[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-21428 as not-affected for stretch

2023-11-27 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6619bfa5 by Anton Gladky at 2023-11-28T06:52:43+01:00
Mark CVE-2020-21428 as not-affected for stretch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -236803,6 +236803,7 @@ CVE-2020-21429
 CVE-2020-21428 (Buffer Overflow vulnerability in function LoadRGB in 
PluginDDS.cpp in  ...)
{DLA-3662-1}
- freeimage 3.18.0+ds2-10 (bug #1051738)
+   [stretch] - freeimage  (vulnerable code is not present)
NOTE: https://sourceforge.net/p/freeimage/bugs/299/
NOTE: Fixed with r1877 from 
http://svn.code.sf.net/p/freeimage/svn/FreeImage/
 CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in 
PluginB ...)
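Review bot: the justification on the new [stretch] line, "vulnerable code is not present", cannot be checked from this hunk, because both NOTE lines document the fix (sourceforge bug 299, r1877) rather than when LoadRGB in PluginDDS.cpp gained the overflowing code; add a NOTE naming the upstream revision or release that introduced it so the not-affected claim is reproducible. The wording also differs from the tracker's usual "Vulnerable code not present" (see the glewlwyd buster entry later in this digest); the consistent form keeps the tag greppable.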



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2023-22084 for MariaDB

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c7192f64 by Salvatore Bonaccorso at 2023-11-28T06:45:53+01:00
Add CVE-2023-22084 for MariaDB

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -58834,7 +58834,11 @@ CVE-2023-22086 (Vulnerability in the Oracle WebLogic 
Server product of Oracle Fu
 CVE-2023-22085 (Vulnerability in the Hospitality OPERA 5 Property Services 
product of  ...)
NOT-FOR-US: Oracle
 CVE-2023-22084 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
+   - mariadb 1:10.11.6-1
+   - mariadb-10.5 
+   - mariadb-10.3 
- mysql-8.0 8.0.35-1 (bug #1055034)
+   NOTE: Fixed in MariaDB: 11.2.2, 11.1.3, 11.0.4, 10.11.6, 10.10.7, 
10.6.16, 10.5.23, 10.4.32
 CVE-2023-22083 (Vulnerability in the Oracle Enterprise Session Border 
Controller produ ...)
NOT-FOR-US: Oracle
 CVE-2023-22082 (Vulnerability in the Oracle Business Intelligence Enterprise 
Edition p ...)
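Review bot: the two added lines "- mariadb-10.5 " and "- mariadb-10.3 " end in trailing whitespace and carry no fixed version, while the NOTE in the same hunk says the fix landed upstream in 10.5.23, so mariadb-10.5 should get its Debian fixed version once that upload exists. 10.3 does not appear in the upstream fixed list at all (the oldest branch listed is 10.4.32), so mariadb-10.3 needs an explicit status recorded (no-dsa, end-of-life or a backported fix) rather than an open line with nothing after the package name.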



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7192f648062ed78b9007854a5bafbc96ae7417b



[Git][security-tracker-team/security-tracker][master] Remove duplicate tracking of pending update for glewlwyd

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
88bfac79 by Salvatore Bonaccorso at 2023-11-28T06:30:30+01:00
Remove duplicate tracking of pending update for glewlwyd

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -101,8 +101,3 @@ CVE-2023-43887
 CVE-2023-47471
[bullseye] - libde265 1.0.11-0+deb11u2
 CVE-2022-27240
-   [bullseye] - glewlwyd 2.5.2-2+deb11u3
-CVE-2022-29967
-   [bullseye] - glewlwyd 2.5.2-2+deb11u3
-CVE-2023-49208
-   [bullseye] - glewlwyd 2.5.2-2+deb11u3
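Review bot: the hunk only shows the three glewlwyd entries being dropped; the commit message says they were tracked twice, but neither the message nor the diff identifies where the surviving copy lives (they were added by commit 582f7bbb, shown later in this digest, and the bookworm counterpart sits in data/next-point-update.txt in 114358ee). Name the surviving location in the commit message so the removal can be verified without re-reading the whole file.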



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88bfac7964bb967f7c0747b612132cd1963daaef



[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-45360/mediawiki as no-dsa for buster.

2023-11-27 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b37cad8d by Guilhem Moulin at 2023-11-28T01:18:00+01:00
Mark CVE-2023-45360/mediawiki as no-dsa for buster.

Prior to 1.32 all sysops could edit sitewide CSS/JS, hence inject XSS via
MediaWiki:Common.js or similar. This was changed in 1.32 following
https://phabricator.wikimedia.org/T120886 and
https://phabricator.wikimedia.org/T190015.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8240,6 +8240,7 @@ CVE-2023-40310 (SAP PowerDesignerClient- version 16.7, 
does not sufficiently val
 CVE-2023-45360 (An issue was discovered in MediaWiki before 1.35.12, 1.36.x 
through 1. ...)
{DSA-5520-1}
- mediawiki 1:1.39.5-1
+   [buster] - mediawiki  (Minor issue: prior to 1.32 any sysop 
could edit sitewide CSS/JS anyway)
NOTE: https://phabricator.wikimedia.org/T340221
 CVE-2023-45362 (An issue was discovered in DifferenceEngine.php in MediaWiki 
before 1. ...)
{DSA-5520-1}
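Review bot: the [buster] no-dsa justification rests on the 1.32 behaviour change described in the commit message, but only the phabricator T340221 link reaches data/CVE/list; add NOTE lines for https://phabricator.wikimedia.org/T120886 and https://phabricator.wikimedia.org/T190015 next to the buster tag so the reasoning survives in the tracker data rather than only in git history.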



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b37cad8dfadbfb7305099cd54f45db51545b6a87



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3670-1 for minizip

2023-11-27 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72ec5d16 by Thorsten Alteholz at 2023-11-28T00:03:01+01:00
Reserve DLA-3670-1 for minizip

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Nov 2023] DLA-3670-1 minizip - security update
+   {CVE-2023-45853}
+   [buster] - minizip 1.1-8+deb10u1
 [27 Nov 2023] DLA-3669-1 cryptojs - security update
{CVE-2023-46233}
[buster] - cryptojs 3.1.2+dfsg-2+deb10u1


=
data/dla-needed.txt
=
@@ -120,9 +120,6 @@ linux-5.10
 mediawiki (guilhem)
   NOTE: 20231011: Added by Front-Desk (ta)
 --
-minizip (Thorsten Alteholz)
-  NOTE: 20231117: Added by Front-Desk (apo)
---
 netatalk (gladk)
   NOTE: 20231119: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ec5d16fe9ef63249c0f4241b957568c05603be



[Git][security-tracker-team/security-tracker][master] glewlwyd ospu

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
582f7bbb by Moritz Mühlenhoff at 2023-11-27T22:48:24+01:00
glewlwyd ospu

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -100,3 +100,9 @@ CVE-2023-43887
[bullseye] - libde265 1.0.11-0+deb11u2
 CVE-2023-47471
[bullseye] - libde265 1.0.11-0+deb11u2
+CVE-2022-27240
+   [bullseye] - glewlwyd 2.5.2-2+deb11u3
+CVE-2022-29967
+   [bullseye] - glewlwyd 2.5.2-2+deb11u3
+CVE-2023-49208
+   [bullseye] - glewlwyd 2.5.2-2+deb11u3
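Review bot: these three glewlwyd entries are removed again as duplicate tracking in commit 88bfac79, shown earlier in this digest; before appending to next-oldstable-point-update.txt, grep the file for the package name, since CVE-2023-49208's bullseye status is also being set in data/CVE/list by commit 114358ee and the two files must agree on which CVEs the 2.5.2-2+deb11u3 upload closes.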



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/582f7bbb191727ba48c6c1f9daf9b7bebc5031d0



[Git][security-tracker-team/security-tracker][master] nvidia-graphics-drivers-tesla,glewlwyd spu

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
114358ee by Moritz Mühlenhoff at 2023-11-27T22:45:57+01:00
nvidia-graphics-drivers-tesla,glewlwyd spu

- - - - -


2 changed files:

- data/CVE/list
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -256,6 +256,8 @@ CVE-2023-49210 (The openssl (aka node-openssl) NPM package 
through 2.0.0 was cha
NOT-FOR-US: malicious node module
 CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a 
possible b ...)
- glewlwyd 2.7.6+ds-1
+   [bookworm] - glewlwyd  (Minor issue)
+   [bullseye] - glewlwyd  (Minor issue)
[buster] - glewlwyd  (Vulnerable code not present)
NOTE: 
https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812
 (v2.7.6)
 CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability 
in Pando ...)
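Review bot: the two added "(Minor issue)" tags for bookworm and bullseye carry no version, i.e. the no-dsa form; that is consistent with the 2.7.5-3+deb12u1 point-update line this commit adds for bookworm, but the bullseye side gets no matching entry in data/next-oldstable-point-update.txt in this commit (it arrives in 582f7bbb), so the two commits have to be read together to see that both suites are actually scheduled for a fix.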


=
data/next-point-update.txt
=
@@ -78,6 +78,7 @@ CVE-2023-31022
[bookworm] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb12u1
[bookworm] - nvidia-open-gpu-kernel-modules 525.147.05-1~deb12u1
[bookworm] - nvidia-graphics-drivers 525.147.05-1~deb12u1
+   [bookworm] - nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1
 CVE-2022-48521
[bookworm] - opendkim 2.11.0~beta2-8+deb12u1
 CVE-2023-47038
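Review bot: the new nvidia-graphics-drivers-tesla line uses revision 525.147.05-3~deb12u1 while the adjacent nvidia-graphics-drivers and nvidia-open-gpu-kernel-modules lines in the same context use 525.147.05-1~deb12u1; if the -3 is intentional (a later revision of that source package), fine, otherwise it should match, because the tracker compares this string literally against the archive.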
@@ -90,3 +91,5 @@ CVE-2023-43887
[bookworm] - libde265 1.0.11-1+deb12u1
 CVE-2023-47471
[bookworm] - libde265 1.0.11-1+deb12u1
+CVE-2023-49208
+   [bookworm] - glewlwyd 2.7.5-3+deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/114358ee6c813424c4afc9f247c89012d38c3751



[Git][security-tracker-team/security-tracker][master] libde265 spu/ospu

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96805904 by Moritz Mühlenhoff at 2023-11-27T22:42:05+01:00
libde265 spu/ospu

- - - - -


3 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=
data/CVE/list
=
@@ -1399,6 +1399,8 @@ CVE-2023-47638
REJECTED
 CVE-2023-43887 (Libde265 v1.0.12 was discovered to contain multiple buffer 
overflows v ...)
- libde265 1.0.13-1
+   [bookworm] - libde265  (Minor issue)
+   [bullseye] - libde265  (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/418
NOTE: 
https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133
 (v1.0.13)
 CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 
allows a ...)


=
data/next-oldstable-point-update.txt
=
@@ -92,3 +92,11 @@ CVE-2023-31022
[bullseye] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb11u1
 CVE-2023-47038
[bullseye] - perl 5.32.1-4+deb11u3
+CVE-2023-27102
+   [bullseye] - libde265 1.0.11-0+deb11u2
+CVE-2023-27103
+   [bullseye] - libde265 1.0.11-0+deb11u2
+CVE-2023-43887
+   [bullseye] - libde265 1.0.11-0+deb11u2
+CVE-2023-47471
+   [bullseye] - libde265 1.0.11-0+deb11u2


=
data/next-point-update.txt
=
@@ -82,3 +82,11 @@ CVE-2022-48521
[bookworm] - opendkim 2.11.0~beta2-8+deb12u1
 CVE-2023-47038
[bookworm] - perl 5.36.0-7+deb12u1
+CVE-2023-27102
+   [bookworm] - libde265 1.0.11-1+deb12u1
+CVE-2023-27103
+   [bookworm] - libde265 1.0.11-1+deb12u1
+CVE-2023-43887
+   [bookworm] - libde265 1.0.11-1+deb12u1
+CVE-2023-47471
+   [bookworm] - libde265 1.0.11-1+deb12u1
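Review bot: the two point-update hunks list four CVEs (2023-27102, 2023-27103, 2023-43887, 2023-47471) against the libde265 uploads, but the data/CVE/list hunk in this commit only adds the bookworm/bullseye "(Minor issue)" tags for CVE-2023-43887; confirm that the other three already carry matching suite tags, otherwise the tracker will show them as open in stable/oldstable while the point-update files claim a pending fix.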



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96805904c5ecf7893354dd65fbeae32140400728



[Git][security-tracker-team/security-tracker][master] Process two more Mattermost CVEs

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
470b6a71 by Salvatore Bonaccorso at 2023-11-27T22:07:26+01:00
Process two more Mattermost CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -88,7 +88,7 @@ CVE-2023-47168 (Mattermost fails to properly check a redirect 
URL parameter allo
 CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" 
option in a ...)
- mattermost-server  (bug #823556)
 CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to 
view archiv ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-42000 (Arcserve UDP prior to 9.2 contains a path traversal 
vulnerability in c ...)
NOT-FOR-US: Arcserve
 CVE-2023-41999 (An authentication bypass exists in Arcserve UDP prior to 
version 9.2.  ...)
@@ -108,7 +108,7 @@ CVE-2023-38573 (A use-after-free vulnerability exists in 
the way Foxit Reader 12
 CVE-2023-35985 (An arbitrary file creation vulnerability exists in the 
Javascript expo ...)
NOT-FOR-US: Foxit Reader
 CVE-2023-35075 (Mattermost fails to use innerText /textContentwhen setting the 
channel ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-32616 (A use-after-free vulnerability exists in the way Foxit Reader 
12.1.2.1 ...)
NOT-FOR-US: Foxit Reader
 CVE-2023-31275 (An uninitialized pointer use vulnerability exists in the 
functionality ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/470b6a71a69797c1a66957dbb0e3b8f5ccb469d7



[Git][security-tracker-team/security-tracker][master] Process more NFUs

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d8763a1 by Salvatore Bonaccorso at 2023-11-27T22:06:44+01:00
Process more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -54,11 +54,11 @@ CVE-2023-4642 (The kk Star Ratings WordPress plugin before 
5.4.6 does not implem
 CVE-2023-4590 (Buffer overflow vulnerability in Frhed hex editor, affecting 
version 1 ...)
TODO: check
 CVE-2023-4514 (The Mmm Simple File List WordPress plugin through 2.3 does not 
validat ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4297 (The Mmm Simple File List WordPress plugin through 2.3 does not 
validat ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the 
price of a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
- php-phpseclib3  (bug #1057008)
NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
 (3.0.34)
@@ -90,31 +90,31 @@ CVE-2023-45223 (Mattermost fails to properly validate the 
"Show Full Name" optio
 CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to 
view archiv ...)
TODO: check
 CVE-2023-42000 (Arcserve UDP prior to 9.2 contains a path traversal 
vulnerability in c ...)
-   TODO: check
+   NOT-FOR-US: Arcserve
 CVE-2023-41999 (An authentication bypass exists in Arcserve UDP prior to 
version 9.2.  ...)
-   TODO: check
+   NOT-FOR-US: Arcserve
 CVE-2023-41998 (Arcserve UDP prior to 9.2 contained a vulnerability in 
thecom.ca.arcfl ...)
-   TODO: check
+   NOT-FOR-US: Arcserve
 CVE-2023-41257 (A type confusion vulnerability exists in the way Foxit Reader 
12.1.2.1 ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2023-40703 (Mattermost fails to properly limit the characters allowed in 
different ...)
- mattermost-server  (bug #823556)
 CVE-2023-40194 (An arbitrary file creation vulnerability exists in the 
Javascript expo ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2023-39542 (A code execution vulnerability exists in the Javascript saveAs 
API of  ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2023-38573 (A use-after-free vulnerability exists in the way Foxit Reader 
12.1.2.1 ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2023-35985 (An arbitrary file creation vulnerability exists in the 
Javascript expo ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2023-35075 (Mattermost fails to use innerText /textContentwhen setting the 
channel ...)
TODO: check
 CVE-2023-32616 (A use-after-free vulnerability exists in the way Foxit Reader 
12.1.2.1 ...)
-   TODO: check
+   NOT-FOR-US: Foxit Reader
 CVE-2023-31275 (An uninitialized pointer use vulnerability exists in the 
functionality ...)
-   TODO: check
+   NOT-FOR-US: WPS Office
 CVE-2023-2707 (The gAppointments WordPress plugin through 1.9.5.1 does not 
sanitise a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-43701 (Improper payload validation and an improper REST API response 
type, ma ...)
NOT-FOR-US: Apache Superset
 CVE-2023-42501 (Unnecessary read permissions within the Gamma role would allow 
authent ...)
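Review bot: the truncated description for CVE-2023-31275 ("An uninitialized pointer use vulnerability exists in the functionality ...") does not name a product, so the "NOT-FOR-US: WPS Office" attribution is the one entry in this hunk that cannot be verified from the diff; a NOTE with the advisory URL would make it checkable. The Foxit Reader, Arcserve and WordPress plugin attributions all match their visible descriptions.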



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8763a1767fe536c826d66cbffcf176d4047bd7



[Git][security-tracker-team/security-tracker][master] Process two more Mattermost issues

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa15386d by Salvatore Bonaccorso at 2023-11-27T22:01:34+01:00
Process two more Mattermost issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -86,7 +86,7 @@ CVE-2023-47865 (Mattermost fails to check if hardened mode is 
enabled when overr
 CVE-2023-47168 (Mattermost fails to properly check a redirect URL parameter 
allowing f ...)
- mattermost-server  (bug #823556)
 CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" 
option in a ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to 
view archiv ...)
TODO: check
 CVE-2023-42000 (Arcserve UDP prior to 9.2 contains a path traversal 
vulnerability in c ...)
@@ -98,7 +98,7 @@ CVE-2023-41998 (Arcserve UDP prior to 9.2 contained a 
vulnerability in thecom.ca
 CVE-2023-41257 (A type confusion vulnerability exists in the way Foxit Reader 
12.1.2.1 ...)
TODO: check
 CVE-2023-40703 (Mattermost fails to properly limit the characters allowed in 
different ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-40194 (An arbitrary file creation vulnerability exists in the 
Javascript expo ...)
TODO: check
 CVE-2023-39542 (A code execution vulnerability exists in the Javascript saveAs 
API of  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa15386d6c6c7f8e31d7363ebce8910a2d2adea3



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-49316

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1e0a7dfe by Salvatore Bonaccorso at 2023-11-27T21:59:43+01:00
Add Debian bug reference for CVE-2023-49316

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -60,7 +60,7 @@ CVE-2023-4297 (The Mmm Simple File List WordPress plugin 
through 2.3 does not va
 CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the 
price of a ...)
TODO: check
 CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
-   - php-phpseclib3 
+   - php-phpseclib3  (bug #1057008)
NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
 (3.0.34)
TODO: check if affecting ldap-account-manager or unused path
 CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the 
devName parame ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0a7dfe2060fa2d0046352b736d0f1e03f6555a



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49316/php-phpseclib3

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
14073db3 by Salvatore Bonaccorso at 2023-11-27T21:49:42+01:00
Add CVE-2023-49316/php-phpseclib3

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -60,7 +60,9 @@ CVE-2023-4297 (The Mmm Simple File List WordPress plugin 
through 2.3 does not va
 CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the 
price of a ...)
TODO: check
 CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
-   TODO: check
+   - php-phpseclib3 
+   NOTE: Fixed by: 
https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f
 (3.0.34)
+   TODO: check if affecting ldap-account-manager or unused path
 CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the 
devName parame ...)
NOT-FOR-US: Tenda
 CVE-2023-49046 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows 
a remote ...)
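Review bot: "- php-phpseclib3 " has a trailing space and no fixed version, so the entry reads as open and unfixed in unstable; record the Debian version once the 3.0.34 Math/BinaryField.php fix is uploaded. The TODO on ldap-account-manager is the right question but would close faster with a NOTE saying whether ldap-account-manager embeds its own phpseclib copy or depends on php-phpseclib3, because only the embedded case needs its own line under this CVE.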



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14073db3047bd5548656c1d82eace80aa5a1d969



[Git][security-tracker-team/security-tracker][master] Process some CVEs in Mattermost (mark as mattermost-server)

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20820142 by Salvatore Bonaccorso at 2023-11-27T21:39:42+01:00
Process some CVEs in Mattermost (mark as mattermost-server)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6,7 +6,7 @@ CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and 
ExternalInterface allo
NOT-FOR-US: OTRS
NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which 
forked from 6.x
 CVE-2023-6202 (Mattermost fails to perform proper authorization in the 
/plugins/focal ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-5974 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to 
server ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-5958 (The POST SMTP Mailer WordPress plugin before 2.7.1 does not 
escape ema ...)
@@ -76,13 +76,13 @@ CVE-2023-49029 (Cross Site Scripting vulnerability in 
smpn1smg absis v.2017-10-1
 CVE-2023-49028 (Cross Site Scripting vulnerability in smpn1smg absis 
v.2017-10-19 and  ...)
TODO: check
 CVE-2023-48369 (Mattermost fails to limit the log size of server logs allowing 
an atta ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-48268 (Mattermost fails tolimit the amount of data extracted from 
compressed  ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-47865 (Mattermost fails to check if hardened mode is enabled when 
overriding  ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-47168 (Mattermost fails to properly check a redirect URL parameter 
allowing f ...)
-   TODO: check
+   - mattermost-server  (bug #823556)
 CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" 
option in a ...)
TODO: check
 CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to 
view archiv ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/208201425661fa13fde07aaa0dc7fbf010748588



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6287/check-mk

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5699fdbb by Salvatore Bonaccorso at 2023-11-27T21:39:05+01:00
Add CVE-2023-6287/check-mk

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on 
[PLATF ...)
NOT-FOR-US: Control iD iDSecure
 CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance 
before ...)
-   TODO: check
+   - check-mk 
 CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface 
allows th ...)
NOT-FOR-US: OTRS
NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which 
forked from 6.x
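Review bot: "- check-mk " is added with a trailing space and neither a fixed version nor a status note, yet the CVE text in the hunk locates the issue in "Webconf in Tribe29 Checkmk Appliance", i.e. the appliance product; add a NOTE stating whether the Debian check-mk package ships that Webconf component, since if it does not this belongs as not-affected (or NOT-FOR-US) rather than an open unfixed entry.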



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5699fdbb9c4f6ccde061e1f3eee3e228d464f1ac



[Git][security-tracker-team/security-tracker][master] Process some new NFUs

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e9b9abcf by Salvatore Bonaccorso at 2023-11-27T21:37:51+01:00
Process some new NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,55 +1,56 @@
 CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on 
[PLATF ...)
-   TODO: check
+   NOT-FOR-US: Control iD iDSecure
 CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance 
before ...)
TODO: check
 CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface 
allows th ...)
-   TODO: check
+   NOT-FOR-US: OTRS
+   NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which 
forked from 6.x
 CVE-2023-6202 (Mattermost fails to perform proper authorization in the 
/plugins/focal ...)
TODO: check
 CVE-2023-5974 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to 
server ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5958 (The POST SMTP Mailer WordPress plugin before 2.7.1 does not 
escape ema ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5942 (The Medialist WordPress plugin before 1.4.1 does not validate 
and esca ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5906 (The Job Manager & Career WordPress plugin before 1.4.4 contains 
a vuln ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5845 (The Simple Social Media Share Buttons WordPress plugin before 
5.1.1 le ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5738 (The WordPress Backup & Migration WordPress plugin before 1.4.4 
does no ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5737 (The WordPress Backup & Migration WordPress plugin before 1.4.4 
does no ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5653 (The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 
does n ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5641 (The Martins Free & Easy SEO BackLink Link Building Network 
WordPress p ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5620 (The Web Push Notifications WordPress plugin before 4.35.0 does 
not pre ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5611 (The Seraphinite Accelerator WordPress plugin before 2.20.32 
does not h ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5607 (An improper limitation of a path name to a restricted directory 
(path  ...)
-   TODO: check
+   NOT-FOR-US: Trellix
 CVE-2023-5604 (The Asgaros Forum WordPress plugin before 2.7.1 allows forum 
administr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5560 (The WP-UserOnline WordPress plugin before 2.88.3 does not 
sanitise and ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5559 (The 10Web Booster WordPress plugin before 2.24.18 does not 
validate th ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5525 (The Limit Login Attempts Reloaded WordPress plugin before 
2.25.26 is m ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5325 (The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 
does no ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5239 (The Security & Malware scan by CleanTalk WordPress plugin 
before 2.121 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-5209 (The WordPress Online Booking and Scheduling Plugin WordPress 
plugin be ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4931 (Uncontrolled search path element vulnerability in Plesk 
Installer affe ...)
-   TODO: check
+   NOT-FOR-US: Plesk Installer
 CVE-2023-4922 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to 
a loca ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4642 (The kk Star Ratings WordPress plugin before 5.4.6 does not 
implement a ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4590 (Buffer overflow vulnerability in Frhed hex editor, affecting 
version 1 ...)
TODO: check
 CVE-2023-4514 (The Mmm Simple File List WordPress plugin through 2.3 does not 
validat ...)
@@ -61,15 +62,15 @@ CVE-2023-4252 (The EventPrime WordPress plugin through 
3.2.9 specifies the price
 CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
TODO: check
 CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the 
devName parame ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2023-49046 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows 
a remote ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2023-49043 (Buffer Overflow 

[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-44034/linux

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e769efd by Salvatore Bonaccorso at 2023-11-27T21:26:09+01:00
Track fixed version for CVE-2022-44034/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -71171,7 +71171,7 @@ CVE-2022-44036 (In b2evolution 7.2.5, if configured 
with admins_can_manipulate_s
 CVE-2022-44035
RESERVED
 CVE-2022-44034 (An issue was discovered in the Linux kernel through 6.0.6. 
drivers/cha ...)
-   - linux  (unimportant)
+   - linux 6.4.4-1 (unimportant)
NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/
NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/
NOTE: Negligible security impact, would need physical access to 
"exploit"



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e769efd6aa0cec4d41be7f7c730eeb0bd41731f

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e769efd6aa0cec4d41be7f7c730eeb0bd41731f
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4d3813e2 by security tracker role at 2023-11-27T20:23:34+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,8 +1,122 @@
-CVE-2023-43701
+CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on 
[PLATF ...)
+   TODO: check
+CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance 
before ...)
+   TODO: check
+CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface 
allows th ...)
+   TODO: check
+CVE-2023-6202 (Mattermost fails to perform proper authorization in the 
/plugins/focal ...)
+   TODO: check
+CVE-2023-5974 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to 
server ...)
+   TODO: check
+CVE-2023-5958 (The POST SMTP Mailer WordPress plugin before 2.7.1 does not 
escape ema ...)
+   TODO: check
+CVE-2023-5942 (The Medialist WordPress plugin before 1.4.1 does not validate 
and esca ...)
+   TODO: check
+CVE-2023-5906 (The Job Manager & Career WordPress plugin before 1.4.4 contains 
a vuln ...)
+   TODO: check
+CVE-2023-5845 (The Simple Social Media Share Buttons WordPress plugin before 
5.1.1 le ...)
+   TODO: check
+CVE-2023-5738 (The WordPress Backup & Migration WordPress plugin before 1.4.4 
does no ...)
+   TODO: check
+CVE-2023-5737 (The WordPress Backup & Migration WordPress plugin before 1.4.4 
does no ...)
+   TODO: check
+CVE-2023-5653 (The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 
does n ...)
+   TODO: check
+CVE-2023-5641 (The Martins Free & Easy SEO BackLink Link Building Network 
WordPress p ...)
+   TODO: check
+CVE-2023-5620 (The Web Push Notifications WordPress plugin before 4.35.0 does 
not pre ...)
+   TODO: check
+CVE-2023-5611 (The Seraphinite Accelerator WordPress plugin before 2.20.32 
does not h ...)
+   TODO: check
+CVE-2023-5607 (An improper limitation of a path name to a restricted directory 
(path  ...)
+   TODO: check
+CVE-2023-5604 (The Asgaros Forum WordPress plugin before 2.7.1 allows forum 
administr ...)
+   TODO: check
+CVE-2023-5560 (The WP-UserOnline WordPress plugin before 2.88.3 does not 
sanitise and ...)
+   TODO: check
+CVE-2023-5559 (The 10Web Booster WordPress plugin before 2.24.18 does not 
validate th ...)
+   TODO: check
+CVE-2023-5525 (The Limit Login Attempts Reloaded WordPress plugin before 
2.25.26 is m ...)
+   TODO: check
+CVE-2023-5325 (The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 
does no ...)
+   TODO: check
+CVE-2023-5239 (The Security & Malware scan by CleanTalk WordPress plugin 
before 2.121 ...)
+   TODO: check
+CVE-2023-5209 (The WordPress Online Booking and Scheduling Plugin WordPress 
plugin be ...)
+   TODO: check
+CVE-2023-4931 (Uncontrolled search path element vulnerability in Plesk 
Installer affe ...)
+   TODO: check
+CVE-2023-4922 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to 
a loca ...)
+   TODO: check
+CVE-2023-4642 (The kk Star Ratings WordPress plugin before 5.4.6 does not 
implement a ...)
+   TODO: check
+CVE-2023-4590 (Buffer overflow vulnerability in Frhed hex editor, affecting 
version 1 ...)
+   TODO: check
+CVE-2023-4514 (The Mmm Simple File List WordPress plugin through 2.3 does not 
validat ...)
+   TODO: check
+CVE-2023-4297 (The Mmm Simple File List WordPress plugin through 2.3 does not 
validat ...)
+   TODO: check
+CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the 
price of a ...)
+   TODO: check
+CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, 
excessively large  ...)
+   TODO: check
+CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the 
devName parame ...)
+   TODO: check
+CVE-2023-49046 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows 
a remote ...)
+   TODO: check
+CVE-2023-49043 (Buffer Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows 
a remot ...)
+   TODO: check
+CVE-2023-49042 (Heap Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a 
remote  ...)
+   TODO: check
+CVE-2023-49040 (An issue in Tneda AX1803 v.1.0.0.1 allows a remote attacker to 
execute ...)
+   TODO: check
+CVE-2023-49029 (Cross Site Scripting vulnerability in smpn1smg absis 
v.2017-10-19 and  ...)
+   TODO: check
+CVE-2023-49028 (Cross Site Scripting vulnerability in smpn1smg absis 
v.2017-10-19 and  ...)
+   TODO: check
+CVE-2023-48369 (Mattermost fails to limit the log size of server logs allowing 
an atta ...)
+   TODO: check
+CVE-2023-48268 (Mattermost fails tolimit the amount of data extracted from 
compressed  ...)
+   TODO: check
+CVE-2023-47865 (Mattermost fails to check if hardened mode is enabled when 
overriding  ...)
+   

[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2023-6121/linux

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3710ef67 by Salvatore Bonaccorso at 2023-11-27T21:09:43+01:00
Add reference for CVE-2023-6121/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1062,6 +1062,7 @@ CVE-2023-6121 (An out-of-bounds read vulnerability was 
found in the NVMe-oF/TCP
- linux 
NOTE: 
https://lore.kernel.org/linux-nvme/b58a2dc6-cc8f-4d19-9efe-e1d5b4505...@nvidia.com/T/
NOTE: 
https://lore.kernel.org/linux-nvme/cak5usqvxayc3lj4onqers1p0jpbffr9urzmq6jb4qhab7aq...@mail.gmail.com/T/
+   NOTE: 
https://git.kernel.org/linus/1c22e0295a5eb571c27b53c7371f95699ef705ff (6.7-rc3)
 CVE-2023-6119 (An Improper Privilege Management vulnerability in Trellix 
GetSusp prio ...)
NOT-FOR-US: Trellix
 CVE-2023-6038 (An attacker is able to read any file on the server hosting the 
H2O das ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3710ef670689e0aceed8e9385160e2e717c18342



[Git][security-tracker-team/security-tracker][master] samba fixed in sid

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
de9d9107 by Moritz Muehlenhoff at 2023-11-27T20:59:56+01:00
samba fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -361861,7 +361861,7 @@ CVE-2018-14629 (A denial of service vulnerability was 
discovered in Samba's LDAP
- samba 2:4.9.2+dfsg-2
NOTE: https://www.samba.org/samba/security/CVE-2018-14629.html
 CVE-2018-14628 (An information leak vulnerability was discovered in Samba's 
LDAP serve ...)
-   - samba  (bug #1034803)
+   - samba 2:4.19.3+dfsg-1 (bug #1034803)
[bookworm] - samba  (Minor issue, revisit when fixed 
upstream)
[bullseye] - samba  (Domain controller functionality is EOLed, 
see DSA DSA-5477-1)
[buster] - samba  (Domain controller functionality is EOLed, 
see DSA-5015-1)
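Review bot: with the unstable fix now recorded as `samba 2:4.19.3+dfsg-1`, the unchanged `[bookworm] - samba <no-dsa> (Minor issue, revisit when fixed upstream)` annotation directly below is stale and should be revisited in the same change, either by dropping the "revisit when fixed upstream" reason or by deciding the bookworm status now that an upstream fix exists. The `[bullseye]` context line also reads "see DSA DSA-5477-1" with a doubled "DSA", unlike the `[buster]` line's "see DSA-5015-1".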



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de9d9107284fb0d7b7b8272ac0c457f04e75d0d9



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68d07de7 by Salvatore Bonaccorso at 2023-11-27T20:42:19+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,7 @@ CVE-2023-6311 (A vulnerability was found in SourceCodester 
Loan Management Syste
 CVE-2023-6310 (A vulnerability has been found in SourceCodester Loan 
Management Syste ...)
NOT-FOR-US: SourceCodester Loan Management System
 CVE-2023-6309 (A vulnerability, which was classified as critical, was found in 
moses- ...)
-   TODO: check
+   NOT-FOR-US: Moses
 CVE-2023-6308 (A vulnerability, which was classified as critical, has been 
found in X ...)
NOT-FOR-US: Xiamen Four-Faith Video Surveillance Management System
 CVE-2023-6307 (A vulnerability classified as critical was found in jeecgboot 
JimuRepo ...)
@@ -39,7 +39,7 @@ CVE-2023-6298 (A vulnerability classified as problematic was 
found in Apryse iTe
 CVE-2023-6297 (A vulnerability classified as problematic has been found in 
PHPGurukul ...)
NOT-FOR-US: PHPGurukul
 CVE-2023-6296 (A vulnerability was found in osCommerce 4. It has been rated as 
proble ...)
-   TODO: check
+   NOT-FOR-US: osCommerce
 CVE-2023-49322 (Certain WithSecure products allow a Denial of Service because 
there is ...)
NOT-FOR-US: WithSecure
 CVE-2023-49321 (Certain WithSecure products allow a Denial of Service because 
scanning ...)
@@ -45682,7 +45682,7 @@ CVE-2023-25634
 CVE-2023-25633
RESERVED
 CVE-2023-25632 (The Android Mobile Whale browser app before 3.0.1.2 allows the 
attacke ...)
-   TODO: check
+   NOT-FOR-US: Whale browser
 CVE-2023-25631
RESERVED
 CVE-2023-25630



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68d07de7849df784dabbb9ece5311899ed4a8f41



[Git][security-tracker-team/security-tracker][master] fastdds DSA

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53064de5 by Moritz Mühlenhoff at 2023-11-27T20:13:58+01:00
fastdds DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[27 Nov 2023] DSA-5568-1 fastdds - security update
+   {CVE-2023-42459}
+   [bookworm] - fastdds 2.9.1+ds-1+deb12u2
 [27 Nov 2023] DSA-5567-1 tiff - security update
{CVE-2023-3576 CVE-2023-40745 CVE-2023-41175}
[bullseye] - tiff 4.2.0-1+deb11u5


=
data/dsa-needed.txt
=
@@ -16,8 +16,6 @@ cryptojs
 --
 dnsdist (jmm)
 --
-fastdds (jmm)
---
 freeimage (jmm)
 --
 frr



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53064de5cb6c740a7699712c44ebff8dcaa8be92



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3669-1 for cryptojs

2023-11-27 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cecc9598 by Guilhem Moulin at 2023-11-27T19:51:00+01:00
Reserve DLA-3669-1 for cryptojs

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[27 Nov 2023] DLA-3669-1 cryptojs - security update
+   {CVE-2023-46233}
+   [buster] - cryptojs 3.1.2+dfsg-2+deb10u1
 [27 Nov 2023] DLA-3668-1 opensc - security update
{CVE-2023-40660 CVE-2023-40661}
[buster] - opensc 0.19.0-1+deb10u3


=
data/dla-needed.txt
=
@@ -44,9 +44,6 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-cryptojs (guilhem)
-  NOTE: 20231119: Added by Front-Desk (apo)
---
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cecc95986fad1de59ced1df98928feb67139595f



[Git][security-tracker-team/security-tracker][master] Claim bouncycastle and squid in dla-needed.txt

2023-11-27 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
79f6e7d8 by Markus Koschany at 2023-11-27T19:43:26+01:00
Claim bouncycastle and squid in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -29,7 +29,7 @@ bind9 (Thorsten Alteholz)
   NOTE: 20231008: backporting patches
   NOTE: 20231119: almost done with testing
 --
-bouncycastle
+bouncycastle (Markus Koschany)
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 
was fixed in stretch-lts (Beuc/front-desk)
 --
@@ -221,7 +221,7 @@ salt
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-squid
+squid (Markus Koschany)
   NOTE: 20231102: Added by Front-Desk (lamby)
 --
 suricata (Adrian Bunk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79f6e7d8bef1f46d3da8fcb2043bcc3cbea6b48e



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1ee4af7e by Salvatore Bonaccorso at 2023-11-27T19:13:25+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2023-43701
+   NOT-FOR-US: Apache Superset
+CVE-2023-42501
+   NOT-FOR-US: Apache Superset
+CVE-2023-40610
+   NOT-FOR-US: Apache Superset
 CVE-2023-6313 (A vulnerability was found in SourceCodester URL Shortener 1.0. 
It has  ...)
NOT-FOR-US: SourceCodester URL Shortener
 CVE-2023-6312 (A vulnerability was found in SourceCodester Loan Management 
System 1.0 ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee4af7e8f73bbdfe5658cb10da01de1551512d0



[Git][security-tracker-team/security-tracker][master] Add additional CVE for glewlwyd bullseye-pu update

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c864d61 by Salvatore Bonaccorso at 2023-11-27T19:02:19+01:00
Add additional CVE for glewlwyd bullseye-pu update

- - - - -


1 changed file:

- data/next-oldstable-point-update.txt


Changes:

=
data/next-oldstable-point-update.txt
=
@@ -20,6 +20,8 @@ CVE-2022-27240
[bullseye] - glewlwyd 2.5.2-2+deb11u3
 CVE-2022-29967
[bullseye] - glewlwyd 2.5.2-2+deb11u3
+CVE-2023-49208
+   [bullseye] - glewlwyd 2.5.2-2+deb11u3
 CVE-2021-24119
[bullseye] - mbedtls 2.16.12-0+deb11u1
 CVE-2021-44732



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c864d612411a3e09c27b969c2e5e0dedc0a2ec5



[Git][security-tracker-team/security-tracker][master] Add additional CVEs for hoteldruid

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
887df33a by Salvatore Bonaccorso at 2023-11-27T18:56:23+01:00
Add additional CVEs for hoteldruid

Thanks to upstream for confirming the validity of the CVEs (though not yet
published)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -65468,8 +65468,15 @@ CVE-2022-45594
RESERVED
 CVE-2022-45593
RESERVED
-CVE-2022-45592
+CVE-2023-34854 [Authenticated remote code execution via backup/restore in 
HotelDruid]
+   - hoteldruid 3.0.6-1
+   [bookworm] - hoteldruid  (Minor issue)
+   [bullseye] - hoteldruid  (Minor issue)
+CVE-2022-45592 [(1) Server Side Request Forgery (SSRF), (2) persistant Cross 
site scripting (XSS), and (3) File upload vulnerability.]
RESERVED
+   - hoteldruid 3.0.6-1
+   [bookworm] - hoteldruid  (Minor issue)
+   [bullseye] - hoteldruid  (Minor issue)
 CVE-2022-45591
RESERVED
 CVE-2022-45590
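Review bot: CVE-2022-45592 keeps its `RESERVED` line while the same change gives it a bracketed description and package tracking lines (`- hoteldruid 3.0.6-1` plus the bookworm and bullseye annotations); the new CVE-2023-34854 entry just above carries no `RESERVED` line, so the two entries are inconsistent and the `RESERVED` marker on CVE-2022-45592 should be dropped now that it is tracked against a package. Also worth a second look: CVE-2023-34854 is inserted between CVE-2022-45593 and CVE-2022-45592, out of the list's id ordering, and "persistant" in the added description should read "persistent".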



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/887df33ab5bb5b160e419e30661dec18342a593a



[Git][security-tracker-team/security-tracker][master] CVE-2023-6277/tiff: buster postponed

2023-11-27 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9159033d by Sylvain Beucler at 2023-11-27T18:09:42+01:00
CVE-2023-6277/tiff: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -58,6 +58,7 @@ CVE-2023-6277 (An out-of-memory flaw was found in libtiff. 
Passing a crafted tif
- tiff 4.5.1+git230720-2 (bug #1056751)
[bookworm] - tiff  (Minor issue)
[bullseye] - tiff  (Minor issue)
+   [buster] - tiff  (Minor issue; OOM DoS)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9159033d75a9da0f96181f549fe95231f8c8b375



[Git][security-tracker-team/security-tracker][master] CVE-2019-14744/kde4libs: precise stretch context

2023-11-27 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7910bbdb by Sylvain Beucler at 2023-11-27T17:54:04+01:00
CVE-2019-14744/kde4libs: precise stretch context

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -305449,6 +305449,7 @@ CVE-2019-14744 (In KDE Frameworks KConfig before 
5.61.0, malicious desktop files
NOTE: https://kde.org/info/security/advisory-20190807-1.txt
NOTE: kconfig: 
https://github.com/KDE/kconfig/commit/5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
NOTE: kdelibs: 
https://github.com/KDE/kdelibs/commit/2c3762feddf7e66cf6b64d9058f625a715694a00
+   NOTE: stretch desktop users affected through dolphin (kconfig), and 
also through dolphin4 and konqueror (kde4libs)
 CVE-2019-14743 (In Valve Steam Client for Windows through 2019-08-07, 
HKLM\SOFTWARE\Wo ...)
NOT-FOR-US: Valve Steam Client for Windows
 CVE-2019-14742



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7910bbdb4a8a7625c897b16f812c99a68fdc8d35



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
35cf6256 by Moritz Muehlenhoff at 2023-11-27T17:11:29+01:00
bullseye/bookworm triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2943,6 +2943,8 @@ CVE-2023-47004 (Buffer Overflow vulnerability in Redis 
RedisGraph v.2.x through
NOT-FOR-US: RedisGraph
 CVE-2023-46998 (Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 
through ...)
- libjs-bootbox  (bug #1055612)
+   [bookworm] - libjs-bootbox  (Minor issue)
+   [bullseye] - libjs-bootbox  (Minor issue)
NOTE: https://github.com/bootboxjs/bootbox/issues/661
 CVE-2023-46845 (EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 
4.0.6-p3, ...)
NOT-FOR-US: EC-CUBE
@@ -6489,6 +6491,7 @@ CVE-2023-42497 (Reflected cross-site scripting (XSS) 
vulnerability on the Export
NOT-FOR-US: Liferay Portal
 CVE-2023-42459 (Fast DDS is a C++ implementation of the DDS (Data Distribution 
Service ...)
- fastdds 2.11.2+ds-6 (bug #1054163)
+   [bullseye] - fastdds  (Vulnerable code not present)
NOTE: 
https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm
NOTE: https://github.com/eProsima/Fast-DDS/issues/3207
NOTE: https://github.com/eProsima/Fast-DDS/pull/3824



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35cf6256accda513d05dc3bac764eff195fe21ad



[Git][security-tracker-team/security-tracker][master] dla: add bouncycastle

2023-11-27 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d193738 by Sylvain Beucler at 2023-11-27T13:57:12+01:00
dla: add bouncycastle

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -29,6 +29,10 @@ bind9 (Thorsten Alteholz)
   NOTE: 20231008: backporting patches
   NOTE: 20231119: almost done with testing
 --
+bouncycastle
+  NOTE: 20231127: Added by Front-Desk (Beuc)
+  NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 
was fixed in stretch-lts (Beuc/front-desk)
+--
 cacti (Sylvain Beucler)
   NOTE: 20230906: Added by Front-Desk (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d193738dabedb79891edc450ad921fe98143761



[Git][security-tracker-team/security-tracker][master] dla: add gimp-dds

2023-11-27 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
030c6248 by Sylvain Beucler at 2023-11-27T13:35:16+01:00
dla: add gimp-dds

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -64,6 +64,9 @@ flatpak
 frr
   NOTE: 20231119: Added by Front-Desk (apo)
 --
+gimp-dds
+  NOTE: 20231127: Added by Front-Desk (Beuc)
+--
 gst-plugins-bad1.0 (Thorsten Alteholz)
   NOTE: 20231118: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/030c624874c6092868ba6b2080c3086af0b20898



[Git][security-tracker-team/security-tracker][master] LTS: reclaim mediawiki in dla-needed.txt

2023-11-27 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bce34a0d by Guilhem Moulin at 2023-11-27T12:57:33+01:00
LTS: reclaim mediawiki in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,7 +113,7 @@ linux (Ben Hutchings)
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
-mediawiki
+mediawiki (guilhem)
   NOTE: 20231011: Added by Front-Desk (ta)
 --
 minizip (Thorsten Alteholz)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bce34a0dbd2156d3e226ad5531299bf3b7ec51b5



[Git][security-tracker-team/security-tracker][master] dla: add zfs-linux

2023-11-27 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ddbf19b5 by Sylvain Beucler at 2023-11-27T12:28:46+01:00
dla: add zfs-linux

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -252,3 +252,6 @@ zabbix
 zbar
   NOTE: 20231119: Added by Front-Desk (apo)
 --
+zfs-linux
+  NOTE: 20231127: Added by Front-Desk (Beuc)
+--



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddbf19b52675135e49cd264dda61323b90e14904



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.

2023-11-27 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
27e8ac71 by Chris Lamb at 2023-11-27T10:47:18+00:00
data/dla-needed.txt: Claim python-django.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -158,7 +158,7 @@ postgresql-multicorn (rouca)
   NOTE: 20231108: Added by Front-Desk (santiago)
   NOTE: 20231108: Need to handle incompatibilities with versions in debian 
packages, brought up by PEP 440. See 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
 --
-python-django
+python-django (Chris Lamb)
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)
   NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & 
CVE-2021-33571. (lamby)
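Review bot: the claimant on the `python-django (Chris Lamb)` line is written as a full name while the NOTE on the same entry signs as `(lamby)`; using one identifier per entry avoids ambiguity when the claim is later matched against notes or unclaim scripts. Consider `python-django (lamby)` to match the existing NOTE.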



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27e8ac71e656c4164ae0274bdd5361d3051cf2dc



[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage

2023-11-27 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
63c2ddcc by Moritz Muehlenhoff at 2023-11-27T11:26:48+01:00
bullseye/bookworm triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -56,6 +56,8 @@ CVE-2023-6293 (Prototype Pollution in GitHub repository 
robinbuschmann/sequelize
NOT-FOR-US: sequelize-typescript
 CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted 
tiff fil ...)
- tiff 4.5.1+git230720-2 (bug #1056751)
+   [bookworm] - tiff  (Minor issue)
+   [bullseye] - tiff  (Minor issue)
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
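Review bot: the two new `(Minor issue)` lines for CVE-2023-6277 carry no rationale, while the CVE description says this is an out-of-memory flaw triggered by a crafted tiff file. Spelling out the reasoning in the parenthesis, e.g. `[bookworm] - tiff  (Minor issue; DoS via memory exhaustion only)`, follows the pattern used elsewhere in this file (`[buster] - tiff  (Minor issue, memory leak in CLI tool)`) and lets a later triager see why no point update was requested.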


=
data/dsa-needed.txt
=
@@ -16,8 +16,9 @@ cryptojs
 --
 dnsdist (jmm)
 --
-fastdds
-  Awaiting feedback from maintainer on bullseye status
+fastdds (jmm)
+--
+freeimage (jmm)
 --
 frr
 --
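Review bot: claiming `fastdds (jmm)` also drops the line `Awaiting feedback from maintainer on bullseye status`, which discards the open question without recording its outcome. If the maintainer answered, a short note stating the bullseye decision would preserve that; if not, keeping the line tells the claimant that the bullseye status is still unresolved. The new `freeimage (jmm)` entry is fine as is.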
@@ -81,6 +82,8 @@ samba/oldstable
 --
 squid
 --
+varnish
+--
 xen (jmm)
 --
 zbar



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63c2ddccd503001d583047ce4b7db7e17d270d9f



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2023-11-27 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2e8a90ad by Roberto C. Sánchez at 2023-11-27T04:23:35-05:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Roberto C. Sánchez robe...@connexer.com

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -113,7 +113,7 @@ linux (Ben Hutchings)
 linux-5.10
   NOTE: 20231005: perma-added for LTS package-specific delegation (bwh)
 --
-mediawiki (guilhem)
+mediawiki
   NOTE: 20231011: Added by Front-Desk (ta)
 --
 minizip (Thorsten Alteholz)
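Review bot: the unclaim of `mediawiki` leaves no trace in the file that a claim existed and was dropped for inactivity; the only dated line remains the 20231011 Front-Desk NOTE, so the two-week inactivity window stated in the commit message can only be verified from git history. Adding `NOTE: 20231127: unclaimed after 2 weeks of inactivity (previously guilhem)` would keep that context for the next person who picks up the package.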
@@ -158,7 +158,7 @@ postgresql-multicorn (rouca)
   NOTE: 20231108: Added by Front-Desk (santiago)
   NOTE: 20231108: Need to handle incompatibilities with versions in debian 
packages, brought up by PEP 440. See 
https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70
 --
-python-django (Chris Lamb)
+python-django
   NOTE: 20231006: Added by Front-Desk (Beuc)
   NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists 
(Beuc/front-desk)
   NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & 
CVE-2021-33571. (lamby)
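Review bot: the `python-django` unclaim removes the claimant but keeps the 20231020 NOTE from lamby that already scoped the work to CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 and CVE-2021-33571, so there may be partially prepared updates behind this entry. A dated NOTE recording the unclaim and whether the previous claimant was asked about existing work would let the next claimant build on it instead of starting over.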



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e8a90ae8d2faea4e41267f9d9b064b944c3



[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2023-46118/rabbitmq-server

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
89dee89d by Salvatore Bonaccorso at 2023-11-27T10:17:28+01:00
Add fixed version via unstable for CVE-2023-46118/rabbitmq-server

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5040,7 +5040,7 @@ CVE-2023-46120 (The RabbitMQ Java client library allows 
Java and JVM-based appli
 CVE-2023-46119 (Parse Server is an open source backend that can be deployed to 
any inf ...)
NOT-FOR-US: Parse Server
 CVE-2023-46118 (RabbitMQ is a multi-protocol messaging and streaming broker. 
HTTP API  ...)
-   - rabbitmq-server  (bug #1056723)
+   - rabbitmq-server 3.10.8-3 (bug #1056723)
[bookworm] - rabbitmq-server  (Minor issue)
[bullseye] - rabbitmq-server  (Minor issue)
NOTE: 
https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg
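Review bot: the fixed version `rabbitmq-server 3.10.8-3` is recorded against bug #1056723, but the only NOTE is the GHSA advisory link, which does not identify the upstream fix. A second NOTE pointing at the upstream commit or pull request that 3.10.8-3 carries would let the `(Minor issue)` decisions for bookworm and bullseye, and any later backport, be checked against the actual change.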



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89dee89d91eebe8fa3fe36b587318f354cc5dd6a



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3e383e38 by Salvatore Bonaccorso at 2023-11-27T09:28:54+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,45 +1,45 @@
 CVE-2023-6313 (A vulnerability was found in SourceCodester URL Shortener 1.0. 
It has  ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester URL Shortener
 CVE-2023-6312 (A vulnerability was found in SourceCodester Loan Management 
System 1.0 ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Loan Management System
 CVE-2023-6311 (A vulnerability was found in SourceCodester Loan Management 
System 1.0 ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Loan Management System
 CVE-2023-6310 (A vulnerability has been found in SourceCodester Loan 
Management Syste ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Loan Management System
 CVE-2023-6309 (A vulnerability, which was classified as critical, was found in 
moses- ...)
TODO: check
 CVE-2023-6308 (A vulnerability, which was classified as critical, has been 
found in X ...)
-   TODO: check
+   NOT-FOR-US: Xiamen Four-Faith Video Surveillance Management System
 CVE-2023-6307 (A vulnerability classified as critical was found in jeecgboot 
JimuRepo ...)
-   TODO: check
+   NOT-FOR-US: jeecgboot JimuReport
 CVE-2023-6306 (A vulnerability classified as critical has been found in 
SourceCodeste ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Free and Open Source Inventory Management 
System
 CVE-2023-6305 (A vulnerability was found in SourceCodester Free and Open 
Source Inven ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Free and Open Source Inventory Management 
System
 CVE-2023-6304 (A vulnerability was found in Tecno 4G Portable WiFi TR118 
TR118-M30E-R ...)
-   TODO: check
+   NOT-FOR-US: Tecno 4G Portable WiFi TR118
 CVE-2023-6303 (A vulnerability was found in CSZCMS 1.3.0. It has been 
classified as p ...)
-   TODO: check
+   NOT-FOR-US: CSZCMS
 CVE-2023-6302 (A vulnerability was found in CSZCMS 1.3.0 and classified as 
critical.  ...)
-   TODO: check
+   NOT-FOR-US: CSZCMS
 CVE-2023-6301 (A vulnerability has been found in SourceCodester Best Courier 
Manageme ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best Courier Management System
 CVE-2023-6300 (A vulnerability, which was classified as problematic, was found 
in Sou ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best Courier Management System
 CVE-2023-6299 (A vulnerability, which was classified as problematic, has been 
found i ...)
TODO: check
 CVE-2023-6298 (A vulnerability classified as problematic was found in Apryse 
iText 8. ...)
TODO: check
 CVE-2023-6297 (A vulnerability classified as problematic has been found in 
PHPGurukul ...)
-   TODO: check
+   NOT-FOR-US: PHPGurukul
 CVE-2023-6296 (A vulnerability was found in osCommerce 4. It has been rated as 
proble ...)
TODO: check
 CVE-2023-49322 (Certain WithSecure products allow a Denial of Service because 
there is ...)
-   TODO: check
+   NOT-FOR-US: WithSecure
 CVE-2023-49321 (Certain WithSecure products allow a Denial of Service because 
scanning ...)
-   TODO: check
+   NOT-FOR-US: WithSecure
 CVE-2023-49312 (Precision Bridge PrecisionBridge.exe (aka the thick client) 
before 7.3 ...)
-   TODO: check
+   NOT-FOR-US: Precision Bridge
 CVE-2023-47039
- perl  (Windows specific issue)
 CVE-2023-47038 [Write past buffer end via illegal user-defined Unicode 
property]



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e383e387ba188c7ae14410fc3e1e379e174dace



[Git][security-tracker-team/security-tracker][master] automatic update

2023-11-27 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
37aca15d by security tracker role at 2023-11-27T08:11:38+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,45 @@
+CVE-2023-6313 (A vulnerability was found in SourceCodester URL Shortener 1.0. 
It has  ...)
+   TODO: check
+CVE-2023-6312 (A vulnerability was found in SourceCodester Loan Management 
System 1.0 ...)
+   TODO: check
+CVE-2023-6311 (A vulnerability was found in SourceCodester Loan Management 
System 1.0 ...)
+   TODO: check
+CVE-2023-6310 (A vulnerability has been found in SourceCodester Loan 
Management Syste ...)
+   TODO: check
+CVE-2023-6309 (A vulnerability, which was classified as critical, was found in 
moses- ...)
+   TODO: check
+CVE-2023-6308 (A vulnerability, which was classified as critical, has been 
found in X ...)
+   TODO: check
+CVE-2023-6307 (A vulnerability classified as critical was found in jeecgboot 
JimuRepo ...)
+   TODO: check
+CVE-2023-6306 (A vulnerability classified as critical has been found in 
SourceCodeste ...)
+   TODO: check
+CVE-2023-6305 (A vulnerability was found in SourceCodester Free and Open 
Source Inven ...)
+   TODO: check
+CVE-2023-6304 (A vulnerability was found in Tecno 4G Portable WiFi TR118 
TR118-M30E-R ...)
+   TODO: check
+CVE-2023-6303 (A vulnerability was found in CSZCMS 1.3.0. It has been 
classified as p ...)
+   TODO: check
+CVE-2023-6302 (A vulnerability was found in CSZCMS 1.3.0 and classified as 
critical.  ...)
+   TODO: check
+CVE-2023-6301 (A vulnerability has been found in SourceCodester Best Courier 
Manageme ...)
+   TODO: check
+CVE-2023-6300 (A vulnerability, which was classified as problematic, was found 
in Sou ...)
+   TODO: check
+CVE-2023-6299 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2023-6298 (A vulnerability classified as problematic was found in Apryse 
iText 8. ...)
+   TODO: check
+CVE-2023-6297 (A vulnerability classified as problematic has been found in 
PHPGurukul ...)
+   TODO: check
+CVE-2023-6296 (A vulnerability was found in osCommerce 4. It has been rated as 
proble ...)
+   TODO: check
+CVE-2023-49322 (Certain WithSecure products allow a Denial of Service because 
there is ...)
+   TODO: check
+CVE-2023-49321 (Certain WithSecure products allow a Denial of Service because 
scanning ...)
+   TODO: check
+CVE-2023-49312 (Precision Bridge PrecisionBridge.exe (aka the thick client) 
before 7.3 ...)
+   TODO: check
 CVE-2023-47039
- perl  (Windows specific issue)
 CVE-2023-47038 [Write past buffer end via illegal user-defined Unicode 
property]
@@ -3109,6 +3151,7 @@ CVE-2023-41685 (Improper Neutralization of Special 
Elements used in an SQL Comma
 CVE-2023-41378 (In certain conditions for Calico Typha (v3.26.2, v3.25.1 and 
below), a ...)
NOT-FOR-US: Calico Typha
 CVE-2023-40661 (Several memory vulnerabilities were identified within the 
OpenSC packa ...)
+   {DLA-3668-1}
- opensc 0.23.0-2 (bug #1055522)
[bookworm] - opensc  (Minor issue)
[bullseye] - opensc  (Minor issue)
@@ -3116,6 +3159,7 @@ CVE-2023-40661 (Several memory vulnerabilities were 
identified within the OpenSC
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40661
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2240913#c1
 CVE-2023-40660 (A flaw was found in OpenSC packages that allow a potential PIN 
bypass. ...)
+   {DLA-3668-1}
- opensc 0.23.0-2 (bug #1055521)
[bookworm] - opensc  (Minor issue)
[bullseye] - opensc  (Minor issue)
@@ -8694,6 +8738,7 @@ CVE-2023-3701 (Aqua Drive, in its 2.4 version, is 
vulnerable to a relative path
 CVE-2023-3665 (A code injection vulnerability in Trellix ENS 10.7.0 April 2023 
releas ...)
NOT-FOR-US: Trellix
 CVE-2023-3576 (A memory leak flaw was found in Libtiff's tiffcrop utility. 
This issue ...)
+   {DSA-5567-1}
- tiff 4.5.1~rc3-1
[buster] - tiff  (Minor issue, memory leak in CLI tool)
NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/475
@@ -18945,13 +18990,13 @@ CVE-2023-32232 (An issue was discovered in Vasion 
PrinterLogic Client for Window
 CVE-2023-32231 (An issue was discovered in Vasion PrinterLogic Client for 
Windows befo ...)
NOT-FOR-US: Vasion
 CVE-2023-41175 (A vulnerability was found in libtiff due to multiple potential 
integer ...)
-   {DLA-3513-1}
+   {DSA-5567-1 DLA-3513-1}
- tiff 4.5.1+git230720-1
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/592
NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235264
 CVE-2023-40745 (LibTIFF is vulnerable to