[Git][security-tracker-team/security-tracker][master] Update information for some tcpreplay issues (fixed via unstable)

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eca22a6d by Salvatore Bonaccorso at 2023-09-04T07:24:55+02:00
Update information for some tcpreplay issues (fixed via unstable)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25800,35 +25800,46 @@ CVE-2023-27791
 CVE-2023-27790
RESERVED
 CVE-2023-27789 (An issue found in TCPprep v.4.4.3 allows a remote attacker to 
cause a  ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/784
NOTE: https://github.com/appneta/tcpreplay/pull/783
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27788 (An issue found in TCPrewrite v.4.4.3 allows a remote attacker 
to cause ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/786
+   NOTE: https://github.com/appneta/tcpreplay/pull/783
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27787 (An issue found in TCPprep v.4.4.3 allows a remote attacker to 
cause a  ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/788
+   NOTE: https://github.com/appneta/tcpreplay/pull/783
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27786 (An issue found in TCPprep v.4.4.3 allows a remote attacker to 
cause a  ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/782
NOTE: https://github.com/appneta/tcpreplay/pull/783
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27785 (An issue found in TCPreplay TCPprep v.4.4.3 allows a remote 
attacker t ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/785
+   NOTE: https://github.com/appneta/tcpreplay/pull/783
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27784 (An issue found in TCPReplay v.4.4.3 allows a remote attacker 
to cause  ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/787
+   NOTE: https://github.com/appneta/tcpreplay/pull/783
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27783 (An issue found in TCPreplay tcprewrite v.4.4.3 allows a remote 
attacke ...)
-   - tcpreplay  (unimportant)
+   - tcpreplay 4.4.4-1 (unimportant)
NOTE: https://github.com/appneta/tcpreplay/issues/780
NOTE: https://github.com/appneta/tcpreplay/pull/781
+   NOTE: Fixed by: 
https://github.com/appneta/tcpreplay/commit/91009a551c2c59fe9079e217437bacbfd50e5450
 (v4.4.4)
NOTE: Crash in CLI tool, no security impact
 CVE-2023-27782
RESERVED
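Review bot: the CVE-2023-27788 entry (TCPrewrite, issue #786) is attributed here to pull/783 and commit df18c48812462ea802d639d2477887055666ee58, the same fix recorded for the TCPprep issues (#782, #784, #785, #788), whereas the other tcprewrite issue in this hunk (#780, CVE-2023-27783) points at pull/781 and commit 91009a551c2c59fe9079e217437bacbfd50e5450; worth confirming which of the two upstream commits actually closes #786 so the "Fixed by" note references the right one (both land in v4.4.4, so the 4.4.4-1 fixed version stands either way).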



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca22a6d18533b8bb21252c35a906752d0e69fb1

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca22a6d18533b8bb21252c35a906752d0e69fb1
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] dla: take gerbv

2023-09-03 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab946b5c by Adrian Bunk at 2023-09-04T00:10:27+03:00
dla: take gerbv

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -76,7 +76,7 @@ freeimage
 frr
   NOTE: 20230901: Added by Front-Desk (gladk)
 --
-gerbv
+gerbv (Adrian Bunk)
   NOTE: 20230903: Added by Front-Desk (gladk)
 --
 glib2.0 (santiago)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab946b5c94a9d9b472fe8fb9e8e51e635ae2208f



[Git][security-tracker-team/security-tracker][master] 2 commits: claim elfutils

2023-09-03 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35903ee2 by Thorsten Alteholz at 2023-09-03T23:06:50+02:00
claim elfutils

- - - - -
174dfdd8 by Thorsten Alteholz at 2023-09-03T23:08:42+02:00
claim file

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,10 +54,10 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
-elfutils
+elfutils (Thorsten Alteholz)
   NOTE: 20230903: Added by Front-Desk (gladk)
 --
-file
+file (Thorsten Alteholz)
   NOTE: 20230901: Added by Front-Desk (gladk)
 --
 firmware-nonfree



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b234121994c2f7f2312b963fbfbfac8cd470bed1...174dfdd851f6c57988873bb959b6eeeabba7274e



[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2341219 by security tracker role at 2023-09-03T20:12:15+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,44 @@
-CVE-2023-41180
+CVE-2023-4751 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
+   TODO: check
+CVE-2023-4740 (A vulnerability, which was classified as critical, was found in 
IBOS O ...)
+   TODO: check
+CVE-2023-4739 (A vulnerability, which was classified as critical, has been 
found in B ...)
+   TODO: check
+CVE-2023-3703 (Proscend Advice ICR Series routers FW version 1.76- CWE-1392: 
Use of D ...)
+   TODO: check
+CVE-2023-39374 (ForeScout NAC SecureConnector version 11.2 -CWE-427: 
Uncontrolled Sear ...)
+   TODO: check
+CVE-2023-39373 (A Hyundai model (2017) - CWE-294: Authentication Bypass by 
Capture-rep ...)
+   TODO: check
+CVE-2023-39372 (StarTrinity Softswitch version 2023-02-16 -Multiple CSRF 
(CWE-352))
+   TODO: check
+CVE-2023-39371 (StarTrinity Softswitch version 2023-02-16 -Open Redirect 
(CWE-601))
+   TODO: check
+CVE-2023-39370 (StarTrinity Softswitch version 2023-02-16 -Persistent XSS 
(CWE-79))
+   TODO: check
+CVE-2023-39369 (StarTrinity Softswitch version 2023-02-16- Multiple Reflected 
XSS (CWE ...)
+   TODO: check
+CVE-2023-38521 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Exif ...)
+   TODO: check
+CVE-2023-38518 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Visu ...)
+   TODO: check
+CVE-2023-38517 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Real ...)
+   TODO: check
+CVE-2023-38516 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
+   TODO: check
+CVE-2023-38482 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Qual ...)
+   TODO: check
+CVE-2023-38476 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Suit ...)
+   TODO: check
+CVE-2023-38387 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Elas ...)
+   TODO: check
+CVE-2023-37222 (Farsight Tech Nordic AB ProVide version 14.5- Multiple XSS 
vulnerabili ...)
+   TODO: check
+CVE-2023-37221 (7Twenty BOT - CWE-79: Improper Neutralization of Input During 
Web Page ...)
+   TODO: check
+CVE-2023-37220 (Synel Terminals - CWE-494: Download of Code Without Integrity 
Check)
+   TODO: check
+CVE-2023-41180 (Incorrect certificate validation in InvokeHTTP on Apache NiFi 
MiNiFi C ...)
NOT-FOR-US: Apache NiFi
 CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
- vim 
@@ -714,7 +754,7 @@ CVE-2023-4585
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4585
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4585
 CVE-2023-4584
-   {DSA-5485-1 DLA-3553-1}
+   {DSA-5488-1 DSA-5485-1 DLA-3553-1}
- firefox-esr 115.2.0esr-1
- firefox 117.0-1
- thunderbird 1:115.2.0-1
@@ -744,7 +784,7 @@ CVE-2023-4582
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4582
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4582
 CVE-2023-4581
-   {DSA-5485-1 DLA-3553-1}
+   {DSA-5488-1 DSA-5485-1 DLA-3553-1}
- firefox-esr 115.2.0esr-1
- firefox 117.0-1
- thunderbird 1:115.2.0-1
@@ -804,7 +844,7 @@ CVE-2023-4576
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4576
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4576
 CVE-2023-4575
-   {DSA-5485-1 DLA-3553-1}
+   {DSA-5488-1 DSA-5485-1 DLA-3553-1}
- firefox-esr 115.2.0esr-1
- firefox 117.0-1
- thunderbird 1:115.2.0-1
@@ -813,7 +853,7 @@ CVE-2023-4575
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4575
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4575
 CVE-2023-4574
-   {DSA-5485-1 DLA-3553-1}
+   {DSA-5488-1 DSA-5485-1 DLA-3553-1}
- firefox-esr 115.2.0esr-1
- firefox 117.0-1
- thunderbird 1:115.2.0-1
@@ -822,7 +862,7 @@ CVE-2023-4574
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4574
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4574
 CVE-2023-4573
-   {DSA-5485-1 DLA-3553-1}
+   {DSA-5488-1 DSA-5485-1 DLA-3553-1}
- firefox-esr 115.2.0esr-1
- firefox 117.0-1
- thunderbird 1:115.2.0-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b234121994c2f7f2312b963fbfbfac8cd470bed1


[Git][security-tracker-team/security-tracker][master] LTS: add elfutils to dla-needed

2023-09-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b29cbb45 by Anton Gladky at 2023-09-03T21:25:34+02:00
LTS: add elfutils to dla-needed

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -54,6 +54,9 @@ dogecoin
   NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix;
   NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the 
initiatives. (Beuc/front-desk)
 --
+elfutils
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 file
   NOTE: 20230901: Added by Front-Desk (gladk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39663/mathjax

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
eb21ccf5 by Salvatore Bonaccorso at 2023-09-03T21:24:44+02:00
Add CVE-2023-39663/mathjax

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -656,7 +656,8 @@ CVE-2023-3251 (A pass-back vulnerability exists where an 
authenticated, remote a
 CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web 
interface ...)
NOT-FOR-US: BDCOM OLT P3310D-2AC
 CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular 
expression  ...)
-   TODO: check
+   - mathjax 
+   NOTE: https://github.com/mathjax/MathJax/issues/3074
 CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid 
read mem ...)
- aom 3.7.0~rc3-1
[bookworm] - aom  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb21ccf5ec44b49702b7d5c5671134cc5169db47



[Git][security-tracker-team/security-tracker][master] Process two more NFUs

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
75287b5f by Salvatore Bonaccorso at 2023-09-03T21:23:20+02:00
Process two more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -220038,7 +220038,7 @@ CVE-2020-22614
 CVE-2020-22613
RESERVED
 CVE-2020-22612 (Installer RCE on settings file write in MyBB before 1.8.22.)
-   TODO: check
+   NOT-FOR-US: MyBB
 CVE-2020-22611
RESERVED
 CVE-2020-22610
@@ -228054,7 +228054,7 @@ CVE-2020-18914
 CVE-2020-18913 (EARCLINK ESPCMS-P8 was discovered to contain a SQL injection 
vulnerabi ...)
NOT-FOR-US: EARCLINK ESPCMS-P8
 CVE-2020-18912 (An issue found in Earcms Ear App v.20181124 allows a remote 
attacker t ...)
-   TODO: check
+   NOT-FOR-US: Earcms Ear App
 CVE-2020-18911
RESERVED
 CVE-2020-18910



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75287b5fc4b4156f2277ed8b064c6cfc9ca84ec2



[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2023-41180 as NFU

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
29deaf1a by Salvatore Bonaccorso at 2023-09-03T21:20:56+02:00
Add CVE-2023-41180 as NFU

- - - - -
67422a79 by Salvatore Bonaccorso at 2023-09-03T21:21:16+02:00
Revert LTS: mark CVE-2020-22217 as not-affected for jessie and 
stretch

This reverts commit dec5bf5248e2327a541604610f3c040bdf072f31.

This should be possible to do in the ELTS tracker itself.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-41180
+   NOT-FOR-US: Apache NiFi
 CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
- vim 
[bookworm] - vim  (Minor issue)
@@ -220872,8 +220874,6 @@ CVE-2020-22218 (An issue was discovered in function 
_libssh2_packet_add in libss
NOTE: 
https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45
 (libssh2-1.10.0)
 CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 
1_17_0 via  ...)
- c-ares 1.17.1-1
-   [jessie] - c-ares  (vulnerable code is not present)
-   [stretch] - c-ares  (vulnerable code is not present)
NOTE: https://github.com/c-ares/c-ares/issues/333
NOTE: https://github.com/c-ares/c-ares/pull/332
NOTE: Fixed by: 
https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043
 (c-ares-1_17_0)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dec5bf5248e2327a541604610f3c040bdf072f31...67422a7927471f774d397d903f0e6ec237116d1d



[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add some packages into the dla-needed.txt

2023-09-03 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ceae6e23 by Anton Gladky at 2023-09-03T21:14:46+02:00
LTS: add some packages into the dla-needed.txt

- - - - -
dec5bf52 by Anton Gladky at 2023-09-03T21:19:47+02:00
LTS: mark CVE-2020-22217 as not-affected for jessie and stretch

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -220872,6 +220872,8 @@ CVE-2020-22218 (An issue was discovered in function 
_libssh2_packet_add in libss
NOTE: 
https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45
 (libssh2-1.10.0)
 CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 
1_17_0 via  ...)
- c-ares 1.17.1-1
+   [jessie] - c-ares  (vulnerable code is not present)
+   [stretch] - c-ares  (vulnerable code is not present)
NOTE: https://github.com/c-ares/c-ares/issues/333
NOTE: https://github.com/c-ares/c-ares/pull/332
NOTE: Fixed by: 
https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043
 (c-ares-1_17_0)
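Review bot: the added [jessie] and [stretch] lines are reverted line for line by the follow-up commit 67422a79 (earlier on this page), whose message states that marking CVE-2020-22217 not-affected for those releases should be done in the ELTS tracker itself; this hunk should not be reapplied, and any future jessie/stretch annotation for this CVE belongs there rather than in data/CVE/list.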


=
data/dla-needed.txt
=
@@ -73,6 +73,9 @@ freeimage
 frr
   NOTE: 20230901: Added by Front-Desk (gladk)
 --
+gerbv
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 glib2.0 (santiago)
   NOTE: 20230612: Added by Front-Desk (apo)
   NOTE: 20230710: WIP (santiago)
@@ -80,6 +83,9 @@ glib2.0 (santiago)
   NOTE: 20230807: idem.
   NOTE: 20230820: asked for review/test.
 --
+gsl
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28
@@ -91,6 +97,9 @@ imagemagick
 libreswan (Markus Koschany)
   NOTE: 20230817: Added by Front-Desk (ta)
 --
+libssh2
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 linux (Ben Hutchings)
   NOTE: 20230111: perma-added for LTS package-specific delegation (bwh)
 --
@@ -167,6 +176,9 @@ rails (utkarsh)
   NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the 
possible path forward. (utkarsh)
   NOTE: 20230828: want to rollout ruby-rack first. (utkarsh)
 --
+ring
+  NOTE: 20230903: Added by Front-Desk (gladk)
+--
 ruby-loofah
   NOTE: 20221231: Added by Front-Desk (ola)
   NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2023-09-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6f2cbdbb by Moritz Muehlenhoff at 2023-09-03T21:02:13+02:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,19 +1,23 @@
 CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
- vim 
+   [bookworm] - vim  (Minor issue)
+   [bullseye] - vim  (Minor issue)
NOTE: https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612/
NOTE: 
https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 
(v9.0.1848)
 CVE-2023-4736 (Untrusted Search Path in GitHub repository vim/vim prior to 
9.0.1833.)
-   - vim 
+   - vim  (Windows-specific)
NOTE: https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71/
NOTE: 
https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c 
(v9.0.1833)
 CVE-2023-4735 (Out-of-bounds Write in GitHub repository vim/vim prior to 
9.0.1847.)
-   - vim 
+   - vim  (unimportant)
NOTE: https://huntr.dev/bounties/fc83bde3-f621-42bd-aecb-8c1ae44cba51/
NOTE: 
https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57 
(v9.0.1847)
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-4734 (Integer Overflow or Wraparound in GitHub repository vim/vim 
prior to 9 ...)
-   - vim 
+   - vim  (unimportant)
NOTE: https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217/
NOTE: 
https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 
(v9.0.1846)
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-39983 (A vulnerability that poses a potential risk of polluting the 
MXsecurit ...)
NOT-FOR-US: MXsecurity
 CVE-2023-39982 (A vulnerability has been identified in MXsecurity versions 
prior to v1 ...)
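Review bot: CVE-2023-4735 is titled "Out-of-bounds Write" yet is downgraded to unimportant with the same "Crash in CLI tool, no security impact" rationale as the integer overflow in CVE-2023-4734; for an out-of-bounds write a one-line note on why the upstream fix 889f6af37164775192e33b233a90e86fd3df0f57 (v9.0.1847) rules out anything beyond a crash would make the rating easier to audit later.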
@@ -1276,6 +1280,8 @@ CVE-2023-40217 (An issue was discovered in Python before 
3.8.18, 3.9.x before 3.
NOTE: 2. 
https://github.com/python/cpython/commit/592bacb6fc086c0453e818e9b95016e9fd47
 CVE-2023-4380
- ansible 
+   [bookworm] - ansible  (Minor issue)
+   [bullseye] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2232324
 CVE-2023-4420 (A remote unprivileged attacker can intercept the communication 
via e.g ...)
NOT-FOR-US: SICK LMS5xx
@@ -5762,11 +5768,13 @@ CVE-2023-3779 (The Essential Addons For Elementor 
plugin for WordPress is vulner
NOT-FOR-US: WordPress plugin
 CVE-2023-3300 (HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 
1.4.1 HTTP ...)
- nomad 
+   [bullseye] - nomad  (Will be removed in Bullseye 11.8)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272
 CVE-2023-3299 (HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL 
policies ...)
- nomad  (Specific to Nomad Enterprise)
 CVE-2023-3072 (HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 
1.4.10 ACL  ...)
- nomad 
+   [bullseye] - nomad  (Will be removed in Bullseye 11.8)
NOTE: 
https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270
 CVE-2023-37362 (Weintek Weincloud v0.13.6 could allow an attacker to abuse 
the reg ...)
NOT-FOR-US: Weincloud
@@ -19742,11 +19750,15 @@ CVE-2023-29451 (Specially crafted string can cause a 
buffer overrun in the JSON
 CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain 
access t ...)
{DLA-3538-1}
- zabbix 
+   [bookworm] - zabbix  (Minor issue)
+   [bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22588
NOTE: Patch for 5.0.32rc1: 
https://github.com/zabbix/zabbix/commit/c3f1543e4
NOTE: Patch for 6.0.14rc2: 
https://github.com/zabbix/zabbix/commit/76f6a80cb
 CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can 
cause uncont ...)
- zabbix 
+   [bookworm] - zabbix  (Minor issue)
+   [bullseye] - zabbix  (Minor issue)
[buster] - zabbix  (vulnerable code introduced later)
NOTE: https://support.zabbix.com/browse/ZBX-22589
NOTE: Upstream patch for 5.0.32: 
https://github.com/zabbix/zabbix/commit/e90b8a3c62



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f2cbdbbbd71480032bd068740a244e3cae0520c


[Git][security-tracker-team/security-tracker][master] thunderbird DSA

2023-09-03 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c8ed3ca7 by Moritz Mühlenhoff at 2023-09-03T13:41:49+02:00
thunderbird DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[03 Sep 2023] DSA-5488-1 thunderbird - security update
+   {CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584}
+   [bullseye] - thunderbird 1:102.15.0-1~deb11u1
+   [bookworm] - thunderbird 1:102.15.0-1~deb12u1
 [31 Aug 2023] DSA-5487-1 chromium - security update
{CVE-2023-4572}
[bullseye] - chromium 116.0.5845.140-1~deb11u1


=
data/dsa-needed.txt
=
@@ -80,8 +80,6 @@ salt/oldstable
 --
 samba/oldstable
 --
-thunderbird (jmm)
---
 tiff
 --
 trafficserver



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8ed3ca7f38d4040340ff2e8ba89509645566fb0



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39562/gpac

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c6f4c613 by Salvatore Bonaccorso at 2023-09-03T09:00:27+02:00
Add CVE-2023-39562/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -971,7 +971,10 @@ CVE-2023-39652 (theme volty tvcmsvideotab up to v4.0.0 was 
discovered to contain
 CVE-2023-39578 (A stored cross-site scripting (XSS) vulnerability in the 
Create functi ...)
NOT-FOR-US: Zenario CMS
 CVE-2023-39562 (GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to 
contain a hea ...)
-   TODO: check
+   - gpac 
+   [buster] - gpac  (EOL in buster LTS)
+   NOTE: https://github.com/gpac/gpac/issues/2537
+   NOTE: 
https://github.com/gpac/gpac/commit/9024531ee8e6ae8318a8fe0cbb64710d1acc31f6
 CVE-2023-39560 (ECTouch v2 was discovered to contain a SQL injection 
vulnerability via ...)
NOT-FOR-US: ECTouch v2
 CVE-2023-39348 (Spinnaker is an open source, multi-cloud continuous delivery 
platform. ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6f4c6132b40e5e2dfadad23d5ae459a83b40200



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f49568f8 by Salvatore Bonaccorso at 2023-09-03T09:00:01+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -126,9 +126,9 @@ CVE-2023-36328 (Integer Overflow vulnerability in mp_grow 
in libtom libtommath b
NOTE: https://github.com/libtom/libtommath/pull/546
NOTE: 
https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9
 CVE-2023-36327 (Integer Overflow vulnerability in RELIC before commit 
421f2e91cf2ba424 ...)
-   TODO: check
+   NOT-FOR-US: RELIC
 CVE-2023-36326 (Integer Overflow vulnerability in RELIC before commit 
34580d840469361b ...)
-   TODO: check
+   NOT-FOR-US: RELIC
 CVE-2023-36187 (Buffer Overflow vulnerability in NETGEAR R6400v2 before 
version 1.0.4. ...)
NOT-FOR-US: NETGEAR
 CVE-2023-36100 (An issue was discovered in IceCMS version 2.0.1, allows 
attackers to e ...)
@@ -136,7 +136,7 @@ CVE-2023-36100 (An issue was discovered in IceCMS version 
2.0.1, allows attacker
 CVE-2023-36088 (Server Side Request Forgery (SSRF) vulnerability in 
NebulaGraph Studio ...)
NOT-FOR-US: NebulaGraph Studio
 CVE-2023-36076 (SQL Injection vulnerability in smanga version 3.1.9 and 
earlier, allow ...)
-   TODO: check
+   NOT-FOR-US: smanga
 CVE-2023-34011 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Shop ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-4647 (An issue has been discovered in GitLab affecting all versions 
starting ...)
@@ -672,7 +672,7 @@ CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to 
contain a global buffe
NOTE: Fixed by: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9
NOTE: Followup: 
https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129
 CVE-2023-39522 (goauthentik is an open-source Identity Provider. In affected 
versions  ...)
-   TODO: check
+   NOT-FOR-US: authentik
 CVE-2023-39268 (A memory corruption vulnerability in ArubaOS-Switch could lead 
to unau ...)
NOT-FOR-US: Aruba
 CVE-2023-39267 (An authenticated remote code execution vulnerability exists in 
the com ...)
@@ -32532,7 +32532,7 @@ CVE-2023-25490 (Auth. (admin+) Stored Cross-Site 
Scripting (XSS) vulnerability i
 CVE-2023-25489
RESERVED
 CVE-2023-25488 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Duc  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25487 (Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade 
PixTypes ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-25486
@@ -32554,7 +32554,7 @@ CVE-2023-25479 (Auth. (admin+) Stored Cross-Site 
Scripting (XSS) vulnerability i
 CVE-2023-25478 (Cross-Site Request Forgery (CSRF) vulnerability in Jason Rouet 
Weather ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-25477 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Yotu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25476
RESERVED
 CVE-2023-25475 (Cross-Site Request Forgery (CSRF) vulnerability in Vladimir 
Prelovac S ...)
@@ -33617,11 +33617,11 @@ CVE-2023-25046 (Auth. (admin+) Stored Cross-Site 
Scripting (XSS) vulnerability i
 CVE-2023-25045
RESERVED
 CVE-2023-25044 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Sumo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25043
RESERVED
 CVE-2023-25042 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Liam ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-25041 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
Cththeme ...)
NOT-FOR-US: WordPress theme
 CVE-2023-25040 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
@@ -34655,9 +34655,9 @@ CVE-2023-24677
 CVE-2023-24676
RESERVED
 CVE-2023-24675 (Cross Site Scripting Vulnerability in BluditCMS v.3.14.1 
allows attack ...)
-   TODO: check
+   NOT-FOR-US: BluditCMS
 CVE-2023-24674 (Permissions vulnerability found in Bludit CMS v.4.0.0 allows 
local att ...)
-   TODO: check
+   NOT-FOR-US: BluditCMS
 CVE-2023-24673
RESERVED
 CVE-2023-24672
@@ -35700,7 +35700,7 @@ CVE-2023-24414 (Cross-Site Request Forgery (CSRF) 
vulnerability in RoboSoft Phot
 CVE-2023-24413 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
I Thirte ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-24412 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Web- ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-24411 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-24410
@@ -48873,7 +48873,7 @@ 

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca498473 by Salvatore Bonaccorso at 2023-09-03T08:33:05+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -15,15 +15,15 @@ CVE-2023-4734 (Integer Overflow or Wraparound in GitHub 
repository vim/vim prior
NOTE: https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217/
NOTE: 
https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 
(v9.0.1846)
 CVE-2023-39983 (A vulnerability that poses a potential risk of polluting the 
MXsecurit ...)
-   TODO: check
+   NOT-FOR-US: MXsecurity
 CVE-2023-39982 (A vulnerability has been identified in MXsecurity versions 
prior to v1 ...)
-   TODO: check
+   NOT-FOR-US: MXsecurity
 CVE-2023-39981 (A vulnerability that allows for unauthorized access has been 
discovere ...)
-   TODO: check
+   NOT-FOR-US: MXsecurity
 CVE-2023-39980 (A vulnerability that allows the unauthorized disclosure of 
authenticat ...)
-   TODO: check
+   NOT-FOR-US: MXsecurity
 CVE-2023-39979 (There is a vulnerability in MXsecurity versions prior to 1.0.1 
that ca ...)
-   TODO: check
+   NOT-FOR-US: MXsecurity
 CVE-2023-4718 (The Font Awesome 4 Menus plugin for WordPress is vulnerable to 
Stored  ...)
NOT-FOR-US: Font Awesome 4 Menus plugin for WordPress
 CVE-2023-4722 (Integer Overflow or Wraparound in GitHub repository gpac/gpac 
prior to ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca49847325848bbbdeea9fc8203f0b6268bae1c2



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add new vim CVEs

2023-09-03 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba9d7731 by Salvatore Bonaccorso at 2023-09-03T08:32:20+02:00
Add new vim CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,11 +1,19 @@
 CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior 
to 9.0.1 ...)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612/
+   NOTE: 
https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 
(v9.0.1848)
 CVE-2023-4736 (Untrusted Search Path in GitHub repository vim/vim prior to 
9.0.1833.)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71/
+   NOTE: 
https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c 
(v9.0.1833)
 CVE-2023-4735 (Out-of-bounds Write in GitHub repository vim/vim prior to 
9.0.1847.)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/fc83bde3-f621-42bd-aecb-8c1ae44cba51/
+   NOTE: 
https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57 
(v9.0.1847)
 CVE-2023-4734 (Integer Overflow or Wraparound in GitHub repository vim/vim 
prior to 9 ...)
-   TODO: check
+   - vim 
+   NOTE: https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217/
+   NOTE: 
https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 
(v9.0.1846)
 CVE-2023-39983 (A vulnerability that poses a potential risk of polluting the 
MXsecurit ...)
TODO: check
 CVE-2023-39982 (A vulnerability has been identified in MXsecurity versions 
prior to v1 ...)
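Review bot: the four package lines in this hunk read `- vim ` with nothing after the package name, whereas the tracker syntax expects either the fixed Debian version or the literal `<unfixed>` marker in that field; if the marker was only dropped by the mail rendering this is fine, otherwise the entries will not parse as unfixed. The NOTE lines record the upstream fix commit and tag for each CVE (v9.0.1833, v9.0.1846, v9.0.1847, v9.0.1848), which agrees with the "prior to" versions in the descriptions of CVE-2023-4736 and CVE-2023-4735; once a vim upload carrying those commits reaches unstable, replace the empty field with that package version. No severity qualifier is set on any of the four entries, so if they are to be handled as minor issues add the parenthesised qualifier, otherwise they will sit as open work without a triage decision recorded.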



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba9d773191f81d5466f6a2a9a80752af1acf9ae2


