[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-4104/mozillavpn
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5a3 by Salvatore Bonaccorso at 2023-08-04T07:29:35+02:00 Add Debian bug reference for CVE-2023-4104/mozillavpn - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -191,7 +191,7 @@ CVE-2023-32764 (Fabasoft Cloud Enterprise Client 23.3.0.130 allows a user to esc CVE-2023-2754 (The Cloudflare WARP client for Windows assigns loopback IPv4 addresses ...) TODO: check CVE-2023-4104 - - mozillavpn + - mozillavpn (bug #1043004) NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/1 NOTE: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7055 NOTE: https://github.com/mozilla-mobile/mozilla-vpn-client/commit/6933a07164cd69636889403c959ac2c2b115e0f6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5a3ac74a8fa337ea11fc478d36dcaf36373 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5a3ac74a8fa337ea11fc478d36dcaf36373 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
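Review bot: the CVE-2023-4104 line still carries no bracketed summary and the mozillavpn entry no fixed version, so the new bug reference is the only human-readable context in the entry; since the oss-security post and the upstream PR and commit are already in the NOTE lines, a short `[...]` summary on the CVE line would let the tracker show what the issue is until MITRE's description arrives via the automatic update.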
[Git][security-tracker-team/security-tracker][master] Fix indentation for CVE-2023-4132/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0690b12b by Salvatore Bonaccorso at 2023-08-04T07:13:12+02:00 Fix indentation for CVE-2023-4132/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,7 +20,7 @@ CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in t - linux 6.3.7-1 NOTE: https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3) CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb module in ...) -- linux 6.4.4-1 + - linux 6.4.4-1 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2221707 NOTE: https://git.kernel.org/linus/ebad8e731c1c06adf04621d6fd327b860c0861b5 (6.3-rc1) NOTE: https://git.kernel.org/linus/6f489a966fbeb0da63d45c2c66a8957eab604bf6 (6.5-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0690b12bbd2d07bab1f554b4e1b8402c5460765d
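Review bot: the removed line `- linux 6.4.4-1` lacked the leading space that every other package line in the hunk carries (`- linux 6.3.7-1` just above it), which is the form the rest of the file uses; the bad line came in with commit afcd48da further down this page, so a syntax check on data/CVE/list before push would have avoided this follow-up commit.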
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for ntpsec update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 96dfa18a by Salvatore Bonaccorso at 2023-08-04T07:11:07+02:00 Reserve DSA number for ntpsec update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[04 Aug 2023] DSA-5466-1 ntpsec - security update + {CVE-2023-4012} + [bookworm] - ntpsec 1.2.2+dfsg1-1+deb12u1 [03 Aug 2023] DSA-5465-1 python-django - security update {CVE-2023-36053} [bullseye] - python-django 2:2.2.28-1~deb11u2 = data/dsa-needed.txt = @@ -42,8 +42,6 @@ nodejs -- nova/oldstable -- -ntpsec (carnil) --- openjdk-11/oldstable (jmm) needs asmtools backport in bullseye -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96dfa18a53a98b7ea2c598a3a762bab53ce2c4ad
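Review bot: the reserved DSA-5466-1 entry covers bookworm only, which matches the CVE-2023-4012 entry recorded in commit a0237619 on this page (bullseye and buster marked "Vulnerable code introduced later"); because the entry is reserved ahead of publication, the bookworm version 1.2.2+dfsg1-1+deb12u1 should be checked against the accepted upload before the advisory text goes out.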
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4012 for ntpsec issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0237619 by Salvatore Bonaccorso at 2023-08-04T07:00:49+02:00 Add CVE-2023-4012 for ntpsec issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -664,11 +664,12 @@ CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External P NOT-FOR-US: SysAid CVE-2023-32225 (Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A ...) NOT-FOR-US: SysAid -CVE-2023- [crash on NTS requests] +CVE-2023-4012 [crash on NTS requests] - ntpsec 1.2.2+dfsg1-2 (bug #1038422) [bullseye] - ntpsec (Vulnerable code introduced later) [buster] - ntpsec (Vulnerable code introduced later) NOTE: https://gitlab.com/NTPsec/ntpsec/-/issues/794 + NOTE: https://blog.ntpsec.org/2023/08/03/version-1.2.2a.html CVE-2023-38988 (An issue in the delete function in the OaNotifyController class of jee ...) NOT-FOR-US: jeesite CVE-2023-3598 (Out of bounds read and write in ANGLE in Google Chrome prior to 114.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a023761902a44d0e28623da641bf3b6b33e9e4dd
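Review bot: the bracketed `[crash on NTS requests]` summary stays as the tracker's own placeholder wording after the CVE id is filled in, which is fine until the automatic update pulls MITRE's text; the added NOTE points at the 1.2.2a release announcement, and recording the upstream fix commit next to the issue link would make the bookworm backport (the only affected suite per the entry) easier to verify.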
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-38497/rustc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b76922b8 by Salvatore Bonaccorso at 2023-08-04T06:48:29+02:00 Add CVE-2023-38497/rustc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-38497 [Cargo does not respect umask when extracting packages] + - rustc + NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2 + TODO: check details CVE-2023-4147 [netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID] - linux [buster] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b76922b8d47bd96995283e9d4d09ff8909f73579
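Review bot: the Cargo umask issue is assigned to the `rustc` source package only; the "check details" TODO should include confirming which Debian source package(s) actually ship the affected Cargo extraction code and which suites carry it, since no fixed version or per-suite annotation is recorded yet and every suite will show as affected in the meantime.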
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4134/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b139d31 by Salvatore Bonaccorso at 2023-08-04T06:35:30+02:00 Add CVE-2023-4134/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,6 +8,10 @@ CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub re - rdiffweb (bug #969974) CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: CrafterCMS +CVE-2023-4134 [Input: cyttsp4_core - change del_timer_sync() to timer_shutdown_sync()] + - linux 6.4.4-1 (unimportant) + NOTE: https://git.kernel.org/linus/dbe836576f12743a7d2d170ad4ad4fd324c4d47a (6.5-rc1) + NOTE: TOUCHSCREEN_CYTTSP4_CORE not enabled in Debian CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in the Li ...) - linux 6.3.7-1 NOTE: https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b139d31fd3437a60c18dea95a43cda37c509e34
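Review bot: the fixed version 6.4.4-1 predates the cited mainline fix dbe83657 (6.5-rc1), so the entry relies on a stable backport; a NOTE naming the stable release that carried it would make that traceable. Rating the issue unimportant because TOUCHSCREEN_CYTTSP4_CORE is not enabled in Debian's kernel configuration is consistent with the rest of the entry.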
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4147/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e33dbb19 by Salvatore Bonaccorso at 2023-08-04T06:29:01+02:00 Add CVE-2023-4147/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-4147 [netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID] + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/0ebc1064e4874d5987722a2ddbc18f94aa53b211 (6.5-rc4) CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/custo ...) NOT-FOR-US: pimcore/customer-data-framework CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e33dbb195aabf77460960fb95d1d19307e4ddd21
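Review bot: no fixed version is recorded for unstable and neither bookworm nor bullseye is annotated, so all three remain flagged as affected next to the buster "Vulnerable code not present" mark; once the 0ebc1064 fix (6.5-rc4) reaches a stable release, the unstable version should be added so the entry stops showing as unfixed.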
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3180/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 193919a1 by Salvatore Bonaccorso at 2023-08-04T06:22:10+02:00 Add CVE-2023-3180/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,7 +63,9 @@ CVE-2023-3346 (Buffer Copy without Checking Size of Input ('Classic Buffer Overf CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are vulnerable t ...) TODO: check CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling data ...) - TODO: check + - qemu + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0) + NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00401.html CVE-2023-39144 (Element55 KnowMore appliances version 21 and older was discovered to s ...) TODO: check CVE-2023-39121 (emlog v2.1.9 was discovered to contain a SQL injection vulnerability v ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/193919a1edf13615b03597d300caa1c3bd5283ee
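Review bot: only a proposed, not yet merged, patch is referenced, so no fixed version can be set and the entry needs a follow-up once the upstream commit lands; as the introducing commit dates from v2.8.0-rc0, every suite that ships a newer qemu is affected until per-suite annotations are added, so the entry is worth a severity mark as well.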
[Git][security-tracker-team/security-tracker][master] Correct the reference for CVE-2023-38560
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dd9aceb9 by Salvatore Bonaccorso at 2023-08-04T06:06:26+02:00 Correct the reference for CVE-2023-38560 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -350,7 +350,7 @@ CVE-2023-39108 (rconfig v3.9.4 was discovered to contain a Server-Side Request F NOT-FOR-US: rConfig CVE-2023-38560 (An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_ ...) - ghostscript - NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897 + NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706898 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174cb25a0cd44a1c0706c2ed73fc95bef CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_w ...) - ghostscript View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd9aceb9dea47d490d733685b418dd9c094eaf3a
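Review bot: the bug id moves by one (706897 to 706898), which looks like an off-by-one from a batch of sequential upstream reports; the neighbouring ghostscript entry CVE-2023-38559 visible just below carries its own references, so it is worth cross-checking the other entries from the same batch for the same slip before moving on.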
[Git][security-tracker-team/security-tracker][master] dla: take ghostscript
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab840cc4 by Adrian Bunk at 2023-08-04T01:47:07+03:00 dla: take ghostscript - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,7 +52,7 @@ dogecoin firefox-esr (Emilio) NOTE: 20230802: Added by pochu -- -ghostscript +ghostscript (Adrian Bunk) NOTE: 20230803: Added by Front-Desk (gladk) -- glib2.0 (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab840cc4adbf1dd54e818ddadcdbb37ddb731076
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4132/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: afcd48da by Salvatore Bonaccorso at 2023-08-03T22:49:54+02:00 Add CVE-2023-4132/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,10 @@ CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in t - linux 6.3.7-1 NOTE: https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3) CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb module in ...) - TODO: check +- linux 6.4.4-1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2221707 + NOTE: https://git.kernel.org/linus/ebad8e731c1c06adf04621d6fd327b860c0861b5 (6.3-rc1) + NOTE: https://git.kernel.org/linus/6f489a966fbeb0da63d45c2c66a8957eab604bf6 (6.5-rc1) CVE-2023-4127 (Race Condition within a Thread in GitHub repository answerdev/answer p ...) NOT-FOR-US: answerdev/answer CVE-2023-4126 (Insufficient Session Expiration in GitHub repository answerdev/answer ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afcd48da5354d6882dcff1f251b3480b66d2df36
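Review bot: the added package line `- linux 6.4.4-1` is missing the leading space that the neighbouring `- linux 6.3.7-1` line has, so it does not match the entry format used elsewhere in this hunk; it was corrected in commit 0690b12b higher up on this page, but a syntax check before push would have avoided the extra commit. The fixed version 6.4.4-1 also predates the cited 6.5-rc1 commit, so a stable backport is implied and could be noted.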
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4133/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2bdfb610 by Salvatore Bonaccorso at 2023-08-03T22:47:33+02:00 Add CVE-2023-4133/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,8 @@ CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub re CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: CrafterCMS CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in the Li ...) - TODO: check + - linux 6.3.7-1 + NOTE: https://git.kernel.org/linus/e50b9b9e8610d47b7c22529443e45a16b1ea3a15 (6.3) CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb module in ...) TODO: check CVE-2023-4127 (Race Condition within a Thread in GitHub repository answerdev/answer p ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2bdfb610f4fa286b420c64a0a7146d1f38926bdc
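Review bot: the fixed version 6.3.7-1 is consistent with the e50b9b9e fix being in 6.3, but no bookworm or bullseye annotation is given, so both suites show as affected; checking whether the affected cxgb4 code path is present in their kernels and recording the result (a fixed version or a "Vulnerable code not present" mark) would complete the entry.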
[Git][security-tracker-team/security-tracker][master] LTS: add ghostscript
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ad503e by Anton Gladky at 2023-08-03T22:44:45+02:00 LTS: add ghostscript - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -52,6 +52,9 @@ dogecoin firefox-esr (Emilio) NOTE: 20230802: Added by pochu -- +ghostscript + NOTE: 20230803: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ad503edf06a0cac65995f5cb084447c726104c
[Git][security-tracker-team/security-tracker][master] Django DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e065ac2b by Moritz Mühlenhoff at 2023-08-03T22:42:51+02:00 Django DSA - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -10889,6 +10889,7 @@ CVE-2023-31048 CVE-2023-31047 (In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, i ...) {DLA-3415-1} - python-django 3:3.2.19-1 (bug #1035467) + [bullseye] - python-django 2:2.2.28-1~deb11u2 NOTE: https://www.djangoproject.com/weblog/2023/may/03/security-releases/ NOTE: https://github.com/django/django/commit/fb4c55d9ec4bb812a7fb91fa20510d91645e411b (main) NOTE: https://github.com/django/django/commit/eed53d0011622e70b936e203005f0e6f4ac48965 (3.2.19) @@ -30616,6 +30617,7 @@ CVE-2023-0526 (The Post Shortcode WordPress plugin through 2.0.9 does not valida CVE-2023-24580 (An issue was discovered in the Multipart Request Parser in Django 3.2 ...) {DLA-3329-1} - python-django 3:3.2.18-1 (bug #1031290) + [bullseye] - python-django 2:2.2.28-1~deb11u2 NOTE: https://www.djangoproject.com/weblog/2023/feb/14/security-releases/ NOTE: https://github.com/django/django/commit/a665ed5179f5bbd3db95ce67286d0192eff041d8 (3.2.18) CVE-2023-24579 (McAfee Total Protection prior to 16.0.51 allows attackers to trick a v ...) @@ -32414,6 +32416,7 @@ CVE-2022-48279 (In ModSecurity before 2.9.6 and 3.x before 3.0.8, HTTP multipart CVE-2023-23969 (In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, t ...) {DLA-3306-1} - python-django 3:3.2.17-1 (bug #1030251) + [bullseye] - python-django 2:2.2.28-1~deb11u2 NOTE: https://www.openwall.com/lists/oss-security/2023/02/01/4 NOTE: https://github.com/django/django/commit/c7e0151fdf33e1b11d488b6f67b94fdf3a30614a (3.2.17) CVE-2023-23968 = data/DSA/list = 
@@ -1,3 +1,7 @@ +[03 Aug 2023] DSA-5465-1 python-django - security update + {CVE-2023-36053} + [bullseye] - python-django 2:2.2.28-1~deb11u2 + [bookworm] - python-django 3:3.2.19-1+deb12u1 [03 Aug 2023] DSA-5464-1 firefox-esr - security update {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056} [bullseye] - firefox-esr 102.14.0esr-1~deb11u1 = data/dsa-needed.txt = @@ -60,8 +60,6 @@ php-horde-turba/oldstable -- py7zr/oldstable -- -python-django (jmm) --- python-glance-store/oldstable -- python-os-brick/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e065ac2bb8b92d7b847e7568c5dffde4ec89337d
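Review bot: the data/CVE/list hunks record 2:2.2.28-1~deb11u2 as the bullseye fix for CVE-2023-31047, CVE-2023-24580 and CVE-2023-23969, yet the DSA-5465-1 entry in data/DSA/list lists only CVE-2023-36053; if the bullseye upload also fixes the three older issues, the DSA entry's CVE set should include them so the advisory cross-references stay consistent, and if it does not, the three bullseye lines need a note explaining why they are fixed outside the advisory.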
[Git][security-tracker-team/security-tracker][master] LTS: CVE-2023-34478 mark as no-dsa
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 16b66fa0 by Anton Gladky at 2023-08-03T22:38:57+02:00 LTS: CVE-2023-34478 mark as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1552,6 +1552,7 @@ CVE-2023-34478 (Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible - shiro [bookworm] - shiro (Minor issue) [bullseye] - shiro (Minor issue) + [buster] - shiro (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/07/24/4 CVE-2023-34429 (Weintek Weincloud v0.13.6 could allow an attacker to cause a denia ...) NOT-FOR-US: Weincloud View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16b66fa05d33782cb17cf1ffb8569b1e7e1712ed
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4138/rdiffweb, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f586cd29 by Salvatore Bonaccorso at 2023-08-03T22:32:30+02:00 Add CVE-2023-4138/rdiffweb, itped - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/custo ...) NOT-FOR-US: pimcore/customer-data-framework CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) - TODO: check + - rdiffweb (bug #969974) CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: CrafterCMS CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in the Li ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f586cd29e610b5bcf88b6d5381b4619c61d95e82
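Review bot: the commit message says rdiffweb is only ITP'ed, but the entry `- rdiffweb (bug #969974)` reads like an unfixed package in unstable with a fix-tracking bug; marking the not-yet-in-archive status in the entry itself would stop #969974 from being read as a bug about this CVE.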
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9aaeb948 by Salvatore Bonaccorso at 2023-08-03T22:31:47+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,45 +1,45 @@ CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/custo ...) - TODO: check + NOT-FOR-US: pimcore/customer-data-framework CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) TODO: check CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: CrafterCMS CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in the Li ...) TODO: check CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb module in ...) TODO: check CVE-2023-4127 (Race Condition within a Thread in GitHub repository answerdev/answer p ...) - TODO: check + NOT-FOR-US: answerdev/answer CVE-2023-4126 (Insufficient Session Expiration in GitHub repository answerdev/answer ...) - TODO: check + NOT-FOR-US: answerdev/answer CVE-2023-4125 (Weak Password Requirements in GitHub repository answerdev/answer prior ...) - TODO: check + NOT-FOR-US: answerdev/answer CVE-2023-4124 (Missing Authorization in GitHub repository answerdev/answer prior to v ...) - TODO: check + NOT-FOR-US: answerdev/answer CVE-2023-4121 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...) - TODO: check + NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform CVE-2023-4120 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...) - TODO: check + NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform CVE-2023-4119 (A vulnerability has been found in Academy LMS 6.0 and classified as pr ...) - TODO: check + NOT-FOR-US: Academy LMS CVE-2023-4118 (A vulnerability, which was classified as problematic, was found in Cut ...) TODO: check CVE-2023-4117 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: PHP Jabbers Rental Property Booking CVE-2023-4116 (A vulnerability classified as problematic was found in PHP Jabbers Tax ...) 
- TODO: check + NOT-FOR-US: PHP Jabbers Taxi Booking CVE-2023-4115 (A vulnerability classified as problematic has been found in PHP Jabber ...) - TODO: check + NOT-FOR-US: PHP Jabbers Cleaning Business CVE-2023-4114 (A vulnerability was found in PHP Jabbers Night Club Booking Software 1 ...) - TODO: check + NOT-FOR-US: PHP Jabbers Night Club Booking Software CVE-2023-4113 (A vulnerability was found in PHP Jabbers Service Booking Script 1.0. I ...) - TODO: check + NOT-FOR-US: PHP Jabbers Service Booking Script CVE-2023-4112 (A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. ...) - TODO: check + NOT-FOR-US: PHP Jabbers Shuttle Booking Software CVE-2023-4111 (A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 an ...) - TODO: check + NOT-FOR-US: PHP Jabbers Bus Reservation System CVE-2023-4110 (A vulnerability has been found in PHP Jabbers Availability Booking Cal ...) - TODO: check + NOT-FOR-US: PHP Jabbers Availability Booking Calendar CVE-2023-3932 (An issue has been discovered in GitLab EE affecting all versions start ...) TODO: check CVE-2023-3766 (A vulnerability was discovered in the odoh-rs rust crate that stems fr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9aaeb948a34ccc778aaace3e552820843170f8fa
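Review bot: CVE-2023-3766 (the odoh-rs Rust crate) is correctly left at TODO rather than turned into NOT-FOR-US, since Debian does package Rust crates as source packages and the crate still needs an archive check; CVE-2023-4118 and CVE-2023-3932 likewise remain at TODO in this hunk and are not covered by this pass.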
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e19a95ef by security tracker role at 2023-08-03T20:21:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,177 @@ +CVE-2023-4145 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/custo ...) + TODO: check +CVE-2023-4138 (Allocation of Resources Without Limits or Throttling in GitHub reposit ...) + TODO: check +CVE-2023-4136 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-4133 (A use-after-free vulnerability was found in the cxgb4 driver in the Li ...) + TODO: check +CVE-2023-4132 (A use-after-free vulnerability was found in the siano smsusb module in ...) + TODO: check +CVE-2023-4127 (Race Condition within a Thread in GitHub repository answerdev/answer p ...) + TODO: check +CVE-2023-4126 (Insufficient Session Expiration in GitHub repository answerdev/answer ...) + TODO: check +CVE-2023-4125 (Weak Password Requirements in GitHub repository answerdev/answer prior ...) + TODO: check +CVE-2023-4124 (Missing Authorization in GitHub repository answerdev/answer prior to v ...) + TODO: check +CVE-2023-4121 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...) + TODO: check +CVE-2023-4120 (A vulnerability was found in Beijing Baichuo Smart S85F Management Pla ...) + TODO: check +CVE-2023-4119 (A vulnerability has been found in Academy LMS 6.0 and classified as pr ...) + TODO: check +CVE-2023-4118 (A vulnerability, which was classified as problematic, was found in Cut ...) + TODO: check +CVE-2023-4117 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-4116 (A vulnerability classified as problematic was found in PHP Jabbers Tax ...) + TODO: check +CVE-2023-4115 (A vulnerability classified as problematic has been found in PHP Jabber ...) + TODO: check +CVE-2023-4114 (A vulnerability was found in PHP Jabbers Night Club Booking Software 1 ...) + TODO: check +CVE-2023-4113 (A vulnerability was found in PHP Jabbers Service Booking Script 1.0. I ...) 
+ TODO: check +CVE-2023-4112 (A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. ...) + TODO: check +CVE-2023-4111 (A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 an ...) + TODO: check +CVE-2023-4110 (A vulnerability has been found in PHP Jabbers Availability Booking Cal ...) + TODO: check +CVE-2023-3932 (An issue has been discovered in GitLab EE affecting all versions start ...) + TODO: check +CVE-2023-3766 (A vulnerability was discovered in the odoh-rs rust crate that stems fr ...) + TODO: check +CVE-2023-3749 (A local user could edit the VideoEdge configuration file and interfere ...) + TODO: check +CVE-2023-3669 (A missing Brute-Force protection in CODESYS Development System prior t ...) + TODO: check +CVE-2023-3663 (In CODESYS Development System versions from 3.5.11.20 and before 3.5.1 ...) + TODO: check +CVE-2023-3662 (In CODESYS Development System versions from 3.5.17.0 and prior to 3.5. ...) + TODO: check +CVE-2023-3348 (The Wrangler command line tool (<=wrangler@3.1.0) was affected by a di ...) + TODO: check +CVE-2023-3346 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...) + TODO: check +CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are vulnerable t ...) + TODO: check +CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling data ...) + TODO: check +CVE-2023-39144 (Element55 KnowMore appliances version 21 and older was discovered to s ...) + TODO: check +CVE-2023-39121 (emlog v2.1.9 was discovered to contain a SQL injection vulnerability v ...) + TODO: check +CVE-2023-39114 (ngiflib commit 84a75 was discovered to contain a segmentation violatio ...) + TODO: check +CVE-2023-39113 (ngiflib commit fb271 was discovered to contain a segmentation violatio ...) + TODO: check +CVE-2023-39097 (WebBoss.io CMS v3.7.0.1 contains a stored cross-site scripting (XSS) v ...) 
+ TODO: check +CVE-2023-39096 (WebBoss.io CMS v3.7.0.1 contains a stored Cross-Site Scripting (XSS) v ...) + TODO: check +CVE-2023-39075 (Renault Zoe EV 2021 automotive infotainment system versions 283C35202R ...) + TODO: check +CVE-2023-38958 (An access control issue in ZKTeco BioAccess IVS v3.3.1 allows unauthen ...) + TODO: check +CVE-2023-38956 (A path traversal vulnerability in ZKTeco BioAccess IVS v3.3.1 allows u ...) + TODO: check +CVE-2023-38955 (ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to obtain ...) + TODO: check
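Review bot: all of these new entries land as `TODO: check` with the import's truncated descriptions, which is fine for an automated pull; when triaging, the two Linux use-after-free entries (CVE-2023-4133 in cxgb4, CVE-2023-4132 in siano smsusb) and the QEMU virtual crypto device flaw (CVE-2023-3180) concern packages in the archive and should be resolved to a package line first, while the many `GitHub repository answerdev/answer` and PHP Jabbers entries are likely NOT-FOR-US candidates.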
[Git][security-tracker-team/security-tracker][master] Track thunderbird fixes via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 01e263ff by Salvatore Bonaccorso at 2023-08-03T22:18:24+02:00 Track thunderbird fixes via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -207,7 +207,7 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and [bookworm] - firefox-esr (Only affects Firefox ESR 115.1) [bullseye] - firefox-esr (Only affects Firefox ESR 115.1) [buster] - firefox-esr (Only affects Firefox ESR 115.1) - - thunderbird + - thunderbird 1:115.1.0-1 [bookworm] - thunderbird (Only affects Thunderbird 115.1) [bullseye] - thunderbird (Only affects Thunderbird 115.1) [buster] - thunderbird (Only affects Thunderbird 115.1) @@ -217,7 +217,7 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4056 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4056 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4056 @@ -226,7 +226,7 @@ CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Fir CVE-2023-4055 (When the number of cookies per domain was exceeded in `document.cookie ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4055 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055 
@@ -257,7 +257,7 @@ CVE-2023-4051 (A website could have obscured the full screen notification by usi CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack buffer ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4050 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4050 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4050 @@ -266,7 +266,7 @@ CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack bu CVE-2023-4049 (Race conditions in reference counting code were found through code ins ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4049 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4049 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4049 @@ -275,7 +275,7 @@ CVE-2023-4049 (Race conditions in reference counting code were found through cod CVE-2023-4048 (An out-of-bounds read could have led to an exploitable crash when pars ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4048 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4048 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4048 
@@ -284,7 +284,7 @@ CVE-2023-4048 (An out-of-bounds read could have led to an exploitable crash when CVE-2023-4047 (A bug in popup notifications delay calculation could have made it poss ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4047 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4047 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4047 @@ -293,7 +293,7 @@ CVE-2023-4047 (A bug in popup notifications delay calculation could have made it CVE-2023-4046 (In some circumstances, a stale value could have been used for a global ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 - - thunderbird + - thunderbird 1:115.1.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4046 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4046 NOTE:
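Review bot: the fixed version `1:115.1.0-1` is recorded uniformly for unstable, but the hunks leave the stable suites in two different states: CVE-2023-4057 carries `[bookworm]/[bullseye]/[buster] - thunderbird (Only affects Thunderbird 115.1)`, while CVE-2023-4056, -4055 and -4050 to -4046 have no suite lines at all and so stay open for bookworm and bullseye. That is consistent with the `thunderbird (jmm)` entry added to dsa-needed in commit 1d22a6e0, but each of those should be confirmed against the 102.x ESR branch before the DSA goes out; for the 115.1-only issue the annotation already does that.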
[Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d22a6e0 by Salvatore Bonaccorso at 2023-08-03T22:16:16+02:00 Add thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -95,6 +95,8 @@ sox all issues unfixed upstream for CVE-2023-34432, rest can be ignored -- +thunderbird (jmm) +-- tiff -- wpewebkit/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d22a6e0296d83ae43fb87201597a9bea39caacf
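Review bot: the entry keeps the file's alphabetical order (between sox and tiff) and takes the `(jmm)` claim, but unlike the neighbouring `sox` entry it carries no free-text note; a one-line pointer to the CVE set being handled (the mfsa2023-32/mfsa2023-33 thunderbird issues recorded in data/CVE/list in the same push) would help whoever picks it up next.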
[Git][security-tracker-team/security-tracker][master] Followup thunderbird entries with mfsa2023-33
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 36f7d264 by Salvatore Bonaccorso at 2023-08-03T22:15:27+02:00 Followup thunderbird entries with mfsa2023-33 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -207,8 +207,13 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and [bookworm] - firefox-esr (Only affects Firefox ESR 115.1) [bullseye] - firefox-esr (Only affects Firefox ESR 115.1) [buster] - firefox-esr (Only affects Firefox ESR 115.1) + - thunderbird + [bookworm] - thunderbird (Only affects Thunderbird 115.1) + [bullseye] - thunderbird (Only affects Thunderbird 115.1) + [buster] - thunderbird (Only affects Thunderbird 115.1) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4057 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4057 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4057 CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 @@ -217,6 +222,7 @@ CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Fir NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4056 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4056 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4056 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4056 CVE-2023-4055 (When the number of cookies per domain was exceeded in `document.cookie ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 
@@ -225,6 +231,7 @@ CVE-2023-4055 (When the number of cookies per domain was exceeded in `document.c NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4055 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4055 CVE-2023-4054 (When opening appref-ms files, Firefox did not warn the user that these ...) - firefox (Affects only Firefox on Windows) - firefox-esr (Affects only Firefox on Windows) @@ -233,14 +240,17 @@ CVE-2023-4054 (When opening appref-ms files, Firefox did not warn the user that NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4054 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4054 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4054 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4054 CVE-2023-4053 (A website could have obscured the full screen notification by using a ...) - firefox 116.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4053 CVE-2023-4052 (The Firefox updater created a directory writable by non-privileged use ...) - firefox (Affects only Firefox on Windows) - firefox-esr (Affects only Firefox ESR 115.0.1 on Windows) + - thunderbird (Affects only Thunderbird on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4052 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4052 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4052 CVE-2023-4051 (A website could have obscured the full screen notification by using th ...) - firefox 116.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4051 
@@ -252,6 +262,7 @@ CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack bu NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4050 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4050 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4050 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4050 CVE-2023-4049 (Race conditions in reference counting code were found through code ins ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 @@ -260,6 +271,7 @@ CVE-2023-4049 (Race conditions in reference counting code were found through cod NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4049 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4049 NOTE:
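Review bot: for CVE-2023-4057 the new `- thunderbird` line has no version, so unstable is recorded as unfixed even though the three suite lines under it say only Thunderbird 115.1 is affected; if 1:115.1.0-1 is already the fixed upload it belongs on that line (commit 01e263ff adds it). The CVE-2023-4052 line, `- thunderbird (Affects only Thunderbird on Windows)`, mirrors the firefox and firefox-esr lines in the same hunk, and the mfsa2023-33 NOTE is added only where thunderbird is listed, which keeps the references consistent with the package lines.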
[Git][security-tracker-team/security-tracker][master] Add thunderbird from mfsa2023-32
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb2b5965 by Salvatore Bonaccorso at 2023-08-03T22:11:32+02:00 Add thunderbird from mfsa2023-32 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -212,21 +212,27 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, and CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, Firefox ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4056 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4056 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4056 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4056 CVE-2023-4055 (When the number of cookies per domain was exceeded in `document.cookie ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4055 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4055 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4055 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4055 CVE-2023-4054 (When opening appref-ms files, Firefox did not warn the user that these ...) - firefox (Affects only Firefox on Windows) - firefox-esr (Affects only Firefox on Windows) + - thunderbird (Affects only Thunderbird on Windows) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4054 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4054 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4054 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4054 CVE-2023-4053 (A website could have obscured the full screen notification by using a ...) - firefox 116.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4053 
@@ -241,39 +247,51 @@ CVE-2023-4051 (A website could have obscured the full screen notification by usi CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack buffer ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4050 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4050 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4050 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4050 CVE-2023-4049 (Race conditions in reference counting code were found through code ins ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4049 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4049 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4049 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4049 CVE-2023-4048 (An out-of-bounds read could have led to an exploitable crash when pars ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4048 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4048 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4048 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4048 CVE-2023-4047 (A bug in popup notifications delay calculation could have made it poss ...) 
- firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4047 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-30/#CVE-2023-4047 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4047 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4047 CVE-2023-4046 (In some circumstances, a stale value could have been used for a global ...) - firefox 116.0-1 - firefox-esr 115.1.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4046 NOTE:
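Review bot: thunderbird is added as an unversioned (unfixed) line to each of CVE-2023-4056, -4055, -4050, -4049, -4048, -4047 and -4046 with a matching mfsa2023-32 NOTE, and CVE-2023-4054 gets the same Windows-only annotation as its firefox lines, so the package lines and references stay parallel. CVE-2023-4057 appears only as hunk context and is not touched here; the follow-up commit 36f7d264 attaches it to mfsa2023-33 instead, which is the right split given its `Only affects ... 115.1` annotations.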
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2022-4907/ffmpeg
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 86f0e8f2 by Salvatore Bonaccorso at 2023-08-03T21:34:27+02:00 Update information for CVE-2022-4907/ffmpeg - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27074,9 +27074,9 @@ CVE-2022-4907 (Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359. [buster] - chromium (see DSA 5046) - ffmpeg 7:6.0-4 [bookworm] - ffmpeg (Minor issue, wait until it lands in 5.1.x) - [bullseye] - ffmpeg (Minor issue, wait until it lands in 4.3.x) + [bullseye] - ffmpeg (Vulnerable code introduced later) [buster] - ffmpeg (Vulnerable code introduced later) - NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b (n6.0) + NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b (n6.0) NOTE: Introduced by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c3bf53fab2165f52b3f71412664668dd75e10a0f (n5.1) CVE-2022-4906 (Inappropriate implementation in Blink in Google Chrome prior to 108.0. ...) {DSA-5293-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86f0e8f2d45b94c8339dc4a1fe273c9e5195e5ba
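Review bot: switching bullseye from `Minor issue, wait until it lands in 4.3.x` to `Vulnerable code introduced later` is the consistent reading of the `Introduced by:` NOTE, which pins the introducing change to n5.1; a 4.3.x branch cannot contain it, so bullseye and buster should indeed be marked the same way, and the `Fixed by:` prefix makes the two NOTEs parallel. Bookworm's `Minor issue, wait until it lands in 5.1.x` remains correct, since 5.1 is exactly where the bug was introduced.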
[Git][security-tracker-team/security-tracker][master] Add references for CVE-2023-4104/mozillavpn
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d66f0fd6 by Salvatore Bonaccorso at 2023-08-03T21:27:25+02:00 Add references for CVE-2023-4104/mozillavpn - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,8 @@ CVE-2023-4104 - mozillavpn NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/1 + NOTE: https://github.com/mozilla-mobile/mozilla-vpn-client/pull/7055 + NOTE: https://github.com/mozilla-mobile/mozilla-vpn-client/commit/6933a07164cd69636889403c959ac2c2b115e0f6 CVE-2023-3971 NOT-FOR-US: Red Hat Ansible Automation Controller CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d66f0fd6f9505b54af7b1501e09dbc52e8fa8811
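Review bot: the two new NOTEs point at the upstream pull request and fix commit, but neither records the fixed upstream version in the trailing-parenthesis style used elsewhere in this file (for example `(15.7.0)` on the chef entry and `(v0.13.0)` on the golang one); adding it to the commit line would let the still unversioned `- mozillavpn` line be closed by a plain version comparison once the upload happens.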
[Git][security-tracker-team/security-tracker][master] Add upstream commit for CVE-2023-3978
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82233059 by Salvatore Bonaccorso at 2023-08-03T21:20:38+02:00 Add upstream commit for CVE-2023-3978 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49,6 +49,7 @@ CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally re NOTE: https://go.dev/cl/514896 NOTE: https://go.dev/issue/61615 NOTE: https://pkg.go.dev/vuln/GO-2023-1988 + NOTE: https://github.com/golang/net/commit/8ffa475fbdb33da97e8bf79cc5791ee8751fca5e (v0.13.0) CVE-2023-3470 (Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generat ...) NOT-FOR-US: F5 BIG-IP CVE-2023-3426 (The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82233059859de1435f259348dcad54d6bc1206ef
[Git][security-tracker-team/security-tracker][master] CVE-2023-25435/tiff: reference prior CVE fixed with same patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 259dd1c5 by Sylvain Beucler at 2023-08-03T19:59:30+02:00 CVE-2023-25435/tiff: reference prior CVE fixed with same patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -28032,6 +28032,7 @@ CVE-2023-25435 (libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContig [buster] - tiff 4.1.0+git191117-2~deb10u7 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/518 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/69818e2f2d246e6631ac2a2da692c3706b849c38 (v4.5.1rc1) + NOTE: Same fix as CVE-2023-0795 CVE-2023-25434 (libtiff 4.5.0 is vulnerable to Buffer Overflow via extractContigSample ...) - tiff 4.5.0-5 [bullseye] - tiff 4.2.0-1+deb11u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/259dd1c5210ff7bc2c69f6480f827c3d7cd7c65c
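Review bot: `Same fix as CVE-2023-0795` is a useful cross-reference; the follow-up check is that the suite lines for CVE-2023-25435 (the `[buster] - tiff 4.1.0+git191117-2~deb10u7` line visible in the context, plus the bullseye and bookworm ones above it) match what CVE-2023-0795 records, since a single upstream commit fixing both means both entries should close at the same Debian revisions.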
[Git][security-tracker-team/security-tracker][master] firefox-esr DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d6c4e882 by Moritz Mühlenhoff at 2023-08-03T19:22:59+02:00 firefox-esr DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[03 Aug 2023] DSA-5464-1 firefox-esr - security update + {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 CVE-2023-4050 CVE-2023-4055 CVE-2023-4056} + [bullseye] - firefox-esr 102.14.0esr-1~deb11u1 + [bookworm] - firefox-esr 102.14.0esr-1~deb12u1 [30 Jul 2023] DSA-5463-1 thunderbird - security update {CVE-2023-3417} [bullseye] - thunderbird 1:102.13.1-1~deb11u1 = data/dsa-needed.txt = @@ -21,8 +21,6 @@ cjose -- cinder/oldstable -- -firefox-esr (jmm) --- frr (aron) maintainer proposed to update to 8.4.4 for bookworm, which might be a good idea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6c4e8824eb8c8c6186938f339b6b4e6d1924c82
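Review bot: DSA-5464-1 lists CVE-2023-4045 to -4050, -4055 and -4056 and omits -4057 (tracked as `Only affects Firefox ESR 115.1`, whereas 102.14.0esr is the 102 branch) as well as the Windows-only -4052 and -4054, which matches the per-CVE suite annotations; bookworm and bullseye get the same upstream version with suite-specific revisions, and removing `firefox-esr (jmm)` from dsa-needed closes the loop. The DSA entry carries no buster line, so any open buster `firefox-esr` entries stay open until an LTS update is recorded.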
[Git][security-tracker-team/security-tracker][master] rxvt-unicode fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 908e093e by Moritz Mühlenhoff at 2023-08-03T17:46:44+02:00 rxvt-unicode fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -45618,7 +45618,7 @@ CVE-2022-43464 (Hidden functionality vulnerability in UDR-JA1604/UDR-JA1608/UDR- CVE-2022-4171 (The demon image annotation plugin for WordPress is vulnerable to impro ...) NOT-FOR-US: demon image annotation plugin for WordPress CVE-2022-4170 (The rxvt-unicode package is vulnerable to a remote code execution, in ...) - - rxvt-unicode (bug #1025489) + - rxvt-unicode 9.31-1 (bug #1025489) [bookworm] - rxvt-unicode (Minor issue) [bullseye] - rxvt-unicode (Vulnerable code introduced later) [buster] - rxvt-unicode (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/908e093e933fd14b6e76291c2f9355e624217248
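Review bot: the unstable fix `9.31-1` is recorded, but `[bookworm] - rxvt-unicode (Minor issue)` now reads oddly next to a description that says `remote code execution`; since bullseye and buster are not affected (`Vulnerable code introduced later`), bookworm is the only released suite carrying the code, and a NOTE explaining why the issue is considered minor there (beyond the `bug #1025489` reference) would make the postponement easy to defend later.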
[Git][security-tracker-team/security-tracker][master] Add cakephp to embedded code copy
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: ac4addff by Bastien Roucariès at 2023-08-03T15:09:14+00:00 Add cakephp to embedded code copy - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -3817,3 +3817,6 @@ php-font-lib llhttp (ITP: #977716) - python-aiohttp (embed) + +cakephp + - zoneminder (embed; bug #1042970) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac4addff0c2463411d84d4da349c526817181eed
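Review bot: the new `cakephp` block follows the file's convention (`- <package> (embed; bug #NNNN)`), and the bug reference plays the same role the `(ITP: #977716)` reference does for `llhttp` just above. Since this file exists to fan out CVE triage, it would help to also record which cakephp release zoneminder bundles, so that a future cakephp CVE can be marked affected or not for zoneminder without re-reading its source tree.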
[Git][security-tracker-team/security-tracker][master] CVE-2022-4907/ffmpeg: buster not-affected
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 5f583338 by Sylvain Beucler at 2023-08-03T13:30:14+02:00 CVE-2022-4907/ffmpeg: buster not-affected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27072,7 +27072,9 @@ CVE-2022-4907 (Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359. - ffmpeg 7:6.0-4 [bookworm] - ffmpeg (Minor issue, wait until it lands in 5.1.x) [bullseye] - ffmpeg (Minor issue, wait until it lands in 4.3.x) + [buster] - ffmpeg (Vulnerable code introduced later) NOTE: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b (n6.0) + NOTE: Introduced by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/c3bf53fab2165f52b3f71412664668dd75e10a0f (n5.1) CVE-2022-4906 (Inappropriate implementation in Blink in Google Chrome prior to 108.0. ...) {DSA-5293-1} - chromium 108.0.5359.71-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f5833386d7f41d06befbed3d2adb298547ae0de
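Review bot: with the `Introduced by:` NOTE tagged n5.1, marking buster `Vulnerable code introduced later` is right, but the unchanged bullseye line (`Minor issue, wait until it lands in 4.3.x`) is now inconsistent with the same evidence: a 4.3.x release cannot carry a change introduced in 5.1, so bullseye should get the same not-affected marking (the later commit 86f0e8f2 on this page does exactly that).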
[Git][security-tracker-team/security-tracker][master] Mark chef debian package not-affected by CVE-2023-28864
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 16c3addf by Bastien Roucariès at 2023-08-03T11:01:47+00:00 Mark chef debian package not-affected by CVE-2023-28864 Chef-server upstream package was removed from chef debian package in 201207 after reintroduction of chef in 201205 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17220,6 +17220,7 @@ CVE-2023-28865 RESERVED CVE-2023-28864 (Progress Chef Infra Server before 15.7 allows a local attacker to expl ...) - chef + [buster] - chef (chef package does not include upstream chef-server) NOTE: https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation NOTE: https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42 NOTE: Fixed by: https://github.com/chef/chef-server/commit/985dfee99044ff477dbc08462b6d69add70f8608 (15.7.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c3addf684ddf5da8d7aa9d7fc751415fbcd4a6
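Review bot: the `[buster] - chef (chef package does not include upstream chef-server)` annotation is grounded in the commit message and in the existing `NOTE: only chef-server removed since 201207` line, but that reasoning is not buster-specific: it applies to every suite that ships the chef source package, and the unstable `- chef` line directly above it remains unversioned, i.e. open. Either mark unstable (and any other suite carrying chef) the same way, or add a NOTE explaining why only buster is annotated.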
[Git][security-tracker-team/security-tracker][master] chromium fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c38d4e5 by Moritz Mühlenhoff at 2023-08-03T12:51:59+02:00 chromium fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -9,37 +9,37 @@ CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1 NOTE: https://xenbits.xen.org/xsa/advisory-436.html CVE-2023-4078 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4077 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4076 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4075 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4074 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4073 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4072 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4071 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4070 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4069 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4068 - - chromium + - chromium 115.0.5790.170-1 [buster] - chromium (see DSA 5046) CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for WordPress is v ...) NOT-FOR-US: Bus Ticket Booking with Seat Reservation plugin for WordPress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c38d4e51c0a215e4cd5cfc46eaf7d3428ad84af
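Review bot: the eleven entries resolve unstable to the same `115.0.5790.170-1` and keep `[buster] - chromium (see DSA 5046)`; bookworm and bullseye remain open, which is expected while the DSA is pending. None of CVE-2023-4068 to -4078 has a description yet, so a `NOTE:` pointing at the upstream Chrome release announcement would let readers judge severity before the descriptions are imported.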
[Git][security-tracker-team/security-tracker][master] new mozillavpn issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fbdf866 by Moritz Mühlenhoff at 2023-08-03T12:23:01+02:00 new mozillavpn issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2023-4104 + - mozillavpn + NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/1 CVE-2023-3971 NOT-FOR-US: Red Hat Ansible Automation Controller CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fbdf866b70bde0207a7db466b5c20b6e07722c6
[Git][security-tracker-team/security-tracker][master] CVE-2023-28864/chef: reference patch
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d9720f53 by Sylvain Beucler at 2023-08-03T12:10:41+02:00 CVE-2023-28864/chef: reference patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17219,6 +17219,7 @@ CVE-2023-28864 (Progress Chef Infra Server before 15.7 allows a local attacker t - chef NOTE: https://blog.mondoo.com/chef-infra-server-cve-2023-28864-impact-and-remediation NOTE: https://github.com/chef/chef-server/blob/8a2dc82148844767f7c7728633a03dcee812e56a/omnibus/files/server-ctl-cookbooks/infra-server/recipes/oc_bifrost.rb#L42 + NOTE: Fixed by: https://github.com/chef/chef-server/commit/985dfee99044ff477dbc08462b6d69add70f8608 (15.7.0) NOTE: only chef-server removed since 201207 CVE-2023-28863 (AMI MegaRAC SPx12 and SPx13 devices have Insufficient Verification of ...) NOT-FOR-US: AMI View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9720f53a6b8a954d896b70b50aa518956f11bae
[Git][security-tracker-team/security-tracker][master] new golang-golang-x-net issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a025ce3 by Moritz Mühlenhoff at 2023-08-03T10:57:53+02:00 new golang-golang-x-net issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,7 +41,11 @@ CVE-2023-4068 CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for WordPress is v ...) NOT-FOR-US: Bus Ticket Booking with Seat Reservation plugin for WordPress CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally rendere ...) - TODO: check + - golang-golang-x-net + - golang-golang-x-net-dev + NOTE: https://go.dev/cl/514896 + NOTE: https://go.dev/issue/61615 + NOTE: https://pkg.go.dev/vuln/GO-2023-1988 CVE-2023-3470 (Specific F5 BIG-IP platforms with Cavium Nitrox FIPS HSM cards generat ...) NOT-FOR-US: F5 BIG-IP CVE-2023-3426 (The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a025ce381597335dbca4b85fdf962ec335abd00
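Review bot: both new package lines, `- golang-golang-x-net` and `- golang-golang-x-net-dev`, are added without a fixed version although `https://go.dev/cl/514896` already identifies the upstream change; record the upstream x/net version containing that change once it is known (the GO-2023-1988 report should name it), and note whether both source packages really ship the affected html package, since listing two sources for one issue without any status on either leaves the triage incomplete.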
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c02bba9 by Moritz Mühlenhoff at 2023-08-03T10:17:07+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -61,7 +61,7 @@ CVE-2023-36858 (An insufficient verification of data vulnerability exists in BIG CVE-2023-36494 (Audit logs on F5OS-A may contain undisclosed sensitive information. No ...) NOT-FOR-US: F5 BIG-IP CVE-2023-36081 (Cross Site Scripting vulnerability in GatesAIr Flexiva FM Transmitter/ ...) - TODO: check + NOT-FOR-US: GatesAIr Flexiva FM Transmitter CVE-2023-33383 (Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attacker to ...) NOT-FOR-US: Shelly 4PM Pro four-channel smart switch CVE-2023-33257 (Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML ...) 
@@ -24675,33 +24675,33 @@ CVE-2023-26453 CVE-2023-26452 RESERVED CVE-2023-26451 (Functions with insufficient randomness were used to generate authoriza ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26450 (The "OX Count" web service did not specify a media-type when processin ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26449 (The "OX Chat" web service did not specify a media-type when processing ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26448 (Custom log-in and log-out locations are used-defined as jslob but were ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26447 (The "upsell" widget for the portal allows to specify a product descrip ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26446 (The users clientID at "application passwords" was not sanitized or esc ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26445 (Frontend themes are defined by user-controllable jslob settings and co ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26444 RESERVED CVE-2023-26443 (Full-text autocomplete search allows user-provided SQL syntax to be in ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26442 (In case Cacheservice was configured to use a sproxyd object-storage ba ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26441 (Cacheservice did not correctly check if relative cache object were poi ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26440 (The cacheservice API could be abused to indirectly inject parameters w ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26439 (The cacheservice API could be abused to inject parameters with SQL syn ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26438 (External service lookups for a number of protocols were vulnerable to ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26437 (Denial of service vulnerability in PowerDNS Recursor allows authoritat ...) - pdns-recursor 4.8.4-1 (bug #1033941) [bullseye] - pdns-recursor (Minor issue) 
@@ -24723,7 +24723,7 @@ CVE-2023-26432 (When adding an external mail account, processing of SMTP "capabi CVE-2023-26431 (IPv4-mapped IPv6 addresses did not get recognized as "local" by the co ...) NOT-FOR-US: OX App Suite CVE-2023-26430 (Attackers with access to user accounts can inject arbitrary control ch ...) - TODO: check + NOT-FOR-US: OX App Suite CVE-2023-26429 (Control characters were not removed when exporting user feedback conte ...) NOT-FOR-US: OX App Suite CVE-2023-26428 (Attackers can successfully request arbitrary snippet IDs, including E- ...) @@ -24949,9 +24949,9 @@ CVE-2023-26319 CVE-2023-26318 RESERVED CVE-2023-26317 (A vulnerability has been discovered in Xiaomi routers that could allow ...) - TODO: check + NOT-FOR-US: Xiaomi CVE-2023-26316 (A XSS vulnerability exists in the Xiaomi cloud service Application pro ...) - TODO: check + NOT-FOR-US: Xiaomi CVE-2023-26315 RESERVED CVE-2023-0979 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) @@ -44281,9 +44281,9 @@ CVE-2022-46487 CVE-2022-46486 RESERVED CVE-2022-46485 (Data Illusion Survey Software Solutions ngSurvey version 2.4.28 and be ...) - TODO: check + NOT-FOR-US: ngSurvey CVE-2022-46484 (Information disclosure in password protected surveys in Data Illusion ...) - TODO: check + NOT-FOR-US: ngSurvey CVE-2022-46483 RESERVED CVE-2022-46482 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c02bba9e44c1f9c9035851a330de5c8d8fa6681
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 92acefda by Moritz Mühlenhoff at 2023-08-03T10:11:40+02:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-3971 + NOT-FOR-US: Red Hat Ansible Automation Controller CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] - xen [buster] - xen (DSA 4677-1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92acefdac866458b399586201d159dc3449e9391
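Review bot: the new `NOT-FOR-US: Red Hat Ansible Automation Controller` line for CVE-2023-3971 is added without any NOTE reference, unlike the other entries added in this batch which carry a source URL; add the Red Hat advisory or bug URL so the scope of the classification (controller product only) can be re-checked later without re-researching the CVE.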
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-21400/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 25dea8d7 by Salvatore Bonaccorso at 2023-08-03T08:57:11+02:00 Update information on CVE-2023-21400/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49715,8 +49715,13 @@ CVE-2023-21402 CVE-2023-21401 RESERVED CVE-2023-21400 (In multiple functions of io_uring.c, there is a possible kernel memor ...) - NOT-FOR-US: Android/Pixel kernel - NOTE: Apparently a Pixel-specific issue, no source release + - linux 5.18.2-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://source.android.com/security/bulletin/pixel/2023-07-01 + NOTE: https://yanglingxi1993.github.io/dirty_pagetable/dirty_pagetable.html + NOTE: https://www.openwall.com/lists/oss-security/2023/07/14/2 + NOTE: https://www.openwall.com/lists/oss-security/2023/07/25/9 + NOTE: https://twitter.com/VAR10CK/status/1683303642173153280 CVE-2023-21399 (there is a possible way to bypass cryptographic assurances due to a lo ...) NOT-FOR-US: Android/Pixel kernel CVE-2023-21398 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25dea8d743ef646d8f76e249fb2f76a60b18e1f6
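Review bot: the new `- linux 5.18.2-1` fixed version and the `[buster] - linux (Vulnerable code not present)` annotation are not backed by a NOTE naming the upstream fixing commit; the five NOTE links are the Pixel bulletin, a write-up, two oss-security posts and a tweet, none of which is a stable pointer to the kernel change. Add the mainline commit reference with the release it landed in (the form `NOTE: https://git.kernel.org/linus/<commit> (<version>)`, with the real commit id filled in) so that both the 5.18.2-1 claim and the buster "vulnerable code not present" claim can be verified from the tracker alone; the twitter link in particular is likely to go stale.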
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34320/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 408ac4ea by Salvatore Bonaccorso at 2023-08-03T08:21:14+02:00 Add CVE-2023-34320/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,8 @@ +CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] + - xen + [buster] - xen (DSA 4677-1) + NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1 + NOTE: https://xenbits.xen.org/xsa/advisory-436.html CVE-2023-4078 - chromium [buster] - chromium (see DSA 5046) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/408ac4ea49f425761e9ee1056ca3a0cb4e0d61a5
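Review bot: the `- xen` line in the new CVE-2023-34320 entry has no fixed version even though XSA-436 is referenced; record the upstream version or the XSA patch once the fix is packaged. The buster line `[buster] - xen (DSA 4677-1)` also names only a DSA without stating what status that denotes, so a short status word alongside the DSA reference would make the entry self-explanatory to someone reading the tracker without that history.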