[Git][security-tracker-team/security-tracker][master] Reserve DLA-3650-1 for audiofile
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 47381688 by Bastien Roucariès at 2023-11-12T21:45:17+00:00 Reserve DLA-3650-1 for audiofile - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -125852,7 +125852,6 @@ CVE-2022-24599 (In autofile Audio File Library 0.3.6, there exists one memory le - audiofile (bug #1008017) [bookworm] - audiofile (Minor issue) [bullseye] - audiofile (Minor issue) - [buster] - audiofile (Minor issue) [stretch] - audiofile (Minor issue) NOTE: https://github.com/mpruett/audiofile/issues/60 CVE-2022-24598 @@ -309082,7 +309081,6 @@ CVE-2019-13147 (In Audio File Library (aka audiofile) 0.3.6, there exists one NU - audiofile (low; bug #931343) [bookworm] - audiofile (Minor issue) [bullseye] - audiofile (Minor issue) - [buster] - audiofile (Minor issue) [stretch] - audiofile (Minor issue) [jessie] - audiofile (Minor issue, local DoS) NOTE: https://github.com/mpruett/audiofile/issues/54 = data/DLA/list = @@ -1,3 +1,6 @@ +[12 Nov 2023] DLA-3650-1 audiofile - security update + {CVE-2019-13147 CVE-2022-24599} + [buster] - audiofile 0.3.6-5+deb10u1 [08 Nov 2023] DLA-3649-1 python-urllib3 - security update {CVE-2023-45803} [buster] - python-urllib3 1.24.1-1+deb10u2 = data/dla-needed.txt = 
@@ -24,9 +24,6 @@ rather than remove/replace existing ones. amanda NOTE: 20230730: Added by Front-Desk (apo) -- -audiofile (rouca) - NOTE: 20230918: Added by Front-Desk (apo) --- bind9 (Thorsten Alteholz) NOTE: 20230921: Added by Front-Desk (apo) NOTE: 20231008: backporting patches View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47381688c37621b9803c86f5ba8db65aedfe40c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
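Review bot: CVE-2022-24599 still carries only the open upstream issue link (https://github.com/mpruett/audiofile/issues/60) as its NOTE, while the new DLA-3650-1 entry declares it fixed in audiofile 0.3.6-5+deb10u1; consider adding a NOTE with the patch used for the buster upload, since the unstable entry (bug #1008017) remains unfixed and the bookworm and bullseye lines stay at "Minor issue", so whoever handles those later can start from the same fix.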
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-47037/airflow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7b6dbd5 by Salvatore Bonaccorso at 2023-11-12T21:27:58+01:00 Add CVE-2023-47037/airflow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2023-6084 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) NOT-FOR-US: Tongda OA CVE-2023-47037 (We failed to applyCVE-2023-40611 in 2.7.1 and this vulnerability was m ...) - TODO: check + - airflow (bug #819700) CVE-2023-5959 (A vulnerability, which was classified as problematic, was found in Bei ...) NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform V31R02B10-01 CVE-2023-47390 (Headscale through 0.22.3 writes bearer tokens to info-level logs.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7b6dbd5720c294a9487b54ba72376088ca0d1ca
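Review bot: the CVE-2023-47037 description states that it is the incomplete fix of CVE-2023-40611 in 2.7.1, but the replacement line records only "- airflow (bug #819700)" with no NOTE cross-referencing CVE-2023-40611; adding that NOTE keeps the follow-up relationship visible when the airflow bug is eventually closed.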
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db0284d2 by Salvatore Bonaccorso at 2023-11-12T21:27:30+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-6084 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-47037 (We failed to applyCVE-2023-40611 in 2.7.1 and this vulnerability was m ...) TODO: check CVE-2023-5959 (A vulnerability, which was classified as problematic, was found in Bei ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db0284d25f0ad50f091deeda804c1618b95b1ec4
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16fb70c1 by security tracker role at 2023-11-12T20:12:02+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-6084 (A vulnerability was found in Tongda OA 2017 up to 11.9 and classified ...) + TODO: check +CVE-2023-47037 (We failed to applyCVE-2023-40611 in 2.7.1 and this vulnerability was m ...) + TODO: check CVE-2023-5959 (A vulnerability, which was classified as problematic, was found in Bei ...) NOT-FOR-US: Beijing Baichuo Smart S85F Management Platform V31R02B10-01 CVE-2023-47390 (Headscale through 0.22.3 writes bearer tokens to info-level logs.) @@ -4774,7 +4778,7 @@ CVE-2023-42792 (Apache Airflow, in versions prior to 2.7.2, contains a security - airflow (bug #819700) CVE-2023-45348 (Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerabili ...) - airflow (bug #819700) -CVE-2023-42781 +CVE-2023-42781 (Apache Airflow, versions before 2.7.3, has a vulnerability that allows ...) - airflow (bug #819700) CVE-2023-42780 (Apache Airflow, versions prior to 2.7.2, contains a security vulnerabi ...) - airflow (bug #819700) 
@@ -43095,7 +43099,7 @@ CVE-2022-4908 (Inappropriate implementation in iFrame Sandbox in Google Chrome p - chromium 107.0.5304.68-1 [buster] - chromium (see DSA 5046) CVE-2022-4907 (Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359.71 al ...) - {DSA-5293-1} + {DSA-5552-1 DSA-5293-1} - chromium 108.0.5359.71-1 [buster] - chromium (see DSA 5046) - ffmpeg 7:6.0-4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16fb70c135144aaada2a02fe5aac723628b497cf
[Git][security-tracker-team/security-tracker][master] Claim netty in dsa-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: f70238ad by Markus Koschany at 2023-11-12T20:52:57+01:00 Claim netty in dsa-needed.txt - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -29,7 +29,7 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -netty +netty (apo) -- nghttp2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f70238ad164b805f14da30b776f2c5586b4426a5
[Git][security-tracker-team/security-tracker][master] LTS: add Thorsten as FD 18-12 to 24-12
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: da44dab4 by Anton Gladky at 2023-11-12T20:50:04+01:00 LTS: add Thorsten as FD 18-12 to 24-12 - - - - - 1 changed file: - org/lts-frontdesk.2023.txt Changes: = org/lts-frontdesk.2023.txt = @@ -48,5 +48,5 @@ From 20-11 to 26-11:Ola Lundqvist From 27-11 to 03-12:Sylvain Beucler From 04-12 to 10-12:Thorsten Alteholz From 11-12 to 17-12:Utkarsh Gupta -From 18-12 to 24-12:Anton Gladky +From 18-12 to 24-12:Thorsten Alteholz From 25-12 to 31-12:Chris Lamb View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da44dab4615cce4ded1eb0909ed4e75eebc15d03
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-42781/airflow
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5a42cd7 by Salvatore Bonaccorso at 2023-11-12T20:44:32+01:00 Add CVE-2023-42781/airflow - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4774,6 +4774,8 @@ CVE-2023-42792 (Apache Airflow, in versions prior to 2.7.2, contains a security - airflow (bug #819700) CVE-2023-45348 (Apache Airflow, versions 2.7.0 and 2.7.1, is affected by a vulnerabili ...) - airflow (bug #819700) +CVE-2023-42781 + - airflow (bug #819700) CVE-2023-42780 (Apache Airflow, versions prior to 2.7.2, contains a security vulnerabi ...) - airflow (bug #819700) CVE-2023-5564 (Cross-site Scripting (XSS) - Stored in GitHub repository froxlor/froxl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5a42cd77ed61551a9022c5ec757f3372c887f49
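Review bot: the added "CVE-2023-42781" line has no parenthesised description, unlike the neighbouring airflow entries; that is acceptable if the automatic update is expected to fill it in (the later "automatic update" commit in this digest does so), but until then the entry is indistinguishable from an ID with no published text.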
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 116d03f4 by Moritz Muehlenhoff at 2023-11-12T20:37:33+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -973,7 +973,7 @@ CVE-2023-46802 (e-Tax software Version3.0.10 and earlier improperly restricts XM CVE-2023-40207 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: WordPress plugin CVE-2023-38407 (bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read beyond ...) - - frr + - frr (bug #1055852) NOTE: https://github.com/FRRouting/frr/pull/12951 NOTE: https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b (base_9.0) NOTE: https://github.com/FRRouting/frr/pull/12956 @@ -1045,10 +1045,10 @@ CVE-2023-47272 (Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS v - roundcube 1.6.5+dfsg-1 (bug #1055421) NOTE: https://github.com/roundcube/roundcubemail/commit/81ac3c342a4f288deb275590895b52ec3785cf8a (1.6.5) CVE-2023-47235 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - - frr + - frr (bug #1055852) NOTE: https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b CVE-2023-47234 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - - frr + - frr (bug #1055852) NOTE: https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf CVE-2023-47233 (The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf ...) - linux 
@@ -2414,11 +2414,11 @@ CVE-2023-5139 (Potential buffer overflow vulnerability at the following location CVE-2023-46754 (The admin panel for Obl.ong before 1.1.2 allows authorization bypass b ...) NOT-FOR-US: admin panel for Obl.ong CVE-2023-46753 (An issue was discovered in FRRouting FRR through 9.0.1. A crash can oc ...) - - frr + - frr (bug #1055852) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/d8482bf011cb2b173e85b65b4bf3d5061250cdb9 (master) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/21418d64af11553c402f932b0311c812d98ac3e4 (stable/8.5 branch) CVE-2023-46752 (An issue was discovered in FRRouting FRR through 9.0.1. It mishandles ...) - - frr + - frr (bug #1055852) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35 (master) NOTE: Fixed by: https://github.com/FRRouting/frr/commit/30b5c2a434d25981e16792f6f50162beb517ae4d (stable/8.5 branch) CVE-2023-46668 (If Elastic Endpoint (v7.9.0 - v8.10.3) is configured to use a non-defa ...) @@ -3513,7 +3513,7 @@ CVE-2023-5688 (Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/mod CVE-2023-5687 (Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo ...) NOT-FOR-US: mosparo CVE-2023-5686 (Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prio ...) - - radare2 + - radare2 (bug #1055854) NOTE: https://huntr.com/bounties/bbfe1f76-8fa1-4a8c-909d-65b16e970be0 NOTE: https://github.com/radareorg/radare2/commit/1bdda93e348c160c84e30da3637acef26d0348de CVE-2023-5618 (The Modern Footnotes plugin for WordPress is vulnerable to Stored Cros ...) 
@@ -9609,7 +9609,7 @@ CVE-2023-4914 (Relative Path Traversal in GitHub repository cecilapp/cecil prior CVE-2023-4913 (Cross-site Scripting (XSS) - Reflected in GitHub repository cecilapp/c ...) NOT-FOR-US: cecil.app CVE-2023-4759 (Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, al ...) - - jgit + - jgit (bug #1055853) [bookworm] - jgit (Minor issue) [bullseye] - jgit (Minor issue) [buster] - jgit (Minor issue. Only case-insensitive filesystems are affected) @@ -12034,7 +12034,7 @@ CVE-2023-41363 (In Cerebrate 1.14, a vulnerability in UserSettingsController all NOT-FOR-US: Cerebrate CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does not ...) {DLA-3573-1} - - frr + - frr (bug #1055852) [bullseye] - frr (The vulnerable code was introduced later) NOTE: https://github.com/FRRouting/frr/pull/14241 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/b4d09af9194d20a7f9f16995a062f5d8e3d32840 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/116d03f4bbd9d9bd37afb712b6022f76bcb88a34
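Review bot: a single bug #1055852 is attached to six frr entries (CVE-2023-38407, CVE-2023-47235, CVE-2023-47234, CVE-2023-46753, CVE-2023-46752 and CVE-2023-41361); that is fine if one report tracks the whole batch, but CVE-2023-41361 differs from the others, already having {DLA-3573-1} and a bullseye "vulnerable code was introduced later" annotation, so double-check the bug report actually lists it, otherwise its unstable fix can be overlooked when the bug is closed for the other five.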
[Git][security-tracker-team/security-tracker][master] ffmpeg DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 06a3ec13 by Moritz Mühlenhoff at 2023-11-12T19:39:09+01:00 ffmpeg DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[12 Nov 2023] DSA-5552-1 ffmpeg - security update + {CVE-2022-4907} + [bookworm] - ffmpeg 7:5.1.4-0+deb12u1 [09 Nov 2023] DSA-5551-1 chromium - security update {CVE-2023-5996} [bullseye] - chromium 119.0.6045.123-1~deb11u1 = data/dsa-needed.txt = @@ -17,8 +17,6 @@ cinder/oldstable fastdds Awaiting feedback from maintainer on bullseye status -- -ffmpeg/stable (jmm) --- gpac/oldstable (jmm) -- libreswan (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06a3ec13d156b2f0317fca420fce3c51e084e5f1
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 24e76af0 by Moritz Muehlenhoff at 2023-11-12T19:34:58+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -3152,6 +3152,8 @@ CVE-2023-46602 (In International Color Consortium DemoIccMAX 79ecb74, there is a NOT-FOR-US: International Color Consortium DemoIccMAX CVE-2023-46332 (WebAssembly wabt 1.0.33 contains an Out-of-Bound Memory Write in DataS ...) - wabt (bug #1055299) + [bookworm] - wabt (Minor issue) + [bullseye] - wabt (Minor issue) NOTE: https://github.com/WebAssembly/wabt/issues/2311 CVE-2023-46331 (WebAssembly wabt 1.0.33 has an Out-of-Bound Memory Read in in DataSegm ...) - wabt (unimportant) @@ -9608,6 +9610,8 @@ CVE-2023-4913 (Cross-site Scripting (XSS) - Reflected in GitHub repository cecil NOT-FOR-US: cecil.app CVE-2023-4759 (Arbitrary File Overwrite in Eclipse JGit <= 6.6.0 In Eclipse JGit, al ...) - jgit + [bookworm] - jgit (Minor issue) + [bullseye] - jgit (Minor issue) [buster] - jgit (Minor issue. Only case-insensitive filesystems are affected) NOTE: https://git.eclipse.org/c/jgit/jgit.git/commit/?id=9072103f3b3cf64dd12ad2949836ab98f62dabf1 (v6.6.1.202309021850-r) NOTE: https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/11 @@ -43093,7 +43097,6 @@ CVE-2022-4907 (Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359. - chromium 108.0.5359.71-1 [buster] - chromium (see DSA 5046) - ffmpeg 7:6.0-4 - [bookworm] - ffmpeg (Minor issue, wait until it lands in 5.1.x) [bullseye] - ffmpeg (Vulnerable code introduced later) [buster] - ffmpeg (Vulnerable code introduced later) NOTE: Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/e601ec3c1991ee09ff45db3be4d894e5774f6f2b (n6.0) = data/dsa-needed.txt = 
@@ -17,6 +17,8 @@ cinder/oldstable fastdds Awaiting feedback from maintainer on bullseye status -- +ffmpeg/stable (jmm) +-- gpac/oldstable (jmm) -- libreswan (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24e76af012b54053a8763f2746c36fb7ac797e69
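Review bot: in the wabt hunk, CVE-2023-46332 (an out-of-bound memory write) is marked "Minor issue" for bookworm and bullseye while the neighbouring out-of-bound read CVE-2023-46331 is "unimportant", and no reason is recorded for either rating; a short justification inside the annotation, in the style of the buster jgit line "(Minor issue. Only case-insensitive filesystems are affected)", would let a later triager see why a write was judged minor without re-reading the upstream issue.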
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-37453/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dd167310 by Salvatore Bonaccorso at 2023-11-12T14:19:24+01:00 Update status for CVE-2023-37453/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19219,7 +19219,10 @@ CVE-2023-3456 (Vulnerability of kernel raw address leakage in the hang detector CVE-2023-37454 (An issue was discovered in the Linux kernel through 6.4.2. A crafted U ...) - linux CVE-2023-37453 (An issue was discovered in the USB subsystem in the Linux kernel throu ...) - - linux + - linux 6.5.3-1 + [bookworm] - linux 6.1.55-1 + [bullseye] - linux 5.10.197-1 + NOTE: https://git.kernel.org/linus/ff33299ec8bb80cdcc073ad9c506bd79bb2ed20b (6.6-rc1) CVE-2023-37260 (league/oauth2-server is an implementation of an OAuth 2.0 authorizatio ...) NOT-FOR-US: league/oauth2-server CVE-2023-37245 (Buffer overflow vulnerability in the modem pinctrl module. Successful ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd167310b7ebd0aceba63f23fca18167c9350713
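Review bot: the recorded fixed versions (6.5.3-1 for unstable, 6.1.55-1 for bookworm, 5.10.197-1 for bullseye) all predate the only cited commit, which is annotated as landing in 6.6-rc1, so the fixed-version claims rest on stable-series backports that the entry does not reference; adding the stable releases that carry the backport next to the commit reference, in the same "(version)" style already used for 6.6-rc1, would make the three versions verifiable from the entry alone.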
[Git][security-tracker-team/security-tracker][master] CVE-2022-39282 and CVE-2022-39283 (freerdp2) - link to likely patch
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 818ee323 by Tobias Frost at 2023-11-12T12:47:57+01:00 CVE-2022-39282 and CVE-2022-39283 (freerdp2) - link to likely patch Note: It has not been confirmed if this is the correct patch, but comparing 2.8.0 and 2.8.1 identifies this commit as the very likely patch. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83283,11 +83283,13 @@ CVE-2022-39283 (FreeRDP is a free remote desktop protocol library and clients. A [bullseye] - freerdp2 (Minor issue) [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-6cf9-3328-qrvh + NOTE: patch likely: https://github.com/FreeRDP/FreeRDP/commit/be793c3bb776c1bbda9156b427408d5a5eb00f70 (not confirmed by upstream) CVE-2022-39282 (FreeRDP is a free remote desktop protocol library and clients. FreeRDP ...) - freerdp2 2.8.1+dfsg1-1 (bug #1021659) [bullseye] - freerdp2 (Minor issue) [buster] - freerdp2 (Minor issue) NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c45q-wcpg-mxjq + NOTE: patch likely: https://github.com/FreeRDP/FreeRDP/commit/60aac2abf0740dd36b62712fba91498fd6e055fe (not confirmed by upstream) CVE-2022-39281 (fat_free_crm is a an open source, Ruby on Rails customer relationship ...) NOT-FOR-US: fat_free_crm CVE-2022-39280 (dparse is a parser for Python dependency files. dparse in versions bef ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/818ee3236b99ff1208e49754ca1793ea72a8
[Git][security-tracker-team/security-tracker][master] CVE-2021-41160/freerdp2 - buster backport is not feasible, setting to ignored.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 54629370 by Tobias Frost at 2023-11-12T11:57:42+01:00 CVE-2021-41160/freerdp2 - buster backport is not feasible, setting to ignored. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -152928,10 +152928,11 @@ CVE-2021-41160 (FreeRDP is a free implementation of the Remote Desktop Protocol CVE-2021-41159 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 2.4.1+dfsg1-1 (bug #1001061) [bullseye] - freerdp2 (Minor issue) - [buster] - freerdp2 (Minor issue) + [buster] - freerdp2 (Patch is too instrusive to backport) - freerdp NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-vh34-m9h7-95xq NOTE: https://github.com/FreeRDP/FreeRDP/commit/d39a7ba5c38e3ba3b99b1558dc2ab0970cbfb0c5 (Stable 2.0 backports) + NOTE: The RFC gateway parsing code has been completly refactored, backporting to 2.3.x is not feasible. NOTE: https://github.com/FreeRDP/FreeRDP/commit/f0b44da67c09488178000725ff9f2729ccfdf9fe CVE-2021-41158 (FreeSWITCH is a Software Defined Telecom Stack enabling the digital tr ...) - freeswitch (bug #389591) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54629370e010f1a589026e4e865bad921b90f933
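Review bot: the commit message names CVE-2021-41160, but the lines changed in the hunk belong to the CVE-2021-41159 entry (the CVE-2021-41160 text in the hunk header is only the preceding context line); confirm that the intended entry was edited, or whether CVE-2021-41160 needs the same buster annotation. The two added lines also carry spelling errors, "instrusive" and "completly", and "RFC gateway" is worth checking against the intended term, since these NOTE strings are what later triagers will read.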
[Git][security-tracker-team/security-tracker][master] Track fixed version for openvpn issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e0d6b0f7 by Salvatore Bonaccorso at 2023-11-12T11:45:50+01:00 Track fixed version for openvpn issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,11 +9,11 @@ CVE-2023-4804 (Anunauthorized user could access debug features in Quantum HD Uni CVE-2023-47122 (Gitsign is software for keyless Git signing using Sigstore. In version ...) - gitsign (bug #1019518) CVE-2023-46850 (Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined ...) - - openvpn (bug #1055805) + - openvpn 2.6.7-1 (bug #1055805) NOTE: https://community.openvpn.net/openvpn/wiki/CVE-2023-46850 NOTE: https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/ CVE-2023-46849 (Using the --fragment option in certain configuration setups OpenVPN ve ...) - - openvpn (bug #1055805) + - openvpn 2.6.7-1 (bug #1055805) NOTE: https://community.openvpn.net/openvpn/wiki/CVE-2023-46849 NOTE: https://openvpn.net/security-advisory/access-server-security-update-cve-2023-46849-cve-2023-46850/ CVE-2023-6076 (A vulnerability classified as problematic was found in PHPGurukul Rest ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e0d6b0f7dd36e13933c852afa58d04496c3d95cf
[Git][security-tracker-team/security-tracker][master] Adjust tracking for CVE-2021-32797
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1632ccaa by Salvatore Bonaccorso at 2023-11-12T09:37:03+01:00 Adjust tracking for CVE-2021-32797 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -174050,7 +174050,8 @@ CVE-2021-32798 (The Jupyter notebook is a web-based notebook environment for int NOTE: https://github.com/jupyter/notebook/security/advisories/GHSA-hwvq-6gjx-j797 NOTE: https://github.com/jupyter/notebook/commit/79fc76e890a8ec42f73a3d009e44ef84c14ef0d5 CVE-2021-32797 (JupyterLab is a user interface for Project Jupyter which will eventual ...) - - jupyterlab 4.0.8+ds1-1 + - jupyterlab (Fixed before initial upload to Debian) + NOTE: https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-4952-p58q-6crx CVE-2021-32796 (xmldom is an open source pure JavaScript W3C standard-based (XML DOM L ...) - node-xmldom 0.7.3-1 (bug #991612) [bullseye] - node-xmldom (Minor issue, too intrusive to backport) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1632ccaa6f62ebe5aaa1514aadf235449ba7b644