (A flaw was found in the 9p passthrough filesystem (9pfs) implemen - qemu [bookworm] - qemu (Minor issue) [bullseye] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://github.com/v9fs/linux/issues/29 CVE-2023-1385 (Improper JPAKE implementation allows offline PIN brute-forcing due to ...) NOT-FOR-US: Amazon Fire TV Stick 3rd gen and Insignia TV with FireOS @@ -96833,6 +96840,7 @@ CVE-2022-1231 (XSS via Embedded SVG in SVG Diagram Format in GitHub repository p -
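Review bot: the first commit in this push is titled "CVE-2023-38199,modsecurity-crs: mark buster as postponed", yet its hunk (`+ [buster] - modsecurity-crs (Minor issue)`) reads exactly like the no-dsa hunks for netkit-rsh, qemu, plantuml and qtbase-opensource-src in the same push, so the tag is not distinguishable in this view; please confirm that the buster line really carries the postponed tag rather than no-dsa, since the two are tracked differently for LTS follow-up.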
[Git][security-tracker-team/security-tracker][master] LTS: claim nodejs and cjose in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d2fe873 by Guilhem Moulin at 2023-07-31T00:28:52+02:00 LTS: claim nodejs and cjose in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,7 +39,7 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cjose +cjose (guilhem) NOTE: 20230730: Added by Front-Desk (apo) -- docker.io (rouca) @@ -88,7 +88,7 @@ libreoffice (Abhijith PA) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- -nodejs +nodejs (guilhem) NOTE: 20230731: Added by Front-Desk (apo) -- nova View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d2fe87396afc5cf833af681135009a43ab407d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d2fe87396afc5cf833af681135009a43ab407d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 9 commits: Add cjose to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 498f5f3b by Markus Koschany at 2023-07-31T00:15:47+02:00 Add cjose to dla-needed.txt - - - - - c9994c81 by Markus Koschany at 2023-07-31T00:15:48+02:00 CVE-2023-3748,frr: Buster is not affected The vulnerable code was introduced later - - - - - eb450498 by Markus Koschany at 2023-07-31T00:15:48+02:00 Add nodejs to dla-needed.txt - - - - - 44a1f513 by Markus Koschany at 2023-07-31T00:15:48+02:00 Add orthanc to dla-needed.txt - - - - - f0ea15f3 by Markus Koschany at 2023-07-31T00:15:49+02:00 CVE-2021-37819,libitext-java: buster is no-dsa Minor issue - - - - - 78172fc4 by Markus Koschany at 2023-07-31T00:15:50+02:00 CVE-2023-35946,CVE-2023-35947,gradle: Buster is no-dsa Minor issues because Debian uses local system libraries to build packages. The paths won't contain any special characters and an attacker will not have control over the dependencies which are located in /usr/share/java or /usr/share/maven-repo. This would require root access. - - - - - 2d040c41 by Markus Koschany at 2023-07-31T00:15:51+02:00 Add open-vm-tools to dla-needed.txt - - - - - 38ab281e by Markus Koschany at 2023-07-31T00:15:51+02:00 Add openssl to dla-needed.txt - - - - - a4571d12 by Markus Koschany at 2023-07-31T00:15:51+02:00 Add amd64-microcode to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1037,6 +1037,7 @@ CVE-2023-3750 (A flaw was found in libvirt. The virStoragePoolObjListSearch func NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/9a47442366fcf8a7b6d7422016d7bbb6764a1098 CVE-2023-3748 (A flaw was found in FRRouting when parsing certain babeld unicast hell ...) - frr (bug #1042473) + [buster] - frr (The vulnerable code was introduced later) NOTE: https://github.com/FRRouting/frr/issues/11808 NOTE: https://github.com/FRRouting/frr/pull/12950 NOTE: https://github.com/FRRouting/frr/pull/12952 
@@ -3541,6 +3542,7 @@ CVE-2023-35947 (Gradle is a build tool with a focus on build automation and supp - gradle (bug #1041424) [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) + [buster] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842 NOTE: https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3) NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3) @@ -3548,6 +3550,7 @@ CVE-2023-35946 (Gradle is a build tool with a focus on build automation and supp - gradle (bug #1041424) [bookworm] - gradle (Minor issue) [bullseye] - gradle (Minor issue) + [buster] - gradle (Minor issue) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v NOTE: https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d (v8.2.0-RC3) NOTE: https://github.com/gradle/gradle/commit/b07e528feb3a5ffa66bdcc358549edd73e4c8a12 (v8.2.0-RC3) @@ -144630,6 +144633,7 @@ CVE-2021-37819 (PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite - libitext-java [bookworm] - libitext-java (Minor issue) [bullseye] - libitext-java (Minor issue) + [buster] - libitext-java (Minor issue) - libitext1-java [bookworm] - libitext1-java (Minor issue) [bullseye] - libitext1-java (Minor issue) = data/dla-needed.txt = @@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +amd64-microcode + NOTE: 20230731: Added by Front-Desk (apo) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) 
@@ -36,6 +39,9 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- +cjose + NOTE: 20230730: Added by Front-Desk (apo) +-- docker.io (rouca) NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) @@ -82,6 +88,9 @@ libreoffice (Abhijith PA) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- +nodejs + NOTE: 20230731: Added by Front-Desk (apo) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression @@ -101,6 +110,9 @@ nvidia-cuda-toolkit
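Review bot: in the CVE-2021-37819 hunk the buster annotation is added for libitext-java only (`+ [buster] - libitext-java (Minor issue)`), while the libitext1-java entry directly below carries the same bookworm and bullseye "Minor issue" lines but receives no buster line; if libitext1-java is also shipped in buster it needs the same triage, and if it is not, a short NOTE saying so would stop the entry from looking half-done.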
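Review bot: the two gradle hunks add only `+ [buster] - gradle (Minor issue)` for CVE-2023-35946 and CVE-2023-35947, while the reasoning that justifies no-dsa (Debian builds against local system libraries under /usr/share/java and /usr/share/maven-repo, the paths contain no special characters, and controlling those dependencies would already require root) lives only in the commit message; consider recording it as a NOTE line on both entries so later triagers can see the rationale in data/CVE/list itself rather than in git history.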
[Git][security-tracker-team/security-tracker][master] Reverse order of the CVEs for tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fa588a70 by Salvatore Bonaccorso at 2023-07-31T00:03:00+02:00 Reverse order of the CVEs for tiff Seems that the CVEs were swapped while filling in the details. CVE-2023-38288 is associated with https://gitlab.com/libtiff/libtiff/-/issues/591 . CVE-2023-38289 is associated with https://gitlab.com/libtiff/libtiff/-/issues/592 . OTOH the RHBZ subject descriptions and contents are swapped; added respective notes on https://bugzilla.redhat.com/show_bug.cgi?id=2224971 and https://bugzilla.redhat.com/show_bug.cgi?id=2224974 . Fixes: 0bdc959b6a1e (fill in details for tiff issues) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -570,13 +570,13 @@ CVE-2023-32232 (An issue was discovered in Vasion PrinterLogic Client for Window CVE-2023-32231 (An issue was discovered in Vasion PrinterLogic Client for Windows befo ...) NOT-FOR-US: Vasion CVE-2023-38289 [libtiff: potential integer overflow in raw2tiff.c] - - tiff 4.5.1+git230720-1 - NOTE: https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5 - NOTE: https://gitlab.com/libtiff/libtiff/-/issues/591 -CVE-2023-38288 [libtiff: integer overflow in tiffcp.c] - tiff 4.5.1+git230720-1 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/592 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee +CVE-2023-38288 [libtiff: integer overflow in tiffcp.c] + - tiff 4.5.1+git230720-1 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5 + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/591 CVE-2023-3870 REJECTED CVE-2023-3863 (A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa588a70f24cb5fe4a07a24ed76ebbcd74806f66
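Review bot: the swap moves the commit and issue NOTE lines between the two ids but leaves the bracketed descriptions where they were, so CVE-2023-38289 keeps "[libtiff: potential integer overflow in raw2tiff.c]" while now pointing at issues/592 and commit 6e2dac5f, and CVE-2023-38288 keeps "[libtiff: integer overflow in tiffcp.c]" with issues/591 and commit 4fc16f64; since the commit message states that the RHBZ subjects and contents are themselves swapped, check that each bracketed description matches the issue it now sits above, and move the descriptions along with the notes if it does not.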
[Git][security-tracker-team/security-tracker][master] 2 commits: update note
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 7776373b by Thorsten Alteholz at 2023-07-30T23:33:39+02:00 update note - - - - - 36c7fadb by Thorsten Alteholz at 2023-07-30T23:33:39+02:00 claim amanda - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -21,7 +21,7 @@ To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. -- -amanda +amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- cairosvg (gladk) @@ -141,7 +141,7 @@ rails ring (Thorsten Alteholz) NOTE: 20221120: Added by Front-Desk (ta) NOTE: 20230507: testing package - NOTE: 20230716: testing package, not all tests pass yet + NOTE: 20230730: testing package, not all tests pass yet -- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/0bdc959b6a1ec130ec9970e70826f1b35d2383fc...36c7fadb74d6b19bcac9f89bb1167e782368efe6
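Review bot: the ring hunk rewrites an existing note in place (`- NOTE: 20230716: testing package, not all tests pass yet` becomes `+ NOTE: 20230730: testing package, not all tests pass yet`), whereas the file header visible in the first hunk's context asks to append notes rather than remove or replace existing ones; appending a new 20230730 line would keep the 20230716 status visible in the entry's history.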
[Git][security-tracker-team/security-tracker][master] fill in details for tiff issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bdc959b by Moritz Muehlenhoff at 2023-07-30T23:33:09+02:00 fill in details for tiff issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -569,14 +569,14 @@ CVE-2023-32232 (An issue was discovered in Vasion PrinterLogic Client for Window NOT-FOR-US: Vasion CVE-2023-32231 (An issue was discovered in Vasion PrinterLogic Client for Windows befo ...) NOT-FOR-US: Vasion -CVE-2023-38289 [libtiff: integer overflow in tiffcp.c] - - tiff - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2224974 - TODO: unclear details in RHBZ#2224974 -CVE-2023-38288 [libtiff: potential integer overflow in raw2tiff.c] - - tiff - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2224971 - TODO: unclear details in RHBZ#2224971 +CVE-2023-38289 [libtiff: potential integer overflow in raw2tiff.c] + - tiff 4.5.1+git230720-1 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/4fc16f649fa2875d5c388cf2edc295510a247ee5 + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/591 +CVE-2023-38288 [libtiff: integer overflow in tiffcp.c] + - tiff 4.5.1+git230720-1 + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/592 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee CVE-2023-3870 REJECTED CVE-2023-3863 (A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bdc959b6a1ec130ec9970e70826f1b35d2383fc
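Review bot: the hunk drops the two RHBZ references (show_bug.cgi?id=2224974 and 2224971) together with the TODO lines while adding the gitlab issue and commit links, and at the same time exchanges the bracketed descriptions between the two ids; keeping the bugzilla links as additional NOTE lines would preserve the only references the previous version of these entries had, which is useful when the pairing of description and id is still in doubt.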
[Git][security-tracker-team/security-tracker][master] binutils fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 41447f96 by Moritz Muehlenhoff at 2023-07-30T23:26:18+02:00 binutils fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12293,7 +12293,7 @@ CVE-2023-30466 (This vulnerability exists in Milesight 4K/H.265 Series NVR model CVE-2023-30465 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Apache InLong CVE-2023-1972 (A potential heap based buffer overflow was found in _bfd_elf_slurp_ver ...) - - binutils (unimportant) + - binutils 2.41-1 (unimportant) NOTE: https://sourceware.org/git/?p=binutils-gdb.git;a=blobdiff;f=bfd/elf.c;h=185028cbd97ae0901c4276c8a4787b12bb75875a;hp=027d01437352555bc4ac0717cb0486c751a7775d;hb=c22d38baefc5a7a1e1f5cdc9dbb556b1f0ec5c57;hpb=f2f9bde5cde7ff34ed0a4c4682a211d402aa1086 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30285 NOTE: binutils not covered by security support 
@@ -318631,9 +318631,10 @@ CVE-2019-3410 (All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CVE-2019-3409 (All versions up to UKBB_WF820+_1.0.0B06 of ZTE WF820+ LTE Outdoor CPE ...) NOT-FOR-US: ZTE CVE-2018-20623 (In GNU Binutils 2.31.1, there is a use-after-free in the error functio ...) - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=24049 NOTE: binutils not covered by security support + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=28e817cc440bce73691c03e01860089a0954a837 (binutils-2_32) CVE-2018-20622 (JasPer 2.0.14 has a memory leak in base/jas_malloc.c in libjasper.a wh ...) {DLA-1628-1} - jasper View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41447f965546918b50768006f7dc6d63b8286078
[Git][security-tracker-team/security-tracker][master] Track fix via unstable for ntpsec issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d65b42cf by Salvatore Bonaccorso at 2023-07-30T23:12:20+02:00 Track fix via unstable for ntpsec issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External P CVE-2023-32225 (Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A ...) NOT-FOR-US: SysAid CVE-2023- [crash on NTS requests] - - ntpsec (bug #1038422) + - ntpsec 1.2.2+dfsg1-2 (bug #1038422) [bullseye] - ntpsec (Vulnerable code introduced later) [buster] - ntpsec (Vulnerable code introduced later) NOTE: https://gitlab.com/NTPsec/ntpsec/-/issues/794 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d65b42cf704722f7b107443702f859a54070193d
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a15e0ad5 by Salvatore Bonaccorso at 2023-07-30T22:20:54+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,17 +1,17 @@ CVE-2023-37219 (Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formul ...) - TODO: check + NOT-FOR-US: Tadiran Telecom Composit CVE-2023-37218 (Tadiran Telecom Aeonix - CWE-22 Improper Limitation of a Pathname to a ...) - TODO: check + NOT-FOR-US: Tadiran Telecom Aeonix CVE-2023-37217 (Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy) - TODO: check + NOT-FOR-US: Tadiran Telecom Aeonix CVE-2023-37216 (AnaSystem SensMini M4 \u2013 Using the configuration tool, an authenti ...) - TODO: check + NOT-FOR-US: AnaSystem SensMini M4 CVE-2023-37215 (JBL soundbar multibeam 5.1 - CWE-798: Use of Hard-coded Credentials) - TODO: check + NOT-FOR-US: JBL soundbar multibeam CVE-2023-37214 (Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025.) - TODO: check + NOT-FOR-US: Heights Telecom ERO1xS-Pro Dual-Band FW CVE-2023-37213 (Synel SYnergy Fingerprint Terminals - CWE-78: 'OS Command Injection') - TODO: check + NOT-FOR-US: Synel SYnergy Fingerprint Terminals CVE-2023-32227 (Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Crede ...) NOT-FOR-US: Synel SYnergy Fingerprint Terminals CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External Parties ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a15e0ad511494244bf06ad00a02a64a712873268
[Git][security-tracker-team/security-tracker][master] Adjust commit id for CVE-2018-12934 upstream commit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1536b80c by Salvatore Bonaccorso at 2023-07-30T22:14:50+02:00 Adjust commit id for CVE-2018-12934 upstream commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -346422,7 +346422,7 @@ CVE-2018-12934 (remember_Ktype in cplus-dem.c in GNU libiberty, as distributed i NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23059 NOTE: binutils not covered by security support - NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1910070b298052d7ca8e4024891465824588c19e (binutils-2_32) + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1910070b298052d7ca8e4024891465824588c1e9 (binutils-2_32) CVE-2018-12933 (PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to ...) - wine 4.0~rc1-1 (low) [stretch] - wine (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1536b80c001cc05e87ad8a71d8ec83ab08f2c464
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6eeb5fa8 by security tracker role at 2023-07-30T20:12:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2023-37219 (Tadiran Telecom Composit - CWE-1236: Improper Neutralization of Formul ...) + TODO: check +CVE-2023-37218 (Tadiran Telecom Aeonix - CWE-22 Improper Limitation of a Pathname to a ...) + TODO: check +CVE-2023-37217 (Tadiran Telecom Aeonix - CWE-204: Observable Response Discrepancy) + TODO: check +CVE-2023-37216 (AnaSystem SensMini M4 \u2013 Using the configuration tool, an authenti ...) + TODO: check +CVE-2023-37215 (JBL soundbar multibeam 5.1 - CWE-798: Use of Hard-coded Credentials) + TODO: check +CVE-2023-37214 (Heights Telecom ERO1xS-Pro Dual-Band FW version BZ_ERO1XP.025.) + TODO: check +CVE-2023-37213 (Synel SYnergy Fingerprint Terminals - CWE-78: 'OS Command Injection') + TODO: check CVE-2023-32227 (Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Crede ...) NOT-FOR-US: Synel SYnergy Fingerprint Terminals CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External Parties ...) 
@@ -2664,6 +2678,7 @@ CVE-2023-31405 (SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE CVE-2023-3605 (A vulnerability was found in PHPGurukul Online Shopping Portal 1.0. It ...) NOT-FOR-US: PHPGurukul Online Shopping Portal CVE-2023-3417 (Thunderbird allowed the Text Direction Override Unicode Character in f ...) + {DSA-5463-1} - thunderbird 1:102.13.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/#CVE-2023-3417 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/#CVE-2023-3417 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6eeb5fa8ef9b05e515ad342339c75b207106ae77
[Git][security-tracker-team/security-tracker][master] older binutils issue fixed
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: dd668a39 by Moritz Muehlenhoff at 2023-07-30T21:45:52+02:00 older binutils issue fixed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -346402,11 +346402,12 @@ CVE-2018-12936 CVE-2018-12935 RESERVED CVE-2018-12934 (remember_Ktype in cplus-dem.c in GNU libiberty, as distributed in GNU ...) - - binutils (unimportant) + - binutils 2.32.51.20190707-1 (unimportant) NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85453 NOTE: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84950 NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=23059 NOTE: binutils not covered by security support + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=1910070b298052d7ca8e4024891465824588c19e (binutils-2_32) CVE-2018-12933 (PlayEnhMetaFileRecord in enhmetafile.c in Wine 3.7 allows attackers to ...) - wine 4.0~rc1-1 (low) [stretch] - wine (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd668a3961ae88e910df367fcea40e611db241d8
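Review bot: the added NOTE ends in `...824588c19e`, but the follow-up commit 1536b80c ("Adjust commit id for CVE-2018-12934 upstream commit", shown earlier on this page) rewrites it to `...824588c1e9`, so the hash in this hunk has its last two hex digits transposed; pasting the id straight from the gitweb URL rather than retyping it would avoid a second commit for the correction.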
[Git][security-tracker-team/security-tracker][master] librsvg fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 18af1a2e by Moritz Muehlenhoff at 2023-07-30T21:36:35+02:00 librsvg fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -667,7 +667,7 @@ CVE-2023-3828 (A vulnerability was found in Bug Finder Listplace Directory Listi CVE-2023-3827 (A vulnerability was found in Bug Finder Listplace Directory Listing Pl ...) NOT-FOR-US: Bug Finder CVE-2023-38633 (A directory traversal problem in the URL decoder of librsvg before 2.5 ...) - - librsvg (bug #1041810) + - librsvg 2.54.7+dfsg-1 (bug #1041810) [buster] - librsvg (The vulnerable code was introduced later) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1213502 NOTE: https://gitlab.gnome.org/GNOME/librsvg/-/issues/996 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/18af1a2eee67de83a415dc41eb6ae5d225624a76
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 908d6736 by Moritz Mühlenhoff at 2023-07-30T21:21:06+02:00 thunderbird DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Jul 2023] DSA-5463-1 thunderbird - security update + {CVE-2023-3417} + [bullseye] - thunderbird 1:102.13.1-1~deb11u1 + [bookworm] - thunderbird 1:102.13.1-1~deb12u1 [30 Jul 2023] DSA-5462-1 linux - security update {CVE-2023-20593} [bookworm] - linux 6.1.38-2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/908d673666ff79b272f1cc63caba0d12cad70108
[Git][security-tracker-team/security-tracker][master] CVE-2023-3648 does not affect buster or bullseye
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abb0a9d2 by Adrian Bunk at 2023-07-30T21:05:42+03:00 CVE-2023-3648 does not affect buster or bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1618,10 +1618,13 @@ CVE-2023-3649 (iSCSI dissector crash in Wireshark 4.0.0 to 4.0.6 allows denial o CVE-2023-3648 (Kafka dissector crash in Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14 ...) - wireshark 4.0.7-1 (bug #1041101) [bookworm] - wireshark (Minor issue) - [bullseye] - wireshark (Minor issue) - [buster] - wireshark (Minor issue) + [bullseye] - wireshark (Vulnerable code not present) + [buster] - wireshark (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-21.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19105 + NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/f8d308e9affefea9cca4bd5f2672f4c09688d4e0 (master) + NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/b6c69cc5a996a665b3b86112ff38ff026e4c3994 (backport to 4.0.2) + NOTE: Introduced by: https://gitlab.com/wireshark/wireshark/-/commit/e0bd9d312c362318fd19e41c6c0e23fc81d42253 (backport to 3.6.10) CVE-2023-3514 (Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer ...) NOT-FOR-US: Razer CVE-2023-3513 (Improper Privilege Control in RazerCentralSerivce Named Pipe in Razer ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abb0a9d2050e7976132a41c59bcbe0a314d4105a
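Review bot: the bullseye and buster lines are switched to "Vulnerable code not present" and the three "Introduced by" notes place the introduction on master with backports to 4.0.2 and 3.6.10, while the CVE description in the hunk context says the crash affects "Wireshark 4.0.0 to 4.0.6 and 3.6.0 to 3.6.14"; a one-line NOTE stating that the affected range effectively starts at 4.0.2 and 3.6.10 would reconcile the two and make the basis for the buster and bullseye assessment explicit to anyone reading the entry later.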
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-28864,chef: Link to CVE description, impact, remediation
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: b2937ef2 by Markus Koschany at 2023-07-30T18:14:56+02:00 CVE-2023-28864,chef: Link to CVE description, impact, remediation - - - - - 69777e69 by Markus Koschany at 2023-07-30T18:19:38+02:00 Add chef to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -16736,6 +16736,7 @@ CVE-2023-28865 RESERVED CVE-2023-28864 (Progress Chef Infra Server before 15.7 allows a local attacker to expl ...) - chef + NOTE: https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation CVE-2023-28863 (AMI MegaRAC SPx12 and SPx13 devices have Insufficient Verification of ...) NOT-FOR-US: AMI CVE-2023-28862 (An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session I ...) = data/dla-needed.txt = 
@@ -28,6 +28,10 @@ cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) -- +chef + NOTE: 20230730: Added by Front-Desk (apo) + NOTE: 20230730: We could just change the directory permissions to fix this problem. (apo) +-- cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b292c0b0fb6fa7a0a32a20c64568eed8d52dccf...69777e6973ea60298995886e72699fb2d3496513
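Review bot: the CVE-2023-28864 hunk adds only a third-party blog link, and "- chef" still carries no fixed version and no per-suite lines, so every release is listed as affected until triage adds them. Since the commit message says the link covers description, impact and remediation, a second NOTE naming the upstream fix (tag or commit) would keep the blog post from being the sole source for an LTS backport.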
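Review bot: the dla-needed.txt note "We could just change the directory permissions to fix this problem" records a proposed remediation without saying which directory or what mode is intended; a follow-up dated NOTE naming the path and the target permissions would let the next Front-Desk or claimer verify it, in line with the file's own "append notes rather than remove/replace" guidance. The stanza itself is correctly slotted between cairosvg and cinder with the "--" separator.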
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-30577,amanda: Link to fixing commit
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 03f23d79 by Markus Koschany at 2023-07-30T17:57:31+02:00 CVE-2023-30577,amanda: Link to fixing commit - - - - - 9b292c0b by Markus Koschany at 2023-07-30T17:58:15+02:00 Add amanda to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -11661,6 +11661,7 @@ CVE-2023-30578 CVE-2023-30577 (AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag- ...) - amanda NOTE: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3 + NOTE: https://github.com/zmanda/amanda/pull/228 CVE-2023-30576 (Apache Guacamole 0.9.10 through 1.5.1 may continue to reference a free ...) - guacamole-client CVE-2023-30575 (Apache Guacamole 1.5.1 and older may incorrectly calculate the lengths ...) = data/dla-needed.txt = @@ -20,6 +20,9 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. +-- +amanda + NOTE: 20230730: Added by Front-Desk (apo) -- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cd0354a852929113c42f2428d026b682a962e53d...9b292c0b0fb6fa7a0a32a20c64568eed8d52dccf
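Review bot: the commit message says "Link to fixing commit" but the added NOTE on CVE-2023-30577 points at a pull request (zmanda/amanda/pull/228). A PR can contain several commits and be rebased after merge, so record the merge commit URL with the tag in parentheses, which is the convention used for commit NOTEs elsewhere in data/CVE/list, and keep the GHSA advisory link as is.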
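Review bot: the new amanda stanza in dla-needed.txt carries only the "Added by Front-Desk" line; a second dated NOTE pointing at the GHSA advisory and the upstream PR already referenced in data/CVE/list would save the claimer a lookup. Placement with a leading "--" directly after the header guidance keeps the file alphabetical ahead of cairosvg.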
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2023-38408,openssh: triage as no-dsa for Buster
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e1b48a3 by Markus Koschany at 2023-07-30T17:11:21+02:00 CVE-2023-38408,openssh: triage as no-dsa for Buster Requires specific conditions like forwarding and an already compromised system. - - - - - f99b7d3a by Markus Koschany at 2023-07-30T17:11:22+02:00 CVE-2023-37769,pixman: triage Buster as no-dsa Minor issue. Affects only a test executable. - - - - - cd0354a8 by Markus Koschany at 2023-07-30T17:11:23+02:00 CVE-2022-40896,pygments: Buster is no-dsa Minor issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -916,6 +916,7 @@ CVE-2023-38408 (The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an - openssh 1:9.3p2-1 (bug #1042460) [bookworm] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) [bullseye] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) + [buster] - openssh (Minor issue; needs specific conditions and forwarding was always subject to caution warning) NOTE: https://www.openwall.com/lists/oss-security/2023/07/19/9 NOTE: https://github.com/openssh/openssh-portable/commit/892506b13654301f69f9545f48213fc210e5c5cc NOTE: https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a @@ -1310,6 +1311,7 @@ CVE-2023-37769 (stress-test master commit e4c878 was discovered to contain a FPE - pixman [bookworm] - pixman (Minor issue) [bullseye] - pixman (Minor issue) + [buster] - pixman (Minor issue) NOTE: https://gitlab.freedesktop.org/pixman/pixman/-/issues/76 CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for developing ...) NOT-FOR-US: Open Enclave 
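Review bot: the new [buster] line for CVE-2023-38408 repeats the bookworm and bullseye rationale verbatim, which is consistent, but the commit message states a stronger precondition ("an already compromised system") that the entry itself never records. Folding that condition into the parenthetical or a NOTE would make the no-dsa reasoning complete in the tracker data rather than only in git history.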
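Review bot: for CVE-2023-37769 the decisive fact from the commit message, "Affects only a test executable", appears nowhere in the entry; add it as a NOTE. Also "- pixman" has no fixed version while every suite is marked "Minor issue", so unstable reads as unfixed; since the description itself names a stress-test program, it is worth confirming whether that code ships in the binary packages at all, which would support "Vulnerable code not present" or "unimportant" instead of no-dsa.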
@@ -62456,6 +62458,7 @@ CVE-2022-40896 (A ReDoS issue was discovered in pygments/lexers/smithy.py in pyg - pygments 2.15.1+dfsg-1 [bookworm] - pygments (Minor issue) [bullseye] - pygments (Minor issue) + [buster] - pygments (Minor issue) NOTE: https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages-part-2/ NOTE: https://github.com/pygments/pygments/issues/2356 NOTE: https://github.com/pygments/pygments/issues/2355 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/430234d8a7ee36b7524477c93617653edf258416...cd0354a852929113c42f2428d026b682a962e53d
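Review bot: the [buster] line for CVE-2022-40896 matches bullseye, but the entry's NOTEs link only the pyup write-up and the two upstream issues (#2356, #2355), not the commits that resolved them by the 2.15.1 release recorded as the fixed version. Adding the fixing commit URLs would make a later backport of the smithy lexer change straightforward if the no-dsa decision is revisited.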
[Git][security-tracker-team/security-tracker][master] 2 commits: Add upstream tag reference for CVE-2022-34927 fix upstream
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c9f932e by Salvatore Bonaccorso at 2023-07-30T15:05:45+02:00 Add upstream tag reference for CVE-2022-34927 fix upstream - - - - - 430234d8 by Salvatore Bonaccorso at 2023-07-30T15:07:16+02:00 Track fixed version for CVE-2022-34927/milkytracker via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78550,8 +78550,8 @@ CVE-2022-34929 CVE-2022-34928 (JFinal CMS v5.1.0 was discovered to contain a SQL injection vulnerabil ...) NOT-FOR-US: JFinal CMS CVE-2022-34927 (MilkyTracker v1.03.00 was discovered to contain a stack overflow via t ...) - - milkytracker (unimportant; bug #1016578) - NOTE: https://github.com/milkytracker/MilkyTracker/commit/3a5474f9102cbdc10fbd9e7b1b2c8d3f3f45d91b + - milkytracker 1.04.00+dfsg-1 (unimportant; bug #1016578) + NOTE: https://github.com/milkytracker/MilkyTracker/commit/3a5474f9102cbdc10fbd9e7b1b2c8d3f3f45d91b (v1.04.00) NOTE: https://github.com/milkytracker/MilkyTracker/issues/275 NOTE: Crash in GUI tool, no security impact CVE-2022-34926 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7...430234d8a7ee36b7524477c93617653edf258416
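Review bot: bug #1016578 stays referenced on the line that now records 1.04.00+dfsg-1 as fixed; confirm the upload closed it, otherwise the tracker keeps an open bug against a version it lists as fixed. Keeping "unimportant" alongside the "Crash in GUI tool, no security impact" NOTE is consistent, and the "(v1.04.00)" annotation after the commit URL follows the file's usual commit-plus-tag convention.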
[Git][security-tracker-team/security-tracker][master] LTS: set myself as a FD for next week
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ed8ad67 by Anton Gladky at 2023-07-30T14:46:33+02:00 LTS: set myself as a FD for next week - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = @@ -28,7 +28,7 @@ From 03-07 to 09-07:Anton Gladky From 10-07 to 16-07:Chris Lamb From 17-07 to 23-07:Emilio Pozuelo Monfort From 24-07 to 30-07:Markus Koschany -From 31-07 to 06-08:Ola Lundqvist +From 31-07 to 06-08:Anton Gladky From 07-08 to 13-08:Sylvain Beucler From 14-08 to 20-08:Thorsten Alteholz From 21-08 to 27-08:Utkarsh Gupta @@ -49,4 +49,4 @@ From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta From 18-12 to 24-12:Anton Gladky -From 25-12 to 31-12:Chris Lamb \ No newline at end of file +From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ed8ad67a02055e382e0f06a11adc9bfa89af0e7
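Review bot: the first hunk replaces Ola Lundqvist with Anton Gladky for 31-07 to 06-08, but the commit message "set myself as a FD for next week" does not say whether this is an agreed swap; naming the swap in the message (or a comment in the file) would stop a double booking from being discovered only through git blame.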
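Review bot: the second hunk only adds the missing trailing newline on the last line ("\ No newline at end of file"); harmless, but unrelated to the roster change and not mentioned in the commit message.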
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e980dc2 by Salvatore Bonaccorso at 2023-07-30T14:42:31+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-32227 (Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Crede ...) - TODO: check + NOT-FOR-US: Synel SYnergy Fingerprint Terminals CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External Parties ...) - TODO: check + NOT-FOR-US: SysAid CVE-2023-32225 (Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A ...) - TODO: check + NOT-FOR-US: SysAid CVE-2023- [crash on NTS requests] - ntpsec (bug #1038422) [bullseye] - ntpsec (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e980dc2ebb65ec0d7fbdd23e8346cf4eb98ea95
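Review bot: the three NOT-FOR-US labels are inconsistent in product naming: the first copies the odd capitalization "SYnergy" straight from the imported description, while the next two normalize "Sysaid" to "SysAid". Use one canonical vendor/product spelling per label, since these strings are what later searches of the file match on.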
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b3c3dfe by security tracker role at 2023-07-30T08:12:11+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2023-32227 (Synel SYnergy Fingerprint Terminals - CWE-798: Use of Hard-coded Crede ...) + TODO: check +CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External Parties ...) + TODO: check +CVE-2023-32225 (Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A ...) + TODO: check CVE-2023- [crash on NTS requests] - ntpsec (bug #1038422) [bullseye] - ntpsec (Vulnerable code introduced later) @@ -680,6 +686,7 @@ CVE-2023-3611 (An out-of-bounds write vulnerability in the Linux kernel's net/sc - linux 6.4.4-2 NOTE: https://git.kernel.org/linus/3e337087c3b5805fe0b8a46ba622a962880b5d64 (6.5-rc2) CVE-2023-3610 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) + {DSA-5461-1} - linux 6.3.11-1 [bookworm] - linux 6.1.37-1 [buster] - linux (Vulnerable code not present) @@ -3875,7 +3882,7 @@ CVE-2023-3439 (A flaw was found in the MCTP protocol in the Linux kernel. The fu NOTE: https://git.kernel.org/linus/b561275d633bcd8e0e8055ab86f1a13df75a0269 (5.18-rc5) NOTE: https://www.openwall.com/lists/oss-security/2023/07/02/1 CVE-2023-3390 (A use-after-free vulnerability was found in the Linux kernel's netfilt ...) - {DSA-5448-1} + {DSA-5461-1 DSA-5448-1} - linux 6.3.11-1 NOTE: https://git.kernel.org/linus/1240eb93f0616b21c675416516ff3d74798fdc97 (6.4-rc7) NOTE: https://kernel.dance/#1240eb93f0616b21c675416516ff3d74798fdc97 
@@ -52647,7 +52654,7 @@ CVE-2023-20595 CVE-2023-20594 RESERVED CVE-2023-20593 (An issue in \u201cZen 2\u201d CPUs, under specific microarchitectural ...) - {DSA-5459-1 DLA-3508-1} + {DSA-5462-1 DSA-5461-1 DSA-5459-1 DLA-3508-1} - linux 6.4.4-2 - amd64-microcode 3.20230719.1 (bug #1041863) NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b3c3dfe8c4b66e289fb5ce16e34df0d5d071164
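Review bot: the three entries imported at the top of the file land as "TODO: check" although their descriptions name Synel and SysAid vendor products with no Debian package in sight; they are candidates for NOT-FOR-US at the next manual pass rather than for the TODO queue.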
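Review bot: the CVE-2023-20593 context line still carries literal "\u201c" and "\u201d" escapes where the description has curly quotes, which points at an encoding problem in the import step and is better fixed there than by hand-editing the file. The DSA cross-references themselves ({DSA-5461-1} on CVE-2023-3610 and CVE-2023-3390, {DSA-5462-1 DSA-5461-1} on CVE-2023-20593) match the reservations in data/DSA/list (DSA-5461-1 for bullseye with those three CVEs, DSA-5462-1 for bookworm with CVE-2023-20593 only), so the automatic propagation is correct.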
[Git][security-tracker-team/security-tracker][master] Reserve DSA numbers for linux update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d7732e4 by Salvatore Bonaccorso at 2023-07-30T08:52:16+02:00 Reserve DSA numbers for linux update Make them separate as exception (the not equal set of CVEs could be worked around easily). - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[30 Jul 2023] DSA-5462-1 linux - security update + {CVE-2023-20593} + [bookworm] - linux 6.1.38-2 +[30 Jul 2023] DSA-5461-1 linux - security update + {CVE-2023-3390 CVE-2023-3610 CVE-2023-20593} + [bullseye] - linux 5.10.179-3 [26 Jul 2023] DSA-5460-1 curl - security update {CVE-2023-32001} [bookworm] - curl 7.88.1-10+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d7732e4820e1cbd669b749b557600028505440b
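Review bot: the asymmetric CVE sets (bookworm: CVE-2023-20593 only; bullseye: CVE-2023-3390, CVE-2023-3610 and CVE-2023-20593) are justified by data/CVE/list as shown in the automatic update, where CVE-2023-3610 is already fixed in bookworm 6.1.37-1 and CVE-2023-3390 already carries DSA-5448-1, so the split the commit message calls an exception is backed by the data. The one-line reason in the commit message is the only place that explains it; carrying the same sentence into the advisory text when DSA-5461-1 and DSA-5462-1 are sent would spare readers the cross-check.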