[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1637/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90a6b2ec by Salvatore Bonaccorso at 2023-03-27T08:46:07+02:00 Add CVE-2023-1637/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,6 +2,11 @@ CVE-2023-28859 (redis-py through 4.5.3 leaves a connection open after canceling TODO: check CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a ...) TODO: check +CVE-2023-1637 [x86/speculation: Restore speculation related MSRs during S3 resume] + - linux 5.17.3-1 + [bullseye] - linux 5.10.113-1 + [buster] - linux 4.19.249-1 + NOTE: https://git.kernel.org/linus/e2a1256b17b16f9b9adf1b6fea56819e7b68e463 (5.18-rc2) CVE-2023-1636 RESERVED CVE-2023-1635 (A vulnerability was found in OTCMS 6.72. It has been declared as probl ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90a6b2ec34d9364f235c5981c8731094eaf173ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90a6b2ec34d9364f235c5981c8731094eaf173ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
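Review bot: the new CVE-2023-1637 entry records 5.17.3-1, 5.10.113-1 and 4.19.249-1 as fixed versions, but the only NOTE points at the mainline commit tagged (5.18-rc2); add the stable backport references, or a short note that the fix was backported to the 5.17.x, 5.10.x and 4.19.x stable series, so a reader can see why a 5.17 package counts as fixed. The bracketed title ([x86/speculation: ...]) is a locally supplied description rather than published CVE text, so this entry will need reconciling once the CVE is published.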
[Git][security-tracker-team/security-tracker][master] 3 commits: LTS: add hotspot to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: b483632b by Anton Gladky at 2023-03-27T06:01:55+02:00 LTS: add hotspot to dla-needed.txt - - - - - 189be72a by Anton Gladky at 2023-03-27T06:01:55+02:00 LTS: add json-smart to dla-needed.txt - - - - - 20d75842 by Anton Gladky at 2023-03-27T06:40:01+02:00 LTS: update notes for 389-ds-base - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -17,6 +17,7 @@ rather than remove/replace existing ones. NOTE: 20221231: Programming language: C. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git + NOTE: 20230227: test new CI -- apache2 NOTE: 20230312: Programming language: C. @@ -120,6 +121,9 @@ hdf5 NOTE: 20230318: Enrico did some work around hdf5* packaging in the past, probably NOTE: 20230318: sync w/ him. (utkarsh) -- +hotspot + NOTE: 20230324: Programming language: C++. +-- intel-microcode (tobi) NOTE: 20230219: Programming language: Binary blob. NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git 
@@ -127,6 +131,9 @@ intel-microcode (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. NOTE: 20230317: now in unstable. prepared SPU for bullseye (#1033079), prepared update for buster, stretch and jessie, available in LTS repo. (tobi) -- +json-smart + NOTE: 20230324: Programming language: Java. +-- libmicrohttpd (Thorsten Alteholz) NOTE: 20230313: Programming language: C. NOTE: 20230326: testing package View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc28cbbea8b9ba52d5b8952a979ce95979363c38...20d7584284af7e241629d731c16f387e043141c0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fc28cbbea8b9ba52d5b8952a979ce95979363c38...20d7584284af7e241629d731c16f387e043141c0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
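Review bot: the 389-ds-base note added in the first hunk is dated 20230227 while the push is dated 2023-03-27 and the other notes in this series use 20230324, so this looks like a typo for 20230327; 'test new CI' should also say what is being tested (presumably the pipeline of the VCS linked on the line above). The new hotspot and json-smart entries carry only a Programming language note, whereas the neighbouring entries (389-ds-base, intel-microcode) also record a VCS URL; add one for consistency where a repository exists.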
[Git][security-tracker-team/security-tracker][master] update notes
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: fc28cbbe by Thorsten Alteholz at 2023-03-26T23:27:22+02:00 update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -56,6 +56,7 @@ docker.io (gladk) duktape (Thorsten Alteholz, maintainer) NOTE: 20230311: Programming language: C. NOTE: 20230311: Maintainer notes: Maintainer prepares o-o-s updates. + NOTE: 20230326: testing package -- emacs (Adrian Bunk) NOTE: 20230223: Programming language: Lisp. @@ -128,6 +129,7 @@ intel-microcode (tobi) -- libmicrohttpd (Thorsten Alteholz) NOTE: 20230313: Programming language: C. + NOTE: 20230326: testing package -- linux (Ben Hutchings) NOTE: 20230111: Programming language: C View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc28cbbea8b9ba52d5b8952a979ce95979363c38 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc28cbbea8b9ba52d5b8952a979ce95979363c38 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
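Review bot: 'NOTE: 20230326: testing package', added for both duktape and libmicrohttpd, is ambiguous between testing the prepared update and the package in the testing suite; suggest 'testing the prepared update' (or similar) so the next person reading dla-needed.txt knows the state of the work.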
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3368-1 for libreoffice
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 44619aae by Bastien Roucariès at 2023-03-26T20:41:39+00:00 Reserve DLA-3368-1 for libreoffice - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -85380,17 +85380,14 @@ CVE-2022-26308 (Pandora FMS v7.0NG.760 and below allows an improper access contr CVE-2022-26307 (LibreOffice supports the storage of passwords for web connections in t ...) - libreoffice 1:7.3.3~rc1-2 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 - [buster] - libreoffice (Minor issue) NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26307 CVE-2022-26306 (LibreOffice supports the storage of passwords for web connections in t ...) - libreoffice 1:7.3.3~rc1-2 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 - [buster] - libreoffice (Minor issue) NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26306 CVE-2022-26305 (An Improper Certificate Validation vulnerability in LibreOffice existe ...) - libreoffice 1:7.3.2~rc2-1 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 - [buster] - libreoffice (Minor issue) NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2022-26305 CVE-2022-26301 (TuziCMS v2.0.6 was discovered to contain a SQL injection vulnerability ...) NOT-FOR-US: TuziCMS @@ -157240,7 +157237,6 @@ CVE-2021-25637 CVE-2021-25636 (LibreOffice supports digital signatures of ODF documents and macros wi ...) - libreoffice 1:7.3.0-1 [bullseye] - libreoffice 1:7.0.4-4+deb11u2 - [buster] - libreoffice (Minor issue) [stretch] - libreoffice (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2056955 NOTE: https://www.libreoffice.org/about-us/security/advisories/CVE-2021-25636 = data/DLA/list = 
@@ -1,3 +1,6 @@ +[26 Mar 2023] DLA-3368-1 libreoffice - security update + {CVE-2021-25636 CVE-2022-3140 CVE-2022-26305 CVE-2022-26306 CVE-2022-26307} + [buster] - libreoffice 1:6.1.5-3+deb10u8 [24 Mar 2023] DLA-3367-1 libdatetime-timezone-perl - new timezone database [buster] - libdatetime-timezone-perl 1:2.23-1+2023b [24 Mar 2023] DLA-3366-1 tzdata - new timezone database = data/dla-needed.txt = @@ -129,10 +129,6 @@ intel-microcode (tobi) libmicrohttpd (Thorsten Alteholz) NOTE: 20230313: Programming language: C. -- -libreoffice (rouca) - NOTE: 20221012: Programming language: C++. - NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git --- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44619aae5b33013176b4d0de2aafd43c8ba5ffbb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/44619aae5b33013176b4d0de2aafd43c8ba5ffbb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
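Review bot: the DLA-3368-1 line lists CVE-2022-3140 among the fixed CVEs, but none of the data/CVE/list hunks in this commit touch CVE-2022-3140; check whether that entry still carries a '[buster] - libreoffice (Minor issue)' line like the four entries cleaned up here, otherwise buster stays annotated as no-dsa for an issue the DLA claims to fix. The dla-needed.txt hunk removes the libreoffice block together with its '--' separator, which is correct.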
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fd0fde6f by security tracker role at 2023-03-26T20:10:31+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-28859 (redis-py through 4.5.3 leaves a connection open after canceling an asy ...) + TODO: check +CVE-2023-28858 (redis-py before 4.5.3, as used in ChatGPT and other products, leaves a ...) + TODO: check CVE-2023-1636 RESERVED CVE-2023-1635 (A vulnerability was found in OTCMS 6.72. It has been declared as probl ...) @@ -12,7 +16,7 @@ CVE-2023-1631 (A vulnerability, which was classified as problematic, was found i NOT-FOR-US: Jianming Antivirus CVE-2023-1630 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: Jianming Antivirus -CVE-2023-1629 (A vulnerability classified as critical was found in Jianming Antivirus ...) +CVE-2023-1629 (A vulnerability classified as critical was found in JiangMin Antivirus ...) NOT-FOR-US: Jianming Antivirus CVE-2023-1628 (A vulnerability classified as problematic has been found in Jianming A ...) NOT-FOR-US: Jianming Antivirus View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd0fde6f3553b5cf292efac7489c621308b22d51 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd0fde6f3553b5cf292efac7489c621308b22d51 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
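Review bot: the second hunk updates the CVE-2023-1629 description from 'Jianming Antivirus' to 'JiangMin Antivirus', but the NOT-FOR-US annotation on the following line (and on CVE-2023-1631, CVE-2023-1630 and CVE-2023-1628) still reads 'Jianming Antivirus'; a follow-up commit should align the annotations with the corrected vendor name so a search for either spelling finds all four entries. The two new redis-py entries are left as 'TODO: check', which is the expected state after an automatic update.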
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-40208/moodle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0ecbed4f by Salvatore Bonaccorso at 2023-03-26T21:14:09+02:00 Add CVE-2022-40208/moodle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43791,7 +43791,7 @@ CVE-2022-41137 CVE-2022-40704 (A XSS vulnerability was found in phoromatic_r_add_test_details.php in ...) - phoronix-test-suite CVE-2022-40208 (In Moodle, insufficient limitations in some quiz web services made it ...) - TODO: check + - moodle CVE-2022-38066 (An OS command injection vulnerability exists in the httpd SNMP functio ...) NOT-FOR-US: Siretta CVE-2022-3253 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ecbed4f583631f24560e6bb790337aef9b26dd1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ecbed4f583631f24560e6bb790337aef9b26dd1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
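Review bot: the replacement line reads only '- moodle' in this rendering; a status token in angle brackets such as <unfixed> or <removed> would have been stripped by the mail formatting, so confirm the committed line carries the intended one. A NOTE with the upstream advisory URL would also help, since the entry otherwise records nothing beyond the package name.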
[Git][security-tracker-team/security-tracker][master] Process NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a21633b by Salvatore Bonaccorso at 2023-03-26T21:13:41+02:00 Process NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1359,7 +1359,7 @@ CVE-2023-28466 (do_tls_getsockopt in net/tls/tls_main.c in the Linux kernel thro CVE-2023-28449 RESERVED CVE-2023-28448 (Versionize is a framework for version tolerant serializion/deserializa ...) - TODO: check + NOT-FOR-US: Versionize (firecracker-microvm / framework for version tolerant serializion/deserialization of Rust data structures) CVE-2023-28447 RESERVED CVE-2023-28446 (Deno is a simple, modern and secure runtime for JavaScript and TypeScr ...) @@ -14833,7 +14833,7 @@ CVE-2023-23709 CVE-2023-23708 RESERVED CVE-2023-23707 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-23706 RESERVED CVE-2023-23705 @@ -28320,13 +28320,13 @@ CVE-2022-45639 (** DISPUTED ** OS Command injection vulnerability in sleuthkit f CVE-2022-45638 RESERVED CVE-2022-45637 (An insecure password reset issue discovered in MEGAFEIS, BOFEI DBD+ Ap ...) - TODO: check + NOT-FOR-US: MEGAFEIS CVE-2022-45636 (An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & ...) - TODO: check + NOT-FOR-US: MEGAFEIS CVE-2022-45635 (An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & ...) - TODO: check + NOT-FOR-US: MEGAFEIS CVE-2022-45634 (An issue discovered in MEGAFEIS, BOFEI DBD+ Application for IOS & ...) - TODO: check + NOT-FOR-US: MEGAFEIS CVE-2022-45633 RESERVED CVE-2022-45632 
@@ -30493,9 +30493,9 @@ CVE-2022-45006 CVE-2022-45005 (IP-COM EW9 V15.11.0.14(9732) was discovered to contain a command injec ...) NOT-FOR-US: IP-COM EW9 CVE-2022-45004 (Gophish through 0.12.1 was discovered to contain a cross-site scriptin ...) - TODO: check + NOT-FOR-US: Gophish CVE-2022-45003 (Gophish through 0.12.1 allows attackers to cause a Denial of Service ( ...) - TODO: check + NOT-FOR-US: Gophish CVE-2022-45002 RESERVED CVE-2022-45001 @@ -31059,7 +31059,7 @@ CVE-2022-44744 (Local privilege escalation due to DLL hijacking vulnerability. T CVE-2022-44743 RESERVED CVE-2022-44742 (Auth. (admin+) Stored Cross-Site Scripting vulnerability in Yannick Le ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-44741 (Cross-Site Request Forgery (CSRF) vulnerability leading to Cross-Site ...) NOT-FOR-US: WordPress plugin CVE-2022-44740 (Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in Creative ...) 
@@ -31827,229 +31827,229 @@ CVE-2023-21081 CVE-2023-21080 RESERVED CVE-2023-21079 (In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bound ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21078 (In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bound ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21077 (In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bound ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21076 (In createTransmitFollowupRequest of nan.cpp, there is a possible out o ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21075 (In get_svc_hash of nan.cpp, there is a possible out of bounds write du ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21074 RESERVED CVE-2023-21073 (In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bound ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21072 (In rtt_unpack_xtlv_cbfn of dhd_rtt.c, there is a possible out of bound ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21071 (In dhd_prot_ioctcmplt_process of dhd_msgbuf.c, there is a possible out ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21070 (In add_roam_cache_list of wl_roam.c, there is a possible out of bounds ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21069 (In wl_update_hidden_ap_ie of wl_cfgscan.c, there is a possible out of ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21068 (In (TBD) of (TBD), there is a possible way to boot with a hidden debug ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21067 (Product: AndroidVersions: Android kernelAndroid ID: A-254114726Referen ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21066 RESERVED CVE-2023-21065 (In fdt_next_tag of fdt.c, there is a possible out of bounds write due ...) - TODO: check + NOT-FOR-US: Android CVE-2023-21064 (In DoSetPinControl of miscservice.cpp, there is a possible out of boun ...) - TODO: check + NOT-FOR-US:
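Review bot: the NOT-FOR-US line for CVE-2023-28448 copies the 'serializion' typo from the CVE text into the annotation; since the annotation is free-form reviewer text, spell it 'serialization'. The remaining hunks (WordPress plugin, MEGAFEIS, Gophish, Android) follow the annotation wording already used for their neighbours; the Android hunk is cut off in this message after CVE-2023-21064, so its tail could not be reviewed here.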
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0d2dd714 by Salvatore Bonaccorso at 2023-03-26T17:55:06+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -62075,41 +62075,41 @@ CVE-2022-34425 (Dell Enterprise SONiC OS, 4.0.0, 4.0.1, contain a cryptographic CVE-2022-34424 (Networking OS10, versions 10.5.1.x, 10.5.2.x, and 10.5.3.x contain a v ...) NOT-FOR-US: Dell CVE-2022-34423 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34422 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34421 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34420 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34419 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34418 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34417 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34416 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34415 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34414 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34413 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34412 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34411 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34410 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) 
- TODO: check + NOT-FOR-US: Dell CVE-2022-34409 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34408 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34407 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34406 (Dell PowerEdge BIOS and Dell Precision BIOS contain an Improper SMM co ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-34405 (An improper access control vulnerability was identified in the Realtek ...) NOT-FOR-US: Dell CVE-2022-34404 (Dell System Update, version 2.0.0 and earlier, contains an Improper Ce ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d2dd714f289e246a780992b3347f84c572f7eb1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0d2dd714f289e246a780992b3347f84c572f7eb1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
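Review bot: all CVE-2022-34406 through CVE-2022-34423 entries get 'NOT-FOR-US: Dell', matching the already-annotated neighbours CVE-2022-34424 and CVE-2022-34405, so nothing further is needed for this change; note only that the pre-existing context line for CVE-2022-34405 describes a Realtek issue yet is annotated 'Dell', which may deserve a more specific annotation in a separate commit.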
[Git][security-tracker-team/security-tracker][master] Fix typo in source package name for CVE-2021-32821
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f963920f by Salvatore Bonaccorso at 2023-03-26T17:47:54+02:00 Fix typo in source package name for CVE-2021-32821 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -138338,7 +138338,7 @@ CVE-2021-32823 (In the bindata RubyGem before version 2.4.10 there is a potentia CVE-2021-32822 (The npm hbs package is an Express view engine wrapper for Handlebars. ...) NOT-FOR-US: Node hbs CVE-2021-32821 (MooTools is a collection of JavaScript utilities for JavaScript develo ...) - - mootols (bug #1032664) + - mootools (bug #1032664) NOTE: https://securitylab.github.com/advisories/GHSL-2020-345-redos-mootools/ CVE-2021-32820 (Express-handlebars is a Handlebars view engine for Express. Express-ha ...) NOT-FOR-US: Express-handlebars View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f963920f974bf34157ac6424cae7cebb3a6b620b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f963920f974bf34157ac6424cae7cebb3a6b620b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track mariadb-10.6 as removed in every supported suite
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bb9cdab5 by Salvatore Bonaccorso at 2023-03-26T17:45:45+02:00 Track mariadb-10.6 as removed in every supported suite - - - - - 1 changed file: - data/packages/removed-packages Changes: = data/packages/removed-packages = @@ -938,3 +938,4 @@ php8.1 golang-1.18 axtls rust-crossbeam-utils-0.7 +mariadb-10.6 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb9cdab52fe95a9bd395f34b231acef67b0714f0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bb9cdab52fe95a9bd395f34b231acef67b0714f0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark mariadb-10.6 as removed from unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f8fb6929 by Salvatore Bonaccorso at 2023-03-26T17:44:46+02:00 Mark mariadb-10.6 as removed from unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24194,7 +24194,7 @@ CVE-2022-47016 CVE-2022-47015 (MariaDB Server before 10.3.34 thru 10.9.3 is vulnerable to Denial of S ...) - mariadb [bookworm] - mariadb (Minor issue, wait for next point release) - - mariadb-10.6 + - mariadb-10.6 - mariadb-10.5 [bullseye] - mariadb-10.5 (Minor issue) - mariadb-10.3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8fb69295651f2737e5b03289044ef24d4c14d08 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f8fb69295651f2737e5b03289044ef24d4c14d08 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
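Review bot: the removed and added lines both read '- mariadb-10.6' in this rendering, so the actual change (per the subject, marking the package as removed from unstable, presumably via an angle-bracket token such as <removed>) is invisible here; when the only difference on a line is an HTML-like token, spelling it out in the commit message body avoids this. The companion change adding mariadb-10.6 to data/packages/removed-packages is the separate bb9cdab5 commit on this page.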
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-27561/runc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74a2c8fc by Salvatore Bonaccorso at 2023-03-26T17:42:32+02:00 Add Debian bug reference for CVE-2023-27561/runc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -243564,7 +243564,7 @@ CVE-2019-19922 (kernel/sched/fair.c in the Linux kernel before 5.3.9, when cpu.c [stretch] - linux (Vulnerability introduced later) NOTE: https://git.kernel.org/linus/de53fd7aedb100f03e5d2231cfce0e4993282425 CVE-2023-27561 (runc through 1.1.4 has Incorrect Access Control leading to Escalation ...) - - runc + - runc (bug #1033520) NOTE: https://github.com/opencontainers/runc/issues/3751 NOTE: https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 NOTE: https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74a2c8fcf01fc0a1355814a1b8f8caf98fc3fe11 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/74a2c8fcf01fc0a1355814a1b8f8caf98fc3fe11 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add apache2 to dsa-needed list for regression
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 45cfe6d9 by Salvatore Bonaccorso at 2023-03-26T17:32:56+02:00 Add apache2 to dsa-needed list for regression - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -11,6 +11,9 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +apache2 + Regressions: #1033408, maybe #1033284 -- cairosvg (carnil) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45cfe6d927bdc3c1388f875c686a3d17c47f1c9b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45cfe6d927bdc3c1388f875c686a3d17c47f1c9b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
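Review bot: the new apache2 entry in dsa-needed.txt gives the regression bugs (#1033408, maybe #1033284) but not which apache2 update introduced them; naming the advisory or the regressed version on the same line would save the next person a trip to the BTS. The entry is unclaimed (no uid), which matches the file's instructions in the context line above.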
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-27249/swftools
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f2bf2076 by Salvatore Bonaccorso at 2023-03-26T17:29:39+02:00 Add CVE-2023-27249/swftools - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5158,7 +5158,9 @@ CVE-2023-27251 CVE-2023-27250 (Online Book Store Project v1.0 is vulnerable to SQL Injection via /boo ...) NOT-FOR-US: Online Book Store Project CVE-2023-27249 (swfdump v0.9.2 was discovered to contain a heap buffer overflow in the ...) - TODO: check + - swftools (unimportant) + NOTE: https://github.com/matthiaskramm/swftools/issues/197 + NOTE: Crash in CLI tool, no security implications CVE-2023-27248 RESERVED CVE-2023-27247 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2bf2076a97a3cad041a0ee21746e33320cd5218 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2bf2076a97a3cad041a0ee21746e33320cd5218 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
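Review bot: the NOTE 'Crash in CLI tool, no security implications' justifies 'unimportant' for what the CVE text calls a heap buffer overflow; spell out the reasoning (for instance that swfdump is a command-line tool run on files the user chose, so the impact is limited to that invocation crashing) so the severity decision can be audited later. Keeping the upstream issue link, as done here, is good.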
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7871ef7 by Salvatore Bonaccorso at 2023-03-26T17:28:45+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1163,11 +1163,11 @@ CVE-2023-1460 (A vulnerability was found in SourceCodester Online Pizza Ordering CVE-2023-1459 (A vulnerability was found in SourceCodester Canteen Management System ...) NOT-FOR-US: SourceCodester Canteen Management System CVE-2023-1458 (** DISPUTED ** A vulnerability has been found in Ubiquiti EdgeRouter X ...) - TODO: check + NOT-FOR-US: Ubiquiti EdgeRouter X CVE-2023-1457 (** DISPUTED ** A vulnerability, which was classified as critical, was ...) - TODO: check + NOT-FOR-US: Ubiquiti EdgeRouter X CVE-2023-1456 (** DISPUTED ** A vulnerability, which was classified as critical, has ...) - TODO: check + NOT-FOR-US: Ubiquiti EdgeRouter X CVE-2023-1455 (A vulnerability classified as critical was found in SourceCodester Onl ...) NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-1454 (A vulnerability classified as critical has been found in jeecg-boot 3. ...) @@ -1381,11 +1381,11 @@ CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed CVE-2023-28438 (Pimcore is an open source data and experience management platform. Pri ...) NOT-FOR-US: Pimcore CVE-2023-28437 (Dataease is an open source data visualization and analysis tool. The b ...) - TODO: check + NOT-FOR-US: Dataease CVE-2023-28436 (Tailscale is software for using Wireguard and multi-factor authenticat ...) NOT-FOR-US: Tailscale CVE-2023-28435 (Dataease is an open source data visualization and analysis tool. The p ...) - TODO: check + NOT-FOR-US: Dataease CVE-2023-28434 (Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023 ...) - minio (bug #859207) CVE-2023-28433 (Minio is a Multi-Cloud Object Storage framework. All users on Windows ...) 
@@ -4010,9 +4010,9 @@ CVE-2023-27603 CVE-2023-27602 RESERVED CVE-2023-1177 (Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prio ...) - TODO: check + NOT-FOR-US: mlflow CVE-2023-1176 (Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2. ...) - TODO: check + NOT-FOR-US: mlflow CVE-2023-1175 (Incorrect Calculation of Buffer Size in GitHub repository vim/vim prio ...) - vim 2:9.0.1378-1 [bullseye] - vim (Minor issue) @@ -5487,7 +5487,7 @@ CVE-2023-27096 CVE-2023-27095 (Insecure Permissions vulnerability found in OpenGoofy Hippo4j v.1.4.3 ...) NOT-FOR-US: Hippo4j CVE-2023-27094 (An issue found in OpenGoofy Hippo4j v.1.4.3 allows attackers to escala ...) - TODO: check + NOT-FOR-US: Hippo4j CVE-2023-27093 (Cross Site Scripting vulnerability found in My-Blog allows attackers t ...) NOT-FOR-US: My-Blog CVE-2023-27092 @@ -5521,7 +5521,7 @@ CVE-2023-27079 (Command Injection vulnerability found in Tenda G103 v.1.0.05 all CVE-2023-27078 (A command injection issue was found in TP-Link MR3020 v.1_150921 that ...) NOT-FOR-US: TP-Link CVE-2023-27077 (Stack Overflow vulnerability found in 360 D901 allows a remote attacke ...) - TODO: check + NOT-FOR-US: 360 D901 CVE-2023-27076 RESERVED CVE-2023-27075 @@ -11228,9 +11228,9 @@ CVE-2023-0631 (The Paid Memberships Pro WordPress plugin before 2.9.12 does not CVE-2023-0630 (The Slimstat Analytics WordPress plugin before 4.9.3.3 does not preven ...) NOT-FOR-US: WordPress plugin CVE-2023-0629 (Docker Desktop before 4.17.0 allows an unprivileged user to bypass Enh ...) - TODO: check + NOT-FOR-US: Docker Desktop CVE-2023-0628 (Docker Desktop before 4.17.0 allows an attacker to execute an arbitrar ...) - TODO: check + NOT-FOR-US: Docker Desktop CVE-2023-0627 RESERVED CVE-2023-0626 
@@ -11814,9 +11814,9 @@ CVE-2023-24790 CVE-2023-24789 (jeecg-boot v3.4.4 was discovered to contain an authenticated SQL injec ...) NOT-FOR-US: jeecg-boot CVE-2023-24788 (RESERVED NotrinosERP v0.7 was discovered to contain a SQL injection vu ...) - TODO: check + NOT-FOR-US: NotrinosERP CVE-2023-24787 (RESERVED churchcrm v4.5.3 was discovered to contain a SQL injection vu ...) - TODO: check + NOT-FOR-US: churchcrm CVE-2023-24786 RESERVED CVE-2023-24785 (An issue in Giorgio Tani peazip v.9.0.0 allows attackers to cause a de ...) @@ -12161,7 +12161,7 @@ CVE-2023-24627 CVE-2023-24626 RESERVED CVE-2023-24625 (Faveo 5.0.1 allows remote attackers to obtain sensitive information vi ...) - TODO: check + NOT-FOR-US: Faveo CVE-2023-24624 RESERVED CVE-2023-24623 (Paranoidhttp before 0.3.0 allows SSRF because
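Review bot: the descriptions for CVE-2023-24788 and CVE-2023-24787 begin with the word 'RESERVED' inside the parentheses ('(RESERVED NotrinosERP v0.7 ...', '(RESERVED churchcrm v4.5.3 ...'); whether copied from the upstream text or left over from the earlier RESERVED state, it reads as a status marker and those two description lines should be cleaned up in a follow-up. The NOT-FOR-US annotations added here (Ubiquiti EdgeRouter X, Dataease, mlflow, Hippo4j, 360 D901, Docker Desktop, NotrinosERP, churchcrm, Faveo) mirror the wording used for neighbouring entries.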
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2023-27561 In release-1.1 branch
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 72727a0d by Salvatore Bonaccorso at 2023-03-26T17:03:39+02:00 Reference upstream commit for CVE-2023-27561 In release-1.1 branch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -243568,6 +243568,7 @@ CVE-2023-27561 (runc through 1.1.4 has Incorrect Access Control leading to Escal NOTE: https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 NOTE: Issue exists because of a CVE-2019-19921 regression introduced by the fix for CVE-2021-30465. NOTE: Pull Request: https://github.com/opencontainers/runc/pull/3773 + NOTE: Fixed by: https://github.com/opencontainers/runc/commit/0abab45c9b97c113ff2cdc16f3a7388444c3fbec (release-1.1 branch) CVE-2019-19921 (runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalat ...) - runc 1.0.0~rc10+dfsg1-1 [buster] - runc (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72727a0d6bea2600fbdaff84e212bd68525f7c9d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72727a0d6bea2600fbdaff84e212bd68525f7c9d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-28450 as no-dsa for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ea09e8e by Salvatore Bonaccorso at 2023-03-26T16:56:44+02:00 Mark CVE-2023-28450 as no-dsa for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1321,6 +1321,7 @@ CVE-2023-28451 RESERVED CVE-2023-28450 (An issue was discovered in Dnsmasq before 2.90. The default maximum ED ...) - dnsmasq (bug #1033165) + [bullseye] - dnsmasq (Minor issue) NOTE: https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 CVE-2023-1424 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea09e8e3ceab68a69e83dce1cebd75738cc4b37 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ea09e8e3ceab68a69e83dce1cebd75738cc4b37 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
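Review bot: the new "[bullseye] - dnsmasq (Minor issue)" line marks the issue no-dsa for stable, but the unstable line "- dnsmasq (bug #1033165)" still carries no fixed version; once the referenced upstream commit (eb92fb32) or 2.90 lands in a Debian upload, record that version on the unstable line, otherwise the bullseye no-dsa tag leaves the entry looking open everywhere. It would also help to state in a NOTE why the default maximum EDNS size is considered minor (whether it is only a configuration default versus an exploitable condition), since that reasoning is what the no-dsa decision rests on.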
[Git][security-tracker-team/security-tracker][master] Use salsa main tree for salsa
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 8cb9da77 by Bastien Roucariès at 2023-03-26T12:15:39+00:00 Use salsa main tree for salsa Yadd is ok to use it tree. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -22,6 +22,7 @@ apache2 NOTE: 20230312: Programming language: C. NOTE: 20230312: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20230312: Special attention: Double check an update! Package is used by many customers and users!. + NOTE: 20230326: VCS: https://salsa.debian.org/apache-team/apache2. Yadd is ok for using apache2 salsa tree -- cairosvg (Chris Lamb) NOTE: 20230323: Programming language: Python. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cb9da7710b690199dd681b747bd4006d77d2592 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8cb9da7710b690199dd681b747bd4006d77d2592 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
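Review bot: the apache2 entry now carries two VCS lines, the 20230312 one pointing at https://salsa.debian.org/lts-team/packages/apache2.git and the new 20230326 one pointing at https://salsa.debian.org/apache-team/apache2; with the existing "Special attention: Double check an update!" warning on the same package, leaving both makes it easy for the next LTS contributor to push to the wrong tree. Either drop or explicitly supersede the lts-team line (e.g. "NOTE: 20230326: VCS: ... (use this, not the lts-team fork)") so there is a single authoritative repository for the buster branch.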
[Git][security-tracker-team/security-tracker][master] Associate CVE-2022-38745 to libreoffice
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb01bf6c by Salvatore Bonaccorso at 2023-03-26T13:48:47+02:00 Associate CVE-2022-38745 to libreoffice Usually libreoffice and Apache OpenOffice do not share the CVEs as the projects are diverging. Though in this case Libreoffice project will not do any specific advisory for the issue and solved already over a year ago from time of this commit. After discussion with Rene Engelhard, reference libreoffice for this CVE. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49854,7 +49854,11 @@ CVE-2022-38747 CVE-2022-38746 RESERVED CVE-2022-38745 (Apache OpenOffice versions before 4.1.14 may be configured to add an e ...) - NOT-FOR-US: Apache OpenOffice + - libreoffice 1:7.3.1-1 + [bullseye] - libreoffice (Minor issue) + NOTE: https://cgit.freedesktop.org/libreoffice/core/commit/?id=5e8f64e50f97d39e83a3358697be14db03566878 + NOTE: Technically CVE for Apache OpenOffice. Libreoffice project will not issue a separate CVE + NOTE: and the issue is present in Libreoffice as well. Exceptionally track libreoffice. CVE-2022-2993 (There is an error in the condition of the last if-statement in the fun ...) NOT-FOR-US: zephyr-rtos CVE-2022-2992 (A vulnerability in GitLab CE/EE affecting all versions from 11.10 prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb01bf6c48e7b807e872e9dfe358eabaf53879f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb01bf6c48e7b807e872e9dfe358eabaf53879f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
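Review bot: the new "- libreoffice 1:7.3.1-1" line asserts a fixed Debian version, but the only reference is the cgit commit link (5e8f64e5) with no upstream release tag in the NOTE; add the first LibreOffice release containing that commit so the 1:7.3.1-1 claim can be verified against the changelog, and so it is clear whether the bullseye 1:7.0.x branch lacks the fix (the "[bullseye] - libreoffice (Minor issue)" line implies it does). Since the commit message explains this is an exceptional cross-project association, the NOTE already stating "Exceptionally track libreoffice" is good; it would be worth also keeping a NOT-FOR-US-style remark that Apache OpenOffice itself is not packaged, so nobody later "corrects" the entry back.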
[Git][security-tracker-team/security-tracker][master] Make severity of CVE-2022-3704 unimportant with negligible/no security impact
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f79de11 by Salvatore Bonaccorso at 2023-03-26T13:36:21+02:00 Make severity of CVE-2022-3704 unimportant with negligible/no security impact - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36332,9 +36332,11 @@ CVE-2022-3705 (A vulnerability was found in vim and classified as problematic. A NOTE: https://github.com/vim/vim/commit/d0fab10ed2a86698937e3c3fed2f10bd9bb5e731 (v9.0.0805) NOTE: Crash in CLI tool, no security impact CVE-2022-3704 (** DISPUTED ** A vulnerability classified as problematic has been foun ...) - - rails (bug #1024274) + - rails (bug #1024274; unimportant) NOTE: https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4 NOTE: https://github.com/rails/rails/issues/46244 + NOTE: https://github.com/rails/rails/issues/46244#issuecomment-1380875153 + NOTE: Considered only a bug withouth security impact by the rails team CVE-2022-3703 (All versions of ETIC Telecom Remote Access Server (RAS) 4.5.0 and prio ...) NOT-FOR-US: ETIC Telecom Remote Access Server (RAS) CVE-2022-3702 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f79de1166bdbe7452659eafc3e767fc41421d9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f79de1166bdbe7452659eafc3e767fc41421d9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
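Review bot: typo in the last added NOTE line, "withouth" should read "without". Otherwise the change is consistent: the entry is already "** DISPUTED **", the rails issue comment is referenced as the source of the "only a bug" assessment, and tagging the unstable line "(bug #1024274; unimportant)" matches the tracker's convention for negligible-impact issues that still have a tracking bug.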
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a8adf1fe by security tracker role at 2023-03-26T08:10:16+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6,7 +6,7 @@ CVE-2023-1634 (A vulnerability was found in OTCMS 6.72. It has been classified a NOT-FOR-US: OTCMS CVE-2023-1633 RESERVED -CVE-2023-1632 (A vulnerability has been found in Ellucian Banner Web Tailor 8.6 and c ...) +CVE-2023-1632 (** DISPUTED ** A vulnerability has been found in Ellucian Banner Web T ...) NOT-FOR-US: Ellucian Banner Web Tailor CVE-2023-1631 (A vulnerability, which was classified as problematic, was found in Jia ...) NOT-FOR-US: Jianming Antivirus 
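Review bot: the automatic update truncates descriptions at a fixed width, so prefixing "** DISPUTED **" pushes the product name out of the visible text ("Ellucian Banner Web Tailor 8.6 and c ..." becomes "Ellucian Banner Web T ..."); the NOT-FOR-US line still names the product, so nothing is lost here, but for entries that are still TODO the truncated description is what a triager reads first. Consider exempting the "** DISPUTED **" marker from the width budget when generating the summary line.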
@@ -1162,12 +1162,12 @@ CVE-2023-1460 (A vulnerability was found in SourceCodester Online Pizza Ordering NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-1459 (A vulnerability was found in SourceCodester Canteen Management System ...) NOT-FOR-US: SourceCodester Canteen Management System -CVE-2023-1458 - RESERVED -CVE-2023-1457 - RESERVED -CVE-2023-1456 - RESERVED +CVE-2023-1458 (** DISPUTED ** A vulnerability has been found in Ubiquiti EdgeRouter X ...) + TODO: check +CVE-2023-1457 (** DISPUTED ** A vulnerability, which was classified as critical, was ...) + TODO: check +CVE-2023-1456 (** DISPUTED ** A vulnerability, which was classified as critical, has ...) + TODO: check CVE-2023-1455 (A vulnerability classified as critical was found in SourceCodester Onl ...) NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-1454 (A vulnerability classified as critical has been found in jeecg-boot 3. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8adf1fedf787a947196878c806c9ce053b6b44c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8adf1fedf787a947196878c806c9ce053b6b44c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
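Review bot: the three entries CVE-2023-1458, CVE-2023-1457 and CVE-2023-1456 go from RESERVED to "** DISPUTED **" with a "TODO: check" marker each; the first is visibly about Ubiquiti EdgeRouter X firmware, and the other two share the same "classified as critical" wording and adjacent numbering, so they are most likely the same product batch. Ubiquiti EdgeRouter firmware is not a Debian package, so these can presumably be resolved as "NOT-FOR-US: Ubiquiti EdgeRouter X" in the same way as the surrounding SourceCodester entries once the truncated descriptions for 1457 and 1456 are confirmed to name the same product.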