Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 41e49df1 by Moritz Muehlenhoff at 2024-05-09T13:26:56+02:00 NFUS also track xpdf issues as NFU, poppler forked from xpdf almost 20 years ago and is regularly fuzzed by oss-fuzz, no real point to assume that new xpdf issues still affect it and if no PoC is available we can't reliably track this down anyway and these end up causing spam - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -29,7 +29,7 @@ CVE-2024-2454 (An issue has been discovered in GitLab CE/EE affecting all versio CVE-2024-28759 (A crafted network packet may cause a buffer overrun in Wind River VxWo ...) NOT-FOR-US: Wind River CVE-2024-27793 (The issue was addressed with improved checks. This issue is fixed in i ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-26517 (SQL Injection vulnerability in School Task Manager v.1.0 allows a remo ...) NOT-FOR-US: School Task Manager CVE-2023-6688 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) @@ -37,7 +37,7 @@ CVE-2023-6688 (An issue has been discovered in GitLab CE/EE affecting all versio CVE-2023-6682 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - gitlab <unfixed> CVE-2023-5971 (The Save as PDF Plugin by Pdfcrowd WordPress plugin before 3.2.0 does ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29510 - ghostscript <unfixed> NOTE: https://ghostscript.readthedocs.io/en/gs10.03.1/News.html @@ -529,7 +529,7 @@ CVE-2024-29150 (An issue was discovered in Alcatel-Lucent ALE NOE deskphones thr CVE-2024-29149 (An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 8 ...) NOT-FOR-US: Alcatel-Lucent ALE NOE deskphones CVE-2024-28148 (An authenticated user could potentially access metadata for a datasour ...) - TODO: check + NOT-FOR-US: Apache Superset CVE-2024-25514 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vu ...) NOT-FOR-US: RuvarOA CVE-2024-25513 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vu ...) @@ -547,13 +547,13 @@ CVE-2024-25508 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL inject CVE-2024-25507 (RuvarOA v6.01 and v12.01 were discovered to contain a SQL injection vu ...) NOT-FOR-US: RuvarOA CVE-2023-7240 (An improper authorization level has been detected in the login panel. ...) - TODO: check + NOT-FOR-US: NetIQ Identity Console CVE-2023-6810 (The ClickCease Click Fraud Protection plugin for WordPress is vulnerab ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-46012 (Buffer Overflow vulnerability LINKSYS EA7500 3.0.1.207964 allows a rem ...) - TODO: check + NOT-FOR-US: LINKSYS CVE-2023-42757 (Process Explorer before 17.04 allows attackers to make it functionally ...) - TODO: check + NOT-FOR-US: Buffer Overflow CVE-2024-4559 (Heap buffer overflow in WebAudio in Google Chrome prior to 124.0.6367. ...) {DSA-5683-1} - chromium 124.0.6367.155-1 @@ -647,7 +647,7 @@ CVE-2024-1695 (A potential security vulnerability has been identified in the HP CVE-2023-33548 (Cross Site Scripting (XSS) vulnerability in ASUS RT-AC51U with firmwar ...) NOT-FOR-US: ASUS CVE-2024-4568 (In Xpdf 4.05 (and earlier), a PDF object loop in the PDF resources lea ...) - TODO: check + NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago) CVE-2024-4549 (A denial of service vulnerability exists in Delta Electronics DIAEnerg ...) NOT-FOR-US: Delta Electronics CVE-2024-4548 (An SQLi vulnerability exists inDelta Electronics DIAEnergie v1.10.1.86 ...) @@ -731,7 +731,7 @@ CVE-2024-34524 (In XLANG OpenAgents through fe73ac4, the allowed_file protection CVE-2024-34519 (Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles ...) NOT-FOR-US: Avantra Server CVE-2024-34515 (image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the ph ...) - TODO: check + NOT-FOR-US: PHP image-optimizer CVE-2024-34472 (An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18 ...) NOT-FOR-US: HSC Mailinspector CVE-2024-34471 (An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversa ...) @@ -868,7 +868,7 @@ CVE-2024-33121 (Roothub v2.6 was discovered to contain a SQL injection vulnerabi CVE-2024-33118 (LuckyFrameWeb v3.5.2 was discovered to contain an arbitrary read vulne ...) NOT-FOR-US: LuckyFrameWeb CVE-2024-33117 (crmeb_java v1.3.4 was discovered to contain a Server-Side Request Forg ...) - TODO: check + NOT-FOR-US: crmeb_java CVE-2024-33113 (D-LINK DIR-845L <=v1.01KRb03 is vulnerable to Information disclosurey ...) NOT-FOR-US: D-LINK CVE-2024-33112 (D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Command ...) @@ -878,7 +878,7 @@ CVE-2024-33111 (D-Link DIR-845L router <=v1.01KRb03 is vulnerable to Cross Site CVE-2024-33110 (D-Link DIR-845L router v1.01KRb03 and before is vulnerable to Permissi ...) NOT-FOR-US: D-LINK CVE-2024-32982 (Litestar and Starlite is an Asynchronous Server Gateway Interface (ASG ...) - TODO: check + NOT-FOR-US: litestar CVE-2024-32972 (go-ethereum (geth) is a golang execution layer implementation of the E ...) - golang-github-go-ethereum <itp> (bug #890541) CVE-2024-32807 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) @@ -888,51 +888,51 @@ CVE-2024-2041 CVE-2024-26312 (Archer Platform 6 before 2024.03 contains a sensitive information disc ...) NOT-FOR-US: Archer Platform CVE-2024-23354 (Memory corruption when the IOCTL call is interrupted by a signal.) