[Git][security-tracker-team/security-tracker][master] Mark CVE-2020-21428 as not-affected for stretch
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 6619bfa5 by Anton Gladky at 2023-11-28T06:52:43+01:00 Mark CVE-2020-21428 as not-affected for stretch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -236803,6 +236803,7 @@ CVE-2020-21429 CVE-2020-21428 (Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp in ...) {DLA-3662-1} - freeimage 3.18.0+ds2-10 (bug #1051738) + [stretch] - freeimage (vulnerable code is not present) NOTE: https://sourceforge.net/p/freeimage/bugs/299/ NOTE: Fixed with r1877 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in PluginB ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6619bfa58413f9d3459f33f21a696aa0da67fb3b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
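Review bot: the new `[stretch] - freeimage (vulnerable code is not present)` line states the conclusion but nothing in the entry backs it; the only NOTE points at the fix (r1877), not at where the LoadRGB code in PluginDDS.cpp was introduced. Adding a NOTE with the upstream revision or release that introduced the affected code would let the next triager verify the stretch claim without redoing the work. Minor style point: other entries on this page spell the annotation `(Vulnerable code not present)` (see the glewlwyd entry in 114358ee), so matching that wording keeps the file greppable.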
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-22084 for MariaDB
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7192f64 by Salvatore Bonaccorso at 2023-11-28T06:45:53+01:00 Add CVE-2023-22084 for MariaDB - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58834,7 +58834,11 @@ CVE-2023-22086 (Vulnerability in the Oracle WebLogic Server product of Oracle Fu CVE-2023-22085 (Vulnerability in the Hospitality OPERA 5 Property Services product of ...) NOT-FOR-US: Oracle CVE-2023-22084 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) + - mariadb 1:10.11.6-1 + - mariadb-10.5 + - mariadb-10.3 - mysql-8.0 8.0.35-1 (bug #1055034) + NOTE: Fixed in MariaDB: 11.2.2, 11.1.3, 11.0.4, 10.11.6, 10.10.7, 10.6.16, 10.5.23, 10.4.32 CVE-2023-22083 (Vulnerability in the Oracle Enterprise Session Border Controller produ ...) NOT-FOR-US: Oracle CVE-2023-22082 (Vulnerability in the Oracle Business Intelligence Enterprise Edition p ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7192f648062ed78b9007854a5bafbc96ae7417b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7192f648062ed78b9007854a5bafbc96ae7417b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
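Review bot: `mariadb-10.5` and `mariadb-10.3` are added without a fixed version, so both will show as open until a suite-specific decision is recorded, and the NOTE lists no 10.3.x release among the fixed upstream versions (10.11.6, 10.10.7, 10.6.16, 10.5.23, 10.4.32), so the mariadb-10.3 entry will need either a backported fix or an explicit suite annotation with a NOTE rather than staying unqualified. The mysql-8.0 line carries a bug reference while the three mariadb lines do not; filing or linking a bug for the mariadb-10.5 and mariadb-10.3 updates would make the pending work visible in the tracker.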
[Git][security-tracker-team/security-tracker][master] Remove duplicate tracking of pending update for glewlwyd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88bfac79 by Salvatore Bonaccorso at 2023-11-28T06:30:30+01:00 Remove duplicate tracking of pending update for glewlwyd - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -101,8 +101,3 @@ CVE-2023-43887 CVE-2023-47471 [bullseye] - libde265 1.0.11-0+deb11u2 CVE-2022-27240 - [bullseye] - glewlwyd 2.5.2-2+deb11u3 -CVE-2022-29967 - [bullseye] - glewlwyd 2.5.2-2+deb11u3 -CVE-2023-49208 - [bullseye] - glewlwyd 2.5.2-2+deb11u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88bfac7964bb967f7c0747b612132cd1963daaef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88bfac7964bb967f7c0747b612132cd1963daaef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
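Review bot: the hunk header `@@ -101,8 +101,3 @@` accounts for five removed lines, but three two-line entries would be six: the `[bullseye] - glewlwyd 2.5.2-2+deb11u3` line under CVE-2022-27240 is removed while the `CVE-2022-27240` header itself is kept as context, which leaves a CVE line with no package line in data/next-oldstable-point-update.txt. If the non-duplicate entry for CVE-2022-27240 lives elsewhere in the file, the header should go as well; if the intent was to keep this one, it needs its `[bullseye]` line back. Worth a quick look at the file after this commit.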
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-45360/mediawiki as no-dsa for buster.
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: b37cad8d by Guilhem Moulin at 2023-11-28T01:18:00+01:00 Mark CVE-2023-45360/mediawiki as no-dsa for buster. Prior to 1.32 all sysops could edit sitewide CSS/JS hence inject XSS via MediaWiki:Common.js or similar. This was changed in 1.32 following https://phabricator.wikimedia.org/T120886 and https://phabricator.wikimedia.org/T190015. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8240,6 +8240,7 @@ CVE-2023-40310 (SAP PowerDesignerClient- version 16.7, does not sufficiently val CVE-2023-45360 (An issue was discovered in MediaWiki before 1.35.12, 1.36.x through 1. ...) {DSA-5520-1} - mediawiki 1:1.39.5-1 + [buster] - mediawiki (Minor issue: prior to 1.32 any sysop could edit sitewide CSS/JS anyway) NOTE: https://phabricator.wikimedia.org/T340221 CVE-2023-45362 (An issue was discovered in DifferenceEngine.php in MediaWiki before 1. ...) {DSA-5520-1} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b37cad8dfadbfb7305099cd54f45db51545b6a87 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b37cad8dfadbfb7305099cd54f45db51545b6a87 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
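Review bot: the rationale in the new `[buster] - mediawiki (Minor issue: ...)` line is compressed, and the two Phabricator tasks that justify it (T120886 and T190015) live only in the commit message. Adding them as NOTE lines next to the existing `NOTE: https://phabricator.wikimedia.org/T340221` keeps the reasoning for the no-dsa decision in data/CVE/list, where future triagers will see it, rather than only in git history.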
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3670-1 for minizip
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 72ec5d16 by Thorsten Alteholz at 2023-11-28T00:03:01+01:00 Reserve DLA-3670-1 for minizip - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[28 Nov 2023] DLA-3670-1 minizip - security update + {CVE-2023-45853} + [buster] - minizip 1.1-8+deb10u1 [27 Nov 2023] DLA-3669-1 cryptojs - security update {CVE-2023-46233} [buster] - cryptojs 3.1.2+dfsg-2+deb10u1 = data/dla-needed.txt = @@ -120,9 +120,6 @@ linux-5.10 mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- -minizip (Thorsten Alteholz) - NOTE: 20231117: Added by Front-Desk (apo) --- netatalk (gladk) NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ec5d16fe9ef63249c0f4241b957568c05603be -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72ec5d16fe9ef63249c0f4241b957568c05603be You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
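Review bot: for the data/DLA/list hunk, the new DLA-3670-1 entry claims `[buster] - minizip 1.1-8+deb10u1`, but the CVE-2023-45853 entry in data/CVE/list is not touched here, so it will still need the `{DLA-3670-1}` cross-reference once the advisory goes out, and the version recorded here must match the actual upload. The dla-needed.txt hunk removes the minizip block cleanly (the `--` separator before netatalk survives), nothing further there.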
[Git][security-tracker-team/security-tracker][master] glewlwyd ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 582f7bbb by Moritz Mühlenhoff at 2023-11-27T22:48:24+01:00 glewlwyd ospu - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -100,3 +100,9 @@ CVE-2023-43887 [bullseye] - libde265 1.0.11-0+deb11u2 CVE-2023-47471 [bullseye] - libde265 1.0.11-0+deb11u2 +CVE-2022-27240 + [bullseye] - glewlwyd 2.5.2-2+deb11u3 +CVE-2022-29967 + [bullseye] - glewlwyd 2.5.2-2+deb11u3 +CVE-2023-49208 + [bullseye] - glewlwyd 2.5.2-2+deb11u3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/582f7bbb191727ba48c6c1f9daf9b7bebc5031d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/582f7bbb191727ba48c6c1f9daf9b7bebc5031d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
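Review bot: the three appended entries (CVE-2022-27240, CVE-2022-29967, CVE-2023-49208, each with `[bullseye] - glewlwyd 2.5.2-2+deb11u3`) are removed again in 88bfac79 on this page ("Remove duplicate tracking of pending update for glewlwyd"), which indicates the file already tracked them; a grep for the package name before appending to next-oldstable-point-update.txt avoids the churn. Also, the companion commit 114358ee only adds a `[bullseye]` annotation in data/CVE/list for CVE-2023-49208, so check that CVE-2022-27240 and CVE-2022-29967 carry matching bullseye annotations there.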
[Git][security-tracker-team/security-tracker][master] nvidia-graphics-drivers-tesla,glewlwyd spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 114358ee by Moritz Mühlenhoff at 2023-11-27T22:45:57+01:00 nvidia-graphics-drivers-tesla,glewlwyd spu - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -256,6 +256,8 @@ CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was cha NOT-FOR-US: malicious node module CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...) - glewlwyd 2.7.6+ds-1 + [bookworm] - glewlwyd (Minor issue) + [bullseye] - glewlwyd (Minor issue) [buster] - glewlwyd (Vulnerable code not present) NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6) CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) = data/next-point-update.txt = @@ -78,6 +78,7 @@ CVE-2023-31022 [bookworm] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb12u1 [bookworm] - nvidia-open-gpu-kernel-modules 525.147.05-1~deb12u1 [bookworm] - nvidia-graphics-drivers 525.147.05-1~deb12u1 + [bookworm] - nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1 CVE-2022-48521 [bookworm] - opendkim 2.11.0~beta2-8+deb12u1 CVE-2023-47038 @@ -90,3 +91,5 @@ CVE-2023-43887 [bookworm] - libde265 1.0.11-1+deb12u1 CVE-2023-47471 [bookworm] - libde265 1.0.11-1+deb12u1 +CVE-2023-49208 + [bookworm] - glewlwyd 2.7.5-3+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/114358ee6c813424c4afc9f247c89012d38c3751 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/114358ee6c813424c4afc9f247c89012d38c3751 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
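Review bot: in the data/CVE/list hunk, tagging CVE-2023-49208 as `(Minor issue)` for bookworm and bullseye while scheduling `glewlwyd 2.7.5-3+deb12u1` in next-point-update.txt is the usual no-dsa-then-point-update shape; the bullseye side is only scheduled in the separate commit 582f7bbb, so the two commits have to be read together to see the full decision.

Review bot: in the data/next-point-update.txt hunk, the new `nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1` line has Debian revision -3 while the adjacent nvidia-graphics-drivers and nvidia-open-gpu-kernel-modules lines are -1~deb12u1; plausible if the tesla package had extra revisions, but worth confirming against the actual upload, since a version that does not match leaves the CVE shown as open after the point release.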
[Git][security-tracker-team/security-tracker][master] libde265 spu/ospu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 96805904 by Moritz Mühlenhoff at 2023-11-27T22:42:05+01:00 libde265 spu/ospu - - - - - 3 changed files: - data/CVE/list - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -1399,6 +1399,8 @@ CVE-2023-47638 REJECTED CVE-2023-43887 (Libde265 v1.0.12 was discovered to contain multiple buffer overflows v ...) - libde265 1.0.13-1 + [bookworm] - libde265 (Minor issue) + [bullseye] - libde265 (Minor issue) NOTE: https://github.com/strukturag/libde265/issues/418 NOTE: https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133 (v1.0.13) CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...) = data/next-oldstable-point-update.txt = @@ -92,3 +92,11 @@ CVE-2023-31022 [bullseye] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb11u1 CVE-2023-47038 [bullseye] - perl 5.32.1-4+deb11u3 +CVE-2023-27102 + [bullseye] - libde265 1.0.11-0+deb11u2 +CVE-2023-27103 + [bullseye] - libde265 1.0.11-0+deb11u2 +CVE-2023-43887 + [bullseye] - libde265 1.0.11-0+deb11u2 +CVE-2023-47471 + [bullseye] - libde265 1.0.11-0+deb11u2 = data/next-point-update.txt = 
@@ -82,3 +82,11 @@ CVE-2022-48521 [bookworm] - opendkim 2.11.0~beta2-8+deb12u1 CVE-2023-47038 [bookworm] - perl 5.36.0-7+deb12u1 +CVE-2023-27102 + [bookworm] - libde265 1.0.11-1+deb12u1 +CVE-2023-27103 + [bookworm] - libde265 1.0.11-1+deb12u1 +CVE-2023-43887 + [bookworm] - libde265 1.0.11-1+deb12u1 +CVE-2023-47471 + [bookworm] - libde265 1.0.11-1+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96805904c5ecf7893354dd65fbeae32140400728 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96805904c5ecf7893354dd65fbeae32140400728 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
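Review bot: the data/CVE/list hunk only adds `[bookworm]`/`[bullseye] - libde265 (Minor issue)` annotations for CVE-2023-43887, yet the next-point-update and next-oldstable-point-update hunks schedule four CVEs (CVE-2023-27102, CVE-2023-27103, CVE-2023-43887, CVE-2023-47471) for libde265 1.0.11-1+deb12u1 and 1.0.11-0+deb11u2. Check that the other three entries in data/CVE/list already carry matching bookworm and bullseye annotations; otherwise the tracker shows them as unfixed with no recorded decision until the point releases land.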
[Git][security-tracker-team/security-tracker][master] Process two more Mattermost CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 470b6a71 by Salvatore Bonaccorso at 2023-11-27T22:07:26+01:00 Process two more Mattermost CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -88,7 +88,7 @@ CVE-2023-47168 (Mattermost fails to properly check a redirect URL parameter allo CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" option in a ...) - mattermost-server (bug #823556) CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to view archiv ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-42000 (Arcserve UDP prior to 9.2 contains a path traversal vulnerability in c ...) NOT-FOR-US: Arcserve CVE-2023-41999 (An authentication bypass exists in Arcserve UDP prior to version 9.2. ...) @@ -108,7 +108,7 @@ CVE-2023-38573 (A use-after-free vulnerability exists in the way Foxit Reader 12 CVE-2023-35985 (An arbitrary file creation vulnerability exists in the Javascript expo ...) NOT-FOR-US: Foxit Reader CVE-2023-35075 (Mattermost fails to use innerText /textContentwhen setting the channel ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-32616 (A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.1 ...) NOT-FOR-US: Foxit Reader CVE-2023-31275 (An uninitialized pointer use vulnerability exists in the functionality ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/470b6a71a69797c1a66957dbb0e3b8f5ccb469d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/470b6a71a69797c1a66957dbb0e3b8f5ccb469d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d8763a1 by Salvatore Bonaccorso at 2023-11-27T22:06:44+01:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,11 +54,11 @@ CVE-2023-4642 (The kk Star Ratings WordPress plugin before 5.4.6 does not implem CVE-2023-4590 (Buffer overflow vulnerability in Frhed hex editor, affecting version 1 ...) TODO: check CVE-2023-4514 (The Mmm Simple File List WordPress plugin through 2.3 does not validat ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4297 (The Mmm Simple File List WordPress plugin through 2.3 does not validat ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the price of a ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, excessively large ...) - php-phpseclib3 (bug #1057008) NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f (3.0.34) 
@@ -90,31 +90,31 @@ CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" optio CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to view archiv ...) TODO: check CVE-2023-42000 (Arcserve UDP prior to 9.2 contains a path traversal vulnerability in c ...) - TODO: check + NOT-FOR-US: Arcserve CVE-2023-41999 (An authentication bypass exists in Arcserve UDP prior to version 9.2. ...) - TODO: check + NOT-FOR-US: Arcserve CVE-2023-41998 (Arcserve UDP prior to 9.2 contained a vulnerability in thecom.ca.arcfl ...) - TODO: check + NOT-FOR-US: Arcserve CVE-2023-41257 (A type confusion vulnerability exists in the way Foxit Reader 12.1.2.1 ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2023-40703 (Mattermost fails to properly limit the characters allowed in different ...) - mattermost-server (bug #823556) CVE-2023-40194 (An arbitrary file creation vulnerability exists in the Javascript expo ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2023-39542 (A code execution vulnerability exists in the Javascript saveAs API of ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2023-38573 (A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.1 ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2023-35985 (An arbitrary file creation vulnerability exists in the Javascript expo ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2023-35075 (Mattermost fails to use innerText /textContentwhen setting the channel ...) TODO: check CVE-2023-32616 (A use-after-free vulnerability exists in the way Foxit Reader 12.1.2.1 ...) - TODO: check + NOT-FOR-US: Foxit Reader CVE-2023-31275 (An uninitialized pointer use vulnerability exists in the functionality ...) - TODO: check + NOT-FOR-US: WPS Office CVE-2023-2707 (The gAppointments WordPress plugin through 1.9.5.1 does not sanitise a ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-43701 (Improper payload validation and an improper REST API response type, ma ...) 
NOT-FOR-US: Apache Superset CVE-2023-42501 (Unnecessary read permissions within the Gamma role would allow authent ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8763a1767fe536c826d66cbffcf176d4047bd7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8763a1767fe536c826d66cbffcf176d4047bd7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
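Review bot: in the second hunk (`@@ -90,31 +90,31 @@`) the two entries left at `TODO: check`, CVE-2023-43754 and CVE-2023-35075, are both Mattermost, and the Mattermost triage on this page (commits 20820142, fa15386d, 470b6a71) picks them up one commit later; nothing wrong with the hunk, just noting that this batch is only complete together with 470b6a71. In the first hunk, CVE-2023-4590 (Frhed hex editor) also stays at `TODO: check`, and Frhed is not referenced anywhere else on this page, so that decision is still pending.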
[Git][security-tracker-team/security-tracker][master] Process two more Mattermost issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fa15386d by Salvatore Bonaccorso at 2023-11-27T22:01:34+01:00 Process two more Mattermost issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -86,7 +86,7 @@ CVE-2023-47865 (Mattermost fails to check if hardened mode is enabled when overr CVE-2023-47168 (Mattermost fails to properly check a redirect URL parameter allowing f ...) - mattermost-server (bug #823556) CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" option in a ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to view archiv ...) TODO: check CVE-2023-42000 (Arcserve UDP prior to 9.2 contains a path traversal vulnerability in c ...) @@ -98,7 +98,7 @@ CVE-2023-41998 (Arcserve UDP prior to 9.2 contained a vulnerability in thecom.ca CVE-2023-41257 (A type confusion vulnerability exists in the way Foxit Reader 12.1.2.1 ...) TODO: check CVE-2023-40703 (Mattermost fails to properly limit the characters allowed in different ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-40194 (An arbitrary file creation vulnerability exists in the Javascript expo ...) TODO: check CVE-2023-39542 (A code execution vulnerability exists in the Javascript saveAs API of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa15386d6c6c7f8e31d7363ebce8910a2d2adea3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa15386d6c6c7f8e31d7363ebce8910a2d2adea3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-49316
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e0a7dfe by Salvatore Bonaccorso at 2023-11-27T21:59:43+01:00 Add Debian bug reference for CVE-2023-49316 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -60,7 +60,7 @@ CVE-2023-4297 (The Mmm Simple File List WordPress plugin through 2.3 does not va CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the price of a ...) TODO: check CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, excessively large ...) - - php-phpseclib3 + - php-phpseclib3 (bug #1057008) NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f (3.0.34) TODO: check if affecting ldap-account-manager or unused path CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parame ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0a7dfe2060fa2d0046352b736d0f1e03f6555a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e0a7dfe2060fa2d0046352b736d0f1e03f6555a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49316/php-phpseclib3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 14073db3 by Salvatore Bonaccorso at 2023-11-27T21:49:42+01:00 Add CVE-2023-49316/php-phpseclib3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -60,7 +60,9 @@ CVE-2023-4297 (The Mmm Simple File List WordPress plugin through 2.3 does not va CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the price of a ...) TODO: check CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, excessively large ...) - TODO: check + - php-phpseclib3 + NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f (3.0.34) + TODO: check if affecting ldap-account-manager or unused path CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parame ...) NOT-FOR-US: Tenda CVE-2023-49046 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14073db3047bd5548656c1d82eace80aa5a1d969 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14073db3047bd5548656c1d82eace80aa5a1d969 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
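Review bot: the new entry tracks only `php-phpseclib3`, while the CVE text says `phpseclib before 3.0.34` and names `Math/BinaryField.php`; if the older php-phpseclib (2.x) source package is still in the archive and does not ship that file, an explicit not-affected line with a NOTE would record that triage instead of leaving it implicit. The `TODO: check if affecting ldap-account-manager or unused path` is the right open question to leave on the entry; the bug reference is added in the following commit 1e0a7dfe.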
[Git][security-tracker-team/security-tracker][master] Process some CVEs in Mattermost (mark as mattermost-server)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20820142 by Salvatore Bonaccorso at 2023-11-27T21:39:42+01:00 Process some CVEs in Mattermost (mark as mattermost-server) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,7 +6,7 @@ CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface allo NOT-FOR-US: OTRS NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which forked from 6.x CVE-2023-6202 (Mattermost fails to perform proper authorization in the /plugins/focal ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-5974 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to server ...) NOT-FOR-US: WordPress plugin CVE-2023-5958 (The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape ema ...) 
@@ -76,13 +76,13 @@ CVE-2023-49029 (Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-1 CVE-2023-49028 (Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and ...) TODO: check CVE-2023-48369 (Mattermost fails to limit the log size of server logs allowing an atta ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-48268 (Mattermost fails tolimit the amount of data extracted from compressed ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-47865 (Mattermost fails to check if hardened mode is enabled when overriding ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-47168 (Mattermost fails to properly check a redirect URL parameter allowing f ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-45223 (Mattermost fails to properly validate the "Show Full Name" option in a ...) TODO: check CVE-2023-43754 (Mattermost fails to check whether the \u201cAllow users to view archiv ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/208201425661fa13fde07aaa0dc7fbf010748588 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/208201425661fa13fde07aaa0dc7fbf010748588 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
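Review bot: the five entries changed across both hunks (CVE-2023-6202, CVE-2023-48369, CVE-2023-48268, CVE-2023-47865, CVE-2023-47168) all get `- mattermost-server (bug #823556)` with no version and no severity, which is consistent but gives a reader of data/CVE/list no hint that #823556 is being used as a package-level tracking bug rather than a per-issue one. A single NOTE on one of these entries, or a sentence in the commit message, would document the convention; otherwise fine.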
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6287/check-mk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5699fdbb by Salvatore Bonaccorso at 2023-11-27T21:39:05+01:00 Add CVE-2023-6287/check-mk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATF ...) NOT-FOR-US: Control iD iDSecure CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before ...) - TODO: check + - check-mk CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface allows th ...) NOT-FOR-US: OTRS NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which forked from 6.x View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5699fdbb9c4f6ccde061e1f3eee3e228d464f1ac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5699fdbb9c4f6ccde061e1f3eee3e228d464f1ac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
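Review bot: the description says `Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance`, i.e. the appliance's web configuration component, and the hunk assigns it to the `check-mk` source package with no version, NOTE or severity. The triage question a reviewer would want answered on the entry is whether the Debian check-mk source contains the Webconf code at all: if not, this should become `<not-affected>` or NOT-FOR-US with a NOTE saying why; if it does, an upstream reference and the affected and fixed versions belong here.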
[Git][security-tracker-team/security-tracker][master] Process some new NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9b9abcf by Salvatore Bonaccorso at 2023-11-27T21:37:51+01:00 Process some new NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,55 +1,56 @@ CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATF ...) - TODO: check + NOT-FOR-US: Control iD iDSecure CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before ...) TODO: check CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface allows th ...) - TODO: check + NOT-FOR-US: OTRS + NOTE: Issue is listed as specific to 8.x, so won't affect Znuny which forked from 6.x CVE-2023-6202 (Mattermost fails to perform proper authorization in the /plugins/focal ...) TODO: check CVE-2023-5974 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to server ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5958 (The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape ema ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5942 (The Medialist WordPress plugin before 1.4.1 does not validate and esca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5906 (The Job Manager & Career WordPress plugin before 1.4.4 contains a vuln ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5845 (The Simple Social Media Share Buttons WordPress plugin before 5.1.1 le ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5738 (The WordPress Backup & Migration WordPress plugin before 1.4.4 does no ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5737 (The WordPress Backup & Migration WordPress plugin before 1.4.4 does no ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5653 (The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does n ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5641 (The Martins Free & Easy SEO BackLink Link Building Network WordPress p ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5620 (The Web Push Notifications WordPress plugin before 4.35.0 does not pre ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5611 (The Seraphinite Accelerator WordPress plugin before 2.20.32 does not h ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5607 (An improper limitation of a path name to a restricted directory (path ...) - TODO: check + NOT-FOR-US: Trellix CVE-2023-5604 (The Asgaros Forum WordPress plugin before 2.7.1 allows forum administr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5560 (The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5559 (The 10Web Booster WordPress plugin before 2.24.18 does not validate th ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5525 (The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is m ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5325 (The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does no ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5239 (The Security & Malware scan by CleanTalk WordPress plugin before 2.121 ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5209 (The WordPress Online Booking and Scheduling Plugin WordPress plugin be ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4931 (Uncontrolled search path element vulnerability in Plesk Installer affe ...) - TODO: check + NOT-FOR-US: Plesk Installer CVE-2023-4922 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to a loca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4642 (The kk Star Ratings WordPress plugin before 5.4.6 does not implement a ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4590 (Buffer overflow vulnerability in Frhed hex editor, affecting version 1 ...) TODO: check CVE-2023-4514 (The Mmm Simple File List WordPress plugin through 2.3 does not validat ...) 
@@ -61,15 +62,15 @@ CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the price CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, excessively large ...) TODO: check CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parame ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-49046 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-49043 (Buffer Overflow
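Review bot: in the first hunk (`@@ -1,55 +1,56 @@`) CVE-2023-6329 is marked `NOT-FOR-US: Control iD iDSecure` although the visible description is still the CNA template (`[PROBLEMTYPE] in [COMPONENT] in [VENDOR] ...`), so the product name came from outside the entry; a NOTE with the source would let the next reader verify it. The same applies to CVE-2023-5607, marked `NOT-FOR-US: Trellix`, whose truncated description does not name the vendor. The one-line growth in that hunk is the added OTRS/Znuny NOTE, which is the useful kind of annotation: it records why a fork in the archive is not affected. The email is cut off mid-hunk at CVE-2023-49043, so the tail of this change is not reviewable here.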
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-44034/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e769efd by Salvatore Bonaccorso at 2023-11-27T21:26:09+01:00 Track fixed version for CVE-2022-44034/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -71171,7 +71171,7 @@ CVE-2022-44036 (In b2evolution 7.2.5, if configured with admins_can_manipulate_s CVE-2022-44035 RESERVED CVE-2022-44034 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - - linux (unimportant) + - linux 6.4.4-1 (unimportant) NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/ NOTE: Negligible security impact, would need physical access to "exploit" View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e769efd6aa0cec4d41be7f7c730eeb0bd41731f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e769efd6aa0cec4d41be7f7c730eeb0bd41731f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d3813e2 by security tracker role at 2023-11-27T20:23:34+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,8 +1,122 @@ -CVE-2023-43701 +CVE-2023-6329 ([PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATF ...) + TODO: check +CVE-2023-6287 (Sensitive data exposure in Webconf in Tribe29 Checkmk Appliance before ...) + TODO: check +CVE-2023-6254 (A Vulnerability in OTRS AgentInterface and ExternalInterface allows th ...) + TODO: check +CVE-2023-6202 (Mattermost fails to perform proper authorization in the /plugins/focal ...) + TODO: check +CVE-2023-5974 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to server ...) + TODO: check +CVE-2023-5958 (The POST SMTP Mailer WordPress plugin before 2.7.1 does not escape ema ...) + TODO: check +CVE-2023-5942 (The Medialist WordPress plugin before 1.4.1 does not validate and esca ...) + TODO: check +CVE-2023-5906 (The Job Manager & Career WordPress plugin before 1.4.4 contains a vuln ...) + TODO: check +CVE-2023-5845 (The Simple Social Media Share Buttons WordPress plugin before 5.1.1 le ...) + TODO: check +CVE-2023-5738 (The WordPress Backup & Migration WordPress plugin before 1.4.4 does no ...) + TODO: check +CVE-2023-5737 (The WordPress Backup & Migration WordPress plugin before 1.4.4 does no ...) + TODO: check +CVE-2023-5653 (The WassUp Real Time Analytics WordPress plugin through 1.9.4.5 does n ...) + TODO: check +CVE-2023-5641 (The Martins Free & Easy SEO BackLink Link Building Network WordPress p ...) + TODO: check +CVE-2023-5620 (The Web Push Notifications WordPress plugin before 4.35.0 does not pre ...) + TODO: check +CVE-2023-5611 (The Seraphinite Accelerator WordPress plugin before 2.20.32 does not h ...) + TODO: check +CVE-2023-5607 (An improper limitation of a path name to a restricted directory (path ...) + TODO: check +CVE-2023-5604 (The Asgaros Forum WordPress plugin before 2.7.1 allows forum administr ...) + TODO: check +CVE-2023-5560 (The WP-UserOnline WordPress plugin before 2.88.3 does not sanitise and ...) 
+ TODO: check +CVE-2023-5559 (The 10Web Booster WordPress plugin before 2.24.18 does not validate th ...) + TODO: check +CVE-2023-5525 (The Limit Login Attempts Reloaded WordPress plugin before 2.25.26 is m ...) + TODO: check +CVE-2023-5325 (The Woocommerce Vietnam Checkout WordPress plugin before 2.0.6 does no ...) + TODO: check +CVE-2023-5239 (The Security & Malware scan by CleanTalk WordPress plugin before 2.121 ...) + TODO: check +CVE-2023-5209 (The WordPress Online Booking and Scheduling Plugin WordPress plugin be ...) + TODO: check +CVE-2023-4931 (Uncontrolled search path element vulnerability in Plesk Installer affe ...) + TODO: check +CVE-2023-4922 (The WPB Show Core WordPress plugin through 2.2 is vulnerable to a loca ...) + TODO: check +CVE-2023-4642 (The kk Star Ratings WordPress plugin before 5.4.6 does not implement a ...) + TODO: check +CVE-2023-4590 (Buffer overflow vulnerability in Frhed hex editor, affecting version 1 ...) + TODO: check +CVE-2023-4514 (The Mmm Simple File List WordPress plugin through 2.3 does not validat ...) + TODO: check +CVE-2023-4297 (The Mmm Simple File List WordPress plugin through 2.3 does not validat ...) + TODO: check +CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the price of a ...) + TODO: check +CVE-2023-49316 (In Math/BinaryField.php in phpseclib before 3.0.34, excessively large ...) + TODO: check +CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parame ...) + TODO: check +CVE-2023-49046 (Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote ...) + TODO: check +CVE-2023-49043 (Buffer Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remot ...) + TODO: check +CVE-2023-49042 (Heap Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote ...) + TODO: check +CVE-2023-49040 (An issue in Tneda AX1803 v.1.0.0.1 allows a remote attacker to execute ...) 
+ TODO: check +CVE-2023-49029 (Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and ...) + TODO: check +CVE-2023-49028 (Cross Site Scripting vulnerability in smpn1smg absis v.2017-10-19 and ...) + TODO: check +CVE-2023-48369 (Mattermost fails to limit the log size of server logs allowing an atta ...) + TODO: check +CVE-2023-48268 (Mattermost fails tolimit the amount of data extracted from compressed ...) + TODO: check +CVE-2023-47865 (Mattermost fails to check if hardened mode is enabled when overriding ...) +
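Review bot: CVE-2023-6329 is added with the unfilled CNA template as its description (`[PROBLEMTYPE] in [COMPONENT] in [VENDOR] [PRODUCT] [VERSION] on [PLATF ...`), so the entry carries nothing to triage on; its `TODO: check` should stay until the upstream record is corrected and re-fetched, and it should not be resolved to NOT-FOR-US on the strength of this text. Separately, the hunk header announces 122 new lines but only the first part is shown here, so the `-CVE-2023-43701` removal at the top of the file cannot be matched against its re-insertion in this view; confirm in the full commit that the entry survives the re-sort with its annotation.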
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2023-6121/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3710ef67 by Salvatore Bonaccorso at 2023-11-27T21:09:43+01:00 Add reference for CVE-2023-6121/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1062,6 +1062,7 @@ CVE-2023-6121 (An out-of-bounds read vulnerability was found in the NVMe-oF/TCP - linux NOTE: https://lore.kernel.org/linux-nvme/b58a2dc6-cc8f-4d19-9efe-e1d5b4505...@nvidia.com/T/ NOTE: https://lore.kernel.org/linux-nvme/cak5usqvxayc3lj4onqers1p0jpbffr9urzmq6jb4qhab7aq...@mail.gmail.com/T/ + NOTE: https://git.kernel.org/linus/1c22e0295a5eb571c27b53c7371f95699ef705ff (6.7-rc3) CVE-2023-6119 (An Improper Privilege Management vulnerability in Trellix GetSusp prio ...) NOT-FOR-US: Trellix CVE-2023-6038 (An attacker is able to read any file on the server hosting the H2O das ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3710ef670689e0aceed8e9385160e2e717c18342
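Review bot: the package line in context is still a bare `- linux` with no fixed version, while the new NOTE records the upstream fix as 1c22e0295a5eb571c27b53c7371f95699ef705ff in 6.7-rc3; the entry therefore stays open and will need the Debian version that first ships that commit once it is uploaded, so this reference alone does not change the tracked status for any suite.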
[Git][security-tracker-team/security-tracker][master] samba fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: de9d9107 by Moritz Muehlenhoff at 2023-11-27T20:59:56+01:00 samba fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -361861,7 +361861,7 @@ CVE-2018-14629 (A denial of service vulnerability was discovered in Samba's LDAP - samba 2:4.9.2+dfsg-2 NOTE: https://www.samba.org/samba/security/CVE-2018-14629.html CVE-2018-14628 (An information leak vulnerability was discovered in Samba's LDAP serve ...) - - samba (bug #1034803) + - samba 2:4.19.3+dfsg-1 (bug #1034803) [bookworm] - samba (Minor issue, revisit when fixed upstream) [bullseye] - samba (Domain controller functionality is EOLed, see DSA DSA-5477-1) [buster] - samba (Domain controller functionality is EOLed, see DSA-5015-1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de9d9107284fb0d7b7b8272ac0c457f04e75d0d9
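Review bot: the bookworm context line still reads `(Minor issue, revisit when fixed upstream)`, but this hunk records the fix as available in 2:4.19.3+dfsg-1, so the condition in that annotation is now met and the bookworm status should be revisited in the same change (either a point-update plan or an updated no-dsa rationale). Smaller point in the same context: the bullseye line says `see DSA DSA-5477-1` with a doubled `DSA`, whereas the buster line reads `see DSA-5015-1`; worth correcting while the entry is being touched.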
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68d07de7 by Salvatore Bonaccorso at 2023-11-27T20:42:19+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,7 +13,7 @@ CVE-2023-6311 (A vulnerability was found in SourceCodester Loan Management Syste CVE-2023-6310 (A vulnerability has been found in SourceCodester Loan Management Syste ...) NOT-FOR-US: SourceCodester Loan Management System CVE-2023-6309 (A vulnerability, which was classified as critical, was found in moses- ...) - TODO: check + NOT-FOR-US: Moses CVE-2023-6308 (A vulnerability, which was classified as critical, has been found in X ...) NOT-FOR-US: Xiamen Four-Faith Video Surveillance Management System CVE-2023-6307 (A vulnerability classified as critical was found in jeecgboot JimuRepo ...) @@ -39,7 +39,7 @@ CVE-2023-6298 (A vulnerability classified as problematic was found in Apryse iTe CVE-2023-6297 (A vulnerability classified as problematic has been found in PHPGurukul ...) NOT-FOR-US: PHPGurukul CVE-2023-6296 (A vulnerability was found in osCommerce 4. It has been rated as proble ...) - TODO: check + NOT-FOR-US: osCommerce CVE-2023-49322 (Certain WithSecure products allow a Denial of Service because there is ...) NOT-FOR-US: WithSecure CVE-2023-49321 (Certain WithSecure products allow a Denial of Service because scanning ...) 
@@ -45682,7 +45682,7 @@ CVE-2023-25634 CVE-2023-25633 RESERVED CVE-2023-25632 (The Android Mobile Whale browser app before 3.0.1.2 allows the attacke ...) - TODO: check + NOT-FOR-US: Whale browser CVE-2023-25631 RESERVED CVE-2023-25630 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68d07de7849df784dabbb9ece5311899ed4a8f41
[Git][security-tracker-team/security-tracker][master] fastdds DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 53064de5 by Moritz Mühlenhoff at 2023-11-27T20:13:58+01:00 fastdds DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[27 Nov 2023] DSA-5568-1 fastdds - security update + {CVE-2023-42459} + [bookworm] - fastdds 2.9.1+ds-1+deb12u2 [27 Nov 2023] DSA-5567-1 tiff - security update {CVE-2023-3576 CVE-2023-40745 CVE-2023-41175} [bullseye] - tiff 4.2.0-1+deb11u5 = data/dsa-needed.txt = @@ -16,8 +16,6 @@ cryptojs -- dnsdist (jmm) -- -fastdds (jmm) --- freeimage (jmm) -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53064de5cb6c740a7699712c44ebff8dcaa8be92
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3669-1 for cryptojs
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: cecc9598 by Guilhem Moulin at 2023-11-27T19:51:00+01:00 Reserve DLA-3669-1 for cryptojs - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[27 Nov 2023] DLA-3669-1 cryptojs - security update + {CVE-2023-46233} + [buster] - cryptojs 3.1.2+dfsg-2+deb10u1 [27 Nov 2023] DLA-3668-1 opensc - security update {CVE-2023-40660 CVE-2023-40661} [buster] - opensc 0.19.0-1+deb10u3 = data/dla-needed.txt = @@ -44,9 +44,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cryptojs (guilhem) - NOTE: 20231119: Added by Front-Desk (apo) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cecc95986fad1de59ced1df98928feb67139595f
[Git][security-tracker-team/security-tracker][master] Claim bouncycastle and squid in dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 79f6e7d8 by Markus Koschany at 2023-11-27T19:43:26+01:00 Claim bouncycastle and squid in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231119: almost done with testing -- -bouncycastle +bouncycastle (Markus Koschany) NOTE: 20231127: Added by Front-Desk (Beuc) NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) -- @@ -221,7 +221,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -squid +squid (Markus Koschany) NOTE: 20231102: Added by Front-Desk (lamby) -- suricata (Adrian Bunk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/79f6e7d8bef1f46d3da8fcb2043bcc3cbea6b48e
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ee4af7e by Salvatore Bonaccorso at 2023-11-27T19:13:25+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2023-43701 + NOT-FOR-US: Apache Superset +CVE-2023-42501 + NOT-FOR-US: Apache Superset +CVE-2023-40610 + NOT-FOR-US: Apache Superset CVE-2023-6313 (A vulnerability was found in SourceCodester URL Shortener 1.0. It has ...) NOT-FOR-US: SourceCodester URL Shortener CVE-2023-6312 (A vulnerability was found in SourceCodester Loan Management System 1.0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ee4af7e8f73bbdfe5658cb10da01de1551512d0
[Git][security-tracker-team/security-tracker][master] Add additional CVE for glewlwyd bullseye-pu update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c864d61 by Salvatore Bonaccorso at 2023-11-27T19:02:19+01:00 Add additional CVE for glewlwyd bullseye-pu update - - - - - 1 changed file: - data/next-oldstable-point-update.txt Changes: = data/next-oldstable-point-update.txt = @@ -20,6 +20,8 @@ CVE-2022-27240 [bullseye] - glewlwyd 2.5.2-2+deb11u3 CVE-2022-29967 [bullseye] - glewlwyd 2.5.2-2+deb11u3 +CVE-2023-49208 + [bullseye] - glewlwyd 2.5.2-2+deb11u3 CVE-2021-24119 [bullseye] - mbedtls 2.16.12-0+deb11u1 CVE-2021-44732 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c864d612411a3e09c27b969c2e5e0dedc0a2ec5
[Git][security-tracker-team/security-tracker][master] Add additional CVEs for hoteldruid
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 887df33a by Salvatore Bonaccorso at 2023-11-27T18:56:23+01:00 Add additional CVEs for hoteldruid Thanks to upstream for confirming the validity of the CVEs (though not yet published) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65468,8 +65468,15 @@ CVE-2022-45594 RESERVED CVE-2022-45593 RESERVED -CVE-2022-45592 +CVE-2023-34854 [Authenticated remote code execution via backup/restore in HotelDruid] + - hoteldruid 3.0.6-1 + [bookworm] - hoteldruid (Minor issue) + [bullseye] - hoteldruid (Minor issue) +CVE-2022-45592 [(1) Server Side Request Forgery (SSRF), (2) persistant Cross site scripting (XSS), and (3) File upload vulnerability.] RESERVED + - hoteldruid 3.0.6-1 + [bookworm] - hoteldruid (Minor issue) + [bullseye] - hoteldruid (Minor issue) CVE-2022-45591 RESERVED CVE-2022-45590 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/887df33ab5bb5b160e419e30661dec18342a593a
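Review bot: the two new entries are marked inconsistently for CVEs the commit message says are not yet published: CVE-2022-45592 keeps its RESERVED context line under the new bracketed description, while CVE-2023-34854 is added directly above it with no RESERVED line at all; one form should be used for both. Two smaller points in the same hunk: `persistant` in the CVE-2022-45592 description is a typo for `persistent`, and CVE-2023-34854 is placed between CVE-2022-45593 and CVE-2022-45592, which breaks the descending ID order visible in the surrounding context lines and may need moving to the 2023 block.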
[Git][security-tracker-team/security-tracker][master] CVE-2023-6277/tiff: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9159033d by Sylvain Beucler at 2023-11-27T18:09:42+01:00 CVE-2023-6277/tiff: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58,6 +58,7 @@ CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tif - tiff 4.5.1+git230720-2 (bug #1056751) [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) + [buster] - tiff (Minor issue; OOM DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9159033d75a9da0f96181f549fe95231f8c8b375
[Git][security-tracker-team/security-tracker][master] CVE-2019-14744/kde4libs: precise stretch context
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 7910bbdb by Sylvain Beucler at 2023-11-27T17:54:04+01:00 CVE-2019-14744/kde4libs: precise stretch context - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -305449,6 +305449,7 @@ CVE-2019-14744 (In KDE Frameworks KConfig before 5.61.0, malicious desktop files NOTE: https://kde.org/info/security/advisory-20190807-1.txt NOTE: kconfig: https://github.com/KDE/kconfig/commit/5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22 NOTE: kdelibs: https://github.com/KDE/kdelibs/commit/2c3762feddf7e66cf6b64d9058f625a715694a00 + NOTE: stretch desktop users affected through dolphin (kconfig), and also through dolphin4 and konqueror (kde4libs) CVE-2019-14743 (In Valve Steam Client for Windows through 2019-08-07, HKLM\SOFTWARE\Wo ...) NOT-FOR-US: Valve Steam Client for Windows CVE-2019-14742 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7910bbdb4a8a7625c897b16f812c99a68fdc8d35
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 35cf6256 by Moritz Muehlenhoff at 2023-11-27T17:11:29+01:00 bullseye/bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2943,6 +2943,8 @@ CVE-2023-47004 (Buffer Overflow vulnerability in Redis RedisGraph v.2.x through NOT-FOR-US: RedisGraph CVE-2023-46998 (Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through ...) - libjs-bootbox (bug #1055612) + [bookworm] - libjs-bootbox (Minor issue) + [bullseye] - libjs-bootbox (Minor issue) NOTE: https://github.com/bootboxjs/bootbox/issues/661 CVE-2023-46845 (EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, ...) NOT-FOR-US: EC-CUBE @@ -6489,6 +6491,7 @@ CVE-2023-42497 (Reflected cross-site scripting (XSS) vulnerability on the Export NOT-FOR-US: Liferay Portal CVE-2023-42459 (Fast DDS is a C++ implementation of the DDS (Data Distribution Service ...) - fastdds 2.11.2+ds-6 (bug #1054163) + [bullseye] - fastdds (Vulnerable code not present) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm NOTE: https://github.com/eProsima/Fast-DDS/issues/3207 NOTE: https://github.com/eProsima/Fast-DDS/pull/3824 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/35cf6256accda513d05dc3bac764eff195fe21ad
[Git][security-tracker-team/security-tracker][master] dla: add bouncycastle
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d193738 by Sylvain Beucler at 2023-11-27T13:57:12+01:00 dla: add bouncycastle - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,6 +29,10 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231119: almost done with testing -- +bouncycastle + NOTE: 20231127: Added by Front-Desk (Beuc) + NOTE: 20231127: Also fix pending no-dsa CVEs, in particular CVE-2020-26939 was fixed in stretch-lts (Beuc/front-desk) +-- cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d193738dabedb79891edc450ad921fe98143761
[Git][security-tracker-team/security-tracker][master] dla: add gimp-dds
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 030c6248 by Sylvain Beucler at 2023-11-27T13:35:16+01:00 dla: add gimp-dds - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -64,6 +64,9 @@ flatpak frr NOTE: 20231119: Added by Front-Desk (apo) -- +gimp-dds + NOTE: 20231127: Added by Front-Desk (Beuc) +-- gst-plugins-bad1.0 (Thorsten Alteholz) NOTE: 20231118: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/030c624874c6092868ba6b2080c3086af0b20898
[Git][security-tracker-team/security-tracker][master] LTS: reclaim mediawiki in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: bce34a0d by Guilhem Moulin at 2023-11-27T12:57:33+01:00 LTS: reclaim mediawiki in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,7 +113,7 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mediawiki +mediawiki (guilhem) NOTE: 20231011: Added by Front-Desk (ta) -- minizip (Thorsten Alteholz) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bce34a0dbd2156d3e226ad5531299bf3b7ec51b5
[Git][security-tracker-team/security-tracker][master] dla: add zfs-linux
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: ddbf19b5 by Sylvain Beucler at 2023-11-27T12:28:46+01:00 dla: add zfs-linux - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -252,3 +252,6 @@ zabbix zbar NOTE: 20231119: Added by Front-Desk (apo) -- +zfs-linux + NOTE: 20231127: Added by Front-Desk (Beuc) +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ddbf19b52675135e49cd264dda61323b90e14904
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim python-django.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 27e8ac71 by Chris Lamb at 2023-11-27T10:47:18+00:00 data/dla-needed.txt: Claim python-django. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -158,7 +158,7 @@ postgresql-multicorn (rouca) NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -python-django +python-django (Chris Lamb) NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/27e8ac71e656c4164ae0274bdd5361d3051cf2dc
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 63c2ddcc by Moritz Muehlenhoff at 2023-11-27T11:26:48+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -56,6 +56,8 @@ CVE-2023-6293 (Prototype Pollution in GitHub repository robinbuschmann/sequelize NOT-FOR-US: sequelize-typescript CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tiff fil ...) - tiff 4.5.1+git230720-2 (bug #1056751) + [bookworm] - tiff (Minor issue) + [bullseye] - tiff (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a = data/dsa-needed.txt = @@ -16,8 +16,9 @@ cryptojs -- dnsdist (jmm) -- -fastdds - Awaiting feedback from maintainer on bullseye status +fastdds (jmm) +-- +freeimage (jmm) -- frr -- @@ -81,6 +82,8 @@ samba/oldstable -- squid -- +varnish +-- xen (jmm) -- zbar View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63c2ddccd503001d583047ce4b7db7e17d270d9f
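Review bot: in the dsa-needed.txt part of this patch the line `Awaiting feedback from maintainer on bullseye status` is dropped from the fastdds entry when it is claimed, but nothing in the hunk records how that question was answered; if the bullseye status has been settled it belongs on the CVE-2023-42459 entry in data/CVE/list as a suite line, and if not the note should survive the claim so the open question is not lost.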
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e8a90ad by Roberto C. Sánchez at 2023-11-27T04:23:35-05:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,7 +113,7 @@ linux (Ben Hutchings) linux-5.10 NOTE: 20231005: perma-added for LTS package-specific delegation (bwh) -- -mediawiki (guilhem) +mediawiki NOTE: 20231011: Added by Front-Desk (ta) -- minizip (Thorsten Alteholz) @@ -158,7 +158,7 @@ postgresql-multicorn (rouca) NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -python-django (Chris Lamb) +python-django NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Fix the 4 no-dsa issues that are fixed in all other dists (Beuc/front-desk) NOTE: 20231020: ^ CVE-2021-28658, CVE-2021-31542, CVE-2021-33203 & CVE-2021-33571. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e8a90ae8d2faea4e41267f9d9b064b944c3
[Git][security-tracker-team/security-tracker][master] Add fixed version via unstable for CVE-2023-46118/rabbitmq-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89dee89d by Salvatore Bonaccorso at 2023-11-27T10:17:28+01:00 Add fixed version via unstable for CVE-2023-46118/rabbitmq-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5040,7 +5040,7 @@ CVE-2023-46120 (The RabbitMQ Java client library allows Java and JVM-based appli CVE-2023-46119 (Parse Server is an open source backend that can be deployed to any inf ...) NOT-FOR-US: Parse Server CVE-2023-46118 (RabbitMQ is a multi-protocol messaging and streaming broker. HTTP API ...) - - rabbitmq-server (bug #1056723) + - rabbitmq-server 3.10.8-3 (bug #1056723) [bookworm] - rabbitmq-server (Minor issue) [bullseye] - rabbitmq-server (Minor issue) NOTE: https://github.com/rabbitmq/rabbitmq-server/security/advisories/GHSA-w6cq-9cf4-gqpg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89dee89d91eebe8fa3fe36b587318f354cc5dd6a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89dee89d91eebe8fa3fe36b587318f354cc5dd6a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
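Review bot: the fixed version 3.10.8-3 is a Debian revision bump on the same upstream 3.10.8, i.e. a patch backported in unstable rather than a new upstream release, so the bookworm/bullseye "(Minor issue)" lines staying unchanged is the expected state here. Within the visible context the entry references only the GHSA advisory (GHSA-w6cq-9cf4-gqpg); a NOTE pointing at the upstream commit that 3.10.8-3 backported, as the libtiff entries do with their gitlab commit links, would make it easier to re-evaluate the stable releases against the exact patch later.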
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e383e38 by Salvatore Bonaccorso at 2023-11-27T09:28:54+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,45 +1,45 @@ CVE-2023-6313 (A vulnerability was found in SourceCodester URL Shortener 1.0. It has ...) - TODO: check + NOT-FOR-US: SourceCodester URL Shortener CVE-2023-6312 (A vulnerability was found in SourceCodester Loan Management System 1.0 ...) - TODO: check + NOT-FOR-US: SourceCodester Loan Management System CVE-2023-6311 (A vulnerability was found in SourceCodester Loan Management System 1.0 ...) - TODO: check + NOT-FOR-US: SourceCodester Loan Management System CVE-2023-6310 (A vulnerability has been found in SourceCodester Loan Management Syste ...) - TODO: check + NOT-FOR-US: SourceCodester Loan Management System CVE-2023-6309 (A vulnerability, which was classified as critical, was found in moses- ...) TODO: check CVE-2023-6308 (A vulnerability, which was classified as critical, has been found in X ...) - TODO: check + NOT-FOR-US: Xiamen Four-Faith Video Surveillance Management System CVE-2023-6307 (A vulnerability classified as critical was found in jeecgboot JimuRepo ...) - TODO: check + NOT-FOR-US: jeecgboot JimuReport CVE-2023-6306 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Free and Open Source Inventory Management System CVE-2023-6305 (A vulnerability was found in SourceCodester Free and Open Source Inven ...) - TODO: check + NOT-FOR-US: SourceCodester Free and Open Source Inventory Management System CVE-2023-6304 (A vulnerability was found in Tecno 4G Portable WiFi TR118 TR118-M30E-R ...) - TODO: check + NOT-FOR-US: Tecno 4G Portable WiFi TR118 CVE-2023-6303 (A vulnerability was found in CSZCMS 1.3.0. It has been classified as p ...) - TODO: check + NOT-FOR-US: CSZCMS CVE-2023-6302 (A vulnerability was found in CSZCMS 1.3.0 and classified as critical. ...) - TODO: check + NOT-FOR-US: CSZCMS CVE-2023-6301 (A vulnerability has been found in SourceCodester Best Courier Manageme ...) 
- TODO: check + NOT-FOR-US: SourceCodester Best Courier Management System CVE-2023-6300 (A vulnerability, which was classified as problematic, was found in Sou ...) - TODO: check + NOT-FOR-US: SourceCodester Best Courier Management System CVE-2023-6299 (A vulnerability, which was classified as problematic, has been found i ...) TODO: check CVE-2023-6298 (A vulnerability classified as problematic was found in Apryse iText 8. ...) TODO: check CVE-2023-6297 (A vulnerability classified as problematic has been found in PHPGurukul ...) - TODO: check + NOT-FOR-US: PHPGurukul CVE-2023-6296 (A vulnerability was found in osCommerce 4. It has been rated as proble ...) TODO: check CVE-2023-49322 (Certain WithSecure products allow a Denial of Service because there is ...) - TODO: check + NOT-FOR-US: WithSecure CVE-2023-49321 (Certain WithSecure products allow a Denial of Service because scanning ...) - TODO: check + NOT-FOR-US: WithSecure CVE-2023-49312 (Precision Bridge PrecisionBridge.exe (aka the thick client) before 7.3 ...) - TODO: check + NOT-FOR-US: Precision Bridge CVE-2023-47039 - perl (Windows specific issue) CVE-2023-47038 [Write past buffer end via illegal user-defined Unicode property] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e383e387ba188c7ae14410fc3e1e379e174dace -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3e383e387ba188c7ae14410fc3e1e379e174dace You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
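Review bot: four entries deliberately keep TODO: check (CVE-2023-6309 for moses-..., CVE-2023-6299, CVE-2023-6298 for Apryse iText 8, CVE-2023-6296 for osCommerce 4), while the SourceCodester, Xiamen Four-Faith, jeecgboot JimuReport, Tecno, CSZCMS, PHPGurukul, WithSecure and Precision Bridge entries are marked NOT-FOR-US, which is consistent with those being hosted or vendor-only products. For CVE-2023-6298 the description names a library rather than a hosted application, so the remaining check should include a lookup of the Debian archive for packaged copies or forks before it is also set to NOT-FOR-US on the vendor name alone. The NOT-FOR-US product strings are written out in full and identically across related entries (the same "SourceCodester Free and Open Source Inventory Management System" for CVE-2023-6306 and CVE-2023-6305, the same "SourceCodester Loan Management System" for CVE-2023-6312 through CVE-2023-6310), which keeps them greppable.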
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 37aca15d by security tracker role at 2023-11-27T08:11:38+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,45 @@ +CVE-2023-6313 (A vulnerability was found in SourceCodester URL Shortener 1.0. It has ...) + TODO: check +CVE-2023-6312 (A vulnerability was found in SourceCodester Loan Management System 1.0 ...) + TODO: check +CVE-2023-6311 (A vulnerability was found in SourceCodester Loan Management System 1.0 ...) + TODO: check +CVE-2023-6310 (A vulnerability has been found in SourceCodester Loan Management Syste ...) + TODO: check +CVE-2023-6309 (A vulnerability, which was classified as critical, was found in moses- ...) + TODO: check +CVE-2023-6308 (A vulnerability, which was classified as critical, has been found in X ...) + TODO: check +CVE-2023-6307 (A vulnerability classified as critical was found in jeecgboot JimuRepo ...) + TODO: check +CVE-2023-6306 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2023-6305 (A vulnerability was found in SourceCodester Free and Open Source Inven ...) + TODO: check +CVE-2023-6304 (A vulnerability was found in Tecno 4G Portable WiFi TR118 TR118-M30E-R ...) + TODO: check +CVE-2023-6303 (A vulnerability was found in CSZCMS 1.3.0. It has been classified as p ...) + TODO: check +CVE-2023-6302 (A vulnerability was found in CSZCMS 1.3.0 and classified as critical. ...) + TODO: check +CVE-2023-6301 (A vulnerability has been found in SourceCodester Best Courier Manageme ...) + TODO: check +CVE-2023-6300 (A vulnerability, which was classified as problematic, was found in Sou ...) + TODO: check +CVE-2023-6299 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-6298 (A vulnerability classified as problematic was found in Apryse iText 8. ...) + TODO: check +CVE-2023-6297 (A vulnerability classified as problematic has been found in PHPGurukul ...) + TODO: check +CVE-2023-6296 (A vulnerability was found in osCommerce 4. It has been rated as proble ...) 
+ TODO: check +CVE-2023-49322 (Certain WithSecure products allow a Denial of Service because there is ...) + TODO: check +CVE-2023-49321 (Certain WithSecure products allow a Denial of Service because scanning ...) + TODO: check +CVE-2023-49312 (Precision Bridge PrecisionBridge.exe (aka the thick client) before 7.3 ...) + TODO: check CVE-2023-47039 - perl (Windows specific issue) CVE-2023-47038 [Write past buffer end via illegal user-defined Unicode property] @@ -3109,6 +3151,7 @@ CVE-2023-41685 (Improper Neutralization of Special Elements used in an SQL Comma CVE-2023-41378 (In certain conditions for Calico Typha (v3.26.2, v3.25.1 and below), a ...) NOT-FOR-US: Calico Typha CVE-2023-40661 (Several memory vulnerabilities were identified within the OpenSC packa ...) + {DLA-3668-1} - opensc 0.23.0-2 (bug #1055522) [bookworm] - opensc (Minor issue) [bullseye] - opensc (Minor issue) @@ -3116,6 +3159,7 @@ CVE-2023-40661 (Several memory vulnerabilities were identified within the OpenSC NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40661 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2240913#c1 CVE-2023-40660 (A flaw was found in OpenSC packages that allow a potential PIN bypass. ...) + {DLA-3668-1} - opensc 0.23.0-2 (bug #1055521) [bookworm] - opensc (Minor issue) [bullseye] - opensc (Minor issue) @@ -8694,6 +8738,7 @@ CVE-2023-3701 (Aqua Drive, in its 2.4 version, is vulnerable to a relative path CVE-2023-3665 (A code injection vulnerability in Trellix ENS 10.7.0 April 2023 releas ...) NOT-FOR-US: Trellix CVE-2023-3576 (A memory leak flaw was found in Libtiff's tiffcrop utility. This issue ...) + {DSA-5567-1} - tiff 4.5.1~rc3-1 [buster] - tiff (Minor issue, memory leak in CLI tool) NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/475 
@@ -18945,13 +18990,13 @@ CVE-2023-32232 (An issue was discovered in Vasion PrinterLogic Client for Window CVE-2023-32231 (An issue was discovered in Vasion PrinterLogic Client for Windows befo ...) NOT-FOR-US: Vasion CVE-2023-41175 (A vulnerability was found in libtiff due to multiple potential integer ...) - {DLA-3513-1} + {DSA-5567-1 DLA-3513-1} - tiff 4.5.1+git230720-1 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/592 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/6e2dac5f904496d127c92ddc4e56eccfca25c2ee NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2235264 CVE-2023-40745 (LibTIFF is vulnerable to
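Review bot: the opensc hunks add {DLA-3668-1} to CVE-2023-40661 and CVE-2023-40660 while their bookworm and bullseye lines remain "(Minor issue)", so buster (LTS) now carries a fix that the two supported stable releases do not; that is not an error in an automatic update, which only records the published DLA, but it is worth a triage pass to decide whether the same backport should reach bookworm and bullseye through a point release, since the "Minor issue" tags were set before an LTS upload existed. The tiff hunks adding {DSA-5567-1} to CVE-2023-3576 and to CVE-2023-41175 (alongside the existing DLA-3513-1) need no manual change; the buster note "Minor issue, memory leak in CLI tool" on CVE-2023-3576 stays correct because a DSA does not cover buster.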