[Git][security-tracker-team/security-tracker][master] Take libreoffice in dla-needed.txt

2023-08-06 Thread Santiago R.R. (@santiago)


Santiago R.R. pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
52f1eb24 by Santiago Ruano Rincón at 2023-08-06T19:53:54-03:00
Take libreoffice in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -83,7 +83,7 @@ libhtmlcleaner-java (Markus Koschany)
   NOTE: 20230806: 
https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510
   NOTE: 20230806: Please, check the upper link, whether the patch can be got 
(gladk)
 --
-libreoffice
+libreoffice (santiago)
   NOTE: 20230530: Added by Front-Desk (pochu)
   NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith)
   NOTE: 20230718: CVE-2023-2255.diff fails to build. (abhijith)
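Review bot: the claim line records only the claimant, while the entry's last dated NOTE (20230718) still says CVE-2023-2255.diff fails to build; add a `NOTE: 20230806:` line stating the current state (for instance whether the staged upload at people.debian.org/~abhijith/upload/lo is being picked up) so the next front-desk pass can see where the package stands.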



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52f1eb249789c2a133c792bf2abd8ae3773e419a



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] 2 commits: Claim hdf5 and libhtmlcleaner-java in dla-needed.txt

2023-08-06 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31e15e03 by Markus Koschany at 2023-08-07T00:22:52+02:00
Claim hdf5 and libhtmlcleaner-java in dla-needed.txt

- - - - -
e06f3d17 by Markus Koschany at 2023-08-07T00:25:15+02:00
Triage remaining CVE for openimageio as no-dsa

Minor issues

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -31202,6 +31202,7 @@ CVE-2023-24473 (An information disclosure vulnerability 
exists in the TGAInput::
- openimageio  (bug #1034150)
[bookworm] - openimageio  (Minor issue)
[bullseye] - openimageio  (Minor issue)
+   [buster] - openimageio  (Minor issue)
NOTE: https://github.com/OpenImageIO/oiio/pull/3768
NOTE: 
https://github.com/OpenImageIO/oiio/commit/759fcd392d130c12ae476857e1ed2a91bcf2686b
 (master)
NOTE: 
https://github.com/OpenImageIO/oiio/commit/209bb4c327b2a8be08f41c1a213dfe9001f0b5d0
 (v2.4.8.1)
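Review bot: the commit message says "remaining CVE" (singular), but the commit tags two CVEs as Minor issue for buster, CVE-2023-24473 here and CVE-2023-22845 in the next hunk; adjust the message, and since both are left out of the openimageio DLA reserved in e7424d3b (which lists CVE-2023-24472 but neither of these), a short reason in the message or a NOTE line would make the no-dsa decision easier to follow later.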
@@ -31219,6 +31220,7 @@ CVE-2023-22845 (An out-of-bounds read vulnerability 
exists in the TGAInput::deco
- openimageio  (bug #1034150)
[bookworm] - openimageio  (Minor issue)
[bullseye] - openimageio  (Minor issue)
+   [buster] - openimageio  (Minor issue)
NOTE: https://github.com/OpenImageIO/oiio/pull/3768
NOTE: 
https://github.com/OpenImageIO/oiio/commit/759fcd392d130c12ae476857e1ed2a91bcf2686b
 (master)
NOTE: 
https://github.com/OpenImageIO/oiio/commit/209bb4c327b2a8be08f41c1a213dfe9001f0b5d0
 (v2.4.8.1)


=
data/dla-needed.txt
=
@@ -62,7 +62,7 @@ glib2.0 (santiago)
   NOTE: 20230710: WIP (santiago)
   NOTE: 20230724: buster should be ready. need if it's possible to run same 
reporter's fuzz test
 --
-hdf5
+hdf5 (Markus Koschany)
   NOTE: 20230318: Added by Front-Desk (utkarsh)
   NOTE: 20230318: Consider fixing all the no-dsa and postponed issues as well. 
(utkarsh)
   NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, 
probably
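Review bot: the hdf5 claim adds no dated NOTE, and the existing 20230318 notes ask to "consider fixing all the no-dsa and postponed issues as well"; record in a `NOTE: 20230807:` line whether this claim covers only the open CVEs or also the postponed ones, because that decides the scope of the DLA.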
@@ -78,7 +78,7 @@ imagemagick
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
-libhtmlcleaner-java
+libhtmlcleaner-java (Markus Koschany)
   NOTE: 20230806: Added by Front-Desk (gladk)
   NOTE: 20230806: 
https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510
   NOTE: 20230806: Please, check the upper link, whether the patch can be got 
(gladk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/e7424d3b91318bf9ee796f6be175c61e93684d5e...e06f3d1715ca8c01dabd773a7ec93c8e77b81d6a



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3518-1 for openimageio

2023-08-06 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e7424d3b by Markus Koschany at 2023-08-07T00:16:21+02:00
Reserve DLA-3518-1 for openimageio

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[07 Aug 2023] DLA-3518-1 openimageio - security update
+   {CVE-2022-41649 CVE-2022-41684 CVE-2022-41794 CVE-2022-41837 
CVE-2023-24472 CVE-2023-36183}
+   [buster] - openimageio 2.0.5~dfsg0-1+deb10u2
 [06 Aug 2023] DLA-3517-1 pdfcrack - security update
{CVE-2020-22336}
[buster] - pdfcrack 0.16-3+deb10u1
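Review bot: the six CVEs in the `{...}` block are listed here, but the matching `{DLA-3518-1}` cross-references in data/CVE/list are not part of this commit; the automatic update is expected to add them (as fcf9282e did for DLA-3517-1 on CVE-2020-22336), so verify that in the next automatic commit, and confirm that CVE-2023-24473 and CVE-2023-22845, which the companion commit e06f3d17 marks Minor issue for buster, are deliberately excluded from this advisory.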


=
data/dla-needed.txt
=
@@ -116,10 +116,6 @@ nvidia-cuda-toolkit
 open-vm-tools (Abhijith PA)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
-openimageio (Markus Koschany)
-  NOTE: 20230406: Re-added due to regressions (apo)
-  NOTE: 20230612: Backporting is mostly done, but still some failures. (gladk)
---
 openjdk-11 (Emilio)
   NOTE: 20230419: Added by Front-Desk (ola)
   NOTE: 20230522: waiting for sid update (pochu)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7424d3b91318bf9ee796f6be175c61e93684d5e



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2023-08-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
16f66a18 by Moritz Muehlenhoff at 2023-08-06T23:51:57+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -243,7 +243,11 @@ CVE-2023-33665 (ai-dev aitable before v0.2.2 was 
discovered to contain a SQL inj
NOT-FOR-US: ai-dev aitable
 CVE-2023-38497 (Cargo downloads the Rust project\u2019s dependencies and 
compiles the  ...)
- cargo 
+   [bookworm] - cargo  (Minor issue)
+   [bullseye] - cargo  (Minor issue)
- rust-cargo 
+   [bookworm] - rust-cargo  (Minor issue)
+   [bullseye] - rust-cargo  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2
NOTE: 
https://github.com/rust-lang/wg-security-response/tree/main/patches/CVE-2023-38497
NOTE: 
https://github.com/rust-lang/cargo/security/advisories/GHSA-j3xp-wfr4-hx87
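Review bot: both the cargo and rust-cargo lines are left with an empty fixed-version field and no Debian bug reference while bookworm and bullseye get "(Minor issue)"; the other commits in this batch add "(bug #...)" references, so a bug should be filed or referenced here too, otherwise nothing tracks the unstable fix for CVE-2023-38497.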
@@ -527,7 +531,7 @@ CVE-2023-33383 (Shelly 4PM Pro four-channel smart switch 
0.11.0 allows an attack
 CVE-2023-33257 (Verint Engagement Management 15.3 Update 2023R2 is vulnerable 
to HTML  ...)
NOT-FOR-US: Verint Engagement Management
 CVE-2023-4016 (Under some circumstances, this weakness allows a user who has 
access t ...)
-   - procps  (bug #1042887)
+   - procps  (bug #1042887)
NOTE: https://gitlab.com/procps-ng/procps/-/issues/297
 CVE-2023-3739 (Insufficient validation of untrusted input in Chromad in Google 
Chrome ...)
{DSA-5456-1}
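Review bot: the removed and added procps lines are visibly identical, so this is a whitespace-only change (most likely trailing whitespace); harmless, but it should be mentioned in the commit message or split out, because inside a "bullseye/bookworm triage" commit it reads as a no-op.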
@@ -1553,6 +1557,7 @@ CVE-2023-3248 (The All-in-one Floating Contact Form 
WordPress plugin before 2.1.
NOT-FOR-US: WordPress plugin
 CVE-2023-38060 (Improper Input Validation vulnerability in the ContentType 
parameter f ...)
- znuny 6.5.3-1
+   NOTE: 
https://github.com/znuny/Znuny/commit/355800e68c1560c1d098ec0953ee9940d2d1f836
 CVE-2023-38058 (An improper privilege check in the OTRS ticket move action in 
the agen ...)
NOT-FOR-US: OTRS
NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which 
forked from 6.x
@@ -1949,6 +1954,8 @@ CVE-2023-37733 (An arbitrary file upload vulnerability in 
tduck-platform v4.0 al
NOT-FOR-US: Grav CMStduck-platform
 CVE-2023-37276 (aiohttp is an asynchronous HTTP client/server framework for 
asyncio an ...)
- python-aiohttp 
+   [bookworm] - python-aiohttp  (Minor issue)
+   [bullseye] - python-aiohttp  (Minor issue)
NOTE: 
https://github.com/aio-libs/aiohttp/security/advisories/GHSA-45c4-8wx5-qw6w
NOTE: 
https://github.com/aio-libs/aiohttp/commit/9337fb3f2ab2b5f38d7e98a194bde6f7e3d16c40
NOTE: https://hackerone.com/reports/2001873
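Review bot: the context line `NOT-FOR-US: Grav CMStduck-platform` under CVE-2023-37733 looks like two product names run together ("Grav CMS" and "tduck-platform"); it is untouched by this hunk, but since the CVE description names tduck-platform, it deserves a follow-up fix.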



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16f66a182d0737180f801c002ac8fda900a19a6d



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add gawk

2023-08-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9c15ff2 by Anton Gladky at 2023-08-06T22:34:53+02:00
LTS: add gawk

- - - - -
1da15071 by Anton Gladky at 2023-08-06T22:37:52+02:00
LTS: add libhtmlcleaner-java

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -49,6 +49,11 @@ dogecoin
 firefox-esr (Emilio)
   NOTE: 20230802: Added by pochu
 --
+gawk
+  NOTE: 20230806: Added by Front-Desk (gladk)
+  NOTE: 20230806: Please, check, whether CVE is applicable for buster
+  NOTE: 20230806: poc are available in the mailing list (gladk)
+--
 ghostscript (Adrian Bunk)
   NOTE: 20230803: Added by Front-Desk (gladk)
 --
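Review bot: the gawk notes say "check, whether CVE is applicable for buster" and "poc are available in the mailing list" without naming the CVE ID or linking the list post; add the CVE number and the archive URL to the NOTE lines so whoever claims the package does not have to rediscover them.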
@@ -73,6 +78,11 @@ imagemagick
   NOTE: 20230622: Added by Front-Desk (Beuc)
   NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs 
(Beuc/front-desk)
 --
+libhtmlcleaner-java
+  NOTE: 20230806: Added by Front-Desk (gladk)
+  NOTE: 20230806: 
https://github.com/amplafi/htmlcleaner/issues/13#issuecomment-1597626510
+  NOTE: 20230806: Please, check the upper link, whether the patch can be got 
(gladk)
+--
 libreoffice
   NOTE: 20230530: Added by Front-Desk (pochu)
   NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith)
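Review bot: "Please, check the upper link, whether the patch can be got" reads awkwardly; suggest "check the link above for whether a patch can be obtained", and state whether the linked comment on amplafi/htmlcleaner issue #13 contains an actual fix commit, since that decides whether an LTS backport is feasible.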



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fcf9282efdb89459070b0d18c2db15bc5264d3ef...1da15071a3d33dd9831419435ba35e6a1a49e6f7



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fcf9282e by security tracker role at 2023-08-06T20:12:17+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,19 @@
+CVE-2023-4196 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
+   TODO: check
+CVE-2023-4195 (PHP Remote File Inclusion in GitHub repository 
cockpit-hq/cockpit prio ...)
+   TODO: check
+CVE-2023-4186 (A vulnerability was found in SourceCodester Pharmacy Management 
System ...)
+   TODO: check
+CVE-2023-4185 (A vulnerability was found in SourceCodester Online Hospital 
Management ...)
+   TODO: check
+CVE-2023-4184 (A vulnerability was found in SourceCodester Inventory 
Management Syste ...)
+   TODO: check
+CVE-2023-4183 (A vulnerability has been found in SourceCodester Inventory 
Management  ...)
+   TODO: check
+CVE-2023-4182 (A vulnerability, which was classified as critical, was found in 
Source ...)
+   TODO: check
+CVE-2023-4181 (A vulnerability, which was classified as critical, has been 
found in S ...)
+   TODO: check
 CVE-2023-4190 (Insufficient Session Expiration in GitHub repository 
admidio/admidio p ...)
NOT-FOR-US: admidio
 CVE-2023-4180 (A vulnerability classified as critical was found in 
SourceCodester Fre ...)
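Review bot: eight new `TODO: check` entries need a triage pass; the SourceCodester ones (CVE-2023-4183 through CVE-2023-4186, and probably CVE-2023-4181 and CVE-2023-4182, whose descriptions are truncated at "Source") follow the pattern b5227678 already resolved as NOT-FOR-US earlier in the day, while the two cockpit-hq/cockpit entries (CVE-2023-4195, CVE-2023-4196) need a real check against the archive.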
@@ -28083,7 +28099,7 @@ CVE-2023-25579 (Nextcloud server is a self hosted home 
cloud product. In affecte
 CVE-2023-25578 (Starlite is an Asynchronous Server Gateway Interface (ASGI) 
framework. ...)
NOT-FOR-US: Starlite
 CVE-2023-25577 (Werkzeug is a comprehensive WSGI web application library. 
Prior to ver ...)
-   {DLA-3346-1}
+   {DSA-5470-1 DLA-3346-1}
- python-werkzeug 2.2.2-3 (bug #1031370)
NOTE: 
https://github.com/pallets/werkzeug/commit/fe899d0cdf767a7289a8bf746b7f72c2907a1b4b
 (2.2.3)
NOTE: 
https://github.com/pallets/werkzeug/commit/09449ee77934a0c883f5959785864ecae6aaa2c9
 (2.2.3)
@@ -32817,7 +32833,7 @@ CVE-2023-23936 (Undici is an HTTP/1.1 client for 
Node.js. Starting with version
 CVE-2023-23935 (Discourse is an open-source messaging platform. In versions 
3.0.1 and  ...)
NOT-FOR-US: Discourse
 CVE-2023-23934 (Werkzeug is a comprehensive WSGI web application library. 
Browsers may ...)
-   {DLA-3346-1}
+   {DSA-5470-1 DLA-3346-1}
- python-werkzeug 2.2.2-3 (bug #1031370)
NOTE: 
https://github.com/pallets/werkzeug/commit/8c2b4b82d0cade0d37e6a88e2cd2413878e8ebd4
 (2.2.3)
NOTE: 
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
@@ -216072,6 +216088,7 @@ CVE-2020-22338
 CVE-2020-22337
RESERVED
 CVE-2020-22336 (An issue was discovered in pdfcrack 0.17 thru 0.18, allows 
attackers t ...)
+   {DLA-3517-1}
- pdfcrack 0.19-1
NOTE: https://sourceforge.net/p/pdfcrack/bugs/12/
 CVE-2020-22335
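Review bot: the `{DLA-3517-1}` reference on CVE-2020-22336 matches the DLA/list entry reserved in 0db57fd3; the same automatic mechanism still has to add `{DLA-3518-1}` to the six openimageio CVEs reserved in e7424d3b, so check the next automatic update for that.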



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fcf9282efdb89459070b0d18c2db15bc5264d3ef



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-38686/matrix-sydent

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b4c7afd5 by Salvatore Bonaccorso at 2023-08-06T21:37:57+02:00
Add Debian bug reference for CVE-2023-38686/matrix-sydent

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -127,7 +127,7 @@ CVE-2023-38689 (Logistics Pipes is a modification (a.k.a. 
mod) for the computer
 CVE-2023-38688 (twitch-tui provides Twitch chat in a terminal. Prior to 
version 2.4.1, ...)
TODO: check
 CVE-2023-38686 (Sydent is an identity server for the Matrix communications 
protocol. P ...)
-   - matrix-sydent 
+   - matrix-sydent  (bug #1043162)
NOTE: https://github.com/matrix-org/sydent/pull/574
NOTE: 
https://github.com/matrix-org/sydent/commit/1cd748307c6b168b66154e6c4db715d4b9551261
 (v2.5.6)
NOTE: 
https://github.com/matrix-org/sydent/security/advisories/GHSA-p6hw-wm59-3g5g
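Review bot: the bug reference is added, but the fixed-version field after matrix-sydent is still empty; the NOTE already points at upstream v2.5.6, so once the Debian upload lands the entry should record the unstable version, as a28b3f92 does for tmate-ssh-server.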



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4c7afd5479c51575b430513a397bc4f70bf07eb



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-3978/golang-golang-x-net

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cdf25024 by Salvatore Bonaccorso at 2023-08-06T21:37:08+02:00
Add Debian bug reference for CVE-2023-3978/golang-golang-x-net

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -480,7 +480,7 @@ CVE-2023-4068 (Type Confusion in V8 in Google Chrome prior 
to 115.0.5790.170 all
 CVE-2023-4067 (The Bus Ticket Booking with Seat Reservation plugin for 
WordPress is v ...)
NOT-FOR-US: Bus Ticket Booking with Seat Reservation plugin for 
WordPress
 CVE-2023-3978 (Text nodes not in the HTML namespace are incorrectly literally 
rendere ...)
-   - golang-golang-x-net 
+   - golang-golang-x-net  (bug #1043163)
- golang-golang-x-net-dev 
NOTE: https://go.dev/cl/514896
NOTE: https://go.dev/issue/61615
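Review bot: bug #1043163 is attached to golang-golang-x-net only, while the golang-golang-x-net-dev line directly below stays blank; either add the same bug reference there, if the bug covers both source packages, or mark it explicitly so it does not look like an oversight.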



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdf2502403523ccf389353816ce0b936b907593e



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-2940{7,8}/golang-golang-x-image

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce98abaf by Salvatore Bonaccorso at 2023-08-06T21:31:19+02:00
Add Debian bug reference for CVE-2023-2940{7,8}/golang-golang-x-image

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15846,12 +15846,12 @@ CVE-2023-29409 (Extremely large RSA keys in 
certificate chains can cause a clien
[buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
 CVE-2023-29408 (The TIFF decoder does not place a limit on the size of 
compressed tile ...)
-   - golang-golang-x-image 
+   - golang-golang-x-image  (bug #1043159)
NOTE: https://go.dev/issue/61582
NOTE: https://go.dev/cl/514897
NOTE: 
https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d 
(v0.10.0)
 CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU 
consumption in dec ...)
-   - golang-golang-x-image 
+   - golang-golang-x-image  (bug #1043159)
NOTE: https://go.dev/issue/61581
NOTE: https://go.dev/cl/514897
NOTE: 
https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d 
(v0.10.0)
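Review bot: one bug (#1043159) for both CVEs is consistent, since both entries point at the same upstream commit cb227cd2 (v0.10.0); the remaining gap is the empty fixed-version field on both golang-golang-x-image lines, to be filled once the unstable upload happens.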



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce98abaf0b31e45ff45e1a3707a1ccb9d10f4b3e



[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for tmate-ssh-server issues

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a28b3f92 by Salvatore Bonaccorso at 2023-08-06T21:21:58+02:00
Track fixed version via unstable for tmate-ssh-server issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -124335,13 +124335,13 @@ CVE-2021-44515 (Zoho ManageEngine Desktop Central 
is vulnerable to authenticatio
 CVE-2021-44514 (OpUtils in Zoho ManageEngine OpManager 12.5 before 125490 
mishandles a ...)
NOT-FOR-US: ManageEngine
 CVE-2021-44513 (Insecure creation of temporary directories in tmate-ssh-server 
2.3.0 a ...)
-   - tmate-ssh-server  (bug #1001225)
+   - tmate-ssh-server 2.3.0-68-gd7334ee4-1 (bug #1001225)
[bullseye] - tmate-ssh-server  (Minor issue)
NOTE: Fixed by: 
https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2
NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1189388
 CVE-2021-44512 (World-writable permissions on the /tmp/tmate/sessions 
directory in tma ...)
-   - tmate-ssh-server  (bug #1001225)
+   - tmate-ssh-server 2.3.0-68-gd7334ee4-1 (bug #1001225)
[bullseye] - tmate-ssh-server  (Minor issue)
NOTE: Fixed by: 
https://github.com/tmate-io/tmate-ssh-server/commit/1c020d1f5ca462f5b150b46a027aaa1bbe3c9596
NOTE: https://www.openwall.com/lists/oss-security/2021/12/06/2
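Review bot: the fixed version 2.3.0-68-gd7334ee4-1 uses a git-describe style upstream version; verify with `dpkg --compare-versions` that it sorts above the previously packaged revision, otherwise the tracker will not mark unstable as fixed, and note that the bullseye lines keep "(Minor issue)", i.e. remain no-dsa.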



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a28b3f926060a3aa0cf9b3c3637a6195717f5082



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for python-werkzeug update

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a3b35de by Salvatore Bonaccorso at 2023-08-06T14:34:00+02:00
Reserve DSA number for python-werkzeug update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[06 Aug 2023] DSA-5470-1 python-werkzeug - security update
+   {CVE-2023-23934 CVE-2023-25577}
+   [bullseye] - python-werkzeug 1.0.1+dfsg1-2+deb11u1
 [05 Aug 2023] DSA-5469-1 thunderbird - security update
{CVE-2023-4045 CVE-2023-4046 CVE-2023-4047 CVE-2023-4048 CVE-2023-4049 
CVE-2023-4050 CVE-2023-4055 CVE-2023-4056}
[bullseye] - thunderbird 1:102.14.0-1~deb11u1
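Review bot: DSA-5470-1 carries a bullseye line only; the data/CVE/list entries for CVE-2023-23934 and CVE-2023-25577 record python-werkzeug 2.2.2-3 as the fix via unstable and carry no bookworm tag, so no bookworm line is needed here, but the advisory text should say so to pre-empt questions.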


=
data/dsa-needed.txt
=
@@ -59,8 +59,6 @@ python-glance-store/oldstable
 --
 python-os-brick/oldstable
 --
-python-werkzeug/oldstable (carnil)
---
 ring
   might make sense to rebase to current version
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a3b35de372c5554edb6d92db0ca0590d268f04f



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b5227678 by Salvatore Bonaccorso at 2023-08-06T14:06:07+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,41 +1,41 @@
 CVE-2023-4190 (Insufficient Session Expiration in GitHub repository 
admidio/admidio p ...)
-   TODO: check
+   NOT-FOR-US: admidio
 CVE-2023-4180 (A vulnerability classified as critical was found in 
SourceCodester Fre ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Free Hospital Management System for Small 
Practices
 CVE-2023-4179 (A vulnerability classified as critical has been found in 
SourceCodeste ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Free Hospital Management System for Small 
Practices
 CVE-2023-4177 (A vulnerability was found in EmpowerID up to 7.205.0.0. It has 
been ra ...)
-   TODO: check
+   NOT-FOR-US: EmpowerID
 CVE-2023-4176 (A vulnerability was found in SourceCodester Hospital Management 
System ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Hospital Management System
 CVE-2023-4175 (A vulnerability was found in mooSocial mooTravel 3.1.8 and 
classified  ...)
-   TODO: check
+   NOT-FOR-US: mooSocial mooTravel
 CVE-2023-4174 (A vulnerability has been found in mooSocial mooStore 3.1.6 and 
classif ...)
-   TODO: check
+   NOT-FOR-US: mooSocial mooStore
 CVE-2023-4173 (A vulnerability, which was classified as problematic, was found 
in moo ...)
-   TODO: check
+   NOT-FOR-US: mooSocial mooStore
 CVE-2023-4172 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: Chengdu Flash Flood Disaster Monitoring and Warning System
 CVE-2023-4171 (A vulnerability classified as problematic was found in Chengdu 
Flash F ...)
-   TODO: check
+   NOT-FOR-US: Chengdu Flash Flood Disaster Monitoring and Warning System
 CVE-2023-37874 (Auth. (admin+) Stored Cross-Site Scripting (XSS) 
vulnerabilityin Dimit ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-37873 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
WooComme ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-37581 (Insufficient input validation and sanitation in Weblog 
Category name,  ...)
-   TODO: check
+   NOT-FOR-US: Apache Roller
 CVE-2023-36689 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
WPFactor ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-36686 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
CartFlow ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-36678 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in WP-b ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-34377 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Jose ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-34010 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability 
insubmodule ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-32600 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4189 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
instantsof ...)
TODO: check
 CVE-2023-4188 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1-g ...)
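Review bot: the NOT-FOR-US products for CVE-2023-4172 and CVE-2023-4173 cannot be derived from the truncated context descriptions ("found i ..." and "in moo ..."), so they presumably come from the full CVE text and are worth a second look; the typos "vulnerabilityin" and "insubmodule" in the context lines are upstream CVE text, not tracker data, and need no fix here.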



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b52276784a7e46af27ed8041e8e121755acb278f



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3517-1 for pdfcrack

2023-08-06 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0db57fd3 by Adrian Bunk at 2023-08-06T14:42:04+03:00
Reserve DLA-3517-1 for pdfcrack

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Aug 2023] DLA-3517-1 pdfcrack - security update
+   {CVE-2020-22336}
+   [buster] - pdfcrack 0.16-3+deb10u1
 [05 Aug 2023] DLA-3516-1 burp - security update
{CVE-2017-16516 CVE-2022-24795}
[buster] - burp 2.1.32-2+deb10u1
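Review bot: the dla-needed entry is removed in the same commit, but the `{DLA-3517-1}` cross-reference on CVE-2020-22336 in data/CVE/list is not; the later automatic update fcf9282e adds it, which is fine as long as nothing relies on the reference in between.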


=
data/dla-needed.txt
=
@@ -121,9 +121,6 @@ openjdk-11 (Emilio)
 openssl (gladk)
   NOTE: 20230731: Added by Front-Desk (apo)
 --
-pdfcrack (Adrian Bunk)
-  NOTE: 20230731: Added by Front-Desk (apo)
---
 poppler (Adrian Bunk)
   NOTE: 20230804: Added by Front-Desk (gladk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0db57fd36c75ff163199d16b6387ca302ca5f16e



[Git][security-tracker-team/security-tracker][master] automatic update

2023-08-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2eea82c4 by security tracker role at 2023-08-06T08:12:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,41 @@
+CVE-2023-4190 (Insufficient Session Expiration in GitHub repository 
admidio/admidio p ...)
+   TODO: check
+CVE-2023-4180 (A vulnerability classified as critical was found in 
SourceCodester Fre ...)
+   TODO: check
+CVE-2023-4179 (A vulnerability classified as critical has been found in 
SourceCodeste ...)
+   TODO: check
+CVE-2023-4177 (A vulnerability was found in EmpowerID up to 7.205.0.0. It has 
been ra ...)
+   TODO: check
+CVE-2023-4176 (A vulnerability was found in SourceCodester Hospital Management 
System ...)
+   TODO: check
+CVE-2023-4175 (A vulnerability was found in mooSocial mooTravel 3.1.8 and 
classified  ...)
+   TODO: check
+CVE-2023-4174 (A vulnerability has been found in mooSocial mooStore 3.1.6 and 
classif ...)
+   TODO: check
+CVE-2023-4173 (A vulnerability, which was classified as problematic, was found 
in moo ...)
+   TODO: check
+CVE-2023-4172 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2023-4171 (A vulnerability classified as problematic was found in Chengdu 
Flash F ...)
+   TODO: check
+CVE-2023-37874 (Auth. (admin+) Stored Cross-Site Scripting (XSS) 
vulnerabilityin Dimit ...)
+   TODO: check
+CVE-2023-37873 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
WooComme ...)
+   TODO: check
+CVE-2023-37581 (Insufficient input validation and sanitation in Weblog 
Category name,  ...)
+   TODO: check
+CVE-2023-36689 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
WPFactor ...)
+   TODO: check
+CVE-2023-36686 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
CartFlow ...)
+   TODO: check
+CVE-2023-36678 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in WP-b ...)
+   TODO: check
+CVE-2023-34377 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Jose ...)
+   TODO: check
+CVE-2023-34010 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability 
insubmodule ...)
+   TODO: check
+CVE-2023-32600 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
+   TODO: check
 CVE-2023-4189 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
instantsof ...)
TODO: check
 CVE-2023-4188 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1-g ...)
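Review bot: nineteen new `TODO: check` entries; b5227678, later the same day, processes all of them as NOT-FOR-US except CVE-2023-4189 and CVE-2023-4188 (instantsoft/icms2), which remain TODO and still need a check.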
@@ -612,7 +650,7 @@ CVE-2023-4057 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, and
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-31/#CVE-2023-4057
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4057
 CVE-2023-4056 (Memory safety bugs present in Firefox 115, Firefox ESR 115.0, 
Firefox  ...)
-   {DSA-5464-1}
+   {DSA-5469-1 DSA-5464-1}
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
- thunderbird 1:115.1.0-1
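Review bot: the added DSA-5469-1 is the thunderbird advisory from data/DSA/list ([05 Aug 2023], covering CVE-2023-4045 through 4050 plus 4055 and 4056), so tagging CVE-2023-4056 here is consistent; the same check holds for the 4055, 4050 and 4049 hunks below.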
@@ -622,7 +660,7 @@ CVE-2023-4056 (Memory safety bugs present in Firefox 115, 
Firefox ESR 115.0, Fir
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4056
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4056
 CVE-2023-4055 (When the number of cookies per domain was exceeded in 
`document.cookie ...)
-   {DSA-5464-1}
+   {DSA-5469-1 DSA-5464-1}
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
- thunderbird 1:115.1.0-1
@@ -654,7 +692,7 @@ CVE-2023-4051 (A website could have obscured the full 
screen notification by usi
- firefox 116.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/#CVE-2023-4051
 CVE-2023-4050 (In some cases, an untrusted input stream was copied to a stack 
buffer  ...)
-   {DSA-5464-1}
+   {DSA-5469-1 DSA-5464-1}
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
- thunderbird 1:115.1.0-1
@@ -664,7 +702,7 @@ CVE-2023-4050 (In some cases, an untrusted input stream was 
copied to a stack bu
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4050
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-33/#CVE-2023-4050
 CVE-2023-4049 (Race conditions in reference counting code were found through 
code ins ...)
-   {DSA-5464-1}
+   {DSA-5469-1 DSA-5464-1}
- firefox 116.0-1
- firefox-esr 115.1.0esr-1
- thunderbird 1:115.1.0-1
@@ -674,7 +712,7 @@ CVE-2023-4049 (Race conditions in reference counting code 
were found through cod
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-32/#CVE-2023-4049
NOTE: