[Git][security-tracker-team/security-tracker][master] LTS: take freeimage

2023-11-01 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ce2e749f by Anton Gladky at 2023-11-02T06:13:42+01:00
LTS: take freeimage

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -62,7 +62,7 @@ flatpak
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk)
 --
-freeimage
+freeimage (gladk)
   NOTE: 20230826: Added by Front-Desk (utkarsh)
   NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about 
the
   NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should 
roll
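Review bot: the claim line `+freeimage (gladk)` records who took the package but adds no dated NOTE of the claim, while the entries around it (`NOTE: 20231006: Added by Front-Desk (Beuc)`) keep a dated history; a `NOTE: 20231102: ...` line in the same commit would keep the freeimage entry consistent with that convention. The trailing context also shows the existing 20230826 note reading "Please sync with him about the" followed by "about this", a duplicated wording that could be tidied while the entry is being edited.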



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2e749f378fb03929164cf665a4e30f232c2d9c

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce2e749f378fb03929164cf665a4e30f232c2d9c
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-46407/ffmpeg

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
dac6f700 by Salvatore Bonaccorso at 2023-11-01T22:26:23+01:00
Update status for CVE-2023-46407/ffmpeg

The issue is located in the libavcodec/jpegxl_parser.c only recently
added to ffmpeg and not present up to ffmpeg//6.0 as present in
unstable. As such we can mark it not-affected, vulnerable code introduced
later. This should be safe as upstream has introduced the issue and
fixed it while developing a new upstream version, so there won't be any
released version with the issue in future.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -736,12 +736,11 @@ CVE-2023-46604 (Apache ActiveMQ is vulnerable to Remote 
Code Execution.The vulne
NOTE: 
https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt
NOTE: http://www.openwall.com/lists/oss-security/2023/10/27/5
 CVE-2023-46407 (FFmpeg prior to commit bf814 was discovered to contain an out 
of bound ...)
-   - ffmpeg 
+   - ffmpeg  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://github.com/FFmpeg/FFmpeg/commit/f7ac3512f5b5cb8eb149f37300b43461d8e93af3
NOTE: Fixed by: 
https://github.com/FFmpeg/FFmpeg/commit/bf814387f42e9b0dea9d75c03db4723c88e7d962
NOTE: 
https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231015004924.597746-1-leo.izen%40gmail.com/
NOTE: 
https://patchwork.ffmpeg.org/project/ffmpeg/patch/20231013014959.536776-1-leo.izen%40gmail.com/
-   TODO: check details for released versions
 CVE-2023-46394 (A stored cross-site scripting (XSS) vulnerability in 
/home/user/edit_s ...)
NOT-FOR-US: gougucms
 CVE-2023-46393 (gougucms v4.08.18 was discovered to contain a password reset 
poisoning ...)
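Review bot: the new status line `+   - ffmpeg  (Vulnerable code introduced later)` shows two spaces between the package name and the parenthesised reason, which is where the tracker's `<not-affected>` tag would sit; as rendered in this mail the tag is missing, so confirm the committed line carries it, otherwise the entry reads as an open issue with only a comment attached. The reasoning for not-affected (the code lives in libavcodec/jpegxl_parser.c and is absent from the 6.0 release in unstable) exists only in the commit message; a NOTE line naming the first upstream release that contains the introducing commit would let a later triager verify the decision without reading git history. The `NOTE: Introduced by:` and `NOTE: Fixed by:` links are the right evidence to keep next to the removed TODO.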



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dac6f70057e7a6d83a3079a06c732f4bf39ccd9d



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3e9af14f by Salvatore Bonaccorso at 2023-11-01T21:45:44+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -26643,21 +26643,21 @@ CVE-2022-48463
 CVE-2022-48462
RESERVED
 CVE-2022-48461 (In sensor driver, there is a possible out of bounds write due 
to a mis ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48460 (In setting service, there is a possible undefined behavior due 
to inco ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48459 (In TeleService, there is a possible system crash due to 
improper input ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48458 (In TeleService, there is a possible system crash due to 
improper input ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48457 (In TeleService, there is a possible system crash due to 
improper input ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48456 (In camera driver, there is a possible out of bounds write due 
to a inc ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48455 (In wifi service, there is a possible out of bounds write due 
to a miss ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48454 (In wifi service, there is a possible out of bounds write due 
to a miss ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2022-48453 (In camera driver, there is a possible out of bounds write due 
to a mis ...)
NOT-FOR-US: Unisoc
 CVE-2022-48452 (In Ifaa service, there is a possible missing permission check. 
This co ...)
@@ -31043,21 +31043,21 @@ CVE-2023-1722 (Yoga Class Registration System version 
1.0 allows an administrato
 CVE-2023-1721 (Yoga Class Registration System version 1.0 allows an 
administrator to  ...)
NOT-FOR-US: Yoga Class Registration System
 CVE-2023-1720 (Lack of mime type response header in Bitrix24 22.0.300 allows 
authenti ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1719 (Global variable extraction in bitrix/modules/main/tools.php in 
Bitrix2 ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1718 (Improper file stream access in 
/desktop_app/file.ajax.php?action=uploa ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1717 (Prototype pollution in 
bitrix/templates/bitrix24/components/bitrix/men ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1716 (Cross-site scripting (XSS) vulnerability in Invoice Edit Page 
in Bitri ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1715 (A logic error when using mb_strpos() to check for potential XSS 
payloa ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1714 (Unsafe variable extraction in 
bitrix/modules/main/classes/general/user ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1713 (Insecure temporary file creation in 
bitrix/modules/crm/lib/order/impor ...)
-   TODO: check
+   NOT-FOR-US: Bitrix24
 CVE-2023-1712 (Use of Hard-coded, Security-relevant Constants in GitHub 
repository de ...)
NOT-FOR-US: deepset-ai haystack
 CVE-2023-1711 (A vulnerability exists in a FOXMAN-UN and UNEM logging 
component, it o ...)
@@ -68606,7 +68606,7 @@ CVE-2023-20266 (A vulnerability in Cisco Emergency 
Responder, Cisco Unified Comm
 CVE-2023-20265
RESERVED
 CVE-2023-20264 (A vulnerability in the implementation of Security Assertion 
Markup Lan ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2023-20263 (A vulnerability in the web-based management interface of Cisco 
HyperFl ...)
NOT-FOR-US: Cisco
 CVE-2023-20262 (A vulnerability in the SSH service of Cisco Catalyst SD-WAN 
Manager co ...)
@@ -68622,9 +68622,9 @@ CVE-2023-20258
 CVE-2023-20257
RESERVED
 CVE-2023-20256 (Multiple vulnerabilities in the per-user-override feature of 
Cisco Ada ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2023-20255 (A vulnerability in an API of the Web Bridge feature of Cisco 
Meeting S ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2023-20254 (A vulnerability in the session management system of the Cisco 
Catalyst ...)
NOT-FOR-US: Cisco
 CVE-2023-20253 (A vulnerability in the command line interface (cli) management 
interfa ...)
@@ -68640,13 +68640,13 @@ CVE-2023-20249
 CVE-2023-20248
RESERVED
 CVE-2023-20247 (A vulnerability in the remote access SSL VPN feature of Cisco 
Adaptive ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2023-20246 (Multiple Cisco products are affected by a vulnerability in 
Snort acces ...)
TODO: check
 CVE-2023-20245 (Multiple vulnerabilities in the per-user-override feature of 
Cisco Ada ...)
-   TODO: check
+   NOT-FOR-US: Cisco
 CVE-2023-20244 (A vulnerability in the internal packet processing of Cisco 
Firepower T ...)
-   TODO: 
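Review bot: in this hunk CVE-2023-20246 (Snort access control, in the middle of the hunk) stays at `TODO: check` while the neighbouring Cisco ASA/FTD entries switch to `NOT-FOR-US: Cisco`; that split looks deliberate, since the description names Snort rather than a Cisco-only product, but a short NOTE saying why it is kept open would stop a later NFU sweep from flipping it. The hunk is cut off after `-   TODO:` for CVE-2023-20244 in this message, so the rest of the change cannot be reviewed here.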

[Git][security-tracker-team/security-tracker][master] Fix spacing between CVE and temporary description

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aa784afb by Salvatore Bonaccorso at 2023-11-01T21:44:42+01:00
Fix spacing between CVE and temporary description

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1821,7 +1821,7 @@ CVE-2023- [SQUID-2021:8 Denial of Service in Gopher 
gateway]
NOTE: 
https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3
 (SQUID_6_0_1)
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f
NOTE: 
https://megamansec.github.io/Squid-Security-Audit/gopher-nullpointer.html
-CVE-2023-46724  [Squid: Buffer UnderRead in SSL CN Parsing]
+CVE-2023-46724 [Squid: Buffer UnderRead in SSL CN Parsing]
- squid 
[buster] - squid  (Doesn't build with OpenSSL yet)
NOTE: 
https://github.com/squid-cache/squid/commit/792ef23e6e1c05780fe17f733859eef6eb8c8be3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa784afb0fa13dc429b0ab3cb1ef73dde8ca5156



[Git][security-tracker-team/security-tracker][master] CVE-2023-46846/squid assigned

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
34648c8e by Salvatore Bonaccorso at 2023-11-01T21:37:48+01:00
CVE-2023-46846/squid assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1843,7 +1843,7 @@ CVE-2023-5824 [SQUID-2023:2 Multiple issues in HTTP 
response caching]
- squid  (bug #1054537)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255
-CVE-2023- [SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP]
+CVE-2023-46846 [SQUID-2023:1 Request/Response smuggling in HTTP/1.1 and ICAP]
- squid  (bug #1054537)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/34648c8ec9fc7f87fed15ba161b51122a7ae8469



[Git][security-tracker-team/security-tracker][master] CVE-2023-46848/squid assigned

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
412896fd by Salvatore Bonaccorso at 2023-11-01T21:36:40+01:00
CVE-2023-46848/squid assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1827,7 +1827,7 @@ CVE-2023-46724  [Squid: Buffer UnderRead in SSL CN 
Parsing]
NOTE: 
https://github.com/squid-cache/squid/commit/792ef23e6e1c05780fe17f733859eef6eb8c8be3
NOTE: 
https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3
-CVE-2023- [SQUID-2023:5 Denial of Service in FTP]
+CVE-2023-46848 [SQUID-2023:5 Denial of Service in FTP]
- squid  (bug #1054537)
[bullseye] - squid  (Vulnerable code not present)
[buster] - squid  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/412896fdf9681cd16bc2a112f3e908fc729e0c9e



[Git][security-tracker-team/security-tracker][master] CVE-2023-5824/squid assigned

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
73e3604a by Salvatore Bonaccorso at 2023-11-01T21:35:02+01:00
CVE-2023-5824/squid assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1839,7 +1839,7 @@ CVE-2023-46847 [SQUID-2023:3 Denial of Service in HTTP 
Digest Authentication]
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g
NOTE: 
https://github.com/squid-cache/squid/commit/052cf082b0faaef4eaaa4e94119d7a1437aac4a3
NOTE: 
https://megamansec.github.io/Squid-Security-Audit/digest-overflow.html
-CVE-2023- [SQUID-2023:2 Multiple issues in HTTP response caching]
+CVE-2023-5824 [SQUID-2023:2 Multiple issues in HTTP response caching]
- squid  (bug #1054537)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-543m-w2m2-g255



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73e3604ae10a180cb68c8122e1f201ad93d52984



[Git][security-tracker-team/security-tracker][master] CVE assigned for CVE-2023-46847/squid

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5c80ccb4 by Salvatore Bonaccorso at 2023-11-01T21:34:06+01:00
CVE assigned for CVE-2023-46847/squid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1833,7 +1833,7 @@ CVE-2023- [SQUID-2023:5 Denial of Service in FTP]
[buster] - squid  (Vulnerable code not present)
- squid3  (Vulnerable code not present)
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-2g3c-pg7q-g59w
-CVE-2023- [SQUID-2023:3 Denial of Service in HTTP Digest Authentication]
+CVE-2023-46847 [SQUID-2023:3 Denial of Service in HTTP Digest Authentication]
- squid  (bug #1054537)
- squid3 
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-phqj-m8gv-cq4g



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c80ccb44555d29eeff23869279a0462518e02a7



[Git][security-tracker-team/security-tracker][master] Remove "not public yet" note

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bc1e8236 by Salvatore Bonaccorso at 2023-11-01T21:32:57+01:00
Remove "not public yet" note

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1826,7 +1826,7 @@ CVE-2023-46724  [Squid: Buffer UnderRead in SSL CN 
Parsing]
[buster] - squid  (Doesn't build with OpenSSL yet)
NOTE: 
https://github.com/squid-cache/squid/commit/792ef23e6e1c05780fe17f733859eef6eb8c8be3
NOTE: 
https://megamansec.github.io/Squid-Security-Audit/ssl-bufferunderread.html
-   NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3 
(not public yet)
+   NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-73m6-jm96-c6r3
 CVE-2023- [SQUID-2023:5 Denial of Service in FTP]
- squid  (bug #1054537)
[bullseye] - squid  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bc1e82365ab3b7141b896cf81c993207d2e60351



[Git][security-tracker-team/security-tracker][master] CVE-2023-46724/squid assigned

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
837dbd01 by Salvatore Bonaccorso at 2023-11-01T21:31:40+01:00
CVE-2023-46724/squid assigned

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -31,8 +31,6 @@ CVE-2023-46927 (GPAC 2.3-DEV-rev605-gfc9e29089-master 
contains a heap-buffer-ove
NOTE: 
https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817
 CVE-2023-46911 (There is a Cross Site Scripting (XSS) vulnerability in the 
choose_styl ...)
NOT-FOR-US: Jspxcms
-CVE-2023-46724 (Squid is a caching proxy for the Web. Due to an Improper 
Validation of ...)
-   TODO: check
 CVE-2023-46482 (SQL injection vulnerability in wuzhicms v.4.1.0 allows a 
remote attack ...)
NOT-FOR-US: wuzhicms
 CVE-2023-42750 (In gnss service, there is a possible out of bounds write due 
to a miss ...)
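Review bot: this hunk deletes the automatically added stub for CVE-2023-46724 (`-   TODO: check`) near the top of the file; that is only safe because the second hunk of the same commit attaches the id to the existing Squid entry around line 1821, otherwise the CVE would silently drop out of tracking. Keeping both hunks in one commit, as done here, is the right call; splitting them would leave an intermediate revision with the CVE untracked.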
@@ -1823,7 +1821,7 @@ CVE-2023- [SQUID-2021:8 Denial of Service in Gopher 
gateway]
NOTE: 
https://github.com/squid-cache/squid/commit/6ea12e8fb590ac6959e9356a81aa3370576568c3
 (SQUID_6_0_1)
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-cg5h-v6vc-w33f
NOTE: 
https://megamansec.github.io/Squid-Security-Audit/gopher-nullpointer.html
-CVE-2023- [Squid: Buffer UnderRead in SSL CN Parsing]
+CVE-2023-46724  [Squid: Buffer UnderRead in SSL CN Parsing]
- squid 
[buster] - squid  (Doesn't build with OpenSSL yet)
NOTE: 
https://github.com/squid-cache/squid/commit/792ef23e6e1c05780fe17f733859eef6eb8c8be3
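Review bot: the new line `+CVE-2023-46724  [Squid: Buffer UnderRead in SSL CN Parsing]` has two spaces between the CVE id and the bracketed temporary description, whereas the entries around it use one (`CVE-2023- [SQUID-2021:8 ...]`); this is corrected separately in commit aa784afb ("Fix spacing between CVE and temporary description", also on this page), but it would have been simpler to fix in this commit while the line was being rewritten.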



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/837dbd013cfedc915bfb5ae7c0390ec927d3f35f



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0c583ae9 by Salvatore Bonaccorso at 2023-11-01T21:30:07+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,7 +12,7 @@ CVE-2023-5627 (A vulnerability has been identified in NPort 
6000 Series, making
 CVE-2023-5358 (Improper access control in Report log filters feature in 
Devolutions S ...)
NOT-FOR-US: Devolutions
 CVE-2023-4452 (A vulnerability has been identified in the EDR-810, EDR-G902, 
and EDR- ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2023-46931 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a 
heap-buffer-overflow  ...)
- gpac 
NOTE: https://github.com/gpac/gpac/issues/2664
@@ -30,75 +30,75 @@ CVE-2023-46927 (GPAC 2.3-DEV-rev605-gfc9e29089-master 
contains a heap-buffer-ove
NOTE: https://github.com/gpac/gpac/issues/2657
NOTE: 
https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817
 CVE-2023-46911 (There is a Cross Site Scripting (XSS) vulnerability in the 
choose_styl ...)
-   TODO: check
+   NOT-FOR-US: Jspxcms
 CVE-2023-46724 (Squid is a caching proxy for the Web. Due to an Improper 
Validation of ...)
TODO: check
 CVE-2023-46482 (SQL injection vulnerability in wuzhicms v.4.1.0 allows a 
remote attack ...)
-   TODO: check
+   NOT-FOR-US: wuzhicms
 CVE-2023-42750 (In gnss service, there is a possible out of bounds write due 
to a miss ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42655 (In sim service, there is a possible way to write permission 
usage reco ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42654 (In dm service, there is a possible missing permission check. 
This coul ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42653 (In faceid service, there is a possible out of bounds write due 
to a mi ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42652 (In engineermode, there is a possible missing permission check. 
This co ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42651 (In engineermode, there is a possible missing permission check. 
This co ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42650 (In engineermode, there is a possible missing permission check. 
This co ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42649 (In engineermode, there is a possible missing permission check. 
This co ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42648 (In engineermode, there is a possible missing permission check. 
This co ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42647 (In Ifaa service, there is a possible way to write permission 
usage rec ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42646 (In Ifaa service, there is a possible missing permission check. 
This co ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42645 (In sim service, there is a possible way to write permission 
usage reco ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42644 (In dm service, there is a possible missing permission check. 
This coul ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42643 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42642 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42641 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42640 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42639 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42638 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42637 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42636 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42635 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42634 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42633 (In validationtools, there is a possible missing permission 
check. This ...)
-   TODO: check
+   NOT-FOR-US: Unisoc
 CVE-2023-42632 (In validationtools, there is a possible missing permission 
check. This ...)
-   
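Review bot: CVE-2023-46724 (Squid) is left at `TODO: check` in the middle of this NFU sweep while the Jspxcms, wuzhicms and Unisoc entries around it become NOT-FOR-US; that is right for a package Debian ships, and the follow-up commit 837dbd01 on this page folds it into the existing SQUID entry. The hunk is truncated after the CVE-2023-42632 header in this message, so the tail of the change is not reviewable here.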

[Git][security-tracker-team/security-tracker][master] Process three more gpac issues

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
f4464538 by Salvatore Bonaccorso at 2023-11-01T21:26:22+01:00
Process three more gpac issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -18,11 +18,17 @@ CVE-2023-46931 (GPAC 2.3-DEV-rev605-gfc9e29089-master 
contains a heap-buffer-ove
NOTE: https://github.com/gpac/gpac/issues/2664
NOTE: 
https://github.com/gpac/gpac/commit/671976fccc971b3dff8d3dcf6ebd600472ca64bf
 CVE-2023-46930 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in 
gpac/MP4Box i ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2666
+   NOTE: 
https://github.com/gpac/gpac/commit/3809955065afa3da1ad580012ec43deadbb0f2c8
 CVE-2023-46928 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in 
gpac/MP4Box i ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2661
+   NOTE: 
https://github.com/gpac/gpac/commit/0753bf6d867343a80a044bf47a27d0b7accc8bf1
 CVE-2023-46927 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a 
heap-buffer-overflow  ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2657
+   NOTE: 
https://github.com/gpac/gpac/commit/a7b467b151d9b54badbc4dd71e7a366b7c391817
 CVE-2023-46911 (There is a Cross Site Scripting (XSS) vulnerability in the 
choose_styl ...)
TODO: check
 CVE-2023-46724 (Squid is a caching proxy for the Web. Due to an Improper 
Validation of ...)
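Review bot: each of the three new `- gpac` entries cites the upstream issue and the fix commit, which is the right evidence to record, but none carries a Debian bug reference (compare `(bug #1054537)` on the squid entries elsewhere on this page); if bugs are filed against gpac for these, the `(bug #N)` annotation keeps the tracker and the BTS linked. The trailing space after `- gpac ` in the rendered lines suggests a status tag that did not survive the mail rendering, so the committed lines should be checked to carry one.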



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f446453872a9b14b5527866479e11ac13c595ddc



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46931/gpac

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
5f960b89 by Salvatore Bonaccorso at 2023-11-01T21:23:52+01:00
Add CVE-2023-46931/gpac

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -14,7 +14,9 @@ CVE-2023-5358 (Improper access control in Report log filters 
feature in Devoluti
 CVE-2023-4452 (A vulnerability has been identified in the EDR-810, EDR-G902, 
and EDR- ...)
TODO: check
 CVE-2023-46931 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a 
heap-buffer-overflow  ...)
-   TODO: check
+   - gpac 
+   NOTE: https://github.com/gpac/gpac/issues/2664
+   NOTE: 
https://github.com/gpac/gpac/commit/671976fccc971b3dff8d3dcf6ebd600472ca64bf
 CVE-2023-46930 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in 
gpac/MP4Box i ...)
TODO: check
 CVE-2023-46928 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a SEGV in 
gpac/MP4Box i ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5f960b8906bf2382e4bc51b571cc6df8bf0e7f1c



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a50f2813 by Salvatore Bonaccorso at 2023-11-01T21:23:24+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4,13 +4,13 @@ CVE-2023-5849 (Integer overflow in USB in Google Chrome prior 
to 119.0.6045.105
 CVE-2023-5847 (Under certain conditions, a low privileged attacker could load 
a speci ...)
TODO: check
 CVE-2023-5766 (A remote code execution vulnerability in Remote Desktop Manager 
2023.2 ...)
-   TODO: check
+   NOT-FOR-US: Devolutions Remote Desktop Manager
 CVE-2023-5765 (Improper access control in the password analyzer feature in 
Devolution ...)
-   TODO: check
+   NOT-FOR-US: Devolutions Remote Desktop Manager
 CVE-2023-5627 (A vulnerability has been identified in NPort 6000 Series, 
making the a ...)
-   TODO: check
+   NOT-FOR-US: Moxa
 CVE-2023-5358 (Improper access control in Report log filters feature in 
Devolutions S ...)
-   TODO: check
+   NOT-FOR-US: Devolutions
 CVE-2023-4452 (A vulnerability has been identified in the EDR-810, EDR-G902, 
and EDR- ...)
TODO: check
 CVE-2023-46931 (GPAC 2.3-DEV-rev605-gfc9e29089-master contains a 
heap-buffer-overflow  ...)
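Review bot: the four new NOT-FOR-US lines use two different vendor strings for the same company, `Devolutions Remote Desktop Manager` (CVE-2023-5766, CVE-2023-5765) and `Devolutions` (CVE-2023-5358); since these strings are what gets grepped when a vendor's issues are reviewed, settling on one form (vendor only, or vendor plus product consistently) avoids split results. CVE-2023-5847 staying at `TODO: check` is consistent with its truncated description naming no product.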



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a50f2813b6f30f6ab60d424d83ffacae2c3a59da



[Git][security-tracker-team/security-tracker][master] Add one additional chromium issue

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
14211f5d by Salvatore Bonaccorso at 2023-11-01T21:20:57+01:00
Add one additional chromium issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,6 @@
 CVE-2023-5849 (Integer overflow in USB in Google Chrome prior to 
119.0.6045.105 allow ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-5847 (Under certain conditions, a low privileged attacker could load 
a speci ...)
TODO: check
 CVE-2023-5766 (A remote code execution vulnerability in Remote Desktop Manager 
2023.2 ...)
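Review bot: the new buster line `+   [buster] - chromium  (see DSA 5046)` shows a double space where the status tag between the package name and the parenthesised remark should be; as rendered in this mail the tag is missing, so confirm the committed line carries it, because the DSA reference alone does not set a status for the suite. Pointing at the DSA is the right way to document the buster decision rather than restating it for every chromium CVE.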



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14211f5d22de59d4b988c0a5f214289cf3ae0907



[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
448a5c69 by security tracker role at 2023-11-01T20:17:38+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
The diff for this file was not included because it is too large.


View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/448a5c698f23a7420ed506a361a17dbdaa03fa79



[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56eca282 by security tracker role at 2023-11-01T20:17:33+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
The diff for this file was not included because it is too large.


View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56eca282a5421b771c3ab5bdf2d1cb5d0638164b



[Git][security-tracker-team/security-tracker][master] wordpress fixed in sid

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70ed6280 by Moritz Muehlenhoff at 2023-11-01T21:05:35+01:00
wordpress fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3183,15 +3183,15 @@ CVE-2023-41680 (A improper neutralization of input 
during web page generation ('
 CVE-2023-40682 (IBM App Connect Enterprise 12.0.1.0 through 12.0.8.0 contains 
an unspe ...)
NOT-FOR-US: OVM
 CVE-2023- [Other security issues from wordpress 6.3.2]
-   - wordpress 
+   - wordpress 6.3.2+dfsg1-1
NOTE: 
https://wordpress.org/documentation/wordpress-version/version-6-3-2/
 CVE-2023-3 (Exposure of Sensitive Information to an Unauthorized Actor in 
WordPres ...)
-   - wordpress 
+   - wordpress 6.3.2+dfsg1-1
NOTE: 
https://wordpress.org/documentation/wordpress-version/version-6-3-2/
 CVE-2023-39960 (Nextcloud Server provides data storage for Nextcloud, an open 
source c ...)
- nextcloud-server  (bug #941708)
 CVE-2023-38000 (Auth. Stored (contributor+) Cross-Site Scripting (XSS) 
vulnerability i ...)
-   - wordpress 
+   - wordpress 6.3.2+dfsg1-1
NOTE: 
https://wordpress.org/documentation/wordpress-version/version-6-3-2/
 CVE-2023-34977 (A cross-site scripting (XSS) vulnerability has been reported 
to affect ...)
NOT-FOR-US: QNAP



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70ed628081bbf6b689d4547571427d8ef4d854cd



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46695/python-django

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f131531d by Salvatore Bonaccorso at 2023-11-01T21:04:27+01:00
Add CVE-2023-46695/python-django

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,6 @@
+CVE-2023-46695
+   - python-django  (Only an issue on windows)
+   NOTE: 
https://www.djangoproject.com/weblog/2023/nov/01/security-releases/
 CVE-2023-5831
- gitlab 
 CVE-2023-4700
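Review bot: the new CVE-2023-46695 entry records the status with the rationale "Only an issue on windows" and the release announcement, but no upstream fixing commit; the other entries touched on this page record that commit together with its release tag (the `(v1.95.1)` suffix in the CVE-2023-43796 hunk, `(v0.37.3)` in the quic-go hunk), so a second NOTE pointing at the Django fix commit, once identified, would keep the entries uniform. Minor: "windows" should be capitalised as "Windows" in the rationale.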



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f131531ddc35d545eb9fda550a9ca48d09ed4251



[Git][security-tracker-team/security-tracker][master] Track fixed version for mysql-8.0 issues fixed via unstable

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
be8ce851 by Salvatore Bonaccorso at 2023-11-01T20:37:00+01:00
Track fixed version for mysql-8.0 issues fixed via unstable

The listing of CVEs from the debian/changelog does not look correct;
some CVEs were included which were fixed earlier and one not affecting
mysql-8.0 but only 8.1. Skip those.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54671,11 +54671,11 @@ CVE-2023-22116
 CVE-2023-22115 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.34-1
 CVE-2023-22114 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22113 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.34-1
 CVE-2023-22112 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22111 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.34-1
 CVE-2023-22110 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
@@ -54693,7 +54693,7 @@ CVE-2023-22105 (Vulnerability in the BI Publisher 
product of Oracle Analytics (c
 CVE-2023-22104 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.33-1
 CVE-2023-22103 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22102 (Vulnerability in the MySQL Connectors product of Oracle MySQL 
(compone ...)
- mysql-connector-java 
 CVE-2023-22101 (Vulnerability in the Oracle WebLogic Server product of Oracle 
Fusion M ...)
@@ -54705,7 +54705,7 @@ CVE-2023-22099 (Vulnerability in the Oracle VM 
VirtualBox product of Oracle Virt
 CVE-2023-22098 (Vulnerability in the Oracle VM VirtualBox product of Oracle 
Virtualiza ...)
- virtualbox 7.0.12-dfsg-1
 CVE-2023-22097 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22096 (Vulnerability in the Java VM component of Oracle Database 
Server.  Sup ...)
NOT-FOR-US: Oracle
 CVE-2023-22095 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
@@ -54715,7 +54715,7 @@ CVE-2023-22094 (Vulnerability in the MySQL Installer 
product of Oracle MySQL (co
 CVE-2023-22093 (Vulnerability in the Oracle iRecruitment product of Oracle 
E-Business  ...)
NOT-FOR-US: Oracle
 CVE-2023-22092 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22091 (Vulnerability in the Oracle GraalVM for JDK product of Oracle 
Java SE  ...)
- openjdk-17 17.0.9+9-1
 CVE-2023-22090 (Vulnerability in the PeopleSoft Enterprise CC Common 
Application Objec ...)
@@ -54731,7 +54731,7 @@ CVE-2023-22086 (Vulnerability in the Oracle WebLogic 
Server product of Oracle Fu
 CVE-2023-22085 (Vulnerability in the Hospitality OPERA 5 Property Services 
product of  ...)
NOT-FOR-US: Oracle
 CVE-2023-22084 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22083 (Vulnerability in the Oracle Enterprise Session Border 
Controller produ ...)
NOT-FOR-US: Oracle
 CVE-2023-22082 (Vulnerability in the Oracle Business Intelligence Enterprise 
Edition p ...)
@@ -54745,9 +54745,9 @@ CVE-2023-22081 (Vulnerability in the Oracle Java SE, 
Oracle GraalVM for JDK prod
 CVE-2023-22080 (Vulnerability in the PeopleSoft Enterprise PeopleTools product 
of Orac ...)
NOT-FOR-US: Oracle
 CVE-2023-22079 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22078 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
-   - mysql-8.0  (bug #1055034)
+   - mysql-8.0 8.0.35-1 (bug #1055034)
 CVE-2023-22077 (Vulnerability in the Oracle Database Recovery Manager 
component of Ora ...)
NOT-FOR-US: Oracle
 CVE-2023-22076 (Vulnerability in the Oracle Applications Framework product of 
Oracle E ...)
@@ -54763,19 +54763,19 @@ CVE-2023-22072 (Vulnerability in the Oracle WebLogic 
Server product of Oracle Fu
 CVE-2023-22071 (Vulnerability in the PL/SQL component of Oracle Database 
Server.  Supp ...)
NOT-FOR-US: Oracle
 CVE-2023-22070 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  

[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-5871/libnbd via unstable

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0224e674 by Salvatore Bonaccorso at 2023-11-01T20:34:06+01:00
Track fixed version for CVE-2023-5871/libnbd via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5756,7 +5756,7 @@ CVE-2023-32477 (Dell Common Event Enabler 8.9.8.2 for 
Windows and prior, contain
 CVE-2023-5256 (In certain scenarios, Drupal's JSON:API module will output 
error backt ...)
- drupal7 
 CVE-2023-5871 [generator: Fix assertion in ext-mode BLOCK_STATUS]
-   - libnbd  (bug #1055170)
+   - libnbd 1.18.1-1 (bug #1055170)
[bookworm] - libnbd  (Vulnerable code not present)
[bullseye] - libnbd  (Vulnerable code not present)
NOTE: 
https://lists.libguestfs.org/archives/list/gues...@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0224e674a5563c92a0c16fb5ebe69e3a3455b11d



[Git][security-tracker-team/security-tracker][master] bugnums

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
08a79f4a by Moritz Muehlenhoff at 2023-11-01T20:25:02+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -354,7 +354,7 @@ CVE-2019-25155 (DOMPurify before 1.0.11 allows reverse 
tabnabbing in demos/hooks
 CVE-2015-20110 (JHipster generator-jhipster before 2.23.0 allows a timing 
attack again ...)
NOT-FOR-US: JHipster generator-jhipster
 CVE-2023-34049 [allows an attacker to force Salt-SSH to run their script]
-   - salt 
+   - salt  (bug #1055179)
NOTE: 
https://saltproject.io/security-announcements/2023-10-27-advisory/index.html
 CVE-2023-5844 (Unverified Password Change in GitHub repository 
pimcore/admin-ui-class ...)
NOT-FOR-US: Pimcore admin-ui-classic-bundle
@@ -4565,7 +4565,7 @@ CVE-2023-43810 (OpenTelemetry, also known as OTel for 
short, is a vendor-neutral
 CVE-2023-43058 (IBM Robotic Process Automation 23.0.9 is vulnerable to 
privilege escal ...)
NOT-FOR-US: IBM
 CVE-2023-42445 (Gradle is a build tool with a focus on build automation and 
support fo ...)
-   - gradle 
+   - gradle  (bug #1055176)
[bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
[buster] - gradle  (Minor issue)
@@ -4695,7 +4695,7 @@ CVE-2023-44828 (D-Link DIR-823G A1V1.0.2B05 was 
discovered to contain a buffer o
 CVE-2023-44390 (HtmlSanitizer is a .NET library for cleaning HTML fragments 
and docume ...)
NOT-FOR-US: HtmlSanitizer .NET library
 CVE-2023-44387 (Gradle is a build tool with a focus on build automation and 
support fo ...)
-   - gradle 
+   - gradle  (bug #1055177)
[bookworm] - gradle  (Minor issue)
[bullseye] - gradle  (Minor issue)
[buster] - gradle  (Minor issue, requires local access to 
build machine)
@@ -29366,7 +29366,7 @@ CVE-2023-29460 (An arbitrary code execution 
vulnerability contained in Rockwell
 CVE-2023-29459 (The laola.redbull application through 5.1.9-R for Android 
exposes the  ...)
NOT-FOR-US: laola.redbull
 CVE-2023-29458 (Duktape is an 3rd-party embeddable JavaScript engine, with a 
focus on  ...)
-   - zabbix 
+   - zabbix  (bug #1055175)
[bookworm] - zabbix  (Minor issue)
[bullseye] - zabbix  (Minor issue)
[buster] - zabbix  (vulnerable code introduced later)
@@ -29375,34 +29375,34 @@ CVE-2023-29458 (Duktape is an 3rd-party embeddable 
JavaScript engine, with a foc
NOTE: duktape library introduced with 
https://github.com/zabbix/zabbix/commit/d43b04665c1ade5b4a9f49db750b8ca6c82e9de2
 (5.0.0alpha1)
 CVE-2023-29457 (Reflected XSS attacks, occur when a malicious script is 
reflected off  ...)
{DLA-3538-1}
-   - zabbix 
+   - zabbix  (bug #1055175)
[bookworm] - zabbix  (Minor issue)
[bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22988
 CVE-2023-29456 (URL validation scheme receives input from a user and then 
parses it to ...)
{DLA-3538-1}
-   - zabbix 
+   - zabbix  (bug #1055175)
[bookworm] - zabbix  (Minor issue)
[bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22987
 CVE-2023-29455 (Reflected XSS attacks, also known as non-persistent attacks, 
occur whe ...)
{DLA-3538-1}
-   - zabbix 
+   - zabbix  (bug #1055175)
[bookworm] - zabbix  (Minor issue)
[bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22986
 CVE-2023-29454 (Stored or persistent cross-site scripting (XSS) is a type of 
XSS where ...)
{DLA-3538-1}
-   - zabbix 
+   - zabbix  (bug #1055175)
[bookworm] - zabbix  (Minor issue)
[bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22985
 CVE-2023-29453 (Templates do not properly consider backticks (`) as Javascript 
string  ...)
-   - zabbix 
+   - zabbix  (bug #1055175)
[buster] - zabbix  (buster does not have the Go agent)
NOTE: https://support.zabbix.com/browse/ZBX-23388
 CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> 
Geograph ...)
-   - zabbix 
+   - zabbix  (bug #1055175)
[bookworm] - zabbix  (Minor issue)
[bullseye] - zabbix  (vulnerable code introduced later)
[buster] - zabbix  (vulnerable code introduced later)
@@ -29411,20 +29411,20 @@ CVE-2023-29452 (Currently, geomap configuration 
(Administration -> General -> Ge
NOTE: vulnerable geopmap widget introduced in version with 
https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2
 (6.0.0alpha6)
 CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the 
JSON parser ...)
{DLA-3538-1}
-   - zabbix 
+   - zabbix  (bug 

[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-5871/libnbd

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d2b9eb20 by Salvatore Bonaccorso at 2023-11-01T17:18:56+01:00
Add Debian bug reference for CVE-2023-5871/libnbd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5756,7 +5756,7 @@ CVE-2023-32477 (Dell Common Event Enabler 8.9.8.2 for 
Windows and prior, contain
 CVE-2023-5256 (In certain scenarios, Drupal's JSON:API module will output 
error backt ...)
- drupal7 
 CVE-2023-5871 [generator: Fix assertion in ext-mode BLOCK_STATUS]
-   - libnbd 
+   - libnbd  (bug #1055170)
[bookworm] - libnbd  (Vulnerable code not present)
[bullseye] - libnbd  (Vulnerable code not present)
NOTE: 
https://lists.libguestfs.org/archives/list/gues...@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2b9eb207b22688b35a8c7dcb4bde63e8e03b500



[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-5871/libnbd

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2886b330 by Salvatore Bonaccorso at 2023-11-01T17:12:33+01:00
Update information on CVE-2023-5871/libnbd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5759,8 +5759,10 @@ CVE-2023-5871 [generator: Fix assertion in ext-mode 
BLOCK_STATUS]
- libnbd 
[bookworm] - libnbd  (Vulnerable code not present)
[bullseye] - libnbd  (Vulnerable code not present)
+   NOTE: 
https://lists.libguestfs.org/archives/list/gues...@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/
NOTE: Introduced by: 
https://gitlab.com/nbdkit/libnbd/-/commit/20dadb0e10fc7236c763e3cf8c55fcc92ef28623
 (v1.17.4)
-   NOTE: Fixed by: 
https://gitlab.com/nbdkit/libnbd/-/commit/177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6
+   NOTE: Fixed by: 
https://gitlab.com/nbdkit/libnbd/-/commit/177308adb17e81fce7c0f2b2fcf655c5c0b6a4d6
 (master)
+   NOTE: Fixed by: 
https://gitlab.com/nbdkit/libnbd/-/commit/4451e5b61ca07771ceef3e012223779e7a0c7701
 (stable-1.18)
 CVE-2023-5215 (A flaw was found in libnbd. A server can reply with a block 
size large ...)
- libnbd 1.16.5-1
[bookworm] - libnbd  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2886b33017fd86b3e99eb9f66d9812d254f395e7



[Git][security-tracker-team/security-tracker][master] Add upstream tag for upstream commit for CVE-2023-43796

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7ff4ee75 by Salvatore Bonaccorso at 2023-11-01T17:07:06+01:00
Add upstream tag for upstream commit for CVE-2023-43796

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -253,7 +253,7 @@ CVE-2023-45955 (An issue discovered in Nanoleaf Light strip 
v3.5.10 allows attac
 CVE-2023-43796 (Synapse is an open-source Matrix homeserver Prior to versions 
1.95.1 a ...)
- matrix-synapse 
NOTE: 
https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
-   NOTE: 
https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
+   NOTE: 
https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
 (v1.95.1)
 CVE-2023-42658 (Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 
allow loca ...)
NOT-FOR-US: Chef InSpec
 CVE-2023-42425 (An issue in Turing Video Turing Edge+ EVC5FD v.1.38.6 allows 
remote at ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ff4ee75c44c093d4380acf6096c612dceac86cf



[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-31022 for 460.x version packages

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
25f2acd9 by Salvatore Bonaccorso at 2023-11-01T17:03:41+01:00
Update status for CVE-2023-31022 for 460.x version packages

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24935,8 +24935,9 @@ CVE-2023-31022
- nvidia-graphics-drivers-tesla-470  (bug #1055142)
[bookworm] - nvidia-graphics-drivers-tesla-470  (Non-free not 
supported)
[bullseye] - nvidia-graphics-drivers-tesla-470  (Non-free not 
supported)
-   - nvidia-graphics-drivers-tesla-460  (bug #1055141)
+   - nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1055141)
[bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
+   NOTE: 460.106.00-3 turned the package into a metapackage to aid 
switching to nvidia-graphics-drivers-tesla-470
- nvidia-graphics-drivers-tesla-450  (bug #1055140)
[bullseye] - nvidia-graphics-drivers-tesla-450  (Non-free not 
supported)
- nvidia-graphics-drivers-tesla-418  (bug #1055139)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/25f2acd9c7326967507100c4df41918be40dc193



[Git][security-tracker-team/security-tracker][master] Slightly update affected status for CVE-2023-46239

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5e36edc9 by Salvatore Bonaccorso at 2023-11-01T17:00:26+01:00
Slightly update affected status for CVE-2023-46239

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -239,11 +239,9 @@ CVE-2023-46245 (Kimai is a web-based multi-user 
time-tracking application. Versi
 CVE-2023-46240 (CodeIgniter is a PHP full-stack web framework. Prior to 
CodeIgniter4 v ...)
NOT-FOR-US: CodeIgniter
 CVE-2023-46239 (quic-go is an implementation of the QUIC protocol in Go. 
Starting in v ...)
-   - golang-github-lucas-clemente-quic-go 0.37.4-1
-   [bookworm] - golang-github-lucas-clemente-quic-go  (Only 
affects 0.37.x)
-   [bullseye] - golang-github-lucas-clemente-quic-go  (Only 
affects 0.37.x)
+   - golang-github-lucas-clemente-quic-go  (Vulnerable 
version never in a unstable release; only affects 0.37.x)
NOTE: 
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
-   NOTE: 
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
+   NOTE: 
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
 (v0.37.3)
 CVE-2023-46237 (FOG is a free open-source cloning/imaging/rescue 
suite/inventory manag ...)
NOT-FOR-US: FOG
 CVE-2023-46236 (FOG is a free open-source cloning/imaging/rescue 
suite/inventory manag ...)
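Review bot: grammar slip in the rationale on the new package line, "never in a unstable release" should read "never in an unstable release". The accompanying removal of the [bookworm] and [bullseye] lines is consistent: those annotations only qualified the earlier entry that recorded 0.37.4-1 as the fixed version, and once unstable is recorded as never having shipped the affected 0.37.x versions there is nothing left for per-suite lines to qualify.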



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5e36edc925a866c73a79fbcc33fc71ab4e07c752



[Git][security-tracker-team/security-tracker][master] Move notes about version to a NOTE entry

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e525540f by Salvatore Bonaccorso at 2023-11-01T16:54:08+01:00
Move notes about version to a NOTE entry

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -1473,7 +1473,8 @@ libparagui1.1
 
 enet
- sauerbraten  (embed; #497194)
-   - assaultcube  (embed; #1018947, uses version 1.3.6, slightly 
modified)
+   - assaultcube  (modified-embed; #1018947)
+   NOTE: assaultcube uses version 1.3.6
 
 eglibc
- glibc  (old-version)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e525540f800b9428fd2bbc32271c39c9d6bdd070



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
49ac3735 by Salvatore Bonaccorso at 2023-11-01T16:51:57+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -497443,7 +497443,7 @@ CVE-2015-2970 (index.php in LEMON-S PHP Simple Oekaki 
BBS before 1.21 allows rem
 CVE-2015-2969 (Cross-site scripting (XSS) vulnerability in index.php in 
LEMON-S PHP S ...)
NOT-FOR-US: Oekaki BBS
 CVE-2015-2968 (LINE@ for Android version 1.0.0 and LINE@ for iOS version 1.0.0 
are vu ...)
-   TODO: check
+   NOT-FOR-US: LINE apps for Android and iOS
 CVE-2015-2966 (Directory traversal vulnerability in the Droidware UK Explorer+ 
File M ...)
NOT-FOR-US: Droidware UK Explorer+ File Manager application for Android
 CVE-2015-2965 (Directory traversal vulnerability in osCommerce Japanese 
2.2ms1j-R8 an ...)
@@ -504420,7 +504420,7 @@ CVE-2015-0899 (The MultiPageValidator implementation 
in Apache Struts 1 1.1 thro
 CVE-2015-0898 (futomi CGI Cafe MP Form Mail CGI eCommerce before 2.0.12 on 
Windows al ...)
NOT-FOR-US: futomi CGI Cafe MP Form Mail CGI eCommerce
 CVE-2015-0897 (LINE for Android version 5.0.2 and earlier and LINE for iOS 
version 5. ...)
-   TODO: check
+   NOT-FOR-US: LINE apps for Android and iOS
 CVE-2015-0896 (Multiple cross-site scripting (XSS) vulnerabilities in 
eXtplorer befor ...)
{DLA-453-1 DLA-296-1}
- extplorer  (bug #783231)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49ac373566cf7ee4824bb73b16dcf8668cc1



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage horizon for buster LTS (CVE-2022-45582)

2023-11-01 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8b94efe1 by Chris Lamb at 2023-11-01T16:26:53+01:00
data/dla-needed.txt: Triage horizon for buster LTS (CVE-2022-45582)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -78,6 +78,10 @@ galera-3 (Adrian Bunk)
   NOTE: 20231028: Added by Front-Desk (gladk)
   NOTE: 20231028: Acc. to CVE notes the open issue is fixed in 26.4.12. 
Please, try to find a corresponding commit and try to backport it. Otherwise - 
no-dsa. (gladk)
 --
+horizon
+  NOTE: 20231101: Added by Front-Desk (lamby)
+  NOTE: 20231101: Sync with bullseye (CVE-2022-45582). (lamby)
+--
 i2p
   NOTE: 20230809: Added by Front-Desk (Beuc)
   NOTE: 20230809: Experimental issue-based workflow: please self-assign and 
follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/28



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8b94efe12e658f9655a6e9c589879f76199cdf27



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage lwip for buster LTS (CVE-2020-22283 & CVE-2020-22284)

2023-11-01 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c68b7606 by Chris Lamb at 2023-11-01T16:24:51+01:00
data/dla-needed.txt: Triage lwip for buster LTS (CVE-2020-22283 & CVE-2020-22284)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,6 +113,10 @@ linux (Ben Hutchings)
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
+lwip
+  NOTE: 20231101: Added by Front-Desk (lamby)
+  NOTE: 20231101: Sync with bullseye (CVE-2020-22283 & CVE-2020-22284). (lamby)
+--
 mediawiki (guilhem)
   NOTE: 20231011: Added by Front-Desk (ta)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c68b7606c6d10db9f594eab1d21ee36e9b7de093



[Git][security-tracker-team/security-tracker][master] 11 commits: Triage CVE-2023-31022 in nvidia-graphics-drivers for buster LTS.

2023-11-01 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
24d48946 by Chris Lamb at 2023-11-01T16:17:35+01:00
Triage CVE-2023-31022 in nvidia-graphics-drivers for buster LTS.

- - - - -
a29108c9 by Chris Lamb at 2023-11-01T16:18:55+01:00
Triage CVE-2023-31022 in nvidia-graphics-drivers-legacy-390xx for buster LTS.

- - - - -
5e574f7f by Chris Lamb at 2023-11-01T16:19:20+01:00
Triage CVE-2023-40217 in pypy3 for buster LTS.

- - - - -
e6fb2459 by Chris Lamb at 2023-11-01T16:19:40+01:00
Triage CVE-2023-5574 in xorg-server for buster LTS.

- - - - -
9e242514 by Chris Lamb at 2023-11-01T16:19:59+01:00
Triage CVE-2023-46586 in weborf for buster LTS.

- - - - -
141fbf0f by Chris Lamb at 2023-11-01T16:20:20+01:00
Triage CVE-2023-46137 in twisted for buster LTS.

- - - - -
de0f775a by Chris Lamb at 2023-11-01T16:20:36+01:00
Triage CVE-2023-46316 in traceroute for buster LTS.

- - - - -
908afea2 by Chris Lamb at 2023-11-01T16:21:01+01:00
Triage CVE-2023-5752 in python-pip for buster LTS.

- - - - -
46ec7f45 by Chris Lamb at 2023-11-01T16:21:37+01:00
Triage CVE-2023-39325 in golang-1.11 for buster LTS.

- - - - -
35acb928 by Chris Lamb at 2023-11-01T16:22:36+01:00
Triage CVE-2023-31022 in nvidia-graphics-drivers-legacy-340xx for buster LTS.

- - - - -
b66fc533 by Chris Lamb at 2023-11-01T16:23:17+01:00
Triage CVE-2023-45818 & CVE-2023-45819 in tinymce for buster LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -915,6 +915,7 @@ CVE-2023-46137 (Twisted is an event-based framework for 
internet applications. P
- twisted  (bug #1054913)
[bookworm] - twisted  (Minor issue)
[bullseye] - twisted  (Minor issue)
+   [buster] - twisted  (Minor issue)
NOTE: 
https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm
 CVE-2023-46134 (D-Tale is the combination of a Flask back-end and a React 
front-end to ...)
NOT-FOR-US: D-Tale
@@ -1227,6 +1228,7 @@ CVE-2023-5752 (When installing a package from a Mercurial 
VCS URL  (ie "pip inst
- python-pip 23.3+dfsg-1
[bookworm] - python-pip  (Minor issue)
[bullseye] - python-pip  (Minor issue)
+   [buster] - python-pip  (Minor issue)
NOTE: https://github.com/pypa/pip/pull/12306
NOTE: 
https://mail.python.org/archives/list/security-annou...@python.org/thread/F4PL35U6X4VVHZ5ILJU3PWUWN7H7LZXL/
 CVE-2023-5311 (The WP EXtra plugin for WordPress is vulnerable to unauthorized 
modifi ...)
@@ -1334,6 +1336,7 @@ CVE-2023-5574 (A use-after-free flaw was found in 
xorg-x11-server-Xvfb. This iss
- xorg-server 
[bookworm] - xorg-server  (Minor issue)
[bullseye] - xorg-server  (Minor issue)
+   [buster] - xorg-server  (Minor issue)
NOTE: 
https://lists.x.org/archives/xorg-announce/2023-October/003430.html
NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1189
 CVE-2023-5380 (A use-after-free flaw was found in the xorg-x11-server. An X 
server cr ...)
@@ -1649,11 +1652,13 @@ CVE-2023-46316 (In buc Traceroute 2.0.12 through 2.1.2 
before 2.1.3, the wrapper
- traceroute 1:2.1.3-1
[bookworm] - traceroute  (Minor issue)
[bullseye] - traceroute  (Minor issue)
+   [buster] - traceroute  (Minor issue)
NOTE: 
https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/
 CVE-2023-46586
- weborf 1.0-1 (bug #1054417)
[bookworm] - weborf  (Minor issue)
[bullseye] - weborf  (Minor issue)
+   [buster] - weborf  (Minor issue)
NOTE: https://github.com/ltworf/weborf/pull/88
NOTE: Fixed by: 
https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d
 (1.0)
 CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 
2.1.3.0 and  ...)
@@ -2132,8 +2137,10 @@ CVE-2023-45821 (Artifact Hub is a web-based application 
that enables finding, in
NOT-FOR-US: Artifact Hub
 CVE-2023-45819 (TinyMCE is an open source rich text editor. A cross-site 
scripting (XS ...)
- tinymce 
+   [buster] - tinymce  (Minor issue)
 CVE-2023-45818 (TinyMCE is an open source rich text editor. A mutation 
cross-site scri ...)
- tinymce 
+   [buster] - tinymce  (Minor issue)
 CVE-2023-45815 (ArchiveBox is an open source self-hosted web archiving system. 
Any use ...)
NOT-FOR-US: ArchiveBox
 CVE-2023-45471 (The QAD Search Server is vulnerable to Stored Cross-Site 
Scripting (XS ...)
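Review bot: the two tinymce entries gain a "[buster] - tinymce  (Minor issue)" line while the unstable line "- tinymce " above each carries no fixed version and there is no [bookworm] or [bullseye] annotation at all, unlike every other entry touched in this series; either add the matching suite lines or record why buster alone is being tagged, so the same issue is not left in visibly different triage states across suites.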
@@ -3608,6 +3615,7 @@ CVE-2023-39325 (A malicious HTTP/2 client which rapidly 
creates requests and imm
- golang-1.15 
[bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
+   [buster] - golang-1.11  (Minor issue)
NOTE: https://github.com/golang/go/issues/63417
 CVE-2023-5473 (Use after free in Cast in Google Chrome prior to 118.0.5993.70 
allowed ...)
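Review bot: the added "[buster] - golang-1.11  (Minor issue)" uses a different buster rationale from the one this file gives golang-1.11 elsewhere on this page ("Limited support, follow bullseye DSAs/point-releases", in the CVE-2023-29409 context of a later commit); given the description ("A malicious HTTP/2 client which rapidly creates requests ..."), it is worth stating explicitly whether buster is expected to pick the fix up from bullseye or to skip it.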

[Git][security-tracker-team/security-tracker][master] NFUs

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9eb509ca by Moritz Muehlenhoff at 2023-11-01T15:26:56+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -269,7 +269,7 @@ CVE-2023-40050 (Upload profile either through API or user 
interface in Chef Auto
 CVE-2023-38994 (An issue in Univention UCS v.5.0 allows a local attacker to 
execute ar ...)
NOT-FOR-US: Univention
 CVE-2023-37966 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: Solwin Infotech
 CVE-2023-37832 (A lack of rate limiting in Elenos ETG150 FM transmitter v3.12 
allows a ...)
NOT-FOR-US: Elenos
 CVE-2023-37831 (An issue discovered in Elenos ETG150 FM transmitter v3.12 
allows attac ...)
@@ -1252,7 +1252,7 @@ CVE-2023-46136 (Werkzeug is a comprehensive WSGI web 
application library. If an
NOTE: 
https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
NOTE: 
https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
 (3.0.1)
 CVE-2023-46135 (rs-stellar-strkey is a Rust lib for encode/decode of Stellar 
Strkeys.  ...)
-   TODO: check
+   NOT-FOR-US: rs-stellar-strkey
 CVE-2023-46126 (Fides is an open-source privacy engineering platform for 
managing the  ...)
NOT-FOR-US: Fides
 CVE-2023-46125 (Fides is an open-source privacy engineering platform for 
managing the  ...)
@@ -1262,7 +1262,7 @@ CVE-2023-46124 (Fides is an open-source privacy 
engineering platform for managin
 CVE-2023-46123 (jumpserver is an open source bastion machine, professional 
operation a ...)
NOT-FOR-US: JumpServer
 CVE-2023-46120 (The RabbitMQ Java client library allows Java and JVM-based 
application ...)
-   TODO: check
+   NOT-FOR-US: RabbitMQ Java client library
 CVE-2023-46119 (Parse Server is an open source backend that can be deployed to 
any inf ...)
NOT-FOR-US: Parse Server
 CVE-2023-46118 (RabbitMQ is a multi-protocol messaging and streaming broker. 
HTTP API  ...)
@@ -1317,7 +1317,7 @@ CVE-2023-37283 (Under a very specific and highly 
unrecommended configuration, au
 CVE-2023-36085 (The sisqualWFM 7.1.319.103 thru 7.1.319.111 for Android, has a 
host he ...)
NOT-FOR-US: sisqualWFM
 CVE-2023-34085 (When an AWS DynamoDB table is used for user attribute storage, 
it is p ...)
-   TODO: check
+   NOT-FOR-US: AWS
 CVE-2023-34056 (vCenter Server contains a partial information disclosure 
vulnerability ...)
NOT-FOR-US: VMware
 CVE-2023-34048 (vCenter Server contains an out-of-bounds write vulnerability 
in the im ...)
@@ -1616,7 +1616,7 @@ CVE-2023-46331 (WebAssembly wabt 1.0.33 has an 
Out-of-Bound Memory Read in in Da
 CVE-2023-46127 (Frappe is a full-stack web application framework that uses 
Python and  ...)
NOT-FOR-US: Frappe Framework
 CVE-2023-46122 (sbt is a build tool for Scala, Java, and others. Given a 
specially cra ...)
-   TODO: check
+   NOT-FOR-US: sbt
 CVE-2023-43074 (Dell Unity 5.3 contain(s) an Arbitrary File Creation 
vulnerability. A  ...)
NOT-FOR-US: Dell
 CVE-2023-43067 (Dell Unity prior to 5.3 contains an XML External Entity 
injection vuln ...)
@@ -2631,7 +2631,7 @@ CVE-2023-42628 (Stored cross-site scripting (XSS) 
vulnerability in the Wiki widg
 CVE-2023-42627 (Multiple stored cross-site scripting (XSS) vulnerabilities in 
the Comm ...)
NOT-FOR-US: Liferay
 CVE-2023-39902 (A software vulnerability has been identified in the U-Boot 
Secondary P ...)
-   TODO: check
+   NOT-FOR-US: NXP
 CVE-2023-37537 (An unquoted service path vulnerability in HCL AppScan 
Presence, deploy ...)
NOT-FOR-US: HCL
 CVE-2023-4399 (Grafana is an open-source platform for monitoring and 
observability.   ...)
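Review bot: "NOT-FOR-US: NXP" for CVE-2023-39902 gives no reason, and the description ("A software vulnerability has been identified in the U-Boot Secondary P ...") names U-Boot, which Debian does package as src:u-boot; a short qualifier in the tag, as used elsewhere in this file ("vGPU not packaged in Debian"), would record why this is treated as NXP-specific rather than as a u-boot issue.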
@@ -24371,7 +24371,7 @@ CVE-2023-31214
 CVE-2023-31213 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) 
vulnerability i ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-31212 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-31211
RESERVED
 CVE-2023-31210
@@ -31841,7 +31841,7 @@ CVE-2023-28779 (Unauth. Reflected Cross-Site Scripting 
(XSS) vulnerability in Vl
 CVE-2023-28778 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability 
in Best ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-28777 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-28776 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in 
I Thirte ...)
NOT-FOR-US: Lightbox plugin
 CVE-2023-28775
@@ -39623,7 +39623,7 @@ CVE-2023-26221
 CVE-2023-26220 (The Spotfire Library component of TIBCO Software Inc.'s 
Spotfire Analy ...)
NOT-FOR-US: TIBCO
 

[Git][security-tracker-team/security-tracker][master] new synapse issue

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
be0a7971 by Moritz Muehlenhoff at 2023-11-01T15:12:18+01:00
new synapse issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -253,7 +253,9 @@ CVE-2023-46235 (FOG is a free open-source 
cloning/imaging/rescue suite/inventory
 CVE-2023-45955 (An issue discovered in Nanoleaf Light strip v3.5.10 allows 
attackers t ...)
NOT-FOR-US: Nanoleaf Light strip
 CVE-2023-43796 (Synapse is an open-source Matrix homeserver Prior to versions 
1.95.1 a ...)
-   TODO: check
+   - matrix-synapse 
+   NOTE: 
https://github.com/matrix-org/synapse/security/advisories/GHSA-mp92-3jfm-3575
+   NOTE: 
https://github.com/matrix-org/synapse/commit/daec55e1fe120c564240c5386e77941372bf458f
 CVE-2023-42658 (Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 
allow loca ...)
NOT-FOR-US: Chef InSpec
 CVE-2023-42425 (An issue in Turing Video Turing Edge+ EVC5FD v.1.38.6 allows 
remote at ...)
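Review bot: the fix-commit NOTE has no upstream version tag, although the description says the issue affects "Prior to versions 1.95.1 a ..."; appending the fixed release after the commit URL, as other NOTE lines in this file do (for example "(3.0.1)" after a werkzeug commit elsewhere on this page), documents which version the "- matrix-synapse " line needs to reach before it can be closed.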



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/be0a797113c8d7ee1e963bdcdeb18774a52a407f



[Git][security-tracker-team/security-tracker][master] new pypdf issue

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
340d8569 by Moritz Muehlenhoff at 2023-11-01T14:43:12+01:00
new pypdf issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -225,7 +225,11 @@ CVE-2023-46256 (PX4-Autopilot provides PX4 flight control 
solution for drones. I
 CVE-2023-46255 (SpiceDB is an open source, Google Zanzibar-inspired database 
for creat ...)
NOT-FOR-US: SpiceDB
 CVE-2023-46250 (pypdf is a free and open-source pure-python PDF library. An 
attacker w ...)
-   TODO: check
+   - pypdf  (Vulnerable code not yet present)
+   - pypdf2  (Vulnerable code not yet present)
+   NOTE: 
https://github.com/py-pdf/pypdf/security/advisories/GHSA-wjcc-cq79-p63f
+   NOTE: https://github.com/py-pdf/pypdf/pull/2264
+   NOTE: 
https://github.com/py-pdf/pypdf/commit/9b23ac3c9619492570011d551d521690de9a3e2d 
(3.17.0)
 CVE-2023-46249 (authentik is an open-source Identity Provider. Prior to 
versions 2023. ...)
NOT-FOR-US: authentik
 CVE-2023-46248 (Cody is an artificial intelligence (AI) coding assistant. The 
Cody AI  ...)
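Review bot: both "- pypdf  (Vulnerable code not yet present)" and "- pypdf2  (Vulnerable code not yet present)" record the fix (commit tagged 3.17.0) but not the change that introduced the vulnerable code; a further NOTE with the introducing version or commit would let the entry be re-triaged when either package is updated, instead of relying on re-reading the advisory.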



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/340d856964feafacbcc64101145cda05fef28c01



[Git][security-tracker-team/security-tracker][master] freerdp2 spu

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
3ee9bb40 by Moritz Mühlenhoff at 2023-11-01T12:20:14+01:00
freerdp2 spu

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -9773,12 +9773,16 @@ CVE-2023-41034 (Eclipse Leshan is a device management 
server and client Java imp
 CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416
 (3.0.0-beta3)
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/c659973bb4cd65c065f2fe1a807dbc6805c684c6
 (2.11.0)
 CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/889348a86e49bc8f1351ed6496d847b32db5f86e
 (2.11.0)
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/23db2f4e6ba71f1c10c543f24de595d7340adb46
 (2.11.1)
@@ -9790,29 +9794,39 @@ CVE-2023-39355 (FreeRDP is a free implementation of the 
Remote Desktop Protocol
 CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/82ac0164f330c08ddd9a6ef6f3dbf846c4b79def
 (2.11.0)
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9a1ee1bae5a9561f5031a7b69129f10458b62d4a
 (2.11.0)
 CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/efa0567c027239b901ccdc590b9e229e0111c68b
 (2.11.0)
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/9ed6d6baede27d5006e0e4c9bec8e506f695cb6a
 (2.11.0)
 CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/7daaba3c1411f71ac7260d01216ab8f8d3687c65
 (3.0.0-beta1)
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/856ecaa463e963ecfebc9734423d69139e7b3916
 (2.11.0)
 CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q9x9-cqjc-rgwq
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/99e243cdbc31f66b5c917452c8fed3276e8bdcd5
 (2.11.0)
 CVE-2023-39350 (FreeRDP is a free implementation of the Remote Desktop 
Protocol (RDP), ...)
{DLA-3606-1}
- freerdp2 2.11.2+dfsg1-1 (bug #1051638)
+   [bookworm] - freerdp2  (Minor issue)
+   [bullseye] - freerdp2  (Minor issue)
NOTE: 
https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-rrrv-3w42-pffh
NOTE: 
https://github.com/FreeRDP/FreeRDP/commit/7ece410ce5b5660b9191e1ccb6835158afa11822
 (2.11.0)
 CVE-2023-34392 (A Missing Authentication for Critical Function vulnerability 
in the Sc ...)
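Review bot: every hunk adds "[bullseye] - freerdp2  (Minor issue)" next to the bookworm line, but the visible part of the data/next-point-update.txt hunk in this commit schedules fixes for bookworm only (2.11.2+dfsg1-1~deb12u1); if a bullseye point update is also planned it should be listed there as well, otherwise the bullseye annotation should say whether the fix is expected via a later point update or not at all.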


=
data/next-point-update.txt
=
@@ -22,3 +22,27 @@ CVE-2023-42117
[bookworm] - exim4 4.96-15+deb12u3
 CVE-2023-42119
[bookworm] - exim4 4.96-15+deb12u3
+CVE-2023-39350
+   [bookworm] - freerdp2 2.11.2+dfsg1-1~deb12u1
+CVE-2023-39351
+   [bookworm] - freerdp2 2.11.2+dfsg1-1~deb12u1
+CVE-2023-39352
+   [bookworm] - freerdp2 2.11.2+dfsg1-1~deb12u1
+CVE-2023-39353
+   [bookworm] - freerdp2 2.11.2+dfsg1-1~deb12u1
+CVE-2023-39354
+   [bookworm] - freerdp2 2.11.2+dfsg1-1~deb12u1
+CVE-2023-39356
+   [bookworm] - 

[Git][security-tracker-team/security-tracker][master] exim4 spu

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
97d0d9c9 by Moritz Mühlenhoff at 2023-11-01T12:15:46+01:00
exim4 spu

- - - - -


1 changed file:

- data/next-point-update.txt


Changes:

=
data/next-point-update.txt
=
@@ -18,3 +18,7 @@ CVE-2023-46586
[bookworm] - weborf 0.19-3
 CVE-2023-3724
[bookworm] - wolfssl 5.5.4-2+deb12u1
+CVE-2023-42117
+   [bookworm] - exim4 4.96-15+deb12u3
+CVE-2023-42119
+   [bookworm] - exim4 4.96-15+deb12u3



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97d0d9c97779d42d1464830a4dd641264b23a901



[Git][security-tracker-team/security-tracker][master] new nvidia issue

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8cf6aab9 by Moritz Muehlenhoff at 2023-11-01T11:32:08+01:00
new nvidia issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24897,6 +24897,26 @@ CVE-2023-31023
NOT-FOR-US: NVIDIA
 CVE-2023-31022
RESERVED
+   - nvidia-graphics-drivers  (bug #1055136)
+   [bookworm] - nvidia-graphics-drivers  (Non-free not supported)
+   [bullseye] - nvidia-graphics-drivers  (Non-free not supported)
+   - nvidia-open-gpu-kernel-modules  (bug #1055144)
+   [bookworm] - nvidia-open-gpu-kernel-modules  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla  (bug #1055143)
+   [bookworm] - nvidia-graphics-drivers-tesla  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla-470  (bug #1055142)
+   [bookworm] - nvidia-graphics-drivers-tesla-470  (Non-free not 
supported)
+   [bullseye] - nvidia-graphics-drivers-tesla-470  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla-460  (bug #1055141)
+   [bullseye] - nvidia-graphics-drivers-tesla-460  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla-450  (bug #1055140)
+   [bullseye] - nvidia-graphics-drivers-tesla-450  (Non-free not 
supported)
+   - nvidia-graphics-drivers-tesla-418  (bug #1055139)
+   [bullseye] - nvidia-graphics-drivers-tesla-418  (Non-free not 
supported)
+   - nvidia-graphics-drivers-legacy-390xx  (bug #1055138)
+   [bullseye] - nvidia-graphics-drivers-legacy-390xx  (Non-free 
not supported)
+   - nvidia-graphics-drivers-legacy-340xx  (bug #1055137)
+   NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5491
 CVE-2023-31021
RESERVED
NOT-FOR-US: NVIDIA (vGPU not packaged in Debian)
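Review bot: the suite annotations are uneven across the added entries: nvidia-graphics-drivers-tesla-470 gets both [bookworm] and [bullseye] lines, tesla-460, tesla-450, tesla-418 and legacy-390xx get [bullseye] only, and legacy-340xx gets no suite line at all; if that mirrors which suites actually ship each package the change is fine, but a one-line NOTE saying so would stop the entry from reading as half-triaged while the CVE is still RESERVED.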



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cf6aab9b0bcd39ad1396cf89526195133b121b1



[Git][security-tracker-team/security-tracker][master] new golang-github-lucas-clemente-quic-go issue

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
db8aafdc by Moritz Muehlenhoff at 2023-11-01T10:52:12+01:00
new golang-github-lucas-clemente-quic-go issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -235,7 +235,11 @@ CVE-2023-46245 (Kimai is a web-based multi-user 
time-tracking application. Versi
 CVE-2023-46240 (CodeIgniter is a PHP full-stack web framework. Prior to 
CodeIgniter4 v ...)
NOT-FOR-US: CodeIgniter
 CVE-2023-46239 (quic-go is an implementation of the QUIC protocol in Go. 
Starting in v ...)
-   TODO: check
+   - golang-github-lucas-clemente-quic-go 0.37.4-1
+   [bookworm] - golang-github-lucas-clemente-quic-go  (Only 
affects 0.37.x)
+   [bullseye] - golang-github-lucas-clemente-quic-go  (Only 
affects 0.37.x)
+   NOTE: 
https://github.com/quic-go/quic-go/security/advisories/GHSA-3q6m-v84f-6p9h
+   NOTE: 
https://github.com/quic-go/quic-go/commit/b6a4725b60f1fe04e8f1ddcc3114e290fcea1617
 CVE-2023-46237 (FOG is a free open-source cloning/imaging/rescue 
suite/inventory manag ...)
NOT-FOR-US: FOG
 CVE-2023-46236 (FOG is a free open-source cloning/imaging/rescue 
suite/inventory manag ...)
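Review bot: the bookworm and bullseye lines are marked "(Only affects 0.37.x)", yet the unstable fix version given is 0.37.4-1, which is itself a 0.37.x release; the entry should make clear that 0.37.4-1 contains the fix (for instance by adding the upstream release tag after the fix-commit URL, as other NOTE lines in this file do), otherwise a reader may take the 0.37.x wording to mean the sid version is still affected.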



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db8aafdcd0860568b3d59ceba6353d8ad0f1d514



[Git][security-tracker-team/security-tracker][master] NFUs

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
afdbd377 by Moritz Muehlenhoff at 2023-11-01T10:44:12+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24880,34 +24880,37 @@ CVE-2023-31028
RESERVED
 CVE-2023-31027
RESERVED
-   NOT-FOR-US: Nvidia
+   NOT-FOR-US: NVIDIA
 CVE-2023-31026
RESERVED
+   NOT-FOR-US: NVIDIA (vGPU not packaged in Debian)
 CVE-2023-31025
RESERVED
 CVE-2023-31024
RESERVED
 CVE-2023-31023
RESERVED
-   NOT-FOR-US: Nvidia
+   NOT-FOR-US: NVIDIA
 CVE-2023-31022
RESERVED
 CVE-2023-31021
RESERVED
+   NOT-FOR-US: NVIDIA (vGPU not packaged in Debian)
 CVE-2023-31020
RESERVED
-   NOT-FOR-US: Nvidia
+   NOT-FOR-US: NVIDIA
 CVE-2023-31019
RESERVED
-   NOT-FOR-US: Nvidia
+   NOT-FOR-US: NVIDIA
 CVE-2023-31018
RESERVED
+   NOT-FOR-US: NVIDIA (vGPU not packaged in Debian)
 CVE-2023-31017
RESERVED
-   NOT-FOR-US: Nvidia
+   NOT-FOR-US: NVIDIA
 CVE-2023-31016
RESERVED
-   NOT-FOR-US: Nvidia
+   NOT-FOR-US: NVIDIA
 CVE-2023-31015 (NVIDIA DGX H100 BMC contains a vulnerability in the REST 
service where ...)
NOT-FOR-US: NVIDIA DGX H100 BMC
 CVE-2023-31014 (NVIDIA GeForce Now for Android contains a vulnerability in the 
game la ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afdbd3774ff7094cb99d869043f6153bad2fba31



[Git][security-tracker-team/security-tracker][master] golang-golang-x-image fixed in sid

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
7ae69ddf by Moritz Muehlenhoff at 2023-11-01T10:25:28+01:00
golang-golang-x-image fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29561,7 +29561,7 @@ CVE-2023-29409 (Extremely large RSA keys in certificate 
chains can cause a clien
[buster] - golang-1.11  (Limited support, follow bullseye 
DSAs/point-releases)
NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI
 CVE-2023-29408 (The TIFF decoder does not place a limit on the size of 
compressed tile ...)
-   - golang-golang-x-image  (bug #1043159)
+   - golang-golang-x-image 0.11.0-1 (bug #1043159)
[bookworm] - golang-golang-x-image  (Minor issue)
[bullseye] - golang-golang-x-image  (Minor issue)
[buster] - golang-golang-x-image  (Limited support, minor 
issue, DoS)
@@ -29569,7 +29569,7 @@ CVE-2023-29408 (The TIFF decoder does not place a limit 
on the size of compresse
NOTE: https://go.dev/cl/514897
NOTE: 
https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d 
(v0.10.0)
 CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU 
consumption in dec ...)
-   - golang-golang-x-image  (bug #1043159)
+   - golang-golang-x-image 0.11.0-1 (bug #1043159)
[bookworm] - golang-golang-x-image  (Minor issue)
[bullseye] - golang-golang-x-image  (Minor issue)
[buster] - golang-golang-x-image  (Limited support, minor 
issue, DoS)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ae69ddfe917518f79153141edc3c627b0fe2c19



[Git][security-tracker-team/security-tracker][master] new gitlab issues

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
68776e1b by Moritz Muehlenhoff at 2023-11-01T10:00:18+01:00
new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2023-5831
+   - gitlab 
+CVE-2023-4700
+   - gitlab  (Specific to EE)
+CVE-2023-5600
+   - gitlab  (Specific to EE)
+CVE-2023-3246
+   - gitlab 
+CVE-2023-3909
+   - gitlab 
+CVE-2023-5825
+   - gitlab 
+CVE-2023-3399
+   - gitlab 
 CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
NOT-FOR-US: pkp-lib
 CVE-2023-5903 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
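Review bot: the seven new entries carry neither a description nor a NOTE pointing at the GitLab release announcement, and the two "(Specific to EE)" lines give no source for that determination; one NOTE with the upstream advisory URL per entry, as the rest of this file does, would let others verify which releases fix CVE-2023-5831, CVE-2023-3246, CVE-2023-3909, CVE-2023-5825 and CVE-2023-3399 and why CVE-2023-4700 and CVE-2023-5600 are considered EE-only.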



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68776e1b2e94c18826fc873254831d03f7a28864



[Git][security-tracker-team/security-tracker][master] NFUs

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1914d378 by Moritz Muehlenhoff at 2023-11-01T09:48:23+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24866,6 +24866,7 @@ CVE-2023-31028
RESERVED
 CVE-2023-31027
RESERVED
+   NOT-FOR-US: Nvidia
 CVE-2023-31026
RESERVED
 CVE-2023-31025
@@ -24874,20 +24875,25 @@ CVE-2023-31024
RESERVED
 CVE-2023-31023
RESERVED
+   NOT-FOR-US: Nvidia
 CVE-2023-31022
RESERVED
 CVE-2023-31021
RESERVED
 CVE-2023-31020
RESERVED
+   NOT-FOR-US: Nvidia
 CVE-2023-31019
RESERVED
+   NOT-FOR-US: Nvidia
 CVE-2023-31018
RESERVED
 CVE-2023-31017
RESERVED
+   NOT-FOR-US: Nvidia
 CVE-2023-31016
RESERVED
+   NOT-FOR-US: Nvidia
 CVE-2023-31015 (NVIDIA DGX H100 BMC contains a vulnerability in the REST 
service where ...)
NOT-FOR-US: NVIDIA DGX H100 BMC
 CVE-2023-31014 (NVIDIA GeForce Now for Android contains a vulnerability in the 
game la ...)
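Review bot: the added lines spell the vendor "Nvidia" while the adjacent context line uses "NOT-FOR-US: NVIDIA DGX H100 BMC"; use the same capitalisation ("NVIDIA") in all of the new NOT-FOR-US lines so the file stays consistent for searching.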



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1914d378741691f4f37aee9d8d4faafea88ea2a8



[Git][security-tracker-team/security-tracker][master] NFUs

2023-11-01 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9925c273 by Moritz Muehlenhoff at 2023-11-01T09:38:50+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,85 +1,85 @@
 CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5903 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5902 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5901 (Unrestricted Upload of File with Dangerous Type in GitHub 
repository p ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5900 (Missing Authorization in GitHub repository pkp/pkp-lib prior to 
3.3.0- ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5899 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5898 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5897 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/customLocal ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5896 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5895 (Cross-site Scripting (XSS) - DOM in GitHub repository 
pkp/pkp-lib prio ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5894 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/ojs prior ...)
-   TODO: check
+   NOT-FOR-US: Open Journal System
 CVE-2023-5893 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5892 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5891 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
pkp/pkp-li ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5890 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5889 (Insufficient Session Expiration in GitHub repository 
pkp/pkp-lib prior ...)
-   TODO: check
+   NOT-FOR-US: pkp-lib
 CVE-2023-5516 (Poorly constructed webap requests and URI components with 
special char ...)
-   TODO: check
+   NOT-FOR-US: Hitachi
 CVE-2023-5515 (The responses for web queries with certain parameters disclose 
interna ...)
-   TODO: check
+   NOT-FOR-US: Hitachi
 CVE-2023-5514 (The response messages received from the eSOMS report generation 
using  ...)
-   TODO: check
+   NOT-FOR-US: Hitachi
 CVE-2023-5306 (Online Blood Donation Management System v1.0 is vulnerable to 
multiple ...)
-   TODO: check
+   NOT-FOR-US: Online Blood Donation Management System
 CVE-2023-4198 (Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows 
an unaut ...)
-   TODO: check
+   - dolibarr 
 CVE-2023-4197 (Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails 
to stri ...)
-   TODO: check
+   - dolibarr 
 CVE-2023-47099 (An issue was discovered in Virtualmin 7.7. The Create Virtual 
Server f ...)
-   TODO: check
+   NOT-FOR-US: Virtualmin
 CVE-2023-47098 (An issue was discovered in Virtualmin 7.7. A Stored Cross-Site 
Scripti ...)
-   TODO: check
+   NOT-FOR-US: Virtualmin
 CVE-2023-47097 (An issue was discovered in Virtualmin 7.7. The Server 
Templates featur ...)
-   TODO: check
+   NOT-FOR-US: Virtualmin
 CVE-2023-47096 (An issue was discovered in Virtualmin 7.7. The Cloudmin 
Services Clien ...)
-   TODO: check
+   NOT-FOR-US: Virtualmin
 CVE-2023-47095 (An issue was discovered in Virtualmin 7.7. The Custom Fields 
feature o ...)
-   TODO: check
+   NOT-FOR-US: Virtualmin
 CVE-2023-47094 (An issue was discovered in Virtualmin 7.7. A Stored Cross-Site 
Scripti ...)
-   TODO: check
+   NOT-FOR-US: Virtualmin
 CVE-2023-46485 (An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a 
remote att ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-46484 (An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a 
remote att ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-46378 (Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 
1.1.1 allow ...)
-   TODO: check
+   NOT-FOR-US: MiniCMS
 CVE-2023-46278 (Uncontrolled resource consumption vulnerability in Cybozu 
Remote Servi ...)
-   TODO: check
+   NOT-FOR-US: Cybozu
 CVE-2023-44486 (Online Blood Donation Management System v1.0 is vulnerable to 
multiple ...)
- 
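Review bot: CVE-2023-5897 is tagged `NOT-FOR-US: pkp-lib`, but its description names a GitHub repository under `pkp/customLocal ...`, not `pkp/pkp-lib`; the NOT-FOR-US tag should name the component the CVE actually concerns, as was done two entries down for CVE-2023-5894 (`NOT-FOR-US: Open Journal System` for `pkp/ojs`). Separately, the two Dolibarr lines (CVE-2023-4198 and CVE-2023-4197) read `- dolibarr ` with nothing after the package name: if an angle-bracketed token such as `<unfixed>` was stripped when the mail was rendered, nothing is needed, otherwise each line must carry a fixed version or `<unfixed>` so the tracker can compute the affected suites.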

[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-01 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1c89f7ce by security tracker role at 2023-11-01T08:12:06+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,85 @@
+CVE-2023-5904 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
+   TODO: check
+CVE-2023-5903 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
+   TODO: check
+CVE-2023-5902 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
+   TODO: check
+CVE-2023-5901 (Unrestricted Upload of File with Dangerous Type in GitHub 
repository p ...)
+   TODO: check
+CVE-2023-5900 (Missing Authorization in GitHub repository pkp/pkp-lib prior to 
3.3.0- ...)
+   TODO: check
+CVE-2023-5899 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
+   TODO: check
+CVE-2023-5898 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
+   TODO: check
+CVE-2023-5897 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/customLocal ...)
+   TODO: check
+CVE-2023-5896 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
+   TODO: check
+CVE-2023-5895 (Cross-site Scripting (XSS) - DOM in GitHub repository 
pkp/pkp-lib prio ...)
+   TODO: check
+CVE-2023-5894 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/ojs prior ...)
+   TODO: check
+CVE-2023-5893 (Cross-Site Request Forgery (CSRF) in GitHub repository 
pkp/pkp-lib pri ...)
+   TODO: check
+CVE-2023-5892 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
+   TODO: check
+CVE-2023-5891 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
pkp/pkp-li ...)
+   TODO: check
+CVE-2023-5890 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pkp/pkp-lib p ...)
+   TODO: check
+CVE-2023-5889 (Insufficient Session Expiration in GitHub repository 
pkp/pkp-lib prior ...)
+   TODO: check
+CVE-2023-5516 (Poorly constructed webap requests and URI components with 
special char ...)
+   TODO: check
+CVE-2023-5515 (The responses for web queries with certain parameters disclose 
interna ...)
+   TODO: check
+CVE-2023-5514 (The response messages received from the eSOMS report generation 
using  ...)
+   TODO: check
+CVE-2023-5306 (Online Blood Donation Management System v1.0 is vulnerable to 
multiple ...)
+   TODO: check
+CVE-2023-4198 (Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows 
an unaut ...)
+   TODO: check
+CVE-2023-4197 (Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails 
to stri ...)
+   TODO: check
+CVE-2023-47099 (An issue was discovered in Virtualmin 7.7. The Create Virtual 
Server f ...)
+   TODO: check
+CVE-2023-47098 (An issue was discovered in Virtualmin 7.7. A Stored Cross-Site 
Scripti ...)
+   TODO: check
+CVE-2023-47097 (An issue was discovered in Virtualmin 7.7. The Server 
Templates featur ...)
+   TODO: check
+CVE-2023-47096 (An issue was discovered in Virtualmin 7.7. The Cloudmin 
Services Clien ...)
+   TODO: check
+CVE-2023-47095 (An issue was discovered in Virtualmin 7.7. The Custom Fields 
feature o ...)
+   TODO: check
+CVE-2023-47094 (An issue was discovered in Virtualmin 7.7. A Stored Cross-Site 
Scripti ...)
+   TODO: check
+CVE-2023-46485 (An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a 
remote att ...)
+   TODO: check
+CVE-2023-46484 (An issue in TOTOlink X6000R V9.4.0cu.852_B20230719 allows a 
remote att ...)
+   TODO: check
+CVE-2023-46378 (Stored Cross Site Scripting (XSS) vulnerability in MiniCMS 
1.1.1 allow ...)
+   TODO: check
+CVE-2023-46278 (Uncontrolled resource consumption vulnerability in Cybozu 
Remote Servi ...)
+   TODO: check
+CVE-2023-44486 (Online Blood Donation Management System v1.0 is vulnerable to 
multiple ...)
+   TODO: check
+CVE-2023-44485 (Online Blood Donation Management System v1.0 is vulnerable to 
multiple ...)
+   TODO: check
+CVE-2023-44484 (Online Blood Donation Management System v1.0 is vulnerable to 
multiple ...)
+   TODO: check
+CVE-2023-43295 (Cross Site Request Forgery vulnerability in Click Studios (SA) 
Pty Ltd ...)
+   TODO: check
+CVE-2023-39695 (Insufficient session expiration in Elenos ETG150 FM 
Transmitter v3.12  ...)
+   TODO: check
+CVE-2023-39610 (An issue in TP-Link Tapo C100 v1.1.15 Build 211130 
Rel.15378n(4555) an ...)
+   TODO: check
+CVE-2023-37833 (Improper access control in Elenos ETG150 FM transmitter v3.12 
allows a ...)
+   TODO: check
+CVE-2023-2622 (Authenticated clients can read arbitrary files on the MAIN 
Computer sy ...)
+   TODO: check
+CVE-2023-2621 (The McFeeder server (distributed as part of SSW package), is 
susceptib ...)
+   TODO: 

[Git][security-tracker-team/security-tracker][master] document embedded-code copy of enet in assaultcube.

2023-11-01 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f9985ab0 by Tobias Frost at 2023-11-01T08:19:49+01:00
document embedded-code copy of enet in assaultcube.

- - - - -


1 changed file:

- data/embedded-code-copies


Changes:

=
data/embedded-code-copies
=
@@ -1473,6 +1473,7 @@ libparagui1.1
 
 enet
- sauerbraten  (embed; #497194)
+   - assaultcube  (embed; #1018947, uses version 1.3.6, slightly 
modified)
 
 eglibc
- glibc  (old-version)
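Review bot: the added assaultcube line shows a double space after the package name, exactly as the neighbouring `- sauerbraten  (embed; ...)` and `- glibc  (old-version)` context lines do, which suggests an angle-bracketed status token such as `<unfixed>` was dropped by the mail rendering; confirm the committed line actually carries that token, since embedded-code-copies entries without it are not matched when an enet issue is tracked. The free-text note `uses version 1.3.6, slightly modified` is the right level of detail for whoever has to decide whether an enet fix applies to the bundled copy.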



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9985ab0a4f983544996e7a5ac50017a1cfe461f
