[Git][security-tracker-team/security-tracker][master] Update information for some tcpreplay issues (fixed via unstable)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eca22a6d by Salvatore Bonaccorso at 2023-09-04T07:24:55+02:00 Update information for some tcpreplay issues (fixed via unstable) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -25800,35 +25800,46 @@ CVE-2023-27791 CVE-2023-27790 RESERVED CVE-2023-27789 (An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a ...) - - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/784 NOTE: https://github.com/appneta/tcpreplay/pull/783 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27788 (An issue found in TCPrewrite v.4.4.3 allows a remote attacker to cause ...) - - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/786 + NOTE: https://github.com/appneta/tcpreplay/pull/783 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27787 (An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a ...) - - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/788 + NOTE: https://github.com/appneta/tcpreplay/pull/783 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27786 (An issue found in TCPprep v.4.4.3 allows a remote attacker to cause a ...) - - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/782 NOTE: https://github.com/appneta/tcpreplay/pull/783 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27785 (An issue found in TCPreplay TCPprep v.4.4.3 allows a remote attacker t ...) 
- - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/785 + NOTE: https://github.com/appneta/tcpreplay/pull/783 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27784 (An issue found in TCPReplay v.4.4.3 allows a remote attacker to cause ...) - - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/787 + NOTE: https://github.com/appneta/tcpreplay/pull/783 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/df18c48812462ea802d639d2477887055666ee58 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27783 (An issue found in TCPreplay tcprewrite v.4.4.3 allows a remote attacke ...) - - tcpreplay (unimportant) + - tcpreplay 4.4.4-1 (unimportant) NOTE: https://github.com/appneta/tcpreplay/issues/780 NOTE: https://github.com/appneta/tcpreplay/pull/781 + NOTE: Fixed by: https://github.com/appneta/tcpreplay/commit/91009a551c2c59fe9079e217437bacbfd50e5450 (v4.4.4) NOTE: Crash in CLI tool, no security impact CVE-2023-27782 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca22a6d18533b8bb21252c35a906752d0e69fb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eca22a6d18533b8bb21252c35a906752d0e69fb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
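Review bot: the retained rationale "Crash in CLI tool, no security impact" sits beside seven CVE descriptions that each read "allows a remote attacker to cause ..." and never says why the remote wording does not apply; one NOTE stating what input tcpprep/tcprewrite/tcpreplay are crashing on, and why that input is not attacker-reachable in the "remote" sense, would let a later reader accept the (unimportant) rating without re-reading issues 780 to 788. The added "Fixed by:" NOTEs themselves are consistent: six entries point at df18c488 (pull/783) and CVE-2023-27783 at 91009a55 (pull/781), and both are tagged (v4.4.4), which matches the single 4.4.4-1 fixed version used to close all seven.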
[Git][security-tracker-team/security-tracker][master] dla: take gerbv
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab946b5c by Adrian Bunk at 2023-09-04T00:10:27+03:00 dla: take gerbv - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,7 +76,7 @@ freeimage frr NOTE: 20230901: Added by Front-Desk (gladk) -- -gerbv +gerbv (Adrian Bunk) NOTE: 20230903: Added by Front-Desk (gladk) -- glib2.0 (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab946b5c94a9d9b472fe8fb9e8e51e635ae2208f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab946b5c94a9d9b472fe8fb9e8e51e635ae2208f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: claim elfutils
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 35903ee2 by Thorsten Alteholz at 2023-09-03T23:06:50+02:00 claim elfutils - - - - - 174dfdd8 by Thorsten Alteholz at 2023-09-03T23:08:42+02:00 claim file - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,10 +54,10 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -elfutils +elfutils (Thorsten Alteholz) NOTE: 20230903: Added by Front-Desk (gladk) -- -file +file (Thorsten Alteholz) NOTE: 20230901: Added by Front-Desk (gladk) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b234121994c2f7f2312b963fbfbfac8cd470bed1...174dfdd851f6c57988873bb959b6eeeabba7274e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b234121994c2f7f2312b963fbfbfac8cd470bed1...174dfdd851f6c57988873bb959b6eeeabba7274e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2341219 by security tracker role at 2023-09-03T20:12:15+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,4 +1,44 @@ -CVE-2023-41180 +CVE-2023-4751 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) + TODO: check +CVE-2023-4740 (A vulnerability, which was classified as critical, was found in IBOS O ...) + TODO: check +CVE-2023-4739 (A vulnerability, which was classified as critical, has been found in B ...) + TODO: check +CVE-2023-3703 (Proscend Advice ICR Series routers FW version 1.76- CWE-1392: Use of D ...) + TODO: check +CVE-2023-39374 (ForeScout NAC SecureConnector version 11.2 -CWE-427: Uncontrolled Sear ...) + TODO: check +CVE-2023-39373 (A Hyundai model (2017) - CWE-294: Authentication Bypass by Capture-rep ...) + TODO: check +CVE-2023-39372 (StarTrinity Softswitch version 2023-02-16 -Multiple CSRF (CWE-352)) + TODO: check +CVE-2023-39371 (StarTrinity Softswitch version 2023-02-16 -Open Redirect (CWE-601)) + TODO: check +CVE-2023-39370 (StarTrinity Softswitch version 2023-02-16 -Persistent XSS (CWE-79)) + TODO: check +CVE-2023-39369 (StarTrinity Softswitch version 2023-02-16- Multiple Reflected XSS (CWE ...) + TODO: check +CVE-2023-38521 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Exif ...) + TODO: check +CVE-2023-38518 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Visu ...) + TODO: check +CVE-2023-38517 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Real ...) + TODO: check +CVE-2023-38516 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) + TODO: check +CVE-2023-38482 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Qual ...) + TODO: check +CVE-2023-38476 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Suit ...) + TODO: check +CVE-2023-38387 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Elas ...) + TODO: check +CVE-2023-37222 (Farsight Tech Nordic AB ProVide version 14.5- Multiple XSS vulnerabili ...) 
+ TODO: check +CVE-2023-37221 (7Twenty BOT - CWE-79: Improper Neutralization of Input During Web Page ...) + TODO: check +CVE-2023-37220 (Synel Terminals - CWE-494: Download of Code Without Integrity Check) + TODO: check +CVE-2023-41180 (Incorrect certificate validation in InvokeHTTP on Apache NiFi MiNiFi C ...) NOT-FOR-US: Apache NiFi CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - vim @@ -714,7 +754,7 @@ CVE-2023-4585 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4585 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4585 CVE-2023-4584 - {DSA-5485-1 DLA-3553-1} + {DSA-5488-1 DSA-5485-1 DLA-3553-1} - firefox-esr 115.2.0esr-1 - firefox 117.0-1 - thunderbird 1:115.2.0-1 @@ -744,7 +784,7 @@ CVE-2023-4582 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4582 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4582 CVE-2023-4581 - {DSA-5485-1 DLA-3553-1} + {DSA-5488-1 DSA-5485-1 DLA-3553-1} - firefox-esr 115.2.0esr-1 - firefox 117.0-1 - thunderbird 1:115.2.0-1 @@ -804,7 +844,7 @@ CVE-2023-4576 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4576 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4576 CVE-2023-4575 - {DSA-5485-1 DLA-3553-1} + {DSA-5488-1 DSA-5485-1 DLA-3553-1} - firefox-esr 115.2.0esr-1 - firefox 117.0-1 - thunderbird 1:115.2.0-1 @@ -813,7 +853,7 @@ CVE-2023-4575 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4575 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4575 CVE-2023-4574 - {DSA-5485-1 DLA-3553-1} + {DSA-5488-1 DSA-5485-1 DLA-3553-1} - firefox-esr 115.2.0esr-1 - firefox 117.0-1 - thunderbird 1:115.2.0-1 
@@ -822,7 +862,7 @@ CVE-2023-4574 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-36/#CVE-2023-4574 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-38/#CVE-2023-4574 CVE-2023-4573 - {DSA-5485-1 DLA-3553-1} + {DSA-5488-1 DSA-5485-1 DLA-3553-1} - firefox-esr 115.2.0esr-1 - firefox 117.0-1 - thunderbird 1:115.2.0-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b234121994c2f7f2312b963fbfbfac8cd470bed1
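Review bot: CVE-2023-4751 (heap-based buffer overflow in vim/vim prior to 9.0.1...) arrives in the first hunk as "TODO: check" while the adjacent CVE-2023-4738 entry is already tracked against "- vim"; it needs the same package line plus the huntr and upstream-commit NOTEs the other vim entries carry, and the [bookworm]/[bullseye] decision taken for the other 9.0.18xx vim issues in commit 6f2cbdbb ("bullseye/bookworm triage") should be applied in the same pass so the entry does not sit open in the stable views. The {DSA-5488-1 ...} references added in the remaining hunks cover exactly the five CVEs named in the DSA-5488-1 entry from commit c8ed3ca7, so nothing is missing there.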
[Git][security-tracker-team/security-tracker][master] LTS: add elfutils to dla-needed
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b29cbb45 by Anton Gladky at 2023-09-03T21:25:34+02:00 LTS: add elfutils to dla-needed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +elfutils + NOTE: 20230903: Added by Front-Desk (gladk) +-- file NOTE: 20230901: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29cbb455f01623885c8ef502dafe6089ac2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39663/mathjax
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eb21ccf5 by Salvatore Bonaccorso at 2023-09-03T21:24:44+02:00 Add CVE-2023-39663/mathjax - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -656,7 +656,8 @@ CVE-2023-3251 (A pass-back vulnerability exists where an authenticated, remote a CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web interface ...) NOT-FOR-US: BDCOM OLT P3310D-2AC CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expression ...) - TODO: check + - mathjax + NOTE: https://github.com/mathjax/MathJax/issues/3074 CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...) - aom 3.7.0~rc3-1 [bookworm] - aom (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb21ccf5ec44b49702b7d5c5671134cc5169db47 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/eb21ccf5ec44b49702b7d5c5671134cc5169db47 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
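Review bot: the CVE-2023-39663 entry gets a bare "- mathjax" with no fixed version, no [bullseye]/[bookworm] annotation and only the upstream issue link; if https://github.com/mathjax/MathJax/issues/3074 carries no fix commit, say so in a NOTE (and whether the 2.7 series named in the description will get one), and since the description is two regular-expression denial-of-service issues, a "(Minor issue)" or similar rating on the stable suites is the decision this entry is still missing.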
[Git][security-tracker-team/security-tracker][master] Process two more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 75287b5f by Salvatore Bonaccorso at 2023-09-03T21:23:20+02:00 Process two more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -220038,7 +220038,7 @@ CVE-2020-22614 CVE-2020-22613 RESERVED CVE-2020-22612 (Installer RCE on settings file write in MyBB before 1.8.22.) - TODO: check + NOT-FOR-US: MyBB CVE-2020-22611 RESERVED CVE-2020-22610 @@ -228054,7 +228054,7 @@ CVE-2020-18914 CVE-2020-18913 (EARCLINK ESPCMS-P8 was discovered to contain a SQL injection vulnerabi ...) NOT-FOR-US: EARCLINK ESPCMS-P8 CVE-2020-18912 (An issue found in Earcms Ear App v.20181124 allows a remote attacker t ...) - TODO: check + NOT-FOR-US: Earcms Ear App CVE-2020-18911 RESERVED CVE-2020-18910 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75287b5fc4b4156f2277ed8b064c6cfc9ca84ec2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/75287b5fc4b4156f2277ed8b064c6cfc9ca84ec2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVe-2023-41180 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 29deaf1a by Salvatore Bonaccorso at 2023-09-03T21:20:56+02:00 Add CVe-2023-41180 as NFU - - - - - 67422a79 by Salvatore Bonaccorso at 2023-09-03T21:21:16+02:00 Revert LTS: mark CVE-2020-22217 as not-affected for jessie and stretch This reverts commit dec5bf5248e2327a541604610f3c040bdf072f31. This should be possible to do in the ELTS tracker itself. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-41180 + NOT-FOR-US: Apache NiFi CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - vim [bookworm] - vim (Minor issue) @@ -220872,8 +220874,6 @@ CVE-2020-22218 (An issue was discovered in function _libssh2_packet_add in libss NOTE: https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 (libssh2-1.10.0) CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via ...) - c-ares 1.17.1-1 - [jessie] - c-ares (vulnerable code is not present) - [stretch] - c-ares (vulnerable code is not present) NOTE: https://github.com/c-ares/c-ares/issues/333 NOTE: https://github.com/c-ares/c-ares/pull/332 NOTE: Fixed by: https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043 (c-ares-1_17_0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dec5bf5248e2327a541604610f3c040bdf072f31...67422a7927471f774d397d903f0e6ec237116d1d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/dec5bf5248e2327a541604610f3c040bdf072f31...67422a7927471f774d397d903f0e6ec237116d1d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
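Review bot: with the [jessie]/[stretch] lines reverted, the CVE-2020-22217 entry is left with a description that says "before 1_16_1 thru 1_17_0" beside a "Fixed by:" NOTE whose commit 1b98172b is tagged (c-ares-1_17_0); the two disagree on whether 1.17.0 is affected, and a one-line NOTE recording which is correct would stop the ELTS side, where the commit message says this decision now belongs, from re-deriving it.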
[Git][security-tracker-team/security-tracker][master] 2 commits: LTS: add some packages into the dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: ceae6e23 by Anton Gladky at 2023-09-03T21:14:46+02:00 LTS: add some packages into the dla-needed.txt - - - - - dec5bf52 by Anton Gladky at 2023-09-03T21:19:47+02:00 LTS: mark CVE-2020-22217 as not-affected for jessie and stretch - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -220872,6 +220872,8 @@ CVE-2020-22218 (An issue was discovered in function _libssh2_packet_add in libss NOTE: https://github.com/libssh2/libssh2/commit/642eec48ff3adfdb7a9e562b6d7fc865d1733f45 (libssh2-1.10.0) CVE-2020-22217 (Buffer overflow vulnerability in c-ares before 1_16_1 thru 1_17_0 via ...) - c-ares 1.17.1-1 + [jessie] - c-ares (vulnerable code is not present) + [stretch] - c-ares (vulnerable code is not present) NOTE: https://github.com/c-ares/c-ares/issues/333 NOTE: https://github.com/c-ares/c-ares/pull/332 NOTE: Fixed by: https://github.com/c-ares/c-ares/commit/1b98172b141fe874ad43e679e67506f9b2139043 (c-ares-1_17_0) = data/dla-needed.txt = @@ -73,6 +73,9 @@ freeimage frr NOTE: 20230901: Added by Front-Desk (gladk) -- +gerbv + NOTE: 20230903: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) @@ -80,6 +83,9 @@ glib2.0 (santiago) NOTE: 20230807: idem. NOTE: 20230820: asked for review/test. -- +gsl + NOTE: 20230903: Added by Front-Desk (gladk) +-- i2p NOTE: 20230809: Added by Front-Desk (Beuc) NOTE: 20230809: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28 @@ -91,6 +97,9 @@ imagemagick libreswan (Markus Koschany) NOTE: 20230817: Added by Front-Desk (ta) -- +libssh2 + NOTE: 20230903: Added by Front-Desk (gladk) +-- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- 
@@ -167,6 +176,9 @@ rails (utkarsh) NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- +ring + NOTE: 20230903: Added by Front-Desk (gladk) +-- ruby-loofah NOTE: 20221231: Added by Front-Desk (ola) NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/6f2cbdbbbd71480032bd068740a244e3cae0520c...dec5bf5248e2327a541604610f3c040bdf072f31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
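Review bot: the [jessie]/[stretch] "(vulnerable code is not present)" lines for CVE-2020-22217 are being added to data/CVE/list for releases that are no longer handled by this tracker; the follow-up commit 67422a79 in this digest reverts exactly these two lines with "This should be possible to do in the ELTS tracker itself", so the verdict should be recorded in the ELTS tracker instead, and it is better kept out of a commit whose title is about dla-needed.txt additions (gerbv, gsl, libssh2, ring).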
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f2cbdbb by Moritz Muehlenhoff at 2023-09-03T21:02:13+02:00 bullseye/bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,19 +1,23 @@ CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - vim + [bookworm] - vim (Minor issue) + [bullseye] - vim (Minor issue) NOTE: https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612/ NOTE: https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 (v9.0.1848) CVE-2023-4736 (Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.) - - vim + - vim (Windows-specific) NOTE: https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71/ NOTE: https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c (v9.0.1833) CVE-2023-4735 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.) - - vim + - vim (unimportant) NOTE: https://huntr.dev/bounties/fc83bde3-f621-42bd-aecb-8c1ae44cba51/ NOTE: https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57 (v9.0.1847) + NOTE: Crash in CLI tool, no security impact CVE-2023-4734 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...) - - vim + - vim (unimportant) NOTE: https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217/ NOTE: https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 (v9.0.1846) + NOTE: Crash in CLI tool, no security impact CVE-2023-39983 (A vulnerability that poses a potential risk of polluting the MXsecurit ...) NOT-FOR-US: MXsecurity CVE-2023-39982 (A vulnerability has been identified in MXsecurity versions prior to v1 ...) 
@@ -1276,6 +1280,8 @@ CVE-2023-40217 (An issue was discovered in Python before 3.8.18, 3.9.x before 3. NOTE: 2. https://github.com/python/cpython/commit/592bacb6fc086c0453e818e9b95016e9fd47 CVE-2023-4380 - ansible + [bookworm] - ansible (Minor issue) + [bullseye] - ansible (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2232324 CVE-2023-4420 (A remote unprivileged attacker can intercept the communication via e.g ...) NOT-FOR-US: SICK LMS5xx @@ -5762,11 +5768,13 @@ CVE-2023-3779 (The Essential Addons For Elementor plugin for WordPress is vulner NOT-FOR-US: WordPress plugin CVE-2023-3300 (HashiCorp Nomad and Nomad Enterprise 0.11.0 up to 1.5.6 and 1.4.1 HTTP ...) - nomad + [bullseye] - nomad (Will be removed in Bullseye 11.8) NOTE: https://discuss.hashicorp.com/t/hcsec-2023-22-nomad-search-api-leaks-information-about-csi-plugins/56272 CVE-2023-3299 (HashiCorp Nomad Enterprise 1.2.11 up to 1.5.6, and 1.4.10 ACL policies ...) - nomad (Specific to Nomad Enterprise) CVE-2023-3072 (HashiCorp Nomad and Nomad Enterprise 0.7.0 up to 1.5.6 and 1.4.10 ACL ...) - nomad + [bullseye] - nomad (Will be removed in Bullseye 11.8) NOTE: https://discuss.hashicorp.com/t/hcsec-2023-20-nomad-acl-policies-without-label-are-applied-to-unexpected-resources/56270 CVE-2023-37362 (Weintek Weincloud v0.13.6 could allow an attacker to abuse the reg ...) NOT-FOR-US: Weincloud 
@@ -19742,11 +19750,15 @@ CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain access t ...) {DLA-3538-1} - zabbix + [bookworm] - zabbix (Minor issue) + [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22588 NOTE: Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4 NOTE: Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb CVE-2023-29449 (JavaScript preprocessing, webhooks and global scripts can cause uncont ...) - zabbix + [bookworm] - zabbix (Minor issue) + [bullseye] - zabbix (Minor issue) [buster] - zabbix (vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-22589 NOTE: Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f2cbdbbbd71480032bd068740a244e3cae0520c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f2cbdbbbd71480032bd068740a244e3cae0520c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
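Review bot: the lines "- vim (Windows-specific)", "- nomad (Specific to Nomad Enterprise)" and "[bullseye] - nomad (Will be removed in Bullseye 11.8)" carry their reason in the parenthetical but, as reproduced here, no state marker in front of it; the tracker syntax puts the marker (<not-affected>, <no-dsa>, <ignored> and so on) between the package name and the parenthesis, and a reason string alone does not change the entry's state. If the markers are present in the actual commit they were lost to angle-bracket stripping in this reproduction; if they are not, CVE-2023-4736 in particular needs <not-affected> so that vim stops being listed as affected by an untrusted search path that the parenthetical says only exists on Windows.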
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c8ed3ca7 by Moritz Mühlenhoff at 2023-09-03T13:41:49+02:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[03 Sep 2023] DSA-5488-1 thunderbird - security update + {CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584} + [bullseye] - thunderbird 1:102.15.0-1~deb11u1 + [bookworm] - thunderbird 1:102.15.0-1~deb12u1 [31 Aug 2023] DSA-5487-1 chromium - security update {CVE-2023-4572} [bullseye] - chromium 116.0.5845.140-1~deb11u1 = data/dsa-needed.txt = @@ -80,8 +80,6 @@ salt/oldstable -- samba/oldstable -- -thunderbird (jmm) --- tiff -- trafficserver View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8ed3ca7f38d4040340ff2e8ba89509645566fb0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c8ed3ca7f38d4040340ff2e8ba89509645566fb0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-39562/gpac
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c6f4c613 by Salvatore Bonaccorso at 2023-09-03T09:00:27+02:00 Add CVE-2023-39562/gpac - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -971,7 +971,10 @@ CVE-2023-39652 (theme volty tvcmsvideotab up to v4.0.0 was discovered to contain CVE-2023-39578 (A stored cross-site scripting (XSS) vulnerability in the Create functi ...) NOT-FOR-US: Zenario CMS CVE-2023-39562 (GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a hea ...) - TODO: check + - gpac + [buster] - gpac (EOL in buster LTS) + NOTE: https://github.com/gpac/gpac/issues/2537 + NOTE: https://github.com/gpac/gpac/commit/9024531ee8e6ae8318a8fe0cbb64710d1acc31f6 CVE-2023-39560 (ECTouch v2 was discovered to contain a SQL injection vulnerability via ...) NOT-FOR-US: ECTouch v2 CVE-2023-39348 (Spinnaker is an open source, multi-cloud continuous delivery platform. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6f4c6132b40e5e2dfadad23d5ae459a83b40200 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c6f4c6132b40e5e2dfadad23d5ae459a83b40200 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
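Review bot: CVE-2023-39562 is recorded with the upstream commit 9024531ee8e6 but without the "Fixed by:" prefix and "(vX.Y)" release tag that the other entries in this digest use (compare the tcpreplay and c-ares NOTEs), and the "- gpac" line itself carries no fixed version; if the commit is not yet in a tagged release, a NOTE saying so explains why the entry stays open, and if it is, the version belongs on the "- gpac" line so the entry closes. The "[buster] - gpac (EOL in buster LTS)" line has the same missing-marker question as the triage commit: the reason is there, the state keyword in front of it is not visible here.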
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f49568f8 by Salvatore Bonaccorso at 2023-09-03T09:00:01+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -126,9 +126,9 @@ CVE-2023-36328 (Integer Overflow vulnerability in mp_grow in libtom libtommath b NOTE: https://github.com/libtom/libtommath/pull/546 NOTE: https://github.com/libtom/libtommath/commit/beba892bc0d4e4ded4d667ab1d2a94f4d75109a9 CVE-2023-36327 (Integer Overflow vulnerability in RELIC before commit 421f2e91cf2ba424 ...) - TODO: check + NOT-FOR-US: RELIC CVE-2023-36326 (Integer Overflow vulnerability in RELIC before commit 34580d840469361b ...) - TODO: check + NOT-FOR-US: RELIC CVE-2023-36187 (Buffer Overflow vulnerability in NETGEAR R6400v2 before version 1.0.4. ...) NOT-FOR-US: NETGEAR CVE-2023-36100 (An issue was discovered in IceCMS version 2.0.1, allows attackers to e ...) @@ -136,7 +136,7 @@ CVE-2023-36100 (An issue was discovered in IceCMS version 2.0.1, allows attacker CVE-2023-36088 (Server Side Request Forgery (SSRF) vulnerability in NebulaGraph Studio ...) NOT-FOR-US: NebulaGraph Studio CVE-2023-36076 (SQL Injection vulnerability in smanga version 3.1.9 and earlier, allow ...) - TODO: check + NOT-FOR-US: smanga CVE-2023-34011 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Shop ...) NOT-FOR-US: WordPress plugin CVE-2023-4647 (An issue has been discovered in GitLab affecting all versions starting ...) 
@@ -672,7 +672,7 @@ CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffe NOTE: Fixed by: https://gitlab.gnome.org/GNOME/libxml2/-/commit/d0c3f01e110d54415611c5fa0040cdf4a56053f9 NOTE: Followup: https://gitlab.gnome.org/GNOME/libxml2/-/commit/235b15a590eecf97b09e87bdb7e4f8333e9de129 CVE-2023-39522 (goauthentik is an open-source Identity Provider. In affected versions ...) - TODO: check + NOT-FOR-US: authentik CVE-2023-39268 (A memory corruption vulnerability in ArubaOS-Switch could lead to unau ...) NOT-FOR-US: Aruba CVE-2023-39267 (An authenticated remote code execution vulnerability exists in the com ...) @@ -32532,7 +32532,7 @@ CVE-2023-25490 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-25489 RESERVED CVE-2023-25488 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Duc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25487 (Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade PixTypes ...) NOT-FOR-US: WordPress plugin CVE-2023-25486 @@ -32554,7 +32554,7 @@ CVE-2023-25479 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-25478 (Cross-Site Request Forgery (CSRF) vulnerability in Jason Rouet Weather ...) NOT-FOR-US: WordPress plugin CVE-2023-25477 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Yotu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25476 RESERVED CVE-2023-25475 (Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac S ...) 
@@ -33617,11 +33617,11 @@ CVE-2023-25046 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-25045 RESERVED CVE-2023-25044 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Sumo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25043 RESERVED CVE-2023-25042 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Liam ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25041 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Cththeme ...) NOT-FOR-US: WordPress theme CVE-2023-25040 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) @@ -34655,9 +34655,9 @@ CVE-2023-24677 CVE-2023-24676 RESERVED CVE-2023-24675 (Cross Site Scripting Vulnerability in BluditCMS v.3.14.1 allows attack ...) - TODO: check + NOT-FOR-US: BluditCMS CVE-2023-24674 (Permissions vulnerability found in Bludit CMS v.4.0.0 allows local att ...) - TODO: check + NOT-FOR-US: BluditCMS CVE-2023-24673 RESERVED CVE-2023-24672 @@ -35700,7 +35700,7 @@ CVE-2023-24414 (Cross-Site Request Forgery (CSRF) vulnerability in RoboSoft Phot CVE-2023-24413 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I Thirte ...) NOT-FOR-US: WordPress plugin CVE-2023-24412 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Web- ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-24411 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) NOT-FOR-US: WordPress plugin CVE-2023-24410 @@ -48873,7 +48873,7 @@
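Review bot: the final hunk header "@@ -48873,7 +48873,7 @@" has no body in this reproduction, so one of the NFU changes in commit f49568f8 cannot be reviewed here; the commit URL is the only place to see it. The visible hunks are consistent with the rest of the file: each "TODO: check" is replaced by a NOT-FOR-US line naming the product, and the WordPress plugin entries use the same "NOT-FOR-US: WordPress plugin" wording as their neighbours. One small naming point: CVE-2023-39522 is described as "goauthentik" but recorded as "NOT-FOR-US: authentik"; using the name from the description keeps the entry greppable.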
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca498473 by Salvatore Bonaccorso at 2023-09-03T08:33:05+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,15 +15,15 @@ CVE-2023-4734 (Integer Overflow or Wraparound in GitHub repository vim/vim prior NOTE: https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217/ NOTE: https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 (v9.0.1846) CVE-2023-39983 (A vulnerability that poses a potential risk of polluting the MXsecurit ...) - TODO: check + NOT-FOR-US: MXsecurity CVE-2023-39982 (A vulnerability has been identified in MXsecurity versions prior to v1 ...) - TODO: check + NOT-FOR-US: MXsecurity CVE-2023-39981 (A vulnerability that allows for unauthorized access has been discovere ...) - TODO: check + NOT-FOR-US: MXsecurity CVE-2023-39980 (A vulnerability that allows the unauthorized disclosure of authenticat ...) - TODO: check + NOT-FOR-US: MXsecurity CVE-2023-39979 (There is a vulnerability in MXsecurity versions prior to 1.0.1 that ca ...) - TODO: check + NOT-FOR-US: MXsecurity CVE-2023-4718 (The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored ...) NOT-FOR-US: Font Awesome 4 Menus plugin for WordPress CVE-2023-4722 (Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca49847325848bbbdeea9fc8203f0b6268bae1c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca49847325848bbbdeea9fc8203f0b6268bae1c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
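Review bot: the five MXsecurity entries (CVE-2023-39979 through CVE-2023-39983) are marked NOT-FOR-US with no reference line, whereas the vim entries in the context at the top of the hunk each carry a NOTE: with a source URL; one NOTE pointing at the vendor advisory would record the basis for the not-for-us decision. The marker text itself is consistent across all five entries and matches the product named in each description, so no logic issue is visible.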
[Git][security-tracker-team/security-tracker][master] Add new vim CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ba9d7731 by Salvatore Bonaccorso at 2023-09-03T08:32:20+02:00 Add new vim CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,11 +1,19 @@ CVE-2023-4738 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/9fc7dced-a7bb-4479-9718-f956df20f612/ + NOTE: https://github.com/vim/vim/commit/ced2c7394aafdc90fb7845e09b3a3fee23d48cb1 (v9.0.1848) CVE-2023-4736 (Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833.) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/e1ce0995-4df4-4dec-9cd7-3136ac3e8e71/ + NOTE: https://github.com/vim/vim/commit/816fbcc262687b81fc46f82f7bbeb1453addfe0c (v9.0.1833) CVE-2023-4735 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847.) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/fc83bde3-f621-42bd-aecb-8c1ae44cba51/ + NOTE: https://github.com/vim/vim/commit/889f6af37164775192e33b233a90e86fd3df0f57 (v9.0.1847) CVE-2023-4734 (Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9 ...) - TODO: check + - vim + NOTE: https://huntr.dev/bounties/688e4382-d2b6-439a-a54e-484780f82217/ + NOTE: https://github.com/vim/vim/commit/4c6fe2e2ea62469642ed1d80b16d39e616b25cf5 (v9.0.1846) CVE-2023-39983 (A vulnerability that poses a potential risk of polluting the MXsecurit ...) TODO: check CVE-2023-39982 (A vulnerability has been identified in MXsecurity versions prior to v1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba9d773191f81d5466f6a2a9a80752af1acf9ae2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba9d773191f81d5466f6a2a9a80752af1acf9ae2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
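Review bot: the four new entries (CVE-2023-4734, CVE-2023-4735, CVE-2023-4736, CVE-2023-4738) record the upstream fixing commit and version in NOTE lines (v9.0.1846, v9.0.1847, v9.0.1833, v9.0.1848) but the package line is a bare "- vim" with no fixed Debian version, so all four read as open issues; once a vim upload containing those commits is identified the version belongs on the package line. The versions in the NOTE lines agree with the "prior to" versions in the CVE descriptions where they are visible (9.0.1833 for CVE-2023-4736, 9.0.1847 for CVE-2023-4735). The MXsecurity entries left as "TODO: check" in this hunk's trailing context are resolved by the later "Process some NFUs" commit in this thread.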