[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-4104/mozillavpn

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5a3 by Salvatore Bonaccorso at 2023-08-04T07:29:35+02:00
Add Debian bug reference for CVE-2023-4104/mozillavpn

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -191,7 +191,7 @@ CVE-2023-32764 (Fabasoft Cloud Enterprise Client 23.3.0.130 
allows a user to esc
 CVE-2023-2754 (The Cloudflare WARP client for Windows assigns loopback IPv4 
addresses ...)
TODO: check
 CVE-2023-4104
-   - mozillavpn 
+   - mozillavpn  (bug #1043004)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/1
NOTE: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7055
NOTE: 
https://github.com/mozilla-mobile/mozilla-vpn-client/commit/6933a07164cd69636889403c959ac2c2b115e0f6
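Review bot: the `+   - mozillavpn  (bug #1043004)` line adds the Debian bug reference but still carries no fixed version, so the tracker will keep reporting mozillavpn as vulnerable in every suite until the fixing upload is recorded; the three NOTE lines already identify the upstream pull request and fix commit, so the entry has what it needs to record the fixed version once a package containing commit 6933a07164cd69636889403c959ac2c2b115e0f6 lands.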



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5a3ac74a8fa337ea11fc478d36dcaf36373

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Fix indentation for CVE-2023-4132/linux

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0690b12b by Salvatore Bonaccorso at 2023-08-04T07:13:12+02:00
Fix indentation for CVE-2023-4132/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20,7 +20,7 @@ CVE-2023-4133 (A use-after-free vulnerability was found in 
the cxgb4 driver in t
- linux 6.3.7-1
NOTE: 
https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3)
 CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb 
module in ...)
-- linux 6.4.4-1
+   - linux 6.4.4-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2221707
NOTE: 
https://git.kernel.org/linus/ebad8e731c1c06adf04621d6fd327b860c0861b5 (6.3-rc1)
NOTE: 
https://git.kernel.org/linus/6f489a966fbeb0da63d45c2c66a8957eab604bf6 (6.5-rc1)
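Review bot: replacing `-- linux 6.4.4-1` with `+   - linux 6.4.4-1` restores the three-space indentation that the following NOTE lines use, so the package line is again read as a sub-entry of CVE-2023-4132 rather than as a stray top-level line; the unindented line came from commit afcd48da (also in this digest), whose `+- linux 6.4.4-1` hunk shows the same defect.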



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0690b12bbd2d07bab1f554b4e1b8402c5460765d



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for ntpsec update

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96dfa18a by Salvatore Bonaccorso at 2023-08-04T07:11:07+02:00
Reserve DSA number for ntpsec update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[04 Aug 2023] DSA-5466-1 ntpsec - security update
+   {CVE-2023-4012}
+   [bookworm] - ntpsec 1.2.2+dfsg1-1+deb12u1
 [03 Aug 2023] DSA-5465-1 python-django - security update
{CVE-2023-36053}
[bullseye] - python-django 2:2.2.28-1~deb11u2
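Review bot: DSA-5466-1 lists a bookworm version only; that is consistent with the CVE-2023-4012 entry from commit a0237619 in this digest, which annotates bullseye and buster as "Vulnerable code introduced later", so no bullseye line is missing here, and the fixed version 1.2.2+dfsg1-1+deb12u1 follows the stable-update naming used by the DSA-5465-1 entry below it.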


=
data/dsa-needed.txt
=
@@ -42,8 +42,6 @@ nodejs
 --
 nova/oldstable
 --
-ntpsec (carnil)
---
 openjdk-11/oldstable (jmm)
   needs asmtools backport in bullseye
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96dfa18a53a98b7ea2c598a3a762bab53ce2c4ad



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4012 for ntpsec issue

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a0237619 by Salvatore Bonaccorso at 2023-08-04T07:00:49+02:00
Add CVE-2023-4012 for ntpsec issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -664,11 +664,12 @@ CVE-2023-32226 (Sysaid -  CWE-552: Files or Directories 
Accessible to External P
NOT-FOR-US: SysAid
 CVE-2023-32225 (Sysaid - CWE-434: Unrestricted Upload of File with Dangerous 
Type -  A ...)
NOT-FOR-US: SysAid
-CVE-2023- [crash on NTS requests]
+CVE-2023-4012 [crash on NTS requests]
- ntpsec 1.2.2+dfsg1-2 (bug #1038422)
[bullseye] - ntpsec  (Vulnerable code introduced later)
[buster] - ntpsec  (Vulnerable code introduced later)
NOTE: https://gitlab.com/NTPsec/ntpsec/-/issues/794
+   NOTE: https://blog.ntpsec.org/2023/08/03/version-1.2.2a.html
 CVE-2023-38988 (An issue in the delete function in the OaNotifyController 
class of jee ...)
NOT-FOR-US: jeesite
 CVE-2023-3598 (Out of bounds read and write in ANGLE in Google Chrome prior to 
114.0. ...)
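Review bot: the references for CVE-2023-4012 now name the upstream issue and the 1.2.2a release announcement but not the fixing commit; adding a NOTE with the upstream fix commit would let the stable and LTS teams verify which change the 1.2.2+dfsg1-1+deb12u1 backport has to carry, and would make the "Vulnerable code introduced later" annotations on bullseye and buster easier to re-check.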



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a023761902a44d0e28623da641bf3b6b33e9e4dd



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-38497/rustc

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b76922b8 by Salvatore Bonaccorso at 2023-08-04T06:48:29+02:00
Add CVE-2023-38497/rustc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-38497 [Cargo does not respect umask when extracting packages]
+   - rustc 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2
+   TODO: check details
 CVE-2023-4147 [netfilter: nf_tables: disallow rule addition to bound chain via 
NFTA_RULE_CHAIN_ID]
- linux 
[buster] - linux  (Vulnerable code not present)
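Review bot: the entry tracks CVE-2023-38497 against rustc while the bracketed title places the flaw in Cargo's package extraction (umask not respected); the open `TODO: check details` should include confirming which Debian source package actually ships the affected Cargo code, so that a separate cargo source package, if one exists in the archive, does not go untracked.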



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b76922b8d47bd96995283e9d4d09ff8909f73579



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4134/linux

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b139d31 by Salvatore Bonaccorso at 2023-08-04T06:35:30+02:00
Add CVE-2023-4134/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8,6 +8,10 @@ CVE-2023-4138 (Allocation of Resources Without Limits or 
Throttling in GitHub re
- rdiffweb  (bug #969974)
 CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: CrafterCMS
+CVE-2023-4134 [Input: cyttsp4_core - change del_timer_sync() to 
timer_shutdown_sync()]
+   - linux 6.4.4-1 (unimportant)
+   NOTE: 
https://git.kernel.org/linus/dbe836576f12743a7d2d170ad4ad4fd324c4d47a (6.5-rc1)
+   NOTE: TOUCHSCREEN_CYTTSP4_CORE not enabled in Debian
 CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in 
the Li ...)
- linux 6.3.7-1
NOTE: 
https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b139d31fd3437a60c18dea95a43cda37c509e34



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4147/linux

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e33dbb19 by Salvatore Bonaccorso at 2023-08-04T06:29:01+02:00
Add CVE-2023-4147/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-4147 [netfilter: nf_tables: disallow rule addition to bound chain via 
NFTA_RULE_CHAIN_ID]
+   - linux 
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/0ebc1064e4874d5987722a2ddbc18f94aa53b211 (6.5-rc4)
 CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/custo ...)
NOT-FOR-US: pimcore/customer-data-framework
 CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub 
reposit ...)
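Review bot: CVE-2023-4147 is recorded with no fixed version and with only buster annotated as not affected, so bullseye and bookworm count as vulnerable until the fix from 6.5-rc4 (commit 0ebc1064e4874d5987722a2ddbc18f94aa53b211) reaches their kernels; that is the safe default, but a NOTE stating whether the fix has been queued for the stable series would help whoever picks this up for the next kernel update.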



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e33dbb195aabf77460960fb95d1d19307e4ddd21



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3180/qemu

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
193919a1 by Salvatore Bonaccorso at 2023-08-04T06:22:10+02:00
Add CVE-2023-3180/qemu

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -63,7 +63,9 @@ CVE-2023-3346 (Buffer Copy without Checking Size of Input 
('Classic Buffer Overf
 CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are 
vulnerable t ...)
TODO: check
 CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while 
handling data ...)
-   TODO: check
+   - qemu 
+   NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2
 (v2.8.0-rc0)
+   NOTE: Proposed patch: 
https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00401.html
 CVE-2023-39144 (Element55 KnowMore appliances version 21 and older was 
discovered to s ...)
TODO: check
 CVE-2023-39121 (emlog v2.1.9 was discovered to contain a SQL injection 
vulnerability v ...)
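Review bot: the "Introduced by" reference with its v2.8.0-rc0 tag is what decides suite exposure here, and since every current Debian release ships a QEMU newer than 2.8, none of them can be marked not affected on that basis; the "Proposed patch" NOTE points at a mailing-list submission rather than a merged commit, so the entry should be revisited once the fix is committed upstream and the NOTE updated to the commit URL before any fixed version is recorded.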



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/193919a1edf13615b03597d300caa1c3bd5283ee



[Git][security-tracker-team/security-tracker][master] Correct the reference for CVE-2023-38560

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd9aceb9 by Salvatore Bonaccorso at 2023-08-04T06:06:26+02:00
Correct the reference for CVE-2023-38560

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -350,7 +350,7 @@ CVE-2023-39108 (rconfig v3.9.4 was discovered to contain a 
Server-Side Request F
NOT-FOR-US: rConfig
 CVE-2023-38560 (An integer overflow flaw was found in pcl/pl/plfont.c:418 in 
pl_glyph_ ...)
- ghostscript 
-   NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897
+   NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706898
NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174cb25a0cd44a1c0706c2ed73fc95bef
 CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in 
devn_pcx_w ...)
- ghostscript 
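Review bot: the bugzilla reference for CVE-2023-38560 moves from 706897 to 706898, but the adjacent CVE-2023-38559 entry (`base/gdevdevn.c:1973`) has no bug reference at all; if 706897 was the report for that neighbouring issue rather than a typo, it belongs on CVE-2023-38559 so the correction does not silently drop a valid reference.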



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd9aceb9dea47d490d733685b418dd9c094eaf3a



[Git][security-tracker-team/security-tracker][master] dla: take ghostscript

2023-08-03 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab840cc4 by Adrian Bunk at 2023-08-04T01:47:07+03:00
dla: take ghostscript

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,7 +52,7 @@ dogecoin
 firefox-esr (Emilio)
   NOTE: 20230802: Added by pochu
 --
-ghostscript
+ghostscript (Adrian Bunk)
   NOTE: 20230803: Added by Front-Desk (gladk)
 --
 glib2.0 (santiago)
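Review bot: the claim is written as `ghostscript (Adrian Bunk)` while the other entries in dla-needed.txt use the salsa username in parentheses (`firefox-esr (Emilio)`, `glib2.0 (santiago)`, `Front-Desk (gladk)`); using `(bunk)` would keep the claimant field consistent for anyone grepping the file by username.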



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab840cc4adbf1dd54e818ddadcdbb37ddb731076



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4132/linux

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afcd48da by Salvatore Bonaccorso at 2023-08-03T22:49:54+02:00
Add CVE-2023-4132/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8,7 +8,10 @@ CVE-2023-4133 (A use-after-free vulnerability was found in the 
cxgb4 driver in t
- linux 6.3.7-1
NOTE: 
https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3)
 CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb 
module in ...)
-   TODO: check
+- linux 6.4.4-1
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2221707
+   NOTE: 
https://git.kernel.org/linus/ebad8e731c1c06adf04621d6fd327b860c0861b5 (6.3-rc1)
+   NOTE: 
https://git.kernel.org/linus/6f489a966fbeb0da63d45c2c66a8957eab604bf6 (6.5-rc1)
 CVE-2023-4127 (Race Condition within a Thread in GitHub repository 
answerdev/answer p ...)
NOT-FOR-US: answerdev/answer
 CVE-2023-4126 (Insufficient Session Expiration in GitHub repository 
answerdev/answer  ...)
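Review bot: the added `+- linux 6.4.4-1` line lacks the three-space indentation that the `-   TODO: check` line it replaces and the following `+   NOTE:` lines carry, so it will not be read as the package line of CVE-2023-4132 but as a stray top-level line; the fix is `   - linux 6.4.4-1`, which commit 0690b12b in this digest applies.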



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afcd48da5354d6882dcff1f251b3480b66d2df36



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4133/linux

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2bdfb610 by Salvatore Bonaccorso at 2023-08-03T22:47:33+02:00
Add CVE-2023-4133/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,8 @@ CVE-2023-4138 (Allocation of Resources Without Limits or 
Throttling in GitHub re
 CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: CrafterCMS
 CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in 
the Li ...)
-   TODO: check
+   - linux 6.3.7-1
+   NOTE: 
https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3)
 CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb 
module in ...)
TODO: check
 CVE-2023-4127 (Race Condition within a Thread in GitHub repository 
answerdev/answer p ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bdfb610f4fa286b420c64a0a7146d1f38926bdc



[Git][security-tracker-team/security-tracker][master] LTS: add ghostscript

2023-08-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
61ad503e by Anton Gladky at 2023-08-03T22:44:45+02:00
LTS: add ghostscript

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -52,6 +52,9 @@ dogecoin
 firefox-esr (Emilio)
   NOTE: 20230802: Added by pochu
 --
+ghostscript
+  NOTE: 20230803: Added by Front-Desk (gladk)
+--
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c



[Git][security-tracker-team/security-tracker][master] Django DSA

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e065ac2b by Moritz Mühlenhoff at 2023-08-03T22:42:51+02:00
Django DSA

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -10889,6 +10889,7 @@ CVE-2023-31048
 CVE-2023-31047 (In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 
4.2.1, i ...)
{DLA-3415-1}
- python-django 3:3.2.19-1 (bug #1035467)
+   [bullseye] - python-django 2:2.2.28-1~deb11u2
NOTE: 
https://www.djangoproject.com/weblog/2023/may/03/security-releases/
NOTE: 
https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b
 (main)
NOTE: 
https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965
 (3.2.19)
@@ -30616,6 +30617,7 @@ CVE-2023-0526 (The Post Shortcode WordPress plugin 
through 2.0.9 does not valida
 CVE-2023-24580 (An issue was discovered in the Multipart Request Parser in 
Django 3.2  ...)
{DLA-3329-1}
- python-django 3:3.2.18-1 (bug #1031290)
+   [bullseye] - python-django 2:2.2.28-1~deb11u2
NOTE: 
https://www.djangoproject.com/weblog/2023/feb/14/security-releases/
NOTE: 
https://github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8
 (3.2.18)
 CVE-2023-24579 (McAfee Total Protection prior to 16.0.51 allows attackers to 
trick a v ...)
@@ -32414,6 +32416,7 @@ CVE-2022-48279 (In ModSecurity before 2.9.6 and 3.x 
before 3.0.8, HTTP multipart
 CVE-2023-23969 (In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 
4.1.6, t ...)
{DLA-3306-1}
- python-django 3:3.2.17-1 (bug #1030251)
+   [bullseye] - python-django 2:2.2.28-1~deb11u2
NOTE: https://www.openwall.com/lists/oss-security/2023/02/01/4
NOTE: 
https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a
 (3.2.17)
 CVE-2023-23968


=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[03 Aug 2023] DSA-5465-1 python-django - security update
+   {CVE-2023-36053}
+   [bullseye] - python-django 2:2.2.28-1~deb11u2
+   [bookworm] - python-django 3:3.2.19-1+deb12u1
 [03 Aug 2023] DSA-5464-1 firefox-esr - security update
{CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 
CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
[bullseye] - firefox-esr 102.14.0esr-1~deb11u1
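Review bot: DSA-5465-1 lists only CVE-2023-36053, yet the same bullseye version 2:2.2.28-1~deb11u2 is recorded in this commit as the fix for CVE-2023-31047, CVE-2023-24580 and CVE-2023-23969; if the bullseye upload addresses those three as well, they should be added to the `{...}` CVE list of the DSA entry so the tracker links the advisory to every issue it fixes, otherwise the bullseye lines on those three entries should say why that version is recorded there.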


=
data/dsa-needed.txt
=
@@ -60,8 +60,6 @@ php-horde-turba/oldstable
 --
 py7zr/oldstable
 --
-python-django (jmm)
---
 python-glance-store/oldstable
 --
 python-os-brick/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e065ac2bb8b92d7b847e7568c5dffde4ec89337d



[Git][security-tracker-team/security-tracker][master] LTS: CVE-2023-34478 mark as no-dsa

2023-08-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16b66fa0 by Anton Gladky at 2023-08-03T22:38:57+02:00
LTS: CVE-2023-34478 mark as no-dsa

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1552,6 +1552,7 @@ CVE-2023-34478 (Apache Shiro, before 1.12.0 or 
2.0.0-alpha-3, may be susceptible
- shiro 
[bookworm] - shiro  (Minor issue)
[bullseye] - shiro  (Minor issue)
+   [buster] - shiro  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4
 CVE-2023-34429 (Weintek Weincloud v0.13.6 could allow an attacker to cause 
a denia ...)
NOT-FOR-US: Weincloud



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4138/rdiffweb, itp'ed

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f586cd29 by Salvatore Bonaccorso at 2023-08-03T22:32:30+02:00
Add CVE-2023-4138/rdiffweb, itp'ed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/custo ...)
NOT-FOR-US: pimcore/customer-data-framework
 CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub 
reposit ...)
-   TODO: check
+   - rdiffweb  (bug #969974)
 CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: CrafterCMS
 CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in 
the Li ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f586cd29e610b5bcf88b6d5381b4619c61d95e82



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9aaeb948 by Salvatore Bonaccorso at 2023-08-03T22:31:47+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,45 +1,45 @@
 CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/custo ...)
-   TODO: check
+   NOT-FOR-US: pimcore/customer-data-framework
 CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub 
reposit ...)
TODO: check
 CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
-   TODO: check
+   NOT-FOR-US: CrafterCMS
 CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in 
the Li ...)
TODO: check
 CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb 
module in ...)
TODO: check
 CVE-2023-4127 (Race Condition within a Thread in GitHub repository 
answerdev/answer p ...)
-   TODO: check
+   NOT-FOR-US: answerdev/answer
 CVE-2023-4126 (Insufficient Session Expiration in GitHub repository 
answerdev/answer  ...)
-   TODO: check
+   NOT-FOR-US: answerdev/answer
 CVE-2023-4125 (Weak Password Requirements in GitHub repository 
answerdev/answer prior ...)
-   TODO: check
+   NOT-FOR-US: answerdev/answer
 CVE-2023-4124 (Missing Authorization in GitHub repository answerdev/answer 
prior to v ...)
-   TODO: check
+   NOT-FOR-US: answerdev/answer
 CVE-2023-4121 (A vulnerability was found in Beijing Baichuo Smart S85F 
Management Pla ...)
-   TODO: check
+   NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform
 CVE-2023-4120 (A vulnerability was found in Beijing Baichuo Smart S85F 
Management Pla ...)
-   TODO: check
+   NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform
 CVE-2023-4119 (A vulnerability has been found in Academy LMS 6.0 and 
classified as pr ...)
-   TODO: check
+   NOT-FOR-US: Academy LMS
 CVE-2023-4118 (A vulnerability, which was classified as problematic, was found 
in Cut ...)
TODO: check
 CVE-2023-4117 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Rental Property Booking
 CVE-2023-4116 (A vulnerability classified as problematic was found in PHP 
Jabbers Tax ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Taxi Booking
 CVE-2023-4115 (A vulnerability classified as problematic has been found in PHP 
Jabber ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Cleaning Business
 CVE-2023-4114 (A vulnerability was found in PHP Jabbers Night Club Booking 
Software 1 ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Night Club Booking Software
 CVE-2023-4113 (A vulnerability was found in PHP Jabbers Service Booking Script 
1.0. I ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Service Booking Script
 CVE-2023-4112 (A vulnerability was found in PHP Jabbers Shuttle Booking 
Software 1.0. ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Shuttle Booking Software
 CVE-2023-4111 (A vulnerability was found in PHP Jabbers Bus Reservation System 
1.1 an ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Bus Reservation System
 CVE-2023-4110 (A vulnerability has been found in PHP Jabbers Availability 
Booking Cal ...)
-   TODO: check
+   NOT-FOR-US: PHP Jabbers Availability Booking Calendar
 CVE-2023-3932 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
TODO: check
 CVE-2023-3766 (A vulnerability was discovered in the odoh-rs rust crate that 
stems fr ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aaeb948a34ccc778aaace3e552820843170f8fa



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e19a95ef by security tracker role at 2023-08-03T20:21:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,177 @@
+CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/custo ...)
+   TODO: check
+CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub 
reposit ...)
+   TODO: check
+CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in 
the Li ...)
+   TODO: check
+CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb 
module in ...)
+   TODO: check
+CVE-2023-4127 (Race Condition within a Thread in GitHub repository 
answerdev/answer p ...)
+   TODO: check
+CVE-2023-4126 (Insufficient Session Expiration in GitHub repository 
answerdev/answer  ...)
+   TODO: check
+CVE-2023-4125 (Weak Password Requirements in GitHub repository 
answerdev/answer prior ...)
+   TODO: check
+CVE-2023-4124 (Missing Authorization in GitHub repository answerdev/answer 
prior to v ...)
+   TODO: check
+CVE-2023-4121 (A vulnerability was found in Beijing Baichuo Smart S85F 
Management Pla ...)
+   TODO: check
+CVE-2023-4120 (A vulnerability was found in Beijing Baichuo Smart S85F 
Management Pla ...)
+   TODO: check
+CVE-2023-4119 (A vulnerability has been found in Academy LMS 6.0 and 
classified as pr ...)
+   TODO: check
+CVE-2023-4118 (A vulnerability, which was classified as problematic, was found 
in Cut ...)
+   TODO: check
+CVE-2023-4117 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2023-4116 (A vulnerability classified as problematic was found in PHP 
Jabbers Tax ...)
+   TODO: check
+CVE-2023-4115 (A vulnerability classified as problematic has been found in PHP 
Jabber ...)
+   TODO: check
+CVE-2023-4114 (A vulnerability was found in PHP Jabbers Night Club Booking 
Software 1 ...)
+   TODO: check
+CVE-2023-4113 (A vulnerability was found in PHP Jabbers Service Booking Script 
1.0. I ...)
+   TODO: check
+CVE-2023-4112 (A vulnerability was found in PHP Jabbers Shuttle Booking 
Software 1.0. ...)
+   TODO: check
+CVE-2023-4111 (A vulnerability was found in PHP Jabbers Bus Reservation System 
1.1 an ...)
+   TODO: check
+CVE-2023-4110 (A vulnerability has been found in PHP Jabbers Availability 
Booking Cal ...)
+   TODO: check
+CVE-2023-3932 (An issue has been discovered in GitLab EE affecting all 
versions start ...)
+   TODO: check
+CVE-2023-3766 (A vulnerability was discovered in the odoh-rs rust crate that 
stems fr ...)
+   TODO: check
+CVE-2023-3749 (A local user could edit the VideoEdge configuration file and 
interfere ...)
+   TODO: check
+CVE-2023-3669 (A missing Brute-Force protection in CODESYS Development System 
prior t ...)
+   TODO: check
+CVE-2023-3663 (In CODESYS Development System versions from 3.5.11.20 and 
before 3.5.1 ...)
+   TODO: check
+CVE-2023-3662 (In CODESYS Development System versions from 3.5.17.0 and prior 
to 3.5. ...)
+   TODO: check
+CVE-2023-3348 (The Wrangler command line tool (<=wrangler@3.1.0) was affected 
by a di ...)
+   TODO: check
+CVE-2023-3346 (Buffer Copy without Checking Size of Input ('Classic Buffer 
Overflow') ...)
+   TODO: check
+CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are 
vulnerable t ...)
+   TODO: check
+CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while 
handling data ...)
+   TODO: check
+CVE-2023-39144 (Element55 KnowMore appliances version 21 and older was 
discovered to s ...)
+   TODO: check
+CVE-2023-39121 (emlog v2.1.9 was discovered to contain a SQL injection 
vulnerability v ...)
+   TODO: check
+CVE-2023-39114 (ngiflib commit 84a75 was discovered to contain a segmentation 
violatio ...)
+   TODO: check
+CVE-2023-39113 (ngiflib commit fb271 was discovered to contain a segmentation 
violatio ...)
+   TODO: check
+CVE-2023-39097 (WebBoss.io CMS v3.7.0.1 contains a stored cross-site scripting 
(XSS) v ...)
+   TODO: check
+CVE-2023-39096 (WebBoss.io CMS v3.7.0.1 contains a stored Cross-Site Scripting 
(XSS) v ...)
+   TODO: check
+CVE-2023-39075 (Renault Zoe EV 2021 automotive infotainment system versions 
283C35202R ...)
+   TODO: check
+CVE-2023-38958 (An access control issue in ZKTeco BioAccess IVS v3.3.1 allows 
unauthen ...)
+   TODO: check
+CVE-2023-38956 (A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 
allows u ...)
+   TODO: check
+CVE-2023-38955 (ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers 
to obtain ...)
+   TODO: check

[Git][security-tracker-team/security-tracker][master] Track thunderbird fixes via unstable

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
01e263ff by Salvatore Bonaccorso at 2023-08-03T22:18:24+02:00
Track thunderbird fixes via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -207,7 +207,7 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, and
[bookworm] - firefox-esr  (Only affects Firefox ESR 115.1)
[bullseye] - firefox-esr  (Only affects Firefox ESR 115.1)
[buster] - firefox-esr  (Only affects Firefox ESR 115.1)
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
[bookworm] - thunderbird  (Only affects Thunderbird 115.1)
[bullseye] - thunderbird  (Only affects Thunderbird 115.1)
[buster] - thunderbird  (Only affects Thunderbird 115.1)
@@ -217,7 +217,7 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, and
 CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, 
Firefox  ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4056
@@ -226,7 +226,7 @@ CVE-2023-4056 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, Fir
 CVE-2023-4055 (When the number of cookies per domain was exceeded in 
`document.cookie ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4055
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055
@@ -257,7 +257,7 @@ CVE-2023-4051 (A website could have obscured the full 
screen notification by usi
 CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack 
buffer  ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4050
@@ -266,7 +266,7 @@ CVE-2023-4050 (In some cases, an untrusted input stream was 
copied to a stack bu
 CVE-2023-4049 (Race conditions in reference counting code were found through 
code ins ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4049
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4049
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4049
@@ -275,7 +275,7 @@ CVE-2023-4049 (Race conditions in reference counting code 
were found through cod
 CVE-2023-4048 (An out-of-bounds read could have led to an exploitable crash 
when pars ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4048
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4048
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4048
@@ -284,7 +284,7 @@ CVE-2023-4048 (An out-of-bounds read could have led to an 
exploitable crash when
 CVE-2023-4047 (A bug in popup notifications delay calculation could have made 
it poss ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4047
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4047
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4047
@@ -293,7 +293,7 @@ CVE-2023-4047 (A bug in popup notifications delay 
calculation could have made it
 CVE-2023-4046 (In some circumstances, a stale value could have been used for a 
global ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
-   - thunderbird 
+   - thunderbird 1:115.1.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4046
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4046
NOTE: 

[Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d22a6e0 by Salvatore Bonaccorso at 2023-08-03T22:16:16+02:00
Add thunderbird to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -95,6 +95,8 @@ sox
   all issues unfixed upstream
   for CVE-2023-34432, rest can be ignored
 --
+thunderbird (jmm)
+--
 tiff
 --
 wpewebkit/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d22a6e0296d83ae43fb87201597a9bea39caacf



[Git][security-tracker-team/security-tracker][master] Followup thunderbird entries with mfsa2023-33

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
36f7d264 by Salvatore Bonaccorso at 2023-08-03T22:15:27+02:00
Followup thunderbird entries with mfsa2023-33

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -207,8 +207,13 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, and
[bookworm] - firefox-esr  (Only affects Firefox ESR 115.1)
[bullseye] - firefox-esr  (Only affects Firefox ESR 115.1)
[buster] - firefox-esr  (Only affects Firefox ESR 115.1)
+   - thunderbird 
+   [bookworm] - thunderbird  (Only affects Thunderbird 115.1)
+   [bullseye] - thunderbird  (Only affects Thunderbird 115.1)
+   [buster] - thunderbird  (Only affects Thunderbird 115.1)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4057
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4057
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4057
 CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, 
Firefox  ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
@@ -217,6 +222,7 @@ CVE-2023-4056 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, Fir
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4056
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4056
 CVE-2023-4055 (When the number of cookies per domain was exceeded in 
`document.cookie ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
@@ -225,6 +231,7 @@ CVE-2023-4055 (When the number of cookies per domain was 
exceeded in `document.c
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4055
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4055
 CVE-2023-4054 (When opening appref-ms files, Firefox did not warn the user 
that these ...)
- firefox  (Affects only Firefox on Windows)
- firefox-esr  (Affects only Firefox on Windows)
@@ -233,14 +240,17 @@ CVE-2023-4054 (When opening appref-ms files, Firefox did 
not warn the user that
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4054
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4054
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4054
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4054
 CVE-2023-4053 (A website could have obscured the full screen notification by 
using a  ...)
- firefox 116.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4053
 CVE-2023-4052 (The Firefox updater created a directory writable by 
non-privileged use ...)
- firefox  (Affects only Firefox on Windows)
- firefox-esr  (Affects only Firefox ESR 115.0.1 on 
Windows)
+   - thunderbird  (Affects only Thunderbird on Windows)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4052
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4052
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4052
 CVE-2023-4051 (A website could have obscured the full screen notification by 
using th ...)
- firefox 116.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4051
@@ -252,6 +262,7 @@ CVE-2023-4050 (In some cases, an untrusted input stream was 
copied to a stack bu
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4050
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4050
 CVE-2023-4049 (Race conditions in reference counting code were found through 
code ins ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
@@ -260,6 +271,7 @@ CVE-2023-4049 (Race conditions in reference counting code 
were found through cod
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4049
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4049
NOTE: 

[Git][security-tracker-team/security-tracker][master] Add thunderbird from mfsa2023-32

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bb2b5965 by Salvatore Bonaccorso at 2023-08-03T22:11:32+02:00
Add thunderbird from mfsa2023-32

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -212,21 +212,27 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, and
 CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, 
Firefox  ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4056
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4056
 CVE-2023-4055 (When the number of cookies per domain was exceeded in 
`document.cookie ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4055
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4055
 CVE-2023-4054 (When opening appref-ms files, Firefox did not warn the user 
that these ...)
- firefox  (Affects only Firefox on Windows)
- firefox-esr  (Affects only Firefox on Windows)
+   - thunderbird  (Affects only Thunderbird on Windows)
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4054
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4054
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4054
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4054
 CVE-2023-4053 (A website could have obscured the full screen notification by 
using a  ...)
- firefox 116.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4053
@@ -241,39 +247,51 @@ CVE-2023-4051 (A website could have obscured the full 
screen notification by usi
 CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack 
buffer  ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4050
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4050
 CVE-2023-4049 (Race conditions in reference counting code were found through 
code ins ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4049
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4049
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4049
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4049
 CVE-2023-4048 (An out-of-bounds read could have led to an exploitable crash 
when pars ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4048
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4048
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4048
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4048
 CVE-2023-4047 (A bug in popup notifications delay calculation could have made 
it poss ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4047
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4047
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4047
+   NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4047
 CVE-2023-4046 (In some circumstances, a stale value could have been used for a 
global ...)
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
+   - thunderbird 
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4046
NOTE: 

[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-4907/ffmpeg

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86f0e8f2 by Salvatore Bonaccorso at 2023-08-03T21:34:27+02:00
Update information for CVE-2022-4907/ffmpeg

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27074,9 +27074,9 @@ CVE-2022-4907 (Uninitialized Use in FFmpeg in Google 
Chrome prior to 108.0.5359.
[buster] - chromium  (see DSA 5046)
- ffmpeg 7:6.0-4
[bookworm] - ffmpeg  (Minor issue, wait until it lands in 
5.1.x)
-   [bullseye] - ffmpeg  (Minor issue, wait until it lands in 
4.3.x)
+   [bullseye] - ffmpeg  (Vulnerable code introduced later)
[buster] - ffmpeg  (Vulnerable code introduced later)
-   NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b
 (n6.0)
+   NOTE: Fixed by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b
 (n6.0)
NOTE: Introduced by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c3bf53fab2165f52b3f71412664668dd75e10a0f
 (n5.1)
 CVE-2022-4906 (Inappropriate implementation in Blink in Google Chrome prior to 
108.0. ...)
{DSA-5293-1}



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86f0e8f2d45b94c8339dc4a1fe273c9e5195e5ba



[Git][security-tracker-team/security-tracker][master] Add references for CVE-2023-4104/mozillavpn

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d66f0fd6 by Salvatore Bonaccorso at 2023-08-03T21:27:25+02:00
Add references for CVE-2023-4104/mozillavpn

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,6 +1,8 @@
 CVE-2023-4104
- mozillavpn 
NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/1
+   NOTE: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7055
+   NOTE: 
https://github.com/mozilla-mobile/mozilla-vpn-client/commit/6933a07164cd69636889403c959ac2c2b115e0f6
 CVE-2023-3971
NOT-FOR-US: Red Hat Ansible Automation Controller
 CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77]



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d66f0fd6f9505b54af7b1501e09dbc52e8fa8811



[Git][security-tracker-team/security-tracker][master] Add upstream commit for CVE-2023-3978

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
82233059 by Salvatore Bonaccorso at 2023-08-03T21:20:38+02:00
Add upstream commit for CVE-2023-3978

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49,6 +49,7 @@ CVE-2023-3978 (Text nodes not in the HTML namespace are 
incorrectly literally re
NOTE: https://go.dev/cl/514896
NOTE: https://go.dev/issue/61615
NOTE: https://pkg.go.dev/vuln/GO-2023-1988
+   NOTE: 
https://github.com/golang/net/commit/8ffa475fbdb33da97e8bf79cc5791ee8751fca5e 
(v0.13.0)
 CVE-2023-3470 (Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards 
generat ...)
NOT-FOR-US: F5 BIG-IP
 CVE-2023-3426 (The organization selector in Liferay Portal 7.4.3.81 through 
7.4.3.85, ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82233059859de1435f259348dcad54d6bc1206ef



[Git][security-tracker-team/security-tracker][master] CVE-2023-25435/tiff: reference prior CVE fixed with same patch

2023-08-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
259dd1c5 by Sylvain Beucler at 2023-08-03T19:59:30+02:00
CVE-2023-25435/tiff: reference prior CVE fixed with same patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28032,6 +28032,7 @@ CVE-2023-25435 (libtiff 4.5.0 is vulnerable to Buffer 
Overflow via extractContig
[buster] - tiff 4.1.0+git191117-2~deb10u7
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/518
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38
 (v4.5.1rc1)
+   NOTE: Same fix as CVE-2023-0795
 CVE-2023-25434 (libtiff 4.5.0 is vulnerable to Buffer Overflow via 
extractContigSample ...)
- tiff 4.5.0-5
[bullseye] - tiff 4.2.0-1+deb11u4



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/259dd1c5210ff7bc2c69f6480f827c3d7cd7c65c



[Git][security-tracker-team/security-tracker][master] firefox-esr DSA

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d6c4e882 by Moritz Mühlenhoff at 2023-08-03T19:22:59+02:00
firefox-esr DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[03 Aug 2023] DSA-5464-1 firefox-esr - security update
+   {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 
CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
+   [bullseye] - firefox-esr 102.14.0esr-1~deb11u1
+   [bookworm] - firefox-esr 102.14.0esr-1~deb12u1
 [30 Jul 2023] DSA-5463-1 thunderbird - security update
{CVE-2023-3417}
[bullseye] - thunderbird 1:102.13.1-1~deb11u1


=
data/dsa-needed.txt
=
@@ -21,8 +21,6 @@ cjose
 --
 cinder/oldstable
 --
-firefox-esr (jmm)
---
 frr (aron)
   maintainer proposed to update to 8.4.4 for bookworm, which might be a good 
idea
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6c4e8824eb8c8c6186938f339b6b4e6d1924c82



[Git][security-tracker-team/security-tracker][master] rxvt-unicode fixed in sid

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
908e093e by Moritz Mühlenhoff at 2023-08-03T17:46:44+02:00
rxvt-unicode fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -45618,7 +45618,7 @@ CVE-2022-43464 (Hidden functionality vulnerability in 
UDR-JA1604/UDR-JA1608/UDR-
 CVE-2022-4171 (The demon image annotation plugin for WordPress is vulnerable 
to impro ...)
NOT-FOR-US: demon image annotation plugin for WordPress
 CVE-2022-4170 (The rxvt-unicode package is vulnerable to a remote code 
execution, in  ...)
-   - rxvt-unicode  (bug #1025489)
+   - rxvt-unicode 9.31-1 (bug #1025489)
[bookworm] - rxvt-unicode  (Minor issue)
[bullseye] - rxvt-unicode  (Vulnerable code introduced 
later)
[buster] - rxvt-unicode  (Vulnerable code introduced 
later)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/908e093e933fd14b6e76291c2f9355e624217248



[Git][security-tracker-team/security-tracker][master] Add cakephp to embedded code copy

2023-08-03 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ac4addff by Bastien Roucariès at 2023-08-03T15:09:14+00:00
Add cakephp to embedded code copy

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -3817,3 +3817,6 @@ php-font-lib
 
 llhttp (ITP: #977716)
- python-aiohttp  (embed)
+
+cakephp
+   - zoneminder  (embed; bug #1042970)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac4addff0c2463411d84d4da349c526817181eed



[Git][security-tracker-team/security-tracker][master] CVE-2022-4907/ffmpeg: buster not-affected

2023-08-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5f583338 by Sylvain Beucler at 2023-08-03T13:30:14+02:00
CVE-2022-4907/ffmpeg: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27072,7 +27072,9 @@ CVE-2022-4907 (Uninitialized Use in FFmpeg in Google 
Chrome prior to 108.0.5359.
- ffmpeg 7:6.0-4
[bookworm] - ffmpeg  (Minor issue, wait until it lands in 
5.1.x)
[bullseye] - ffmpeg  (Minor issue, wait until it lands in 
4.3.x)
+   [buster] - ffmpeg  (Vulnerable code introduced later)
NOTE: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b
 (n6.0)
+   NOTE: Introduced by: 
https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c3bf53fab2165f52b3f71412664668dd75e10a0f
 (n5.1)
 CVE-2022-4906 (Inappropriate implementation in Blink in Google Chrome prior to 
108.0. ...)
{DSA-5293-1}
- chromium 108.0.5359.71-1
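Review bot: the bullseye line in this hunk still reads "Minor issue, wait until it lands in 4.3.x" although the newly added "Introduced by" note points at a commit first shipped in n5.1; bullseye's ffmpeg 4.3.x therefore predates the vulnerable code just as buster's does, so the bullseye entry should carry the same "Vulnerable code introduced later" marking instead of a postponed fix.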



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f5833386d7f41d06befbed3d2adb298547ae0de



[Git][security-tracker-team/security-tracker][master] Mark chef debian package not-affected by CVE-2023-28864

2023-08-03 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16c3addf by Bastien Roucariès at 2023-08-03T11:01:47+00:00
Mark chef debian package not-affected by CVE-2023-28864

The chef-server upstream package was removed from the chef Debian package in 201207, after the reintroduction of chef in 201205.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17220,6 +17220,7 @@ CVE-2023-28865
RESERVED
 CVE-2023-28864 (Progress Chef Infra Server before 15.7 allows a local attacker 
to expl ...)
- chef 
+   [buster] - chef  (chef package does not include upstream 
chef-server)
NOTE: 
https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation
NOTE: 
https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42
NOTE: Fixed by: 
https://github.com/chef/chef-server/commit/985dfee99044ff477dbc08462b6d69add70f8608
 (15.7.0)
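Review bot: the justification given in the commit message (chef-server dropped from the chef source package in 201207) applies to the source package as a whole, yet only the [buster] line is marked not-affected while the unfixed "- chef" line for unstable is kept; if chef is still present in any other tracked suite the same marking belongs there too, and if buster is the only suite that still ships chef, stating that in the annotation would make the entry self-explanatory.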



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c3addf684ddf5da8d7aa9d7fc751415fbcd4a6



[Git][security-tracker-team/security-tracker][master] chromium fixed in sid

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4c38d4e5 by Moritz Mühlenhoff at 2023-08-03T12:51:59+02:00
chromium fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,37 +9,37 @@ CVE-2023-34320 [arm: Guests can trigger a deadlock on 
Cortex-A77]
NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1
NOTE: https://xenbits.xen.org/xsa/advisory-436.html
 CVE-2023-4078
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4077
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4076
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4075
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4074
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4073
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4072
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4071
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4070
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4069
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4068
-   - chromium 
+   - chromium 115.0.5790.170-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for 
WordPress is v ...)
NOT-FOR-US: Bus Ticket Booking with Seat Reservation plugin for 
WordPress
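Review bot: all eleven entries receive the same fixed version 115.0.5790.170-1, but none gets a NOTE pointing at the upstream Chrome stable-channel release that bundles these CVEs, so nothing in the file ties that version to the fix; add the release announcement as a NOTE (at least on the first entry). Before marking, confirm with `rmadison chromium` that 115.0.5790.170-1 is the version actually accepted into sid. The unchanged `[buster] - chromium  (see DSA 5046)` lines also show no state token between the package and the parenthesised reason in this rendering.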



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c38d4e51c0a215e4cd5cfc46eaf7d3428ad84af



[Git][security-tracker-team/security-tracker][master] new mozillavpn issue

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8fbdf866 by Moritz Mühlenhoff at 2023-08-03T12:23:01+02:00
new mozillavpn issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2023-4104
+   - mozillavpn 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/1
 CVE-2023-3971
NOT-FOR-US: Red Hat Ansible Automation Controller
 CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77]
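Review bot: the new entry references only the oss-security post; there is no upstream fix reference (pull request or commit) and no Debian bug number, so the `- mozillavpn` line with an empty fixed-version field cannot be acted on by anyone else. Add the upstream fix as NOTE lines, reference a bug against mozillavpn, and add a per-release annotation for the stable suites that ship the package once severity is assessed.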



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fbdf866b70bde0207a7db466b5c20b6e07722c6



[Git][security-tracker-team/security-tracker][master] CVE-2023-28864/chef: reference patch

2023-08-03 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9720f53 by Sylvain Beucler at 2023-08-03T12:10:41+02:00
CVE-2023-28864/chef: reference patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17219,6 +17219,7 @@ CVE-2023-28864 (Progress Chef Infra Server before 15.7 
allows a local attacker t
- chef 
NOTE: 
https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation
NOTE: 
https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42
+   NOTE: Fixed by: 
https://github.com/chef/chef-server/commit/985dfee99044ff477dbc08462b6d69add70f8608
 (15.7.0)
NOTE: only chef-server removed since 201207
 CVE-2023-28863 (AMI MegaRAC SPx12 and SPx13 devices have Insufficient 
Verification of  ...)
NOT-FOR-US: AMI
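Review bot: the added `Fixed by:` note gives the chef-server commit and 15.7.0, which matches the description's "before 15.7", but the adjacent unchanged note "only chef-server removed since 201207" is ambiguous: 201207 reads as neither a Debian version string nor a date in the forms this file normally uses. Reword it to state which Debian chef version stopped shipping chef-server, because that is the fact any not-affected decision rests on. The `oc_bifrost.rb#L42` note would also benefit from a few words on what that line shows.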



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9720f53a6b8a954d896b70b50aa518956f11bae



[Git][security-tracker-team/security-tracker][master] new golang-golang-x-net issue

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a025ce3 by Moritz Mühlenhoff at 2023-08-03T10:57:53+02:00
new golang-golang-x-net issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -41,7 +41,11 @@ CVE-2023-4068
 CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for 
WordPress is v ...)
NOT-FOR-US: Bus Ticket Booking with Seat Reservation plugin for 
WordPress
 CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally 
rendere ...)
-   TODO: check
+   - golang-golang-x-net 
+   - golang-golang-x-net-dev 
+   NOTE: https://go.dev/cl/514896
+   NOTE: https://go.dev/issue/61615
+   NOTE: https://pkg.go.dev/vuln/GO-2023-1988
 CVE-2023-3470 (Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards 
generat ...)
NOT-FOR-US: F5 BIG-IP
 CVE-2023-3426 (The organization selector in Liferay Portal 7.4.3.81 through 
7.4.3.85, ...)
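Review bot: the fixed-version field is empty for both golang-golang-x-net and golang-golang-x-net-dev and there is no per-release annotation; since golang.org/x/net/html is statically linked into every Go binary that uses it, uploading a fixed library alone does not remediate already-built reverse dependencies, so record whether affected consumers need a rebuild. The description (text nodes outside the HTML namespace rendered literally by the html package) is what should drive the bullseye/bookworm severity annotation. The three upstream references (CL, issue, GO-2023-1988) are good; consider also noting the x/net version that contains the fix.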



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a025ce381597335dbca4b85fdf962ec335abd00



[Git][security-tracker-team/security-tracker][master] NFUs

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c02bba9 by Moritz Mühlenhoff at 2023-08-03T10:17:07+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -61,7 +61,7 @@ CVE-2023-36858 (An insufficient verification of data 
vulnerability exists in BIG
 CVE-2023-36494 (Audit logs on F5OS-A may contain undisclosed sensitive 
information. No ...)
NOT-FOR-US: F5 BIG-IP
 CVE-2023-36081 (Cross Site Scripting vulnerability in GatesAIr Flexiva FM 
Transmitter/ ...)
-   TODO: check
+   NOT-FOR-US: GatesAIr Flexiva FM Transmitter
 CVE-2023-33383 (Shelly 4PM Pro four-channel smart switch 0.11.0 allows an 
attacker to  ...)
NOT-FOR-US: Shelly 4PM Pro four-channel smart switch
 CVE-2023-33257 (Verint Engagement Management 15.3 Update 2023R2 is vulnerable 
to HTML  ...)
@@ -24675,33 +24675,33 @@ CVE-2023-26453
 CVE-2023-26452
RESERVED
 CVE-2023-26451 (Functions with insufficient randomness were used to generate 
authoriza ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26450 (The "OX Count" web service did not specify a media-type when 
processin ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26449 (The "OX Chat" web service did not specify a media-type when 
processing ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26448 (Custom log-in and log-out locations are used-defined as jslob 
but were ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26447 (The "upsell" widget for the portal allows to specify a product 
descrip ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26446 (The users clientID at "application passwords" was not 
sanitized or esc ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26445 (Frontend themes are defined by user-controllable jslob 
settings and co ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26444
RESERVED
 CVE-2023-26443 (Full-text autocomplete search allows user-provided SQL syntax 
to be in ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26442 (In case Cacheservice was configured to use a sproxyd 
object-storage ba ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26441 (Cacheservice did not correctly check if relative cache object 
were poi ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26440 (The cacheservice API could be abused to indirectly inject 
parameters w ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26439 (The cacheservice API could be abused to inject parameters with 
SQL syn ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26438 (External service lookups for a number of protocols were 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26437 (Denial of service vulnerability in PowerDNS Recursor allows 
authoritat ...)
- pdns-recursor 4.8.4-1 (bug #1033941)
[bullseye] - pdns-recursor  (Minor issue)
@@ -24723,7 +24723,7 @@ CVE-2023-26432 (When adding an external mail account, 
processing of SMTP "capabi
 CVE-2023-26431 (IPv4-mapped IPv6 addresses did not get recognized as "local" 
by the co ...)
NOT-FOR-US: OX App Suite
 CVE-2023-26430 (Attackers with access to user accounts can inject arbitrary 
control ch ...)
-   TODO: check
+   NOT-FOR-US: OX App Suite
 CVE-2023-26429 (Control characters were not removed when exporting user 
feedback conte ...)
NOT-FOR-US: OX App Suite
 CVE-2023-26428 (Attackers can successfully request arbitrary snippet IDs, 
including E- ...)
@@ -24949,9 +24949,9 @@ CVE-2023-26319
 CVE-2023-26318
RESERVED
 CVE-2023-26317 (A vulnerability has been discovered in Xiaomi routers that 
could allow ...)
-   TODO: check
+   NOT-FOR-US: Xiaomi
 CVE-2023-26316 (A XSS vulnerability exists in the Xiaomi cloud service 
Application pro ...)
-   TODO: check
+   NOT-FOR-US: Xiaomi
 CVE-2023-26315
RESERVED
 CVE-2023-0979 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
@@ -44281,9 +44281,9 @@ CVE-2022-46487
 CVE-2022-46486
RESERVED
 CVE-2022-46485 (Data Illusion Survey Software Solutions ngSurvey version 
2.4.28 and be ...)
-   TODO: check
+   NOT-FOR-US: ngSurvey
 CVE-2022-46484 (Information disclosure in password protected surveys in Data 
Illusion  ...)
-   TODO: check
+   NOT-FOR-US: ngSurvey
 CVE-2022-46483
RESERVED
 CVE-2022-46482



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c02bba9e44c1f9c9035851a330de5c8d8fa6681


[Git][security-tracker-team/security-tracker][master] NFU

2023-08-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92acefda by Moritz Mühlenhoff at 2023-08-03T10:11:40+02:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-3971
+   NOT-FOR-US: Red Hat Ansible Automation Controller
 CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77]
- xen 
[buster] - xen  (DSA 4677-1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92acefdac866458b399586201d159dc3449e9391



[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-21400/linux

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
25dea8d7 by Salvatore Bonaccorso at 2023-08-03T08:57:11+02:00
Update information on CVE-2023-21400/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49715,8 +49715,13 @@ CVE-2023-21402
 CVE-2023-21401
RESERVED
 CVE-2023-21400 (In multiple functions  of io_uring.c, there is a possible 
kernel memor ...)
-   NOT-FOR-US: Android/Pixel kernel
-   NOTE: Apparently a Pixel-specific issue, no source release
+   - linux 5.18.2-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://source.android.com/security/bulletin/pixel/2023-07-01
+   NOTE: 
https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html
+   NOTE: https://www.openwall.com/lists/oss-security/2023/07/14/2
+   NOTE: https://www.openwall.com/lists/oss-security/2023/07/25/9
+   NOTE: https://twitter.com/VAR10CK/status/1683303642173153280
 CVE-2023-21399 (there is a possible way to bypass cryptographic assurances due 
to a lo ...)
NOT-FOR-US: Android/Pixel kernel
 CVE-2023-21398
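Review bot: the entry moves from NOT-FOR-US to a Debian fixed version 5.18.2-1 with a buster "Vulnerable code not present" annotation, but none of the NOTE links is the upstream kernel commit or stable release that closed the io_uring issue, so the 5.18.2-1 claim cannot be checked from the file; add the fixing commit. There is also no [bullseye] annotation, and bullseye's 5.10 kernel does carry io_uring, so state explicitly whether its code is affected.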



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25dea8d743ef646d8f76e249fb2f76a60b18e1f6



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34320/xen

2023-08-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
408ac4ea by Salvatore Bonaccorso at 2023-08-03T08:21:14+02:00
Add CVE-2023-34320/xen

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77]
+   - xen 
+   [buster] - xen  (DSA 4677-1)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1
+   NOTE: https://xenbits.xen.org/xsa/advisory-436.html
 CVE-2023-4078
- chromium 
[buster] - chromium  (see DSA 5046)
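Review bot: the only suite annotation is for buster, and the sid line `- xen` has no fixed version while the description marks this as an arm Cortex-A77 guest deadlock (XSA-436); add a bullseye/bookworm annotation (and the xen version carrying the XSA patch once uploaded), and state whether Debian's arm64 xen builds are affected at all, since that decides the severity. The state token between `xen` and `(DSA 4677-1)` is also not visible in this rendering; confirm the raw line has it.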



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/408ac4ea49f425761e9ee1056ca3a0cb4e0d61a5
