[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-38559 and CVE-2023-38560 in ghostscript

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6946c625 by Salvatore Bonaccorso at 2023-09-14T07:04:08+02:00
Update information for CVE-2023-38559 and CVE-2023-38560 in ghostscript

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6092,17 +6092,17 @@ CVE-2023-39109 (rconfig v3.9.4 was discovered to 
contain a Server-Side Request F
 CVE-2023-39108 (rconfig v3.9.4 was discovered to contain a Server-Side Request 
Forgery ...)
NOT-FOR-US: rConfig
 CVE-2023-38560 (An integer overflow flaw was found in pcl/pl/plfont.c:418 in 
pl_glyph_ ...)
-   - ghostscript  (unimportant)
+   - ghostscript 10.02.0~dfsg-1 (unimportant)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706898
-   NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174cb25a0cd44a1c0706c2ed73fc95bef
+   NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174cb25a0cd44a1c0706c2ed73fc95bef
 (ghostpdl-10.02.0rc1)
NOTE: Issue in PCL support shipped sourcewise in src:ghostscript
 CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in 
devn_pcx_w ...)
{DLA-3519-1}
-   - ghostscript  (bug #1043033)
+   - ghostscript 10.02.0~dfsg-1 (bug #1043033)
[bookworm] - ghostscript  (Minor issue; can be batched 
together in a later update)
[bullseye] - ghostscript  (Minor issue; can be batched 
together in a later update)
NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897
-   NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
+   NOTE: 
https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f
 (ghostpdl-10.02.0rc1)
 CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a 
low entrop ...)
NOT-FOR-US: RWS WorldServer
 CVE-2023-37478 (pnpm is a package manager. It is possible to construct a 
tarball that, ...)
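Review bot: CVE-2023-38560 gains the fixed version 10.02.0~dfsg-1 while keeping its (unimportant) severity; that matches the NOTE that the PCL code is only shipped sourcewise in src:ghostscript, and both rewritten upstream-commit NOTEs now carry the same (ghostpdl-10.02.0rc1) tag, so the fixed version and the upstream reference agree. For CVE-2023-38559, the {DLA-3519-1} marker sits next to "Minor issue; can be batched together in a later update" for bookworm and bullseye; a NOTE stating why the DLA went out while the stable fixes are deferred would make that state self-explanatory.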



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6946c62549a96053d915cfd043208e77cf168f03

You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add several Debian bug references

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
facb9189 by Salvatore Bonaccorso at 2023-09-14T06:37:43+02:00
Add several Debian bug references

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -591,7 +591,7 @@ CVE-2023-42471 (The wave.ai.browser application through 
1.0.35 for Android allow
 CVE-2023-42470 (The Imou Life com.mm.android.smartlifeiot application through 
6.8.0 fo ...)
NOT-FOR-US: Imou Life com.mm.android.smartlifeiot application
 CVE-2023-42467 (QEMU through 8.0.0 could trigger a division by zero in 
scsi_disk_reset ...)
-   - qemu 
+   - qemu  (bug #1051899)
[bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1813
@@ -2877,7 +2877,7 @@ CVE-2023-40217 (An issue was discovered in Python before 
3.8.18, 3.9.x before 3.
NOTE: 1. 
https://github.com/python/cpython/commit/64f99350351bc46e016b2286f36ba7cd669b79e3
NOTE: 2. 
https://github.com/python/cpython/commit/592bacb6fc086c0453e818e9b95016e9fd47
 CVE-2023-4380
-   - ansible 
+   - ansible  (bug #1051897)
[bookworm] - ansible  (Minor issue)
[bullseye] - ansible  (Minor issue)
[buster] - ansible  (Minor issue)
@@ -3500,7 +3500,7 @@ CVE-2023-4415 (A vulnerability was found in Ruijie 
RG-EW1200G 07161417 r483. It
 CVE-2023-4414 (A vulnerability was found in Beijing Baichuo Smart S85F 
Management Pla ...)
NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform
 CVE-2023-4413 (A vulnerability was found in rkhunter Rootkit Hunter 
1.4.4/1.4.6. It h ...)
-   - rkhunter 
+   - rkhunter  (bug #1051896)
[bookworm] - rkhunter  (Minor issue)
[bullseye] - rkhunter  (Minor issue)
[buster] - rkhunter  (Minor issue)
@@ -4099,7 +4099,7 @@ CVE-2023-35689 (In checkDebuggingDisallowed of 
DeviceVersionFragment.java, there
 CVE-2023-32358 (A type confusion issue was addressed with improved checks. 
This issue  ...)
NOT-FOR-US: Apple
 CVE-2023-4322 (Heap-based Buffer Overflow in GitHub repository 
radareorg/radare2 prio ...)
-   - radare2 
+   - radare2  (bug #1051898)
NOTE: 
https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd
NOTE: https://huntr.dev/bounties/06e2484c-d6f1-4497-af67-26549be9fffd
 CVE-2023-4321 (Cross-site Scripting (XSS) - Stored in GitHub repository 
cockpit-hq/co ...)
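Review bot: unlike the other entries touched in this commit, the CVE-2023-4322 radare2 entry gets only the bug reference and no [bookworm]/[bullseye] annotation, so both stable suites remain tracked as open at the default severity; if that is intentional it is fine, otherwise add the same "Minor issue" style annotation used for qemu, ansible, rkhunter and libsass in this commit.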
@@ -50303,7 +50303,7 @@ CVE-2022-46647
 CVE-2022-46646
RESERVED
 CVE-2022-46329 (Protection mechanism failure for some Intel(R) PROSet/Wireless 
WiFi so ...)
-   - firmware-nonfree 
+   - firmware-nonfree  (bug #1051892)
[bookworm] - firmware-nonfree  (Non-free not supported)
[bullseye] - firmware-nonfree  (Non-free not supported)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
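Review bot: bug #1051892 is attached here to CVE-2022-46329 and, further down in this same commit, to CVE-2022-40964 and CVE-2022-38076, all of which cite intel-sa-00766; one bug per advisory is reasonable, but check that the bug title or body lists all three CVE ids so the tracker's bug cross-reference stays accurate.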
@@ -62771,13 +62771,13 @@ CVE-2022-43360
 CVE-2022-43359 (Gifdec commit 1dcbae19363597314f6623010cc80abad4e47f7c was 
discovered  ...)
NOT-FOR-US: Gifdec
 CVE-2022-43358 (Stack overflow vulnerability in ast_selectors.cpp: in function 
Sass::C ...)
-   - libsass 
+   - libsass  (bug #1051895)
[bookworm] - libsass  (Minor issue)
[bullseye] - libsass  (Minor issue)
[buster] - libsass  (Minor issue)
NOTE: https://github.com/sass/libsass/issues/3178
 CVE-2022-43357 (Stack overflow vulnerability in ast_selectors.cpp in function 
Sass::Co ...)
-   - libsass 
+   - libsass  (bug #1051893)
[bookworm] - libsass  (Minor issue)
[bullseye] - libsass  (Minor issue)
[buster] - libsass  (Minor issue)
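Review bot: CVE-2022-43357 now has its own bug #1051893 but, unlike CVE-2022-43358 directly above it (NOTE: https://github.com/sass/libsass/issues/3178), records no upstream issue reference; adding the corresponding libsass issue NOTE would keep the two sibling ast_selectors.cpp stack overflow entries equally traceable.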
@@ -67828,7 +67828,7 @@ CVE-2022-40971 (Incorrect default permissions for the 
Intel(R) HDMI Firmware Upd
 CVE-2022-40970
RESERVED
 CVE-2022-40964 (Improper access control for some Intel(R) PROSet/Wireless WiFi 
and Kil ...)
-   - firmware-nonfree 
+   - firmware-nonfree  (bug #1051892)
[bookworm] - firmware-nonfree  (Non-free not supported)
[bullseye] - firmware-nonfree  (Non-free not supported)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
@@ -77217,7 +77217,7 @@ CVE-2022-38092
 CVE-2022-38087 (Exposure of resource to wrong sphere in BIOS firmware for some 
Intel(R ...)
NOT-FOR-US: Intel
 CVE-2022-38076 (Improper input validation in some Intel(R) PROSet/Wireless 
WiFi and Ki ...)
-   - firmware-nonfree 
+   - firmware-nonfree  (bug #1051892)
[bookworm] - firmware-nonfree  (Non-free not supported)
[bullseye] - firmware-nonfree  (Non-free not supported)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00766.html
@@ -77234,7 +77234,7 @@ CVE-2022-37329 (Uncontrolled search path in some 
Intel(R) 

[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for chromium issues

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
482c40cf by Salvatore Bonaccorso at 2023-09-14T05:44:29+02:00
Track fixed version via unstable for chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -372,37 +372,37 @@ CVE-2023-4890 (The JQuery Accordion Menu Widget for 
WordPress plugin for WordPre
 CVE-2023-4887 (The Google Maps Plugin by Intergeo for WordPress plugin for 
WordPress  ...)
NOT-FOR-US: Google Maps Plugin by Intergeo for WordPress plugin for 
WordPress
 CVE-2023-4909 (Inappropriate implementation in Interstitials in Google Chrome 
prior t ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4908 (Inappropriate implementation in Picture in Picture in Google 
Chrome pr ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4907 (Inappropriate implementation in Intents in Google Chrome on 
Android pr ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4906 (Insufficient policy enforcement in Autofill in Google Chrome 
prior to  ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4905 (Inappropriate implementation in Prompts in Google Chrome prior 
to 117. ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4904 (Insufficient policy enforcement in Downloads in Google Chrome 
prior to ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4903 (Inappropriate implementation in Custom Mobile Tabs in Google 
Chrome on ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4902 (Inappropriate implementation in Input in Google Chrome prior to 
117.0. ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4901 (Inappropriate implementation in Prompts in Google Chrome prior 
to 117. ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4900 (Inappropriate implementation in Custom Tabs in Google Chrome on 
Androi ...)
-   - chromium 
+   - chromium 117.0.5938.62-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 
116.0.5845.187  ...)
-   - chromium  (unimportant)
+   - chromium 117.0.5938.62-1 (unimportant)
[buster] - chromium  (see DSA 5046)
- firefox 117.0.1-1
- firefox-esr 115.2.1esr-1
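Review bot: all eleven chromium lines get the same fixed version 117.0.5938.62-1 and keep their "[buster] - chromium (see DSA 5046)" annotation, which is consistent. The one entry to double-check is CVE-2023-4863, where the chromium line stays (unimportant) while firefox 117.0.1-1 and firefox-esr 115.2.1esr-1 are tracked at normal severity for the same CVE; the reason for that difference is not recorded in this hunk, so a NOTE explaining it would help readers of the entry.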



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/482c40cfdac9b63198ac99a83a6dd9f7a0af4baf



[Git][security-tracker-team/security-tracker][master] LTS: take freeimage

2023-09-13 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59a480aa by Anton Gladky at 2023-09-14T04:55:59+02:00
LTS: take freeimage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -73,7 +73,7 @@ flac
   NOTE: 20230827: Added by Front-Desk (utkarsh)
   NOTE: 20230827: incoming DSA
 --
-freeimage
+freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
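Review bot: claiming freeimage for gladk closes the loop with the 20230826 NOTE that Anton Gladky is the maintainer and should be synced with; the other entries in this file record such steps as dated NOTE lines (for example "NOTE: 20230827: incoming DSA" under flac), so consider adding a "NOTE: 20230914: ..." line stating the claim and the planned handling rather than leaving it only in the claim marker.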



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59a480aa246d00c144e9f84f1d70d79f569d0a85



[Git][security-tracker-team/security-tracker][master] libwebp DSA

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
238e04cb by Moritz Mühlenhoff at 2023-09-13T23:00:25+02:00
libwebp DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[13 Sep 2023] DSA-5497-1 libwebp - security update
+   {CVE-2023-4863}
+   [bookworm] - libwebp 1.2.4-0.2+deb12u1
 [13 Sep 2023] DSA-5496-1 firefox-esr - security update
{CVE-2023-4863}
[bullseye] - firefox-esr 102.15.1esr-1~deb11u1
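Review bot: DSA-5497-1 lists only a bookworm version (libwebp 1.2.4-0.2+deb12u1), whereas the DSA-5496-1 firefox-esr entry directly below it for the same CVE-2023-4863 carries a bullseye line; confirm whether a bullseye libwebp update is still owed, because if it is, removing "libwebp (jmm)" from data/dsa-needed.txt in the next hunk of this commit drops the reminder for it.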


=
data/dsa-needed.txt
=
@@ -26,8 +26,6 @@ flac/oldstable
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --
-libwebp (jmm)
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/238e04cb17e864aa9125b041deeda0d17a365c69



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-38039/curl

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
31d8b4de by Salvatore Bonaccorso at 2023-09-13T22:49:24+02:00
Update information for CVE-2023-38039/curl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,11 @@
 CVE-2023-38039 [HTTP headers eat all memory]
- curl 
+   [bookworm] - curl  (Minor issue, can be fixed in point release)
[bullseye] - curl  (Vulnerable code not present)
[buster] - curl  (Vulnerable code not present)
NOTE: https://www.openwall.com/lists/oss-security/2023/09/13/1
NOTE: https://curl.se/docs/CVE-2023-38039.html
+   NOTE: Introduced by: 
https://github.com/curl/curl/commit/7c8c723682d524ac9580b9ca3b71419163cb5660 
(curl-7_83_0)
NOTE: Experimental tag removed in: 
https://github.com/curl/curl/commit/4d94fac9f0d1dd02b8308291e4c47651142dc28b 
(curl-7_84_0)
NOTE: Fixed by: 
https://github.com/curl/curl/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770 
(curl-8_3_0)
 CVE-2023-4828 (An improper check for an exceptional condition in the Insider 
Threat M ...)
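Review bot: the new "Introduced by" NOTE (curl-7_83_0) is the evidence behind the existing "Vulnerable code not present" annotations for bullseye and buster, so it is good to have it recorded next to them. The unstable line "- curl" is still left without a fixed version even though the "Fixed by" commit is tagged curl-8_3_0; once the 8.3.0 upload lands, the version should be recorded there so the bookworm "can be fixed in point release" annotation has a reference point.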



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/31d8b4de92564803f32c78a0301522841cc73c63



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-38039/curl

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81d7b0df by Salvatore Bonaccorso at 2023-09-13T22:47:35+02:00
Add CVE-2023-38039/curl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,11 @@
+CVE-2023-38039 [HTTP headers eat all memory]
+   - curl 
+   [bullseye] - curl  (Vulnerable code not present)
+   [buster] - curl  (Vulnerable code not present)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/09/13/1
+   NOTE: https://curl.se/docs/CVE-2023-38039.html
+   NOTE: Experimental tag removed in: 
https://github.com/curl/curl/commit/4d94fac9f0d1dd02b8308291e4c47651142dc28b 
(curl-7_84_0)
+   NOTE: Fixed by: 
https://github.com/curl/curl/commit/3ee79c1674fd6f99e8efca52cd7510e08b766770 
(curl-8_3_0)
 CVE-2023-4828 (An improper check for an exceptional condition in the Insider 
Threat M ...)
NOT-FOR-US: Insider Threat Management (ITM) Server
 CVE-2023-4803 (A reflected cross-site scripting vulnerability in the 
WriteWindowTitle ...)
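Review bot: bullseye and buster are annotated "Vulnerable code not present", but the NOTEs record only the commit that removed the experimental tag (curl-7_84_0) and the fix (curl-8_3_0); the commit that introduced the affected header handling is what substantiates those annotations and should be cited as well. There is also no [bookworm] line, so bookworm is currently tracked as open at the default severity; an explicit annotation would make the intended handling for stable visible.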



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81d7b0dfe0c375c5e7f63444a75a2ca5b03c289c



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
59f5a4d1 by Salvatore Bonaccorso at 2023-09-13T22:44:28+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,35 +1,35 @@
 CVE-2023-4828 (An improper check for an exceptional condition in the Insider 
Threat M ...)
-   TODO: check
+   NOT-FOR-US: Insider Threat Management (ITM) Server
 CVE-2023-4803 (A reflected cross-site scripting vulnerability in the 
WriteWindowTitle ...)
-   TODO: check
+   NOT-FOR-US: Insider Threat Management (ITM) Server
 CVE-2023-4802 (A reflected cross-site scripting vulnerability in the 
UpdateInstalledS ...)
-   TODO: check
+   NOT-FOR-US: Insider Threat Management (ITM) Server
 CVE-2023-4801 (An improper certification validation vulnerability in the 
Insider Thre ...)
-   TODO: check
+   NOT-FOR-US: Insider Threat Management (ITM) Server
 CVE-2023-4785 (Lack of error handling in the TCP server in Google's gRPC 
starting ver ...)
TODO: check
 CVE-2023-4701 (A Improper Privilege Management vulnerability through an 
incorrect use ...)
-   TODO: check
+   NOT-FOR-US: CodeMeter Runtime
 CVE-2023-42469 (The com.full.dialer.top.secure.encrypted application through 
1.0.1 for ...)
-   TODO: check
+   NOT-FOR-US: com.full.dialer.top.secure.encrypted application
 CVE-2023-42468 (The com.cutestudio.colordialer application through 2.1.8-2 for 
Android ...)
-   TODO: check
+   NOT-FOR-US: com.cutestudio.colordialer application
 CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This 
is a hi ...)
-   TODO: check
+   NOT-FOR-US: Craft CMS
 CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some 
circumstances, ...)
TODO: check
 CVE-2023-40850 (netentsec NS-ASG 6.3 is vulnerable to Incorrect Access 
Control. There  ...)
-   TODO: check
+   NOT-FOR-US: netentsec NS-ASG
 CVE-2023-40717 (A use of hard-coded credentials vulnerability [CWE-798] 
inFortiTester2 ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-40715 (A cleartext storage of sensitive information vulnerability 
[CWE-312] i ...)
-   TODO: check
+   NOT-FOR-US: FortiGuard
 CVE-2023-3935 (A heap buffer overflow vulnerability in Wibu CodeMeter Runtime 
network ...)
-   TODO: check
+   NOT-FOR-US: Wibu CodeMeter Runtime
 CVE-2023-3588 (A stored Cross-site Scripting (XSS) vulnerability affecting 
Teamwork C ...)
TODO: check
 CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks 
Cortex ...)
-   TODO: check
+   NOT-FOR-US: Palo Alto Networks
 CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 
contains  ...)
TODO: check
 CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and including version 0.12.1 
may cra ...)
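Review bot: the NOT-FOR-US labels name the same vendor or product inconsistently: CVE-2023-4701 says "CodeMeter Runtime" while CVE-2023-3935 says "Wibu CodeMeter Runtime", and CVE-2023-40717/CVE-2023-40715 say "FortiGuard" although their descriptions refer to FortiTester; since these labels are what later greps and automation match on, a single spelling per product (for example "Wibu CodeMeter Runtime" and "Fortinet FortiTester") would be preferable.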



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/59f5a4d1ecc3f033f79ad0be5323fe65afb40831



[Git][security-tracker-team/security-tracker][master] firefox-esr DSA

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e4e412d7 by Moritz Mühlenhoff at 2023-09-13T22:42:28+02:00
firefox-esr DSA

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[13 Sep 2023] DSA-5496-1 firefox-esr - security update
+   {CVE-2023-4863}
+   [bullseye] - firefox-esr 102.15.1esr-1~deb11u1
+   [bookworm] - firefox-esr 102.15.1esr-1~deb12u1
 [11 Sep 2023] DSA-5495-1 frr - security update
{CVE-2023-31490 CVE-2023-38802 CVE-2023-41358}
[bullseye] - frr 7.5.1-1.1+deb11u2



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4e412d76905f6b6eda393befc5a4a7536281317



[Git][security-tracker-team/security-tracker][master] Track fixed version for two CVEs for linux with unstable upload

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba8f84b2 by Salvatore Bonaccorso at 2023-09-13T22:37:57+02:00
Track fixed version for two CVEs for linux with unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -829,7 +829,7 @@ CVE-2023-4809 (In pf packet processing with a 'scrub 
fragment reassemble' rule,
 CVE-2023-4634 (The Media Library Assistant plugin for WordPress is vulnerable 
to Loca ...)
NOT-FOR-US: Media Library Assistant plugin for WordPress
 CVE-2023-4623 (A use-after-free vulnerability in the Linux kernel's net/sched: 
sch_hf ...)
-   - linux 
+   - linux 6.5.3-1
NOTE: 
https://git.kernel.org/linus/b3d26c5702c7d6c45456326e56d2ccf3f103e60f
 CVE-2023-4622 (A use-after-free vulnerability in the Linux kernel's af_unix 
component ...)
{DSA-5492-1}
@@ -30872,7 +30872,7 @@ CVE-2023-25779
 CVE-2023-25777
RESERVED
 CVE-2023-25775 (Improper access control in the Intel(R) Ethernet Controller 
RDMA drive ...)
-   - linux 
+   - linux 6.5.3-1
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/bb6d73d9add68ad270888db327514384dfa44958
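Review bot: CVE-2023-25775 is annotated "Vulnerable code not present" for bullseye and buster but has no [bookworm] line, so after recording 6.5.3-1 for unstable the tracker will list bookworm as affected; if the driver code is present in bookworm's kernel that is the intended outcome, but it is worth confirming, since the sibling CVE-2023-4623 entry in the first hunk carries no suite annotations at all and will likewise show every suite as open.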



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba8f84b25a1dd2b8ad5eaaf44a8a2bb57c407b84



[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a8c0d558 by security tracker role at 2023-09-13T20:12:22+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,56 @@
-CVE-2023-4039 [GCC's -fstack-protector fails to guard dynamic stack 
allocations on ARM64]
+CVE-2023-4828 (An improper check for an exceptional condition in the Insider 
Threat M ...)
+   TODO: check
+CVE-2023-4803 (A reflected cross-site scripting vulnerability in the 
WriteWindowTitle ...)
+   TODO: check
+CVE-2023-4802 (A reflected cross-site scripting vulnerability in the 
UpdateInstalledS ...)
+   TODO: check
+CVE-2023-4801 (An improper certification validation vulnerability in the 
Insider Thre ...)
+   TODO: check
+CVE-2023-4785 (Lack of error handling in the TCP server in Google's gRPC 
starting ver ...)
+   TODO: check
+CVE-2023-4701 (A Improper Privilege Management vulnerability through an 
incorrect use ...)
+   TODO: check
+CVE-2023-42469 (The com.full.dialer.top.secure.encrypted application through 
1.0.1 for ...)
+   TODO: check
+CVE-2023-42468 (The com.cutestudio.colordialer application through 2.1.8-2 for 
Android ...)
+   TODO: check
+CVE-2023-41892 (Craft CMS is a platform for creating digital experiences. This 
is a hi ...)
+   TODO: check
+CVE-2023-41081 (The mod_jk component of Apache Tomcat Connectorsin some 
circumstances, ...)
+   TODO: check
+CVE-2023-40850 (netentsec NS-ASG 6.3 is vulnerable to Incorrect Access 
Control. There  ...)
+   TODO: check
+CVE-2023-40717 (A use of hard-coded credentials vulnerability [CWE-798] 
inFortiTester2 ...)
+   TODO: check
+CVE-2023-40715 (A cleartext storage of sensitive information vulnerability 
[CWE-312] i ...)
+   TODO: check
+CVE-2023-3935 (A heap buffer overflow vulnerability in Wibu CodeMeter Runtime 
network ...)
+   TODO: check
+CVE-2023-3588 (A stored Cross-site Scripting (XSS) vulnerability affecting 
Teamwork C ...)
+   TODO: check
+CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks 
Cortex ...)
+   TODO: check
+CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 
contains  ...)
+   TODO: check
+CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and including version 0.12.1 
may cra ...)
+   TODO: check
+CVE-2023-39914 (NLnet Labs\u2019 bcder library up to and including version 
0.7.2 panic ...)
+   TODO: check
+CVE-2023-38215 (Adobe Experience Manager versions 6.5.17 and earlier are 
affected by a ...)
+   TODO: check
+CVE-2023-38214 (Adobe Experience Manager versions 6.5.17 and earlier are 
affected by a ...)
+   TODO: check
+CVE-2023-36642 (An improper neutralization of special elements used in an OS 
command v ...)
+   TODO: check
+CVE-2023-36638 (An improper privilege management vulnerability [CWE-269] in 
FortiManag ...)
+   TODO: check
+CVE-2023-36634 (An incomplete filtering of one or more instances of special 
elements v ...)
+   TODO: check
+CVE-2023-36551 (A exposure of sensitive information to an unauthorized actor 
in Fortin ...)
+   TODO: check
+CVE-2023-34984 (A protection mechanism failure in Fortinet FortiWeb 7.2.0 
through 7.2. ...)
+   TODO: check
+CVE-2023-4039 (A failure in the -fstack-protector feature in GCC-based 
toolchains  th ...)
- gcc-13 13.2.0-4
- gcc-12 12.3.0-9
- gcc-11 11.4.0-4
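Review bot: several of the imported descriptions contain literal "\u2019" escape sequences (the three NLnet Labs entries, CVE-2023-39914 through CVE-2023-39916), which looks like the importer writing the JSON-escaped form of the apostrophe rather than the decoded character; that is cosmetic, but it makes the text harder to grep and belongs fixed at the import step. Among the new "TODO: check" entries, CVE-2023-41081 (mod_jk in Apache Tomcat Connectors), CVE-2023-4785 (gRPC) and the Routinator/bcder items concern open-source components rather than vendor appliances and are the ones most likely to need a Debian package assessment. The rewrite of the CVE-2023-4039 header from the local bracketed summary to the official description keeps the three gcc fixed-version lines intact.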
@@ -5242,7 +5294,7 @@ CVE-2023-4200 (A vulnerability has been found in 
SourceCodester Inventory Manage
NOT-FOR-US: SourceCodester Inventory Management System
 CVE-2023-4199 (A vulnerability, which was classified as critical, was found in 
Source ...)
NOT-FOR-US: SourceCodester Inventory Management System
-CVE-2023-4155
+CVE-2023-4155 (A flaw was found in KVM AMD Secure Encrypted Virtualization 
(SEV) in t ...)
{DSA-5492-1}
- linux 6.4.11-1
[bullseye] - linux  (Vulnerable code not present)
@@ -6012,7 +6064,7 @@ CVE-2023-3385 (An issue has been discovered in GitLab 
affecting all versions sta
- gitlab 
 CVE-2023-3364 (An issue has been discovered in GitLab CE/EE affecting all 
versions st ...)
- gitlab 
-CVE-2023-3301 [net: triggerable assertion due to race condition in hot-unplug]
+CVE-2023-3301 (A flaw was found in QEMU. The async nature of hot-unplug 
enables a rac ...)
- qemu 1:8.0.3+dfsg-1
[bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
@@ -9804,7 +9856,7 @@ CVE-2023-35786 (Zoho ManageEngine ADManager Plus before 
7183 allows admin users
NOT-FOR-US: Zoho
 CVE-2023-34150 (** UNSUPPORTED WHEN ASSIGNED **Use of TikaEncodingDetector in 
Apache A ...)
NOT-FOR-US: Apache Any23
-CVE-2023-3255 [VNC: infinite loop in inflate_buffer() leads to denial of 
service]
+CVE-2023-3255 (A flaw was found in 

[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-4863/thunderbird via unstable

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ae9a149 by Salvatore Bonaccorso at 2023-09-13T21:41:51+02:00
Track fixed version for CVE-2023-4863/thunderbird via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -344,7 +344,7 @@ CVE-2023-4863 (Heap buffer overflow in WebP in Google 
Chrome prior to 116.0.5845
[buster] - chromium  (see DSA 5046)
- firefox 117.0.1-1
- firefox-esr 115.2.1esr-1
-   - thunderbird 
+   - thunderbird 1:115.2.2-1
- libwebp  (bug #1051787)
NOTE: 
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
NOTE: src:chromium builds against the system libwebp library



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ae9a14996c3613a21d1af09e57871af41be9bac



[Git][security-tracker-team/security-tracker][master] Track unfixed gpac issues as fallout from #1033116

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7d0eae82 by Salvatore Bonaccorso at 2023-09-13T21:02:45+02:00
Track unfixed gpac issues as fallout from #1033116

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33535,7 +33535,7 @@ CVE-2023-0771 (SQL Injection in GitHub repository 
ampache/ampache prior to 5.5.7
- ampache 
 CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac 
prior to 2. ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd
NOTE: 
https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26
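Review bot: the bug reference is extended to "bug #1033116; bug #1051866" with the same semicolon-separated form in every gpac hunk of this commit, which is consistent; since the change is applied entry by entry, a quick check after the commit that no remaining gpac line references #1033116 without #1051866 (for example grep -n '#1033116' data/CVE/list | grep -v '#1051866') would confirm nothing was missed.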
@@ -33625,7 +33625,7 @@ CVE-2023-0761 (The Clock In Portal- Staff & Attendance 
Management WordPress plug
NOT-FOR-US: WordPress plugin
 CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior 
to V2. ...)
{DSA-5452-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21
NOTE: 
https://github.com/gpac/gpac/commit/ea7395f39f601a7750d48d606e9d10ea0b7beefe
@@ -39095,7 +39095,7 @@ CVE-2023-0360 (The Location Weather WordPress plugin 
before 1.3.4 does not valid
 CVE-2023-0359 (A missing nullptr-check in handle_ra_input can cause a 
nullptr-deref.)
NOT-FOR-US: Zephyr
 CVE-2023-0358 (Use After Free in GitHub repository gpac/gpac prior to 
2.3.0-DEV.)
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[bullseye] - gpac  (Minor issue)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/93e128ed-253f-4c42-81ff-fbac7fd8f355
@@ -40845,17 +40845,17 @@ CVE-2023-23146
RESERVED
 CVE-2023-23145 (GPAC version 2.2-rev0-gab012bbfb-master was discovered to 
contain a me ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/4ade98128cbc41d5115b97a41ca2e59529c8dd5f
 CVE-2023-23144 (Integer overflow vulnerability in function 
Q_DecCoordOnUnitSphere file ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/3a2458a49b3e6399709d456d7b35e7a6f50cfb86
 CVE-2023-23143 (Buffer overflow vulnerability in function avc_parse_slice in 
file medi ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: 
https://github.com/gpac/gpac/commit/af6a5e7a96ee01a139cce6c9e4edfc069aad17a6
 CVE-2023-23142
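Review bot: each of CVE-2023-23145, -23144 and -23143 references an upstream fix commit and is covered by DSA-5411-1 in stable, yet is now recorded as unfixed in unstable, and the data file never says why. Commit 3764bf7d in this batch explains it (the 2.2.1+dfsg1-2 upload closed #1033116 although some of its CVEs remain unfixed), so a NOTE on these entries such as `NOTE: fix not included in 2.2.1+dfsg1-2, see #1051866` would keep that reasoning next to the data instead of only in git history and the bug.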
@@ -51405,7 +51405,7 @@ CVE-2022-4203 (A read buffer overrun can be triggered 
in X.509 certificate verif
NOTE: 
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=c927a3492698c254637da836762f9b1f86cffabc
 (openssl-3.0.8)
 CVE-2022-4202 (A vulnerability, which was classified as problematic, was found 
in GPA ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2333
NOTE: 
https://github.com/gpac/gpac/commit/b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908
@@ -54348,7 +54348,7 @@ CVE-2022-45344
RESERVED
 CVE-2022-45343 (GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to 
contain a hea ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2315
NOTE: 
https://github.com/gpac/gpac/commit/1016912db5408b6f38e8eb715279493ae380d1c4
@@ -54473,7 +54473,7 @@ CVE-2022-45284
RESERVED
 CVE-2022-45283 (GPAC MP4box v2.0.0 was discovered to contain a stack overflow 
in the s ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2295
NOTE: 
https://github.com/gpac/gpac/commit/0fc714872ba4536a1190f93aa278b6e08f8c60df
@@ -54642,7 +54642,7 @@ CVE-2022-45203
RESERVED
 CVE-2022-45202 (GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to 
contain a sta ...)
{DSA-5411-1}
-   - gpac  (bug #1033116)
+   - gpac  (bug #1033116; bug #1051866)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2296
NOTE: https://github.com/gpac/gpac/issues/2296#issuecomment-1303112783
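Review bot: CVE-2022-45202 references the upstream issue and an issue comment but no fix commit, unlike the neighbouring CVE-2022-45343 and CVE-2022-45283 entries; with the entry now tracked as unfixed in unstable under #1051866 there is no commit to check the next gpac upload against, so either the upstream fix commit or an explicit `NOTE: no upstream fix yet` should be recorded, otherwise the entry risks being marked fixed again on the strength of a bug closure alone.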
@@ -63400,25 +63400,25 @@ 

[Git][security-tracker-team/security-tracker][master] Update references for CVE-2022-47022

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
da2d211f by Salvatore Bonaccorso at 2023-09-13T20:34:48+02:00
Update references for CVE-2022-47022

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48952,7 +48952,8 @@ CVE-2022-47022 (An issue was discovered in open-mpi 
hwloc 2.1.0 allows attackers
[bullseye] - hwloc  (Minor issue)
[buster] - hwloc  (Minor issue)
NOTE: https://github.com/open-mpi/hwloc/issues/544
-   NOTE: 
https://github.com/open-mpi/hwloc/commit/eec84f84d4c4a7af6ed2c57ba95a9256e56e73b4
+   NOTE: 
https://github.com/open-mpi/hwloc/commit/ac1f8db9a0790d2bf153711ff4cbf6101f89aace
 (master)
+   NOTE: 
https://github.com/open-mpi/hwloc/commit/a62b8ba587b225d25d6ee05c705fbc44c55d1986
 (hwloc-2.9.3rc1)
NOTE: Additionally openmpi and mpich embedd hwloc, but issue seems 
negligible
 CVE-2022-47021 (A null pointer dereference issue was discovered in functions 
op_get_da ...)
- opusfile 0.12-4 (bug #1030049)
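Review bot: the previously referenced commit eec84f84 is replaced rather than kept, with no NOTE on why it was wrong or insufficient; a line such as `NOTE: eec84f84 previously referenced here is unrelated/incomplete` prevents someone re-adding it from the upstream issue later. The unchanged context NOTE also carries a typo (`embedd` for `embeds`) and leaves the relevant question open: whether Debian's openmpi and mpich build against the system libhwloc or the embedded copy; only in the former case does the hwloc fix in 2.9.3-1 (commit d100f2db below) cover them, and "issue seems negligible" does not say which applies.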



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da2d211ffc0d5b5d5789ac11962ceea9b573ab33

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da2d211ffc0d5b5d5789ac11962ceea9b573ab33
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] mosquitto fixed in sid

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afde2049 by Moritz Muehlenhoff at 2023-09-13T18:08:19+02:00
mosquitto fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -25251,7 +25251,7 @@ CVE-2023-28371 (In Stellarium through 1.2, attackers 
can write to files that are
 CVE-2023-28368 (TP-Link L2 switch T2600G-28SQ firmware versions prior to 
'T2600G-28SQ( ...)
NOT-FOR-US: TP-Link
 CVE-2023-28366 (The broker in Eclipse Mosquitto 1.3.2 through 2.x before 
2.0.16 has a  ...)
-   - mosquitto 
+   - mosquitto 2.0.17-1
NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/
NOTE: 
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
 (v2.0.16)
 CVE-2023-28365 (A backup file vulnerability found in UniFi applications 
(Version 7.3.8 ...)
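Review bot: the description gives the affected range as 1.3.2 through 2.x before 2.0.16, which puts any stable suite shipping a 2.0.x older than 2.0.16 in scope, but this hunk only records the unstable fix 2.0.17-1 and adds no `[bookworm]`/`[bullseye]` triage line (no-dsa, postponed, or a DSA in preparation); until one exists the tracker lists the stable suites as affected with no decision attached. The fix commit tagged (v2.0.16) is consistent with 2.0.17-1 being the first Debian upload at or above the fixed upstream release.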
@@ -33079,10 +33079,10 @@ CVE-2023-0810 (Cross-site Scripting (XSS) - Stored in 
GitHub repository btcpayse
NOT-FOR-US: btcpayserver
 CVE-2023-0809
RESERVED
-   - mosquitto 
+   - mosquitto 2.0.17-1
NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/
 CVE-2023-3592
-   - mosquitto 
+   - mosquitto 2.0.17-1
NOTE: https://mosquitto.org/blog/2023/08/version-2-0-16-released/
NOTE: 
https://github.com/eclipse/mosquitto/commit/00b24e0eb0686e9a76feb71fdaee650cb7e612fa
 (v2.0.16)
 CVE-2023-0808 (A vulnerability was found in Deye/Revolt/Bosswerk Inverter 
MW3_15U_540 ...)
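Review bot: CVE-2023-0809 still reads `RESERVED` and CVE-2023-3592 has no description at all, yet both now get a fixed version and a reference to the 2.0.16 release notes; a bracketed one-line summary taken from those notes, in the style used for CVE-2023-4039 and the ksmbd entries elsewhere in this file (`CVE-2023-3592 [short description]`), would make the entries meaningful while the CVE records are unpublished. Both entries also lack `[bookworm]`/`[bullseye]` lines.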



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afde204986b9911dcab5a7bdc4c4d43b87e23d37



[Git][security-tracker-team/security-tracker][master] hwloc fixed in sid

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d100f2db by Moritz Muehlenhoff at 2023-09-13T17:58:53+02:00
hwloc fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48947,7 +48947,7 @@ CVE-2022-47024 (A null pointer dereference issue was 
discovered in function gui_
 CVE-2022-47023
RESERVED
 CVE-2022-47022 (An issue was discovered in open-mpi hwloc 2.1.0 allows 
attackers to ca ...)
-   - hwloc 
+   - hwloc 2.9.3-1
[bookworm] - hwloc  (Minor issue)
[bullseye] - hwloc  (Minor issue)
[buster] - hwloc  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d100f2db6b5d7b084789d81488321e4749fc8831



[Git][security-tracker-team/security-tracker][master] gcc-12/gcc-13 fixed in sid

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be206ea3 by Moritz Muehlenhoff at 2023-09-13T17:01:52+02:00
gcc-12/gcc-13 fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,6 +1,6 @@
 CVE-2023-4039 [GCC's -fstack-protector fails to guard dynamic stack 
allocations on ARM64]
-   - gcc-13 
-   - gcc-12 
+   - gcc-13 13.2.0-4
+   - gcc-12 12.3.0-9
- gcc-11 11.4.0-4
- gcc-10 
- gcc-9 
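Review bot: gcc-13 and gcc-12 join gcc-11 with a fixed version, but gcc-10 and gcc-9 keep an empty version and no suite triage; because the flaw is in the compiler's own -fstack-protector instrumentation on ARM64, every older GCC still used to build arm64 packages for a supported suite remains a hardening gap, so those lines need either a fixed version or an explicit no-dsa/ignored decision with a NOTE. The hunk header `-1,6 +1,6` covers only the first six lines; gcc-8 and gcc-7, added in commit 79241176 below, sit outside it and are unfixed as well.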



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be206ea31cdb49d8d8787bfa14541cd1e59f635e



[Git][security-tracker-team/security-tracker][master] Add more GCC source package names

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
79241176 by Moritz Muehlenhoff at 2023-09-13T16:57:55+02:00
Add more GCC source package names

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,11 @@
 CVE-2023-4039 [GCC's -fstack-protector fails to guard dynamic stack 
allocations on ARM64]
+   - gcc-13 
+   - gcc-12 
- gcc-11 11.4.0-4
+   - gcc-10 
+   - gcc-9 
+   - gcc-8 
+   - gcc-7 
NOTE: 
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
 CVE-2023-4928 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1.)
NOT-FOR-US: icms2
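Review bot: the only reference on the entry is the GHSA advisory; no upstream GCC commit, branch or release is recorded, so nothing in the data file lets anyone check whether a given gcc-N upload contains the fix other than trusting its changelog. Add the upstream fix commit(s) and the GCC release branches that received the backport as NOTEs; then the fixed versions for the six source packages added here can be verified one by one.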



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/792411766aa4650e0880ed2858ba2478174b50b5



[Git][security-tracker-team/security-tracker][master] new GCC issue

2023-09-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e020cd5b by Moritz Muehlenhoff at 2023-09-13T16:55:38+02:00
new GCC issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2023-4039 [GCC's -fstack-protector fails to guard dynamic stack 
allocations on ARM64]
+   - gcc-11 11.4.0-4
+   NOTE: 
https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf
 CVE-2023-4928 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1.)
NOT-FOR-US: icms2
 CVE-2023-4917 (The Leyka plugin for WordPress is vulnerable to Sensitive 
Information  ...)
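Review bot: listing only the compiler package understates the exposure. The flaw is that -fstack-protector omits the guard for dynamically sized stack allocations on ARM64, so a fixed gcc-11 protects only code compiled after the fixed upload; every arm64 binary already built by an affected GCC keeps the missing guard until it is rebuilt. A NOTE recording whether rebuilds of affected packages are planned, or why not, would put that decision where readers of this entry will look for it. Only gcc-11 is listed here; commit 79241176 above adds the other GCC source packages.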



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e020cd5b043a0081e25a462c004ec68e802c38fa



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3566-1 for ruby-rails-html-sanitizer

2023-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
273bed5f by Sylvain Beucler at 2023-09-13T16:33:57+02:00
Reserve DLA-3566-1 for ruby-rails-html-sanitizer

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -119838,7 +119838,6 @@ CVE-2022-23521 (Git is distributed revision control 
system. gitattributes are a
NOTE: 
https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf
 CVE-2022-23520 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
-   [buster] - ruby-rails-html-sanitizer  (Minor issue)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
NOTE: 
https://github.com/flavorjones/loofah/blob/main/docs/2022-10-decision-on-cdata-nodes.md
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/e6d52d3b6db99d07399498b1287997302d444a8d
 (v1.4.4)
@@ -119848,7 +119847,6 @@ CVE-2022-23520 (rails-html-sanitizer is responsible 
for sanitizing HTML fragment
NOTE: Replaces CVE-2022-32209 fix, requires 'cdata_escape' from 
ruby-loofah >= 2.19.1.
 CVE-2022-23519 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
-   [buster] - ruby-rails-html-sanitizer  (Minor issue can be 
fixed later)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
NOTE: 
https://github.com/flavorjones/loofah/blob/main/docs/2022-10-decision-on-cdata-nodes.md
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/e6d52d3b6db99d07399498b1287997302d444a8d
 (v1.4.4)
@@ -119864,7 +119862,6 @@ CVE-2022-23518 (rails-html-sanitizer is responsible 
for sanitizing HTML fragment
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
 CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
- ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
-   [buster] - ruby-rails-html-sanitizer  (Minor issue)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
 CVE-2022-23516 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
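Review bot: DLA-3566-1 (data/DLA/list hunk below) lists CVE-2022-23518 among the fixed CVEs, yet this patch removes a `[buster]` line only for CVE-2022-23520, -23519 and -23517; the `-119864` hunk starts inside the NOTEs of CVE-2022-23518, so its package lines are not visible here. Confirm that CVE-2022-23518 has no leftover `[buster] - ruby-rails-html-sanitizer (Minor issue)` line, otherwise buster would show as both fixed by the DLA and postponed for that CVE.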


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[13 Sep 2023] DLA-3566-1 ruby-rails-html-sanitizer - security update
+   {CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520}
+   [buster] - ruby-rails-html-sanitizer 1.0.4-1+deb10u2
 [13 Sep 2023] DLA-3565-1 ruby-loofah - security update
{CVE-2022-23514 CVE-2022-23515 CVE-2022-23516}
[buster] - ruby-loofah 2.2.3-1+deb10u2


=
data/dla-needed.txt
=
@@ -196,11 +196,6 @@ rails
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
 --
-ruby-rails-html-sanitizer (Sylvain Beucler)
-  NOTE: 20221231: Added by Front-Desk (ola)
-  NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with 
appropriate methods. (utkarsh)
-  NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this 
is "free to claim atm". (Beuc/front-desk)
---
 ruby-rmagick
   NOTE: 20230808: Added by Front-Desk on rouca's (imagemagick package 
maintainer) request (Beuc)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/273bed5fb52396ff536194926cbe3fa0e5a63464



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3565-1 for ruby-loofah

2023-09-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
81bdd03c by Sylvain Beucler at 2023-09-13T16:31:15+02:00
Reserve DLA-3565-1 for ruby-loofah

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -119870,7 +119870,6 @@ CVE-2022-23517 (rails-html-sanitizer is responsible 
for sanitizing HTML fragment
 CVE-2022-23516 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
- ruby-loofah 2.19.1-1 (bug #1026083)
[bullseye] - ruby-loofah  (Minor issue)
-   [buster] - ruby-loofah  (Minor issue)
NOTE: 
https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
NOTE: 
https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040
 CVE-2022-23515 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
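Review bot: the `[buster]` no-dsa line goes because buster now gets DLA-3565-1, but the `[bullseye] - ruby-loofah (Minor issue)` line is left as is, so the newer stable release keeps the very assessment just revised for the older one; if the severity view changed enough to justify a buster update, a NOTE on why bullseye stays no-dsa (or a plan for a point-release update) would keep the two decisions consistent.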
@@ -119881,7 +119880,6 @@ CVE-2022-23515 (Loofah is a general library for 
manipulating and transforming HT
 CVE-2022-23514 (Loofah is a general library for manipulating and transforming 
HTML/XML ...)
- ruby-loofah 2.19.1-1 (bug #1026083)
[bullseye] - ruby-loofah  (Minor issue)
-   [buster] - ruby-loofah  (Minor issue)
NOTE: 
https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
NOTE: 
https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
 CVE-2022-23513 (Pi-Hole is a network-wide ad blocking via your own Linux 
hardware, Adm ...)


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[13 Sep 2023] DLA-3565-1 ruby-loofah - security update
+   {CVE-2022-23514 CVE-2022-23515 CVE-2022-23516}
+   [buster] - ruby-loofah 2.2.3-1+deb10u2
 [12 Sep 2023] DLA-3564-1 e2guardian - security update
{CVE-2021-44273}
[buster] - e2guardian 5.3.1-1+deb10u1


=
data/dla-needed.txt
=
@@ -196,13 +196,6 @@ rails
 ring
   NOTE: 20230903: Added by Front-Desk (gladk)
 --
-ruby-loofah (Sylvain Beucler)
-  NOTE: 20221231: Added by Front-Desk (ola)
-  NOTE: 20230313: Pinged Daniel re. patches in repo ^. (lamby)
-  NOTE: 20230403: See "RFC: ruby-loofah 2.2.3-1+deb10u2" thread on debian-lts 
list. (lamby)
-  NOTE: 20230403: Everything ready in git, just waiting for 
ruby-rails-html-sanitizer/utkarsh (dleidert/inactive)
-  NOTE: 20230808: utkarsh mentions on IRC he's busy with other packages, this 
is "free to claim atm". (Beuc/front-desk)
---
 ruby-rails-html-sanitizer (Sylvain Beucler)
   NOTE: 20221231: Added by Front-Desk (ola)
   NOTE: 20230303: this cannot be fixed unless ruby-loofah is fixed with 
appropriate methods. (utkarsh)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/81bdd03c3f7b9030c12f516a656c43d983daec28



[Git][security-tracker-team/security-tracker][master] Track fixes which entered unstable from the experimental upload

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3764bf7d by Salvatore Bonaccorso at 2023-09-13T14:03:45+02:00
Track fixes which entered unstable from the experimental upload

Note that some of the CVEs in #1033116 are still not fixed, and neither is
the status of bugs #1036701 and #1034890 (which were previously reopened but
without any feedback yet, and are now re-closed with the unstable upload,
but with no changes related to those).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23302,7 +23302,7 @@ CVE-2023-1656 (Cleartext Transmission of Sensitive 
Information vulnerability in
NOT-FOR-US: ForgeRock
 CVE-2023-1655 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior 
to 2.4 ...)
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1034187)
+   - gpac 2.2.1+dfsg1-2 (bug #1034187)
[bullseye] - gpac  (Vulnerable code not present)
[buster] - gpac  (Vulnerable code not present)
NOTE: https://huntr.dev/bounties/05f1d1de-bbfd-43fe-bdf9-7f73419ce7c9
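Review bot: the description says the flaw affects gpac "prior to 2.4", yet the fix is recorded in 2.2.1+dfsg1-2 with only the huntr report as reference; add the upstream fix commit as a NOTE (the CVE-2023-1654 entry below has one) so that "fixed in 2.2.1" can be checked against the upstream branch or the Debian patch queue rather than inferred from the bug closure, which the commit message itself says is not reliable for every CVE in the batch. With the unstable version recorded, the `[experimental] - gpac 2.2.1+dfsg1-1` line looks superseded and could be dropped.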
@@ -23311,7 +23311,7 @@ CVE-2023-1655 (Heap-based Buffer Overflow in GitHub 
repository gpac/gpac prior t
 CVE-2023-1654 (Denial of Service in GitHub repository gpac/gpac prior to 
2.4.0.)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1034187)
+   - gpac 2.2.1+dfsg1-2 (bug #1034187)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/33652b56-128f-41a7-afcc-10641f69ff14
NOTE: 
https://github.com/gpac/gpac/commit/2c055153d401b8c49422971e3a0159869652d3da
@@ -24764,7 +24764,7 @@ CVE-2023-1453 (A vulnerability was found in Watchdog 
Anti-Virus 1.4.214.0. It ha
 CVE-2023-1452 (A vulnerability was found in GPAC 
2.3-DEV-rev35-gbbca86917-master. It  ...)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1034187)
+   - gpac 2.2.1+dfsg1-2 (bug #1034187)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2386
NOTE: 
https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f
@@ -24776,7 +24776,7 @@ CVE-2023-1450 (A vulnerability was found in MP4v2 2.1.2 
and classified as proble
 CVE-2023-1449 (A vulnerability has been found in GPAC 
2.3-DEV-rev35-gbbca86917-master ...)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1034187)
+   - gpac 2.2.1+dfsg1-2 (bug #1034187)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2387
NOTE: 
https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9
@@ -24784,7 +24784,7 @@ CVE-2023-1449 (A vulnerability has been found in GPAC 
2.3-DEV-rev35-gbbca86917-m
 CVE-2023-1448 (A vulnerability, which was classified as problematic, was found 
in GPA ...)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1034187)
+   - gpac 2.2.1+dfsg1-2 (bug #1034187)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://github.com/gpac/gpac/issues/2388
NOTE: 
https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463
@@ -32435,7 +32435,7 @@ CVE-2023-0867 (Multiple stored and reflected cross-site 
scripting vulnerabilitie
 CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior 
to 2.3 ...)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1033116)
+   - gpac 2.2.1+dfsg1-2 (bug #1033116)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f
NOTE: 
https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937
@@ -32883,7 +32883,7 @@ CVE-2023-0820 (The User Role by BestWebSoft WordPress 
plugin before 1.6.7 does n
 CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior 
to v2. ...)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1033116)
+   - gpac 2.2.1+dfsg1-2 (bug #1033116)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef
NOTE: 
https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f
@@ -32891,14 +32891,14 @@ CVE-2023-0819 (Heap-based Buffer Overflow in GitHub 
repository gpac/gpac prior t
 CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to 
v2.3.0-DEV.)
{DSA-5411-1}
[experimental] - gpac 2.2.1+dfsg1-1
-   - gpac  (bug #1033116)
+   - gpac 2.2.1+dfsg1-2 (bug #1033116)
[buster] - gpac  (EOL in buster LTS)
NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a
NOTE: 
https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff
NOTE: 

[Git][security-tracker-team/security-tracker][master] Process some more NFUs

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
af662c41 by Salvatore Bonaccorso at 2023-09-13T11:04:37+02:00
Process some more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,5 @@
 CVE-2023-4928 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1.)
-   TODO: check
+   NOT-FOR-US: icms2
 CVE-2023-4917 (The Leyka plugin for WordPress is vulnerable to Sensitive 
Information  ...)
NOT-FOR-US: Leyka plugin for WordPress
 CVE-2023-4916 (The Login with phone number plugin for WordPress is vulnerable 
to Cros ...)
@@ -7,15 +7,15 @@ CVE-2023-4916 (The Login with phone number plugin for 
WordPress is vulnerable to
 CVE-2023-4915 (The WP User Control plugin for WordPress is vulnerable to 
unauthorized ...)
NOT-FOR-US: WP User Control plugin for WordPress
 CVE-2023-4400 (A password management vulnerability in Skyhigh Secure Web 
Gateway (SWG ...)
-   TODO: check
+   NOT-FOR-US: Skyhigh Secure Web Gateway (SWG)
 CVE-2023-4213 (The Simplr Registration Form Plus+ plugin for WordPress is 
vulnerable  ...)
NOT-FOR-US: Simplr Registration Form Plus+ plugin for WordPress
 CVE-2023-4153 (The BAN Users plugin for WordPress is vulnerable to privilege 
escalati ...)
NOT-FOR-US: BAN Users plugin for WordPress
 CVE-2023-41423 (Cross Site Scripting vulnerability in WP Githuber MD plugin 
v.1.16.2 a ...)
-   TODO: check
+   NOT-FOR-US: WP Githuber MD plugin
 CVE-2023-39073 (An issue in SNMP Web Pro v.1.1 allows a remote attacker to 
execute arb ...)
-   TODO: check
+   NOT-FOR-US: SNMP Web Pro
 CVE-2023-3867 [ksmbd: add missing compound request handing in some commands]
- linux 6.4.11-1
[bookworm] - linux 6.1.52-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af662c412c11244d2327e0b1ccc528dc9098da6d



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f66883fc by Salvatore Bonaccorso at 2023-09-13T10:56:23+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,17 +1,17 @@
 CVE-2023-4928 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1.)
TODO: check
 CVE-2023-4917 (The Leyka plugin for WordPress is vulnerable to Sensitive 
Information  ...)
-   TODO: check
+   NOT-FOR-US: Leyka plugin for WordPress
 CVE-2023-4916 (The Login with phone number plugin for WordPress is vulnerable 
to Cros ...)
-   TODO: check
+   NOT-FOR-US: Login with phone number plugin for WordPress
 CVE-2023-4915 (The WP User Control plugin for WordPress is vulnerable to 
unauthorized ...)
-   TODO: check
+   NOT-FOR-US: WP User Control plugin for WordPress
 CVE-2023-4400 (A password management vulnerability in Skyhigh Secure Web 
Gateway (SWG ...)
TODO: check
 CVE-2023-4213 (The Simplr Registration Form Plus+ plugin for WordPress is 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: Simplr Registration Form Plus+ plugin for WordPress
 CVE-2023-4153 (The BAN Users plugin for WordPress is vulnerable to privilege 
escalati ...)
-   TODO: check
+   NOT-FOR-US: BAN Users plugin for WordPress
 CVE-2023-41423 (Cross Site Scripting vulnerability in WP Githuber MD plugin 
v.1.16.2 a ...)
TODO: check
 CVE-2023-39073 (An issue in SNMP Web Pro v.1.1 allows a remote attacker to 
execute arb ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f66883fc713964d9ebfa6d5b589add029d4a6a88



[Git][security-tracker-team/security-tracker][master] automatic update

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
50d36829 by security tracker role at 2023-09-13T08:12:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2023-4928 (SQL Injection in GitHub repository instantsoft/icms2 prior to 
2.16.1.)
+   TODO: check
+CVE-2023-4917 (The Leyka plugin for WordPress is vulnerable to Sensitive 
Information  ...)
+   TODO: check
+CVE-2023-4916 (The Login with phone number plugin for WordPress is vulnerable 
to Cros ...)
+   TODO: check
+CVE-2023-4915 (The WP User Control plugin for WordPress is vulnerable to 
unauthorized ...)
+   TODO: check
+CVE-2023-4400 (A password management vulnerability in Skyhigh Secure Web 
Gateway (SWG ...)
+   TODO: check
+CVE-2023-4213 (The Simplr Registration Form Plus+ plugin for WordPress is 
vulnerable  ...)
+   TODO: check
+CVE-2023-4153 (The BAN Users plugin for WordPress is vulnerable to privilege 
escalati ...)
+   TODO: check
+CVE-2023-41423 (Cross Site Scripting vulnerability in WP Githuber MD plugin 
v.1.16.2 a ...)
+   TODO: check
+CVE-2023-39073 (An issue in SNMP Web Pro v.1.1 allows a remote attacker to 
execute arb ...)
+   TODO: check
 CVE-2023-3867 [ksmbd: add missing compound request handing in some commands]
- linux 6.4.11-1
[bookworm] - linux 6.1.52-1
@@ -19,7 +37,7 @@ CVE-2023-3865 [ksmbd: fix out-of-bound read in smb2_write]
[buster] - linux  (Vulnerable code not present)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-980/
NOTE: 
https://git.kernel.org/linus/5fe7f7b78290638806211046a99f031ff26164e1 (6.4)
-CVE-2023-4813 [potential use-after-free in gaih_inet()]
+CVE-2023-4813 (A flaw was found in glibc. In an uncommon situation, the 
gaih_inet fun ...)
- glibc 2.36-3
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28931
NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215
 (glibc-2.36)
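Review bot: the NOTE tags the fix commit as (glibc-2.36), i.e. part of the 2.36 release, but the fixed Debian version is 2.36-3 rather than the first 2.36 upload; a reader cannot tell whether -3 cherry-picked the commit or whether 2.36-1/-2 were built from a pre-release snapshot, so the reason for choosing -3 belongs in a NOTE next to the "Fixed by" line. The bug class named in the removed bracket text (use-after-free in gaih_inet()) is no longer stated by the truncated public description; keeping it in a NOTE preserves that detail.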
@@ -282,34 +300,34 @@ CVE-2023-4890 (The JQuery Accordion Menu Widget for 
WordPress plugin for WordPre
NOT-FOR-US: JQuery Accordion Menu Widget for WordPress plugin for 
WordPress
 CVE-2023-4887 (The Google Maps Plugin by Intergeo for WordPress plugin for 
WordPress  ...)
NOT-FOR-US: Google Maps Plugin by Intergeo for WordPress plugin for 
WordPress
-CVE-2023-4909
+CVE-2023-4909 (Inappropriate implementation in Interstitials in Google Chrome 
prior t ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4908
+CVE-2023-4908 (Inappropriate implementation in Picture in Picture in Google 
Chrome pr ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4907
+CVE-2023-4907 (Inappropriate implementation in Intents in Google Chrome on 
Android pr ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4906
+CVE-2023-4906 (Insufficient policy enforcement in Autofill in Google Chrome 
prior to  ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4905
+CVE-2023-4905 (Inappropriate implementation in Prompts in Google Chrome prior 
to 117. ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4904
+CVE-2023-4904 (Insufficient policy enforcement in Downloads in Google Chrome 
prior to ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4903
+CVE-2023-4903 (Inappropriate implementation in Custom Mobile Tabs in Google 
Chrome on ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4902
+CVE-2023-4902 (Inappropriate implementation in Input in Google Chrome prior to 
117.0. ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4901
+CVE-2023-4901 (Inappropriate implementation in Prompts in Google Chrome prior 
to 117. ...)
- chromium 
[buster] - chromium  (see DSA 5046)
-CVE-2023-4900
+CVE-2023-4900 (Inappropriate implementation in Custom Tabs in Google Chrome on 
Androi ...)
- chromium 
[buster] - chromium  (see DSA 5046)
 CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 
116.0.5845.187  ...)
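Review bot: on every chromium line in this hunk the status field between the package name and the parenthesised note is empty (`- chromium ` and `[buster] - chromium  (see DSA 5046)`); the tracker syntax expects a fixed version or a `<...>` state token such as `<unfixed>` or `<end-of-life>` there, so confirm the committed file still carries them and that only this rendering dropped them. The descriptions being added are the truncated upstream texts the tracker imports once the CVE feed publishes them, which completes the bare ids introduced by the "Add new set of chromium issues" hunk later on this page.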
@@ -45812,8 +45830,8 @@ CVE-2022-47639
RESERVED
 CVE-2022-47638
RESERVED
-CVE-2022-47637
-   RESERVED
+CVE-2022-47637 (The installer in XAMPP through 8.1.12 allows local users to 
write to t ...)
+   TODO: check
 CVE-2022-47636 (A DLL hijacking vulnerability has been discovered in 
OutSystems Servic ...)
NOT-FOR-US: OutSystems Service Studio
 CVE-2022-47635 (Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, 
and WMS ...)
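Review bot: the `TODO: check` left under CVE-2022-47637 needs resolving before this entry is final: the description names the XAMPP installer, which is not a Debian source package, so the expected outcome is a `NOT-FOR-US: XAMPP` line in the style of the OutSystems entry directly below; if the description is all that is known so far, keep the TODO but state what is to be checked.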



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50d36829fffaa781d66eabe1883e10bd8d7aedc1



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3867/linux

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67e6c742 by Salvatore Bonaccorso at 2023-09-13T09:57:00+02:00
Add CVE-2023-3867/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2023-3867 [ksmbd: add missing compound request handing in some commands]
+   - linux 6.4.11-1
+   [bookworm] - linux 6.1.52-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-981/
+   NOTE: 
https://git.kernel.org/linus/7b7d709ef7cf285309157fb94c33f625dd22c5e1 (6.5-rc1)
 CVE-2023-3866 [ksmbd: validate session id and tree id in the compound request]
- linux 6.3.11-1
[bookworm] - linux 6.1.37-1
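Review bot: the fixed versions (6.4.11-1, bookworm 6.1.52-1) are below the tag on the referenced upstream commit (6.5-rc1), so the fix reached them through stable backports; a NOTE naming the stable commit, or at least a `Fixed by:` label on the commit line as the glibc entries in this batch use, would make that relationship explicit for the next triager.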



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67e6c742c79939d030d6d599294fa07d64859364



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3865/linux

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
389b05b2 by Salvatore Bonaccorso at 2023-09-13T09:48:44+02:00
Add CVE-2023-3865/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,6 +5,13 @@ CVE-2023-3866 [ksmbd: validate session id and tree id in the 
compound request]
[buster] - linux  (Vulnerable code not present)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-979/
NOTE: 
https://git.kernel.org/linus/5005bcb4219156f1bf7587b185080ec1da08518e (6.4)
+CVE-2023-3865 [ksmbd: fix out-of-bound read in smb2_write]
+   - linux 6.3.11-1
+   [bookworm] - linux 6.1.37-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-980/
+   NOTE: 
https://git.kernel.org/linus/5fe7f7b78290638806211046a99f031ff26164e1 (6.4)
 CVE-2023-4813 [potential use-after-free in gaih_inet()]
- glibc 2.36-3
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28931
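Review bot: the fixed version 6.3.11-1 and bookworm 6.1.37-1 are identical to the neighbouring CVE-2023-3866 entry, and both upstream commits carry the same (6.4) tag; that is plausible if one kernel upload fixed both, but double-check that 5fe7f7b7 (the smb2_write out-of-bound read) was actually part of the 6.1.37 stable import and not only 5005bcb4, since they are distinct commits.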



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/389b05b26f8702dbc8bde28b11060687b8f2093e



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3866/linux

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
953cd96b by Salvatore Bonaccorso at 2023-09-13T09:40:50+02:00
Add CVE-2023-3866/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2023-3866 [ksmbd: validate session id and tree id in the compound request]
+   - linux 6.3.11-1
+   [bookworm] - linux 6.1.37-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-979/
+   NOTE: 
https://git.kernel.org/linus/5005bcb4219156f1bf7587b185080ec1da08518e (6.4)
 CVE-2023-4813 [potential use-after-free in gaih_inet()]
- glibc 2.36-3
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28931
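Review bot: `Vulnerable code not present` for bullseye and buster is asserted without a NOTE giving the reason; since all three ksmbd entries in this batch rely on the same argument (ksmbd entered mainline in 5.15, after the kernels those suites ship), one line such as `NOTE: ksmbd was introduced in 5.15` beside the ZDI link would spare the next triager the lookup.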



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/953cd96bdeb61712c2fe1bda83c85964431651f1



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4813/glibc

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ee1fd6ea by Salvatore Bonaccorso at 2023-09-13T09:00:27+02:00
Add CVE-2023-4813/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2023-4813 [potential use-after-free in gaih_inet()]
+   - glibc 2.36-3
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=28931
+   NOTE: Fixed by: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=1c37b8022e8763fedbb3f79c02e05c6acfe5a215
 (glibc-2.36)
 CVE-2023-4806 [potential use-after-free in getaddrinfo()]
- glibc 
NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30843
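Review bot: the fixed version `glibc 2.36-3` does not line up with the `(glibc-2.36)` tag on the fix commit: if 1c37b802 is part of the upstream 2.36 release, the first Debian 2.36 upload already contained it and the version should be lowered; if it was cherry-picked into 2.36-3 instead, a NOTE saying so avoids the question. The entry also carries no [bullseye]/[buster] annotation, which leaves those suites implicitly affected; an `Introduced by:` NOTE in the style of the CVE-2023-4527 entry on this page would settle whether the older glibc in those suites has the affected gaih_inet() code.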



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee1fd6ead25e733aeca728785c4cdd251d9004b5



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4806/glibc

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02dce254 by Salvatore Bonaccorso at 2023-09-13T08:56:45+02:00
Add CVE-2023-4806/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2023-4806 [potential use-after-free in getaddrinfo()]
+   - glibc 
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30843
 CVE-2023-4527 [Stack read overflow in getaddrinfo in no- mode]
- glibc 
[bullseye] - glibc  (Vulnerable code not present)
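Review bot: only the bugzilla is referenced for CVE-2023-4806; unlike the sibling CVE-2023-4813 entry there is no fix commit or `Fixed by:` NOTE, so the entry stays open with nothing a triager can verify against; add the upstream commit once it lands. The status field after `- glibc` also appears empty in this rendering, where `<unfixed>` is expected.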



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02dce25417d09d96e0f3c54ed2c23a7015789404



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4527/glibc

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
086a6100 by Salvatore Bonaccorso at 2023-09-13T08:55:17+02:00
Add CVE-2023-4527/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2023-4527 [Stack read overflow in getaddrinfo in no- mode]
+   - glibc 
+   [bullseye] - glibc  (Vulnerable code not present)
+   [buster] - glibc  (Vulnerable code not present)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=30842
+   NOTE: Introduced by: 
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=f282cdbe7f436c75864e5640a409a10485e9abb2
 (glibc-2.36)
 CVE-2023-4921 (A use-after-free vulnerability in the Linux kernel's net/sched: 
sch_qf ...)
- linux 
NOTE: https://kernel.dance/#8fc134fee27f2263988ae38920bc03da416b03d8
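Review bot: the bracketed title `Stack read overflow in getaddrinfo in no- mode` is cut off after `no-`; restore the option name from the upstream bug (30842) so the entry stays searchable. The `Introduced by:` NOTE tagged (glibc-2.36) is what justifies `Vulnerable code not present` for bullseye and buster, whose glibc predates 2.36; the matching `Fixed by:` commit should be added when a fixed version replaces the empty status after `- glibc`.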



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/086a6100d874cfeb7c7066f1564de769cd0f13ea



[Git][security-tracker-team/security-tracker][master] Document status for libwebp in dsa-needed

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7cf4b5a2 by Salvatore Bonaccorso at 2023-09-13T08:44:53+02:00
Document status for libwebp in dsa-needed

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -26,7 +26,7 @@ flac/oldstable
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --
-libwebp
+libwebp (jmm)
 --
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
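Review bot: `libwebp (jmm)` records an assignee but, unlike the libreswan entry two lines above, no status line; a short indented note (which CVE it is for and whether bookworm and bullseye both need an update) would make the claim useful to others. CVE-2023-4863, the WebP heap buffer overflow listed in the chromium hunks on this page, looks like the issue driving it.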



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cf4b5a2c42b256da2e5ce59d9f6f7757cc3b04b



[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67106e95 by Salvatore Bonaccorso at 2023-09-13T08:44:07+02:00
Add chromium to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -17,6 +17,8 @@ audiofile
 --
 cacti
 --
+chromium (jmm)
+--
 cinder/oldstable
 --
 flac/oldstable



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67106e9517607450a35eb816565a3e67674a54d8



[Git][security-tracker-team/security-tracker][master] Add new set of chromium issues

2023-09-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2892e5da by Salvatore Bonaccorso at 2023-09-13T08:37:17+02:00
Add new set of chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -248,6 +248,36 @@ CVE-2023-4890 (The JQuery Accordion Menu Widget for 
WordPress plugin for WordPre
NOT-FOR-US: JQuery Accordion Menu Widget for WordPress plugin for 
WordPress
 CVE-2023-4887 (The Google Maps Plugin by Intergeo for WordPress plugin for 
WordPress  ...)
NOT-FOR-US: Google Maps Plugin by Intergeo for WordPress plugin for 
WordPress
+CVE-2023-4909
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4908
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4907
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4906
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4905
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4904
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4903
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4902
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4901
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
+CVE-2023-4900
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-4863 (Heap buffer overflow in WebP in Google Chrome prior to 
116.0.5845.187  ...)
- chromium  (unimportant)
[buster] - chromium  (see DSA 5046)
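Review bot: the ten chromium ids are added as bare `CVE-2023-49xx` lines with neither a description nor a `TODO`; that is acceptable because the tracker fills descriptions in from the CVE feed (the `@@ -282,34 +300,34 @@` hunk earlier on this page does exactly that), but the placement breaks the descending run of ids in the context (4890, 4887, then 4909..4900, then 4863); if the file is meant to stay sorted, the block belongs above CVE-2023-4890.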



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2892e5da34fc5d21eed339f758c4cbed3bd0cce8