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-23351 (Memory corruption as GPU registers beyond the last protected range can ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-23193 (E-Mails exported as PDF were stored in a cache that did not consider s ...) - TODO: check + NOT-FOR-US: Open-Xchange CVE-2024-23188 (Maliciously crafted E-Mail attachment names could be used to temporari ...) - TODO: check + NOT-FOR-US: Open-Xchange CVE-2024-23187 (Content-ID based embedding of resources in E-Mails could be abused to ...) - TODO: check + NOT-FOR-US: Open-Xchange CVE-2024-23186 (E-Mail containing malicious display-name information could trigger cli ...) - TODO: check + NOT-FOR-US: Open-Xchange CVE-2024-21480 (Memory corruption while playing audio file having large-sized input bu ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-21477 (Transient DOS while parsing a protected 802.11az Fine Time Measurement ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-21476 (Memory corruption when the channel ID passed by user is not validated ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-21475 (Memory corruption when the payload received from firmware is not as pe ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-21474 (Memory corruption when size of buffer from previous call is used witho ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-21471 (Memory corruption when IOMMU unmap of a GPU buffer fails in Linux.) - TODO: check + NOT-FOR-US: Qualcomm CVE-2024-20064 (In wlan service, there is a possible out of bounds write due to improp ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-20060 (In da, there is a possible escalation of privilege due to an incorrect ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-20059 (In da, there is a possible escalation of privilege due to an incorrect ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-20058 (In keyInstall, there is a possible out of bounds read due to a missing ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-20057 (In keyInstall, there is a possible out of bounds write due to a missin ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-20056 (In preloader, there is a possible escalation of privilege due to an in ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-20021 (In atf spm, there is a possible way to remap physical memory to virtua ...) - TODO: check + NOT-FOR-US: MediaTek CVE-2024-0904 (The Fancy Product Designer WordPress plugin before 6.1.81 does not san ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-6854 (The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-49676 (An unauthenticated local attacker may trick a user to open corrupted p ...) - TODO: check + NOT-FOR-US: CODESYS CVE-2023-49675 (An unauthenticated local attacker may trick a user to open corrupted p ...) - TODO: check + NOT-FOR-US: CODESYS CVE-2023-43531 (Memory corruption while verifying the serialized header when the key p ...) TODO: check CVE-2023-43530 (Memory corruption in HLOS while checking for the storage type.) @@ -5506,8 +5506,7 @@ CVE-2024-4058 (Type confusion in ANGLE in Google Chrome prior to 124.0.6367.78 a [bullseye] - chromium <end-of-life> (see #1061268) [buster] - chromium <end-of-life> (see DSA 5046) CVE-2024-4141 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by an in ...) - - poppler <undetermined> - NOTE: Might possibly affect poppler, xpdf in Debian uses it + NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago) CVE-2024-4127 (A vulnerability was found in Tenda W15E 15.11.0.14. It has been classi ...) NOT-FOR-US: Tenda CVE-2024-4126 (A vulnerability was found in Tenda W15E 15.11.0.14 and classified as c ...) @@ -6806,8 +6805,7 @@ CVE-2024-3906 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has be CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has been cl ...) NOT-FOR-US: Tenda CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long ...) - - poppler <undetermined> - NOTE: Might possibly affect poppler, pdf in Debian uses it + NOT-FOR-US: xpdf (Debian uses poppler, which forked a long time ago) CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...) NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e49df1c704238ba743f7d0d7e5063b67b20c01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41e49df1c704238ba743f7d0d7e5063b67b20c01 You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits