[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 88d32646 by Moritz Muehlenhoff at 2023-07-09T22:16:29+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-3045 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Tise Technology Parking Web Report CVE-2023-36935 REJECTED CVE-2023-36360 @@ -7,11 +7,11 @@ CVE-2023-36360 CVE-2023-34682 REJECTED CVE-2023-2853 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Softmed SelfPatron CVE-2023-2852 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Softmed SelfPatron CVE-2023-3566 (A vulnerability was found in wallabag 2.5.4. It has been declared as p ...) - TODO: check + NOT-FOR-US: Wallabag CVE-2023-3565 (Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampass ...) - teampass (bug #730180) CVE-2023-3564 (A vulnerability was found in GZ Scripts GZ Multi Hotel Booking System ...) @@ -127,7 +127,6 @@ CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plu NOT-FOR-US: Zoho CVE-2023-33715 REJECTED - NOT-FOR-US: ACDSee CVE-2023-33664 (ai-dev aicombinationsonfly before v0.3.1 was discovered to contain a S ...) NOT-FOR-US: ai-dev aicombinationsonfly CVE-2023-32183 (Incorrect Default Permissions vulnerability in the openSUSE Tumbleweed ...) 
@@ -8869,7 +8868,7 @@ CVE-2023-2048 (A vulnerability was found in Campcodes Advanced Online Voting Sys CVE-2023-2047 (A vulnerability was found in Campcodes Advanced Online Voting System 1 ...) NOT-FOR-US: Campcodes Advanced Online Voting System CVE-2023-2046 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Yontem Informatics Vehicle Tracking System CVE-2023-2045 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Ipekyolu Software Auto Damage Tracking Software CVE-2023-2044 (A vulnerability has been found in Control iD iDSecure 4.7.29.1 and cla ...) @@ -46178,9 +46177,9 @@ CVE-2022-44722 CVE-2022-44721 REJECTED CVE-2022-44720 (An issue was discovered in Weblib Ucopia before 6.0.13. OS Command Inj ...) - TODO: check + NOT-FOR-US: Weblib Ucopia CVE-2022-44719 (An issue was discovered in Weblib Ucopia before 6.0.13. The SSH Server ...) - TODO: check + NOT-FOR-US: Weblib Ucopia CVE-2022-44718 (An issue was discovered in NetScout nGeniusONE 6.3.2 build 904. Open R ...) NOT-FOR-US: NetScout CVE-2022-44717 (An issue was discovered in NetScout nGeniusONE 6.3.2 build 904. Open R ...) 
@@ -48470,7 +48469,7 @@ CVE-2022-44278 (Sanitization Management System v1.0 is vulnerable to SQL Injecti CVE-2022-44277 (Sanitization Management System v1.0 is vulnerable to SQL Injection via ...) NOT-FOR-US: Sanitization Management System CVE-2022-44276 (In Responsive Filemanager < 9.12.0, an attacker can bypass upload rest ...) - TODO: check + NOT-FOR-US: Responsive Filemanager CVE-2022-44275 RESERVED CVE-2022-44274 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88d32646f1f822ffc1b228cb192334d884ce8004 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88d32646f1f822ffc1b228cb192334d884ce8004 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
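Review bot: naming nit in the @@ -7,11 +7,11 @@ hunk: the CVE-2023-3566 annotation reads "NOT-FOR-US: Wallabag" while the description line spells the project "wallabag 2.5.4"; using the spelling the description gives keeps the annotation greppable against the entry itself.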
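Review bot: dropping the "NOT-FOR-US: ACDSee" line under CVE-2023-33715 in the @@ -127,7 +127,6 @@ hunk is the right cleanup: the automatic update (c5c5afe1 on this page) rewrote that entry to REJECTED but left the old triage line beneath it, and a REJECTED entry carries no package annotation, as CVE-2023-36935 and CVE-2023-36360 in the first hunk show.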
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5c5afe1 by security tracker role at 2023-07-09T20:12:41+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2023-3045 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-36935 + REJECTED +CVE-2023-36360 + REJECTED +CVE-2023-34682 + REJECTED +CVE-2023-2853 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-2852 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check CVE-2023-3566 (A vulnerability was found in wallabag 2.5.4. It has been declared as p ...) TODO: check CVE-2023-3565 (Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampass ...) @@ -113,7 +125,8 @@ CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an att NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP ...) NOT-FOR-US: Zoho -CVE-2023-33715 (A buffer overflow in ACDSee Free v2.0.2.227 allows attackers to cause ...) +CVE-2023-33715 + REJECTED NOT-FOR-US: ACDSee CVE-2023-33664 (ai-dev aicombinationsonfly before v0.3.1 was discovered to contain a S ...) NOT-FOR-US: ai-dev aicombinationsonfly @@ -461,7 +474,7 @@ CVE-2023-37212 (Memory safety bugs present in Firefox 114. Some of these bugs sh - firefox 115.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37212 CVE-2023-37211 (Memory safety bugs present in Firefox 114, Firefox ESR 102.12, and Thu ...) - {DSA-5450-1 DLA-3484-1} + {DSA-5451-1 DSA-5450-1 DLA-3484-1} - firefox 115.0-1 - firefox-esr 102.13.0esr-1 - thunderbird 1:102.13.0-1 
@@ -475,7 +488,7 @@ CVE-2023-37209 (A use-after-free condition existed in `NotifyOnHistoryReload` wh - firefox 115.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37209 CVE-2023-37208 (When opening Diagcab files, Firefox did not warn the user that these f ...) - {DSA-5450-1 DLA-3484-1} + {DSA-5451-1 DSA-5450-1 DLA-3484-1} - firefox 115.0-1 - firefox-esr 102.13.0esr-1 - thunderbird 1:102.13.0-1 @@ -483,7 +496,7 @@ CVE-2023-37208 (When opening Diagcab files, Firefox did not warn the user that t NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/#CVE-2023-37208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/#CVE-2023-37208 CVE-2023-37207 (A website could have obscured the fullscreen notification by using a U ...) - {DSA-5450-1 DLA-3484-1} + {DSA-5451-1 DSA-5450-1 DLA-3484-1} - firefox 115.0-1 - firefox-esr 102.13.0esr-1 - thunderbird 1:102.13.0-1 @@ -503,7 +516,7 @@ CVE-2023-37203 (Insufficient validation in the Drag and Drop API in conjunction - firefox 115.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/#CVE-2023-37203 CVE-2023-37202 (Cross-compartment wrappers wrapping a scripted proxy could have caused ...) - {DSA-5450-1 DLA-3484-1} + {DSA-5451-1 DSA-5450-1 DLA-3484-1} - firefox 115.0-1 - firefox-esr 102.13.0esr-1 - thunderbird 1:102.13.0-1 @@ -511,7 +524,7 @@ CVE-2023-37202 (Cross-compartment wrappers wrapping a scripted proxy could have NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/#CVE-2023-37202 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/#CVE-2023-37202 CVE-2023-37201 (An attacker could have triggered a use-after-free condition when creat ...) - {DSA-5450-1 DLA-3484-1} + {DSA-5451-1 DSA-5450-1 DLA-3484-1} - firefox 115.0-1 - firefox-esr 102.13.0esr-1 - thunderbird 1:102.13.0-1 
@@ -8855,8 +8868,8 @@ CVE-2023-2048 (A vulnerability was found in Campcodes Advanced Online Voting Sys NOT-FOR-US: Campcodes Advanced Online Voting System CVE-2023-2047 (A vulnerability was found in Campcodes Advanced Online Voting System 1 ...) NOT-FOR-US: Campcodes Advanced Online Voting System -CVE-2023-2046 - RESERVED +CVE-2023-2046 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check CVE-2023-2045 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Ipekyolu Software Auto Damage Tracking Software CVE-2023-2044 (A vulnerability has been found in Control iD iDSecure 4.7.29.1 and cla ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5c5afe1c3b66a5468e5494a5c1714f20
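Review bot: the @@ -113,7 +125,8 @@ hunk replaces the CVE-2023-33715 description with REJECTED but does not touch the "NOT-FOR-US: ACDSee" line under it, so the entry now pairs a rejected ID with a live triage annotation; this needs a manual follow-up to drop the stale line (88d32646 on this page does exactly that).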
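Review bot: cross-check for the @@ -461,7 +474,7 @@ hunk and the four like it below: the entries gaining DSA-5451-1 (CVE-2023-37211, -37208, -37207, -37202, -37201) are exactly the five IDs attached to DSA-5451-1 in the data/DSA/list hunk of 00404a33 on this page, and each keeps DSA-5450-1 and DLA-3484-1, so the reference sets for the firefox-esr, thunderbird and DLA updates now line up.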
[Git][security-tracker-team/security-tracker][master] yajl fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c246019e by Moritz Muehlenhoff at 2023-07-09T22:04:58+02:00 yajl fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -105007,7 +105007,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation [bullseye] - ruby-yajl (Minor issue) [buster] - ruby-yajl (Minor issue) [stretch] - ruby-yajl (Minor issue) - - yajl (bug #1040036) + - yajl 2.1.0-4 (bug #1040036) - burp (bug #1040146) - crun (bug #1040147) - epics-base (bug #1040159) @@ -382742,7 +382742,7 @@ CVE-2017-16516 (In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is - ruby-yajl 1.2.0-3.1 (low; bug #880691) [stretch] - ruby-yajl (Minor issue) [jessie] - ruby-yajl (Minor issue) - - yajl (bug #1040036) + - yajl 2.1.0-4 (bug #1040036) - burp (bug #1040146) - crun (bug #1040147) - epics-base (bug #1040159) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c246019eb45ccff09ae02d7f4c37cd1866eafe0c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c246019eb45ccff09ae02d7f4c37cd1866eafe0c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
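Review bot: both hunks record the same fixed version, yajl 2.1.0-4 against bug #1040036, so CVE-2022-24795 and CVE-2017-16516 stay consistent with each other; the bundled copies listed beneath (burp #1040146, crun #1040147, epics-base #1040159) still carry no version, so those packages remain open for both CVEs until their own bugs are closed.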
[Git][security-tracker-team/security-tracker][master] Remove annotation from CVE-2023-34254 of unimportant severity
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 735eaa5b by Salvatore Bonaccorso at 2023-07-09T21:11:41+02:00 Remove annotation from CVE-2023-34254 of unimportant severity As this does affect the Agent, the usual reasoning does not apply. Reported-by: Moritz Mühlenhoff Fixes: 967c8d344ba5 ("Mark glpi issues as unimportant") - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1410,9 +1410,8 @@ CVE-2023-35163 (Vega is a decentralized trading platform that allows pseudo-anon CVE-2023-35154 (Knowage is an open source analytics and business intelligence suite. S ...) NOT-FOR-US: Knowage CVE-2023-34254 (The GLPI Agent is a generic management agent. Prior to version 1.5, if ...) - - glpi (unimportant) + - glpi NOTE: https://github.com/glpi-project/glpi-agent/security/advisories/GHSA-39vc-hxgm-j465 - NOTE: Only supported behind an authenticated HTTP zone CVE-2023-3394 (Session Fixation in GitHub repository fossbilling/fossbilling prior to ...) NOT-FOR-US: fossbilling CVE-2023-3393 (Code Injection in GitHub repository fossbilling/fossbilling prior to 0 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/735eaa5b947fb2333f35c050777192aee1a0e9fc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/735eaa5b947fb2333f35c050777192aee1a0e9fc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
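Review bot: removing "(unimportant)" and the "Only supported behind an authenticated HTTP zone" NOTE leaves the glpi line with no version and no severity, i.e. an open issue for glpi in every suite; since the commit message and the CVE description both place the flaw in the GLPI Agent, confirm that the glpi source package actually ships the agent code, otherwise the package pointer should be corrected (or the entry marked not-affected) rather than left open against glpi.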
[Git][security-tracker-team/security-tracker][master] 3 commits: Mark CVE-2023-36201 as ignored for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 53d95b27 by Anton Gladky at 2023-07-09T20:45:19+02:00 Mark CVE-2023-36201 as ignored for buster - - - - - ebd698e1 by Anton Gladky at 2023-07-09T20:45:19+02:00 Mark CVE-2023-3523 as EOL for buster (gpac) - - - - - 2533cd69 by Anton Gladky at 2023-07-09T20:45:19+02:00 LTS: Add node-tough-cookie - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -109,6 +109,7 @@ CVE-2023-36256 (The Online Examination System Project 1.0 version is vulnerable CVE-2023-36201 (An issue in JerryscriptProject jerryscript v.3.0.0 allows an attacker ...) - iotjs [bullseye] - iotjs (Minor issue) + [buster] - iotjs (Minor issue) NOTE: https://github.com/jerryscript-project/jerryscript/issues/5026 CVE-2023-34197 (Zoho ManageEngine ServiceDesk Plus before 14202, ServiceDesk Plus MSP ...) NOT-FOR-US: Zoho @@ -160,6 +161,7 @@ CVE-2023-3523 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2. - gpac NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/ NOTE: https://github.com/gpac/gpac/commit/64201a26476c12a7dbd7ffb5757743af6954db96 + [buster] - gpac (EOL in buster LTS) CVE-2023-3456 (Vulnerability of kernel raw address leakage in the hang detector modu ...) NOT-FOR-US: Huawei CVE-2023-37454 (An issue was discovered in the Linux kernel through 6.4.2. A crafted U ...) = data/dla-needed.txt = @@ -103,6 +103,9 @@ linux (Ben Hutchings) mediawiki (Markus Koschany) NOTE: 20230701: Added by Front-Desk (ta) -- +node-tough-cookie + NOTE: 20230709: Added by Front-Desk (gladk) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression 
@@ -132,6 +135,9 @@ openjdk-11 (Emilio) NOTE: 20230612: sid updated, preparing backport (pochu) NOTE: 20230627: waiting for DSA (pochu) -- +pandoc + NOTE: 20230709: Added by Front-Desk (gladk) +-- php-dompdf (rouca) NOTE: 20230618: Added by Front-Desk (opal) NOTE: 20230618: Low priority but higher than to not fix it. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/00404a33424169134995001a541dfecc28fd17a8...2533cd69dae703e8ebb5ec18e44b2b682bcf950d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
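Review bot: the commit title says CVE-2023-36201 is marked "ignored for buster", but the line added in the data/CVE/list @@ -109,6 +109,7 @@ hunk reads "[buster] - iotjs (Minor issue)", which as rendered here carries no explicit state tag; if the intent is the ignored state, the line should carry the `<ignored>` tag (or `<no-dsa>` if it is only deferred) so the tracker records the decision explicitly.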
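Review bot: in the @@ -160,6 +161,7 @@ hunk the new "[buster] - gpac (EOL in buster LTS)" line is appended after the two NOTE lines, whereas the iotjs hunk above puts the release line directly under the package line before the NOTEs; moving it up keeps the entry in the usual order, and as with the iotjs change the end-of-life state should be given as an explicit `<end-of-life>` tag if the commit title's "EOL" is meant to be machine-readable.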
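Review bot: the commit message "LTS: Add node-tough-cookie" covers only the first dla-needed.txt hunk; the @@ -132,6 +135,9 @@ hunk also adds pandoc with the same "Added by Front-Desk (gladk)" note, which the message does not mention, so either the subject should name both packages or pandoc should go in its own commit.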
[Git][security-tracker-team/security-tracker][master] fix CVE ID list
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 00404a33 by Moritz Mühlenhoff at 2023-07-09T20:26:31+02:00 fix CVE ID list - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,4 +1,5 @@ [09 Jul 2023] DSA-5451-1 thunderbird - security update + {CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 CVE-2023-37211} [bullseye] - thunderbird 1:102.13.0-1~deb11u1 [bookworm] - thunderbird 1:102.13.0-1~deb12u1 [07 Jul 2023] DSA-5450-1 firefox-esr - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00404a33424169134995001a541dfecc28fd17a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00404a33424169134995001a541dfecc28fd17a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
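Review bot: the added {…} line for DSA-5451-1 lists the same five IDs (CVE-2023-37201, -37202, -37207, -37208, -37211) that DSA-5450-1 carries in 1cd95a43 on this page, which is what one expects for a thunderbird 1:102.13.0 update sharing the firefox-esr 102.13.0esr fixes; it also supplies the cross-reference the original DSA entry in 1cd95a43 lacked, and the automatic update c5c5afe1 on this page later propagates it into the CVE entries.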
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1cd95a43 by Moritz Mühlenhoff at 2023-07-09T20:23:48+02:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[09 Jul 2023] DSA-5451-1 thunderbird - security update + [bullseye] - thunderbird 1:102.13.0-1~deb11u1 + [bookworm] - thunderbird 1:102.13.0-1~deb12u1 [07 Jul 2023] DSA-5450-1 firefox-esr - security update {CVE-2023-37201 CVE-2023-37202 CVE-2023-37207 CVE-2023-37208 CVE-2023-37211} [bullseye] - firefox-esr 102.13.0esr-1~deb11u1 = data/dsa-needed.txt = @@ -69,8 +69,6 @@ salt/oldstable -- samba/oldstable -- -thunderbird (jmm) --- wpewebkit -- xrdp/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cd95a434945bc175d8c119b9e86eecebcf8316d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1cd95a434945bc175d8c119b9e86eecebcf8316d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
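Review bot: the new DSA-5451-1 entry in the data/DSA/list hunk has no {CVE-…} line, unlike DSA-5450-1 directly beneath it, so the thunderbird advisory is not linked to the CVE entries it fixes; the CVE set should land in the same commit as the advisory (00404a33 on this page adds it as a follow-up). The dsa-needed.txt hunk removing "thunderbird (jmm)" and its separator is consistent with the advisory being issued.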
[Git][security-tracker-team/security-tracker][master] node-dottie fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ac8e94c6 by Moritz Muehlenhoff at 2023-07-09T16:31:34+02:00 node-dottie fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22105,7 +22105,7 @@ CVE-2023-26134 (Versions of the package git-commit-info before 2.0.2 are vulnera CVE-2023-26133 (All versions of the package progressbar.js are vulnerable to Prototype ...) NOT-FOR-US: progressbar.js CVE-2023-26132 (Versions of the package dottie before 2.0.4 are vulnerable to Prototyp ...) - - node-dottie (bug #1040592) + - node-dottie 2.0.6+~2.0.5-1 (bug #1040592) [bookworm] - node-dottie (Minor issue) [bullseye] - node-dottie (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8e94c671e7e0764a0c04358fec522ab99a090f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ac8e94c671e7e0764a0c04358fec522ab99a090f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
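Review bot: the hunk adds the sid fixed version 2.0.6+~2.0.5-1 while keeping bug #1040592 and the [bookworm]/[bullseye] "(Minor issue)" lines, so the CVE stays open but unscheduled for the stable suites; the only reference is the Snyk NOTE, and since the description pins the fix to dottie 2.0.4, a NOTE pointing at the upstream fix commit would be a more durable pointer than the advisory page alone.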