[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2023-08-05 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dba73b9e by Moritz Mühlenhoff at 2023-08-05T22:32:25+02:00
thunderbird DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[05 Aug 2023] DSA-5469-1 thunderbird - security update
+   {CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 
CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
+   [bullseye] - thunderbird 1:102.14.0-1~deb11u1
+   [bookworm] - thunderbird 1:102.14.0-1~deb12u1
 [05 Aug 2023] DSA-5468-1 webkit2gtk - security update
{CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 
CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611}
[bullseye] - webkit2gtk 2.40.5-1~deb11u1
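Review bot: the data/CVE/list entries for CVE-2023-4045 through CVE-2023-4056 receive no `{DSA-5469-1}` cross-reference in this commit, which touches only data/DSA/list and data/dsa-needed.txt; for DSA-5468-1 that cross-reference was applied by the tracker's automatic update (02063b9a, `+   {DSA-5468-1}` on each webkit2gtk CVE), so check that the next automatic run picks this advisory up too rather than assuming it.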


=
data/dsa-needed.txt
=
@@ -88,8 +88,6 @@ sox
   all issues unfixed upstream
   for CVE-2023-34432, rest can be ignored
 --
-thunderbird (jmm)
---
 tiff
 --
 wpewebkit/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dba73b9e42d72a15eb28d5bbfbba2dc5dfe1b6df

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
13aba867 by Salvatore Bonaccorso at 2023-08-05T22:16:32+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,17 +5,17 @@ CVE-2023-4188 (SQL Injection in GitHub repository 
instantsoft/icms2 prior to 2.1
 CVE-2023-4187 (Cross-site Scripting (XSS) - Stored in GitHub repository 
instantsoft/i ...)
TODO: check
 CVE-2023-4170 (A vulnerability was found in DedeBIZ 6.2.10. It has been rated 
as prob ...)
-   TODO: check
+   NOT-FOR-US: DedeBIZ
 CVE-2023-4169 (A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: Ruijie RG-EW1200G
 CVE-2023-4168 (A vulnerability was found in Templatecookie Adlisting 2.14.0. 
It has b ...)
-   TODO: check
+   NOT-FOR-US: Templatecookie Adlisting
 CVE-2023-4167 (A vulnerability was found in Media Browser Emby Server 4.7.13.0 
and cl ...)
-   TODO: check
+   NOT-FOR-US: Media Browser Emby Server
 CVE-2023-4166 (A vulnerability has been found in Tongda OA and classified as 
critical ...)
-   TODO: check
+   NOT-FOR-US: Tongda OA
 CVE-2023-4165 (A vulnerability, which was classified as critical, was found in 
Tongda ...)
-   TODO: check
+   NOT-FOR-US: Tongda OA
 CVE-2023-39508 (Execution with Unnecessary Privileges, : Exposure of Sensitive 
Informa ...)
- airflow  (bug #819700)
 CVE-2023-39346 (LinuxASMCallGraph is software for drawing the call graph of 
the progra ...)
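Review bot: CVE-2023-4188 and CVE-2023-4187 (both instantsoft/icms2) stay at `TODO: check` in this hunk's context while the six vulnerability-report entries below them are resolved to NOT-FOR-US; if icms2 is likewise not packaged they belong in the same pass, and if they were skipped deliberately a short NOTE would save the next triager re-checking them.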



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13aba8675d71cbbfd0cc6b854fa4f3718eb588ea



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02063b9a by security tracker role at 2023-08-05T20:11:48+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2023-4189 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
instantsof ...)
+   TODO: check
+CVE-2023-4188 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1-g ...)
+   TODO: check
+CVE-2023-4187 (Cross-site Scripting (XSS) - Stored in GitHub repository 
instantsoft/i ...)
+   TODO: check
+CVE-2023-4170 (A vulnerability was found in DedeBIZ 6.2.10. It has been rated 
as prob ...)
+   TODO: check
+CVE-2023-4169 (A vulnerability was found in Ruijie RG-EW1200G 1.0(1)B1P5. It 
has been ...)
+   TODO: check
+CVE-2023-4168 (A vulnerability was found in Templatecookie Adlisting 2.14.0. 
It has b ...)
+   TODO: check
+CVE-2023-4167 (A vulnerability was found in Media Browser Emby Server 4.7.13.0 
and cl ...)
+   TODO: check
+CVE-2023-4166 (A vulnerability has been found in Tongda OA and classified as 
critical ...)
+   TODO: check
+CVE-2023-4165 (A vulnerability, which was classified as critical, was found in 
Tongda ...)
+   TODO: check
 CVE-2023-39508 (Execution with Unnecessary Privileges, : Exposure of Sensitive 
Informa ...)
- airflow  (bug #819700)
 CVE-2023-39346 (LinuxASMCallGraph is software for drawing the call graph of 
the progra ...)
@@ -949,14 +967,16 @@ CVE-2023-38604 (An out-of-bounds write issue was 
addressed with improved input v
 CVE-2023-38601 (This issue was addressed by removing the vulnerable code. This 
issue i ...)
NOT-FOR-US: Apple
 CVE-2023-38599 (A logic issue was addressed with improved state management. 
This issue ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
-  [buster] - webkit2gtk  (webkit2gtk EOL in buster)
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38598 (A use-after-free issue was addressed with improved memory 
management.  ...)
NOT-FOR-US: Apple
 CVE-2023-38592 (A logic issue was addressed with improved restrictions. This 
issue is  ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
@@ -1072,6 +1092,7 @@ CVE-2023-3956 (The InstaWP Connect plugin for WordPress 
is vulnerable to unautho
 CVE-2023-3451
REJECTED
 CVE-2023-38611 (The issue was addressed with improved memory handling. This 
issue is f ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
@@ -1086,24 +1107,28 @@ CVE-2023-38603 (The issue was addressed with improved 
checks. This issue is fixe
 CVE-2023-38602 (A permissions issue was addressed with additional 
restrictions. This i ...)
NOT-FOR-US: Apple
 CVE-2023-38600 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38597 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38595 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38594 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
@@ -1114,6 +1139,7 @@ CVE-2023-38593 (A logic issue was addressed with improved 
checks. This issue is
 CVE-2023-38580 (The issue was addressed with improved memory handling. This 
issue is f ...)
NOT-FOR-US: Apple
 CVE-2023-38572 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
+   {DSA-5468-1}
- webkit2gtk 2.40.5-1
[buster] - webkit2gtk  (webkit2gtk EOL 

[Git][security-tracker-team/security-tracker][master] Mark new CVEs for webkit2gtk as end-of-line for buster

2023-08-05 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d4af5b20 by Anton Gladky at 2023-08-05T21:20:50+02:00
Mark new CVEs for webkit2gtk as end-of-line for buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -950,6 +950,7 @@ CVE-2023-38601 (This issue was addressed by removing the 
vulnerable code. This i
NOT-FOR-US: Apple
 CVE-2023-38599 (A logic issue was addressed with improved state management. 
This issue ...)
- webkit2gtk 2.40.5-1
+  [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
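Review bot: the added line `+  [buster] - webkit2gtk  (webkit2gtk EOL in buster)` is indented with two spaces, while the same line in every other hunk of this commit (CVE-2023-38592 onwards) uses three; the automatic update 02063b9a later has to re-indent it (`-  [buster]` / `+   [buster]`), so use three spaces here for consistency.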
@@ -957,6 +958,7 @@ CVE-2023-38598 (A use-after-free issue was addressed with 
improved memory manage
NOT-FOR-US: Apple
 CVE-2023-38592 (A logic issue was addressed with improved restrictions. This 
issue is  ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1071,6 +1073,7 @@ CVE-2023-3451
REJECTED
 CVE-2023-38611 (The issue was addressed with improved memory handling. This 
issue is f ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1084,21 +1087,25 @@ CVE-2023-38602 (A permissions issue was addressed with 
additional restrictions.
NOT-FOR-US: Apple
 CVE-2023-38600 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38597 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38595 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
 CVE-2023-38594 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1108,6 +1115,7 @@ CVE-2023-38580 (The issue was addressed with improved 
memory handling. This issu
NOT-FOR-US: Apple
 CVE-2023-38572 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
@@ -1136,6 +1144,7 @@ CVE-2023-38136 (The issue was addressed with improved 
memory handling. This issu
NOT-FOR-US: Apple
 CVE-2023-38133 (The issue was addressed with improved checks. This issue is 
fixed in i ...)
- webkit2gtk 2.40.5-1
+   [buster] - webkit2gtk  (webkit2gtk EOL in buster)
- wpewebkit 2.40.5-1
[bookworm] - wpewebkit  (wpewebkit not covered by security 
support in Bookworm)
NOTE: https://webkitgtk.org/security/WSA-2023-0007.html
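Review bot: the nine entries marked in this commit (CVE-2023-38599, -38592, -38611, -38600, -38597, -38595, -38594, -38572, -38133) are exactly the nine CVEs listed for DSA-5468-1 in data/DSA/list (commit 1a9cfa08), so the buster end-of-life marking covers the full advisory set; the commit message's "end-of-line" reads as a typo for end-of-life, matching the `EOL in buster` annotation in the hunks.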



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d4af5b202196a67e6599e5e8fbd6476c653b6409



[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5468-1

2023-08-05 Thread Alberto Garcia (@berto)


Alberto Garcia pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1a9cfa08 by Alberto Garcia at 2023-08-05T21:05:22+03:00
webkit2gtk DSA-5468-1

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[05 Aug 2023] DSA-5468-1 webkit2gtk - security update
+   {CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 
CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611}
+   [bullseye] - webkit2gtk 2.40.5-1~deb11u1
+   [bookworm] - webkit2gtk 2.40.5-1~deb12u1
 [04 Aug 2023] DSA-5467-1 chromium - security update
{CVE-2023-4068 CVE-2023-4069 CVE-2023-4070 CVE-2023-4071 CVE-2023-4072 
CVE-2023-4073 CVE-2023-4074 CVE-2023-4075 CVE-2023-4076 CVE-2023-4077 
CVE-2023-4078}
[bullseye] - chromium 115.0.5790.170-1~deb11u1


=
data/dsa-needed.txt
=
@@ -92,8 +92,6 @@ thunderbird (jmm)
 --
 tiff
 --
-webkit2gtk
---
 wpewebkit/oldstable
 --
 xrdp/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1a9cfa0854b64aff21560f9845b5bd92831abad5



[Git][security-tracker-team/security-tracker][master] Remove listing of CVE-2023-33460 from burp update

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
74a93347 by Salvatore Bonaccorso at 2023-08-05T17:22:01+02:00
Remove listing of CVE-2023-33460 from burp update

See 234607e8c5b3 (remove burp tracking for CVE-2023-33460, not a
security issue).

- - - - -


1 changed file:

- data/DLA/list


Changes:

=
data/DLA/list
=
@@ -1,5 +1,5 @@
 [05 Aug 2023] DLA-3516-1 burp - security update
-   {CVE-2017-16516 CVE-2022-24795 CVE-2023-33460}
+   {CVE-2017-16516 CVE-2022-24795}
[buster] - burp 2.1.32-2+deb10u1
 [04 Aug 2023] DLA-3515-1 cjose - security update
{CVE-2023-37464}
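Review bot: DLA-3516-1 now lists two CVEs where the reservation in 8534398f listed three; since CVE-2023-33460 was dropped as not a security issue (234607e8c5b3 per the commit message), make sure the DLA text mailed for burp 2.1.32-2+deb10u1 does not still cite it, otherwise the announcement and the tracker disagree.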



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74a9334735e725a83ef1d47b45524b9994b77a02



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3516-1 for burp

2023-08-05 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8534398f by Sean Whitton at 2023-08-05T16:16:22+01:00
Reserve DLA-3516-1 for burp

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[05 Aug 2023] DLA-3516-1 burp - security update
+   {CVE-2017-16516 CVE-2022-24795 CVE-2023-33460}
+   [buster] - burp 2.1.32-2+deb10u1
 [04 Aug 2023] DLA-3515-1 cjose - security update
{CVE-2023-37464}
[buster] - cjose 0.6.1+dfsg1-1+deb10u1
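Review bot: CVE-2023-33460 is reserved into DLA-3516-1 here but is removed again in 74a93347 as not a security issue; the CVE set for a reservation should be taken from the tracker's current burp entry at the time the DLA is drafted, so a check against data/CVE/list before reserving would have avoided the follow-up commit.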


=
data/dla-needed.txt
=
@@ -24,9 +24,6 @@ rather than remove/replace existing ones.
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
 --
-burp (Sean Whitton)
-  NOTE: 20230804: Added by Front-Desk (gladk)
---
 cairosvg (gladk)
   NOTE: 20230323: Added by Front-Desk (gladk)
   NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport 
the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8534398fbb0a09286d84ecd223b6eb42eade1918



[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2023-38497/{cargo,rust-cargo}

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e203445 by Salvatore Bonaccorso at 2023-08-05T14:46:45+02:00
Add additional reference for CVE-2023-38497/{cargo,rust-cargo}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -174,6 +174,7 @@ CVE-2023-38497 (Cargo downloads the Rust project\u2019s 
dependencies and compile
- rust-cargo 
NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2
NOTE: 
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
+   NOTE: 
https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
 CVE-2023-4147 [netfilter: nf_tables: disallow rule addition to bound chain via 
NFTA_RULE_CHAIN_ID]
- linux 
[buster] - linux  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e2034458627f010fd56f59c2bcd363c0231e2c8



[Git][security-tracker-team/security-tracker][master] Associate CVE-2023-38497 with cargo and rust-cargo

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
456ed89d by Salvatore Bonaccorso at 2023-08-05T14:45:28+02:00
Associate CVE-2023-38497 with cargo and rust-cargo

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -170,9 +170,10 @@ CVE-2023-36131 (PHPJabbers Availability Booking Calendar 
5.0 is vulnerable to In
 CVE-2023-33665 (ai-dev aitable before v0.2.2 was discovered to contain a SQL 
injection ...)
NOT-FOR-US: ai-dev aitable
 CVE-2023-38497 (Cargo downloads the Rust project\u2019s dependencies and 
compiles the  ...)
-   - rustc 
+   - cargo 
+   - rust-cargo 
NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2
-   TODO: check details
+   NOTE: 
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
 CVE-2023-4147 [netfilter: nf_tables: disallow rule addition to bound chain via 
NFTA_RULE_CHAIN_ID]
- linux 
[buster] - linux  (Vulnerable code not present)
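Review bot: neither `- cargo` nor `- rust-cargo` carries a fixed version and there is no per-suite annotation, so the entry is not yet actionable for bullseye or bookworm; the `TODO: check details` line is replaced with a reference rather than a triage result, so a follow-up recording the fixed upload (or a no-dsa decision with a reason) is still needed.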



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/456ed89d469bf8b483866b24d7a62b9156e1017d



[Git][security-tracker-team/security-tracker][master] LTS: claim burp in dla-needed.txt

2023-08-05 Thread Sean Whitton (@spwhitton)


Sean Whitton pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
83264a5c by Sean Whitton at 2023-08-05T10:58:13+01:00
LTS: claim burp in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -24,7 +24,7 @@ rather than remove/replace existing ones.
 amanda (Thorsten Alteholz)
   NOTE: 20230730: Added by Front-Desk (apo)
 --
-burp
+burp (Sean Whitton)
   NOTE: 20230804: Added by Front-Desk (gladk)
 --
 cairosvg (gladk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83264a5cafdd443cffee518d9c82bfe201072ba5



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f3813706 by Salvatore Bonaccorso at 2023-08-05T11:51:42+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2023-39508 (Execution with Unnecessary Privileges, : Exposure of Sensitive 
Informa ...)
- airflow  (bug #819700)
 CVE-2023-39346 (LinuxASMCallGraph is software for drawing the call graph of 
the progra ...)
-   TODO: check
+   NOT-FOR-US: LinuxASMCallGraph
 CVE-2023-38943 (ShuiZe_0x727 v1.0 was discovered to contain a remote command 
execution ...)
-   TODO: check
+   NOT-FOR-US: ShuiZe_0x727
 CVE-2023-36095 (An issue in Harrison Chase langchain v.0.0.194 allows an 
attacker to e ...)
-   TODO: check
+   NOT-FOR-US: Harrison Chase langchain
 CVE-2023-33367 (A SQL injection vulnerability exists in Control ID IDSecure 
4.7.26.0 a ...)
-   TODO: check
+   NOT-FOR-US: Control ID IDSecure
 CVE-2023-4159 (Unrestricted Upload of File with Dangerous Type in GitHub 
repository o ...)
NOT-FOR-US: omeka-s
 CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository 
omeka/omeka-s ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f38137069d60753b51dfde2fdf8332e0a5118651



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39508/airflow

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ebf3acd6 by Salvatore Bonaccorso at 2023-08-05T11:47:56+02:00
Add CVE-2023-39508/airflow

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2023-39508 (Execution with Unnecessary Privileges, : Exposure of Sensitive 
Informa ...)
-   TODO: check
+   - airflow  (bug #819700)
 CVE-2023-39346 (LinuxASMCallGraph is software for drawing the call graph of 
the progra ...)
TODO: check
 CVE-2023-38943 (ShuiZe_0x727 v1.0 was discovered to contain a remote command 
execution ...)
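Review bot: the package line `+   - airflow  (bug #819700)` shows a two-space gap between the package name and the bug reference, where the tracker syntax carries an angle-bracket state tag; the tag is missing as rendered, so the line cannot be validated from this view. Bug #819700 is also a 2016-era bug number, far older than CVE-2023-39508, which fits an ITP bug for a not-yet-packaged source rather than a bug about this issue, and the state tag should reflect that.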



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ebf3acd6019c0b809a21f26dd49718228d72dd8a



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81bbc9bc by security tracker role at 2023-08-05T08:12:15+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,13 @@
+CVE-2023-39508 (Execution with Unnecessary Privileges, : Exposure of Sensitive 
Informa ...)
+   TODO: check
+CVE-2023-39346 (LinuxASMCallGraph is software for drawing the call graph of 
the progra ...)
+   TODO: check
+CVE-2023-38943 (ShuiZe_0x727 v1.0 was discovered to contain a remote command 
execution ...)
+   TODO: check
+CVE-2023-36095 (An issue in Harrison Chase langchain v.0.0.194 allows an 
attacker to e ...)
+   TODO: check
+CVE-2023-33367 (A SQL injection vulnerability exists in Control ID IDSecure 
4.7.26.0 a ...)
+   TODO: check
 CVE-2023-4159 (Unrestricted Upload of File with Dangerous Type in GitHub 
repository o ...)
NOT-FOR-US: omeka-s
 CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository 
omeka/omeka-s ...)
@@ -20519,7 +20529,7 @@ CVE-2023-28096 (OpenSIPS, a Session Initiation Protocol 
(SIP) server implementat
NOT-FOR-US: OpenSIPS
 CVE-2023-28095 (OpenSIPS is a Session Initiation Protocol (SIP) server 
implementation. ...)
NOT-FOR-US: OpenSIPS
-CVE-2023-28094 (Pega platform clients who are using versions 6.1 through 8.8.3 
and hav ...)
+CVE-2023-28094 (Pega platform clients who are using versions 7.4 through 8.8.x 
and hav ...)
NOT-FOR-US: Pega
 CVE-2023-28093 (A user with a compromised configuration can start an unsigned 
binary a ...)
NOT-FOR-US: Pegasystems
@@ -43899,8 +43909,8 @@ CVE-2022-46784 (SquaredUp Dashboard Server SCOM edition 
before 5.7.1 GA allows o
NOT-FOR-US: SquaredUp Dashboard Server
 CVE-2022-46783
RESERVED
-CVE-2022-46782
-   RESERVED
+CVE-2022-46782 (An issue was discovered in Stormshield SSL VPN Client before 
3.2.0. A  ...)
+   TODO: check
 CVE-2022-46781 (An issue was discovered in the Arm Mali GPU Kernel Driver. A 
non-privi ...)
NOT-FOR-US: Arm Mali GPU Kernel Driver
 CVE-2022-46780
@@ -207368,8 +207378,8 @@ CVE-2020-26084 (A vulnerability in the REST API of 
Cisco Edge Fog Fabric could a
NOT-FOR-US: Cisco
 CVE-2020-26083 (A vulnerability in the web-based management interface of Cisco 
Identit ...)
NOT-FOR-US: Cisco
-CVE-2020-26082
-   RESERVED
+CVE-2020-26082 (A vulnerability in the zip decompression engine of Cisco 
AsyncOS Softw ...)
+   TODO: check
 CVE-2020-26081 (Multiple vulnerabilities in the web UI of Cisco IoT Field 
Network Dire ...)
NOT-FOR-US: Cisco
 CVE-2020-26080 (A vulnerability in the user management functionality of Cisco 
IoT Fiel ...)
@@ -207402,10 +207412,10 @@ CVE-2020-26067
RESERVED
 CVE-2020-26066
RESERVED
-CVE-2020-26065
-   RESERVED
-CVE-2020-26064
-   RESERVED
+CVE-2020-26065 (A vulnerability in the web-based management interface of Cisco 
SD-WAN  ...)
+   TODO: check
+CVE-2020-26064 (A vulnerability in the web UI of Cisco SD-WAN vManage Software 
could a ...)
+   TODO: check
 CVE-2020-26063
RESERVED
 CVE-2020-26062
@@ -213385,8 +213395,8 @@ CVE-2020-23566 (Irfanview v4.53 was discovered to 
contain an infinity loop via J
NOT-FOR-US: IrfanView
 CVE-2020-23565 (Irfanview v4.53 allows attackers to execute arbitrary code via 
a craft ...)
NOT-FOR-US: IrfanView
-CVE-2020-23564
-   RESERVED
+CVE-2020-23564 (File Upload vulnerability in SEMCMS 3.9 allows remote 
attackers to run ...)
+   TODO: check
 CVE-2020-23563 (IrfanView 4.54 allows a user-mode write access violation 
starting at F ...)
NOT-FOR-US: IrfanView
 CVE-2020-23562 (IrfanView 4.54 allows a user-mode write access violation 
starting at F ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81bbc9bc6d380973bd14526eafef12858d61



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4156/gawk

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
558eb2f9 by Salvatore Bonaccorso at 2023-08-05T09:27:58+02:00
Add CVE-2023-4156/gawk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,6 +4,11 @@ CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub 
repository omeka/om
NOT-FOR-US: omeka-s
 CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s 
prior to  ...)
NOT-FOR-US: omeka-s
+CVE-2023-4156 [heap out of bound read in builtin.c]
+   - gawk 1:5.2.1-1
+   [bullseye] - gawk  (Minor issue)
+   NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg0.html
+   NOTE: https://mail.gnu.org/archive/html/bug-gawk/2022-08/msg00023.html
 CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual 
nvme de ...)
- qemu 
[bookworm] - qemu  (Vulnerable code not present)
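Review bot: the first NOTE URL ends in `msg0.html`, which does not follow the five-digit message numbering the same archive uses on the next line (`msg00023.html`); verify the link resolves or correct the message number before relying on it as the upstream reference for the heap out-of-bounds read.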



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/558eb2f95c1f77c1975557bab3a3c766ec7d1fa0



[Git][security-tracker-team/security-tracker][master] Re-associate some older NFUs to now packaged matrix-sydent

2023-08-05 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b29b5232 by Salvatore Bonaccorso at 2023-08-05T08:03:28+02:00
Re-associate some older NFUs to now packaged matrix-sydent

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -167209,13 +167209,17 @@ CVE-2021-29435 (trestle-auth is an authentication 
plugin for the Trestle admin f
 CVE-2021-29434 (Wagtail is a Django content management system. In affected 
versions of ...)
NOT-FOR-US: wagtail
 CVE-2021-29433 (Sydent is a reference Matrix identity server. In Sydent 
versions 2.2.0 ...)
-   NOT-FOR-US: Matrix Sydent
+   - matrix-sydent  (Fixed before initial upload to Debian)
+   NOTE: 
https://github.com/matrix-org/sydent/security/advisories/GHSA-pw4v-gr34-2553
 CVE-2021-29432 (Sydent is a reference matrix identity server. A malicious user 
could a ...)
-   NOT-FOR-US: Matrix Sydent
+   - matrix-sydent  (Fixed before initial upload to Debian)
+   NOTE: 
https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx
 CVE-2021-29431 (Sydent is a reference Matrix identity server. Sydent can be 
induced to ...)
-   NOT-FOR-US: Matrix Sydent
+   - matrix-sydent  (Fixed before initial upload to Debian)
+   NOTE: 
https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4
 CVE-2021-29430 (Sydent is a reference Matrix identity server. Sydent does not 
limit th ...)
-   NOT-FOR-US: Matrix Sydent
+   - matrix-sydent  (Fixed before initial upload to Debian)
+   NOTE: 
https://github.com/matrix-org/sydent/security/advisories/GHSA-wmg4-8cp2-hpg9
 CVE-2021-29429 (In Gradle before version 7.0, files created with open 
permissions in t ...)
- gradle  (bug #987284)
[bookworm] - gradle  (Minor issue)
@@ -297953,7 +297957,7 @@ CVE-2019-11342
 CVE-2019-11341 (On certain Samsung P(9.0) phones, an attacker with physical 
access can ...)
NOT-FOR-US: Samsung
 CVE-2019-11340 (util/emailutils.py in Matrix Sydent before 1.0.2 mishandles 
registrati ...)
-   NOT-FOR-US: Matrix Sydent
+   - matrix-sydent  (Fixed before initial upload to Debian)
 CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in 
FFmpeg 4.0 ...)
- ffmpeg 7:4.1.3-1
[stretch] - ffmpeg  (Vulnerable code not present)
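Review bot: unlike the four 2021 Sydent entries in the previous hunk, which each gain a GHSA NOTE, CVE-2019-11340 is re-associated to matrix-sydent with no reference for the fix; the description gives Sydent 1.0.2 as the fixed version, so a NOTE pointing at the upstream fix would make the `Fixed before initial upload to Debian` claim verifiable.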



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29b52322e61d3cc3c0eb908ddf717f41cebe39b
