[Git][security-tracker-team/security-tracker][master] Add CVE-2024-0822 as NFU

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4f18edac by Salvatore Bonaccorso at 2024-01-25T08:37:30+01:00
Add CVE-2024-0822 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2024-0822
+   NOT-FOR-US: ovirt-engine
 CVE-2024-0727 [Add NULL checks where ContentInfo data can be NULL]
- openssl 
NOTE: https://github.com/openssl/openssl/pull/23362



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4f18edac7712982080c8670f6fc3bbdbc747ebe4

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2024-0727/openssl

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4a52090f by Salvatore Bonaccorso at 2024-01-25T08:36:09+01:00
Add CVE-2024-0727/openssl

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024-0727 [Add NULL checks where ContentInfo data can be NULL]
+   - openssl 
+   NOTE: https://github.com/openssl/openssl/pull/23362
+   TODO: check, might be only in 3.0 and 3.1
 CVE-2023-6267
NOT-FOR-US: Quarkus
 CVE-2023-5675
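Review bot: the TODO on the new CVE-2024-0727 entry leaves the affected range unresolved, and the package line records no fix state beyond the bare package name; the linked PR (openssl/openssl#23362) should be checked against the OpenSSL branch each suite ships so the entry can be given per-suite annotations (or a fixed version once an upload carries the NULL checks) instead of sitting as an open question on the list.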



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a52090ff6df9c8b5a5e1ddba4912dd0ef8bf9ff



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6267 as NFU

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0315736f by Salvatore Bonaccorso at 2024-01-25T08:34:12+01:00
Add CVE-2023-6267 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-6267
+   NOT-FOR-US: Quarkus
 CVE-2023-5675
NOT-FOR-US: Quarkus
 CVE-2023-52356



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0315736ff801e11f58dfa70024fde59233f309f8



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5675 as NFU

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cdee631d by Salvatore Bonaccorso at 2024-01-25T08:33:34+01:00
Add CVE-2023-5675 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,5 @@
+CVE-2023-5675
+   NOT-FOR-US: Quarkus
 CVE-2023-52356
- tiff 
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cdee631d171978c4547ffdc030987c7aaa0ee3fd



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52356/tiff

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a02f485 by Salvatore Bonaccorso at 2024-01-25T08:24:57+01:00
Add CVE-2023-52356/tiff

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,8 @@
+CVE-2023-52356
+   - tiff 
+   NOTE: https://gitlab.com/libtiff/libtiff/-/issues/622
+   NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/546
+   NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/51558511bdbbcffdce534db21dbaf5d54b31638a
 CVE-2023-52355
- tiff 
NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621
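Review bot: the new CVE-2023-52356 entry records the upstream issue, merge request and fix commit but no Debian fix state: no fixed package version, no per-suite annotation and no Debian bug reference. Since the fixing commit is already identified, the next step is to determine which tiff upload (if any) contains it and record that version, or annotate the suites with a reason, and file or reference a bug so the entry is actionable rather than just a bundle of links.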



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a02f485c3378d9a140a8935940b6b8c50d394db



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-52355/tiff

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3459b3be by Salvatore Bonaccorso at 2024-01-25T08:20:40+01:00
Add CVE-2023-52355/tiff

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2023-52355
+   - tiff 
+   NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621
+   NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553
+   NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4
+   NOTE: 
https://gitlab.com/libtiff/libtiff/-/commit/16ab4a205cfc938c32686e8d697d048fabf97ed4
+   NOTE: Issue fixed by providing a documentation update
 CVE-2023-40551
- shim 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
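Review bot: the closing NOTE "Issue fixed by providing a documentation update" implies there is no code change to ship, yet the entry keeps a plain tiff package line with no per-suite state and points at two fix commits. If upstream's position is that this is a documentation matter, the suite annotations should carry that reason explicitly so the entry is not read as an open, unfixed issue on the next pass of the list.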



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3459b3bed2e57664539562bb62e259d3d90b38a2



[Git][security-tracker-team/security-tracker][master] Add new shim issues (no upstream references so far)

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8c1a2a11 by Salvatore Bonaccorso at 2024-01-25T07:44:57+01:00
Add new shim issues (no upstream references so far)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2023-40551
+   - shim 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259918
+CVE-2023-40550
+   - shim 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259915
+CVE-2023-40549
+   - shim 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241797
+CVE-2023-40548
+   - shim 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241782
+CVE-2023-40547
+   - shim 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2234589
+CVE-2023-40546
+   - shim 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241796
 CVE-2024-23649 (Lemmy is a link aggregator and forum for the fediverse. 
Starting in ve ...)
TODO: check
 CVE-2024-23648 (Pimcore's Admin Classic Bundle provides a backend user 
interface for P ...)
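Review bot: all six new shim entries (CVE-2023-40546 through CVE-2023-40551) carry a Red Hat bugzilla link as their only reference and no fix state, which matches the commit title's "no upstream references so far" but leaves nothing inside the entries themselves to flag them for follow-up. A "TODO: check" line on each entry, the convention the neighbouring CVE-2024-23649 context line shows, or a NOTE recording that upstream commits are pending, would keep them visible until the shim fixes and a Debian fixed version can be recorded.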



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c1a2a1150dd5087bfca8fa58313fc8d82cb81da



[Git][security-tracker-team/security-tracker][master] check-new-issues: Fix comment header for copyright

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c391b8c8 by Salvatore Bonaccorso at 2024-01-25T06:37:12+01:00
check-new-issues: Fix comment header for copyright

Make the copyright statement complete.

Signed-off-by: Salvatore Bonaccorso car...@debian.org

- - - - -


1 changed file:

- bin/check-new-issues


Changes:

=
bin/check-new-issues
=
@@ -15,6 +15,10 @@
 # This file is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this file.  If not, see .
 
 import argparse
 import collections
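Review bot: the added line "along with this file.  If not, see ." has no link target after "see", so the pointer to the licence text is missing in this hunk; the standard GPL header names the licence URL at that spot. Check whether the URL is present in the committed file and was only dropped by the mail rendering, and if it is genuinely absent, add it so the header is actually complete as the commit intends.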



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c391b8c856866cf89bec51396071a3b54b2d9db5



[Git][security-tracker-team/security-tracker][master] Add end-of-life tracking for chromium in bullseye

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c4b3735 by Salvatore Bonaccorso at 2024-01-25T06:21:53+01:00
Add end-of-life tracking for chromium in bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -251,36 +251,47 @@ CVE-2022-4964 (Ubuntu's pipewire-pulse in snap grants 
microphone access even whe
NOT-FOR-US: Ubuntu snap pipewire-pulse
 CVE-2024-0814 (Incorrect security UI in Payments in Google Chrome prior to 
121.0.6167 ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0813 (Use after free in Reading Mode in Google Chrome prior to 
121.0.6167.85 ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0812 (Inappropriate implementation in Accessibility in Google Chrome 
prior t ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0811 (Inappropriate implementation in Extensions API in Google Chrome 
prior  ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0810 (Insufficient policy enforcement in DevTools in Google Chrome 
prior to  ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0809 (Inappropriate implementation in Autofill in Google Chrome prior 
to 121 ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0808 (Integer underflow in WebUI in Google Chrome prior to 
121.0.6167.85 all ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0807 (Use after free in Web Audio in Google Chrome prior to 
121.0.6167.85 al ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0806 (Use after free in Passwords in Google Chrome prior to 
121.0.6167.85 al ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0805 (Inappropriate implementation in Downloads in Google Chrome 
prior to 12 ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-0804 (Insufficient policy enforcement in iOS Security UI in Google 
Chrome pr ...)
- chromium 121.0.6167.85-1
+   [bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-23854
REJECTED
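Review bot: in every added bullseye line nothing appears between "chromium" and "(see #1061268)", the same gap the existing buster lines show before "(see DSA 5046)"; the commit title says this is end-of-life tracking, so confirm the end-of-life state marker is present in the committed file and was only lost in the mail rendering, because the suite annotation needs that marker to say what the bug reference explains. Since #1061268 is reused across all eleven entries, a single NOTE on the first one saying what that bug records would also help the next reader.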



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c4b3735f0a14c2f0e81e8f3cb5ca6c96b1440cb



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-48795/dropbear

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e49368c2 by Salvatore Bonaccorso at 2024-01-25T05:00:33+01:00
Track fixed version for CVE-2023-48795/dropbear

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6867,7 +6867,7 @@ CVE-2023-32230 (An improper handling of a malformed API 
request to an API server
NOT-FOR-US: Bosch
 CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, 
found in O ...)
{DSA-5601-1 DSA-5600-1 DSA-5599-1 DSA-5591-1 DSA-5588-1 DSA-5586-1 
DLA-3694-1}
-   - dropbear  (bug #1059001)
+   - dropbear 2022.83-4 (bug #1059001)
[bookworm] - dropbear  (Minor issue)
[bullseye] - dropbear  (Minor issue)
- erlang 1:25.3.2.8+dfsg-1 (bug #1059002)
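Review bot: with 2022.83-4 now recorded as the fixed version for unstable, the bookworm and bullseye lines that stay annotated "(Minor issue)" deserve a second look: the entry header lists six DSAs and a DLA for CVE-2023-48795, so the rest of the SSH stack in the stable suites has shipped updates while dropbear remains unfixed there. If the minor-issue assessment stands, a NOTE giving the reason would make that explicit instead of leaving it implied by the annotation alone.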



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e49368c212d0658c85f04ea011607558cec797c8



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3719-1 for phpseclib

2024-01-24 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
85d5e068 by Guilhem Moulin at 2024-01-25T02:26:49+01:00
Reserve DLA-3719-1 for phpseclib

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Jan 2024] DLA-3719-1 phpseclib - security update
+   {CVE-2023-48795}
+   [buster] - phpseclib 1.0.19-3~deb10u2
 [25 Jan 2024] DLA-3718-1 php-phpseclib - security update
{CVE-2023-48795}
[buster] - php-phpseclib 2.0.30-2~deb10u2


=
data/dla-needed.txt
=
@@ -183,9 +183,6 @@ nvidia-cuda-toolkit
 openjdk-11 (Emilio)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-phpseclib (guilhem)
-  NOTE: 20240114: Added by Front-Desk (apo)
---
 pillow (Chris Lamb)
   NOTE: 20240121: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85d5e068fe97f96e1e332fdfe405cc7443f2e9ed



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3718-1 for php-phpseclib

2024-01-24 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c9253e3e by Guilhem Moulin at 2024-01-25T02:26:19+01:00
Reserve DLA-3718-1 for php-phpseclib

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[25 Jan 2024] DLA-3718-1 php-phpseclib - security update
+   {CVE-2023-48795}
+   [buster] - php-phpseclib 2.0.30-2~deb10u2
 [24 Jan 2024] DLA-3717-1 zabbix - security update
{CVE-2023-32721 CVE-2023-32723 CVE-2023-32726}
[buster] - zabbix 1:4.0.4+dfsg-1+deb10u4


=
data/dla-needed.txt
=
@@ -183,9 +183,6 @@ nvidia-cuda-toolkit
 openjdk-11 (Emilio)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-php-phpseclib (guilhem)
-  NOTE: 20240114: Added by Front-Desk (apo)
---
 phpseclib (guilhem)
   NOTE: 20240114: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9253e3e804f96ce5e022211388f057c5a8d1baf



[Git][security-tracker-team/security-tracker][master] chromium DSA

2024-01-24 Thread Andres Salomon (@dilinger)


Andres Salomon pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fc3c6b09 by Andres Salomon at 2024-01-24T19:37:59-05:00
chromium DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[24 Jan 2024] DSA-5607-1 chromium - security update
+   {CVE-2024-0804 CVE-2024-0805 CVE-2024-0806 CVE-2024-0807 CVE-2024-0808 
CVE-2024-0809 CVE-2024-0810 CVE-2024-0811 CVE-2024-0812 CVE-2024-0813 
CVE-2024-0814}
+   [bookworm] - chromium 121.0.6167.85-1~deb12u1
 [24 Jan 2024] DSA-5606-1 firefox-esr - security update
{CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 
CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755}
[bullseye] - firefox-esr 115.7.0esr-1~deb11u1


=
data/dsa-needed.txt
=
@@ -16,8 +16,6 @@ atril
 --
 cacti
 --
-chromium (dilinger)
---
 cryptojs
 --
 dnsdist (jmm)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fc3c6b09e16619d13ce959bedbf38e80b954a2d9



[Git][security-tracker-team/security-tracker][master] add libx11 refs

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c1f6a8ba by Moritz Muehlenhoff at 2024-01-24T23:34:05+01:00
add libx11 refs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -20536,6 +20536,8 @@ CVE-2023-43787 (A vulnerability was found in libX11 due 
to an integer overflow w
NOTE: https://www.openwall.com/lists/oss-security/2023/10/03/1
NOTE: Fixed by: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/7916869d16bdd115ac5be30a67c3749907aea6a0
NOTE: Hardening: 
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/91f887b41bf75648df725a4ed3be036da02e911e
+   NOTE: 
https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-one/
+   NOTE: 
https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/
 CVE-2023-43786 (A vulnerability was found in libX11 due to an infinite loop 
within the ...)
{DSA-5517-1 DLA-3602-1}
- libx11 2:1.8.7-1
@@ -20544,6 +20546,8 @@ CVE-2023-43786 (A vulnerability was found in libX11 due 
to an infinite loop with
NOTE: Hardening: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/73a37d5f2fcadd6540159b432a70d80f442ddf4a
NOTE: Hardening: 
https://gitlab.freedesktop.org/xorg/lib/libx11/-/commit/b4031fc023816aca07fbd592ed97010b9b48784b
NOTE: Hardening: 
https://gitlab.freedesktop.org/xorg/lib/libxpm/-/commit/84fb14574c039f19ad7face87eb9acc31a50701c
+   NOTE: 
https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-one/
+   NOTE: 
https://jfrog.com/blog/xorg-libx11-vulns-cve-2023-43786-cve-2023-43787-part-two/
 CVE-2023-43785 (A vulnerability was found in libX11 due to a boundary 
condition within ...)
{DSA-5517-1 DLA-3602-1}
- libx11 2:1.8.7-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1f6a8ba500318e36db82c8327c503478910393d



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-4969/firmware-nonfree

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
33ec9dda by Salvatore Bonaccorso at 2024-01-24T22:25:56+01:00
Add Debian bug reference for CVE-2023-4969/firmware-nonfree

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1646,7 +1646,7 @@ CVE-2023-52041 (An issue discovered in TOTOLINK X6000R 
V9.4.0cu.852_B20230719 al
 CVE-2023-51381
REJECTED
 CVE-2023-4969 (A GPU kernel can read sensitive data from another GPU kernel 
(even fro ...)
-   - firmware-nonfree 
+   - firmware-nonfree  (bug #1061460)
[bookworm] - firmware-nonfree  (Minor issue, revisit when 
updates are available around March 2024)
[bullseye] - firmware-nonfree  (Non-free not supported)
[buster] - firmware-nonfree  (Minor issue, revisit when 
updates are available)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/33ec9dda90dd3e8431758eced11d63de1a1626f4



[Git][security-tracker-team/security-tracker][master] Update information for CVE-2024-22563/openvswitch

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ad8730e7 by Salvatore Bonaccorso at 2024-01-24T22:24:07+01:00
Update information for CVE-2024-22563/openvswitch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -806,9 +806,10 @@ CVE-2024-22877 (StrangeBee TheHive 5.2.0 to 5.2.8 is 
vulnerable to Cross Site Sc
 CVE-2024-22876 (StrangeBee TheHive 5.1.0 to 5.1.9 and 5.2.0 to 5.2.8 is 
vulnerable to  ...)
NOT-FOR-US: StrangeBee TheHive
 CVE-2024-22563 (openvswitch 2.17.8 was discovered to contain a memory leak via 
the fun ...)
-   - openvswitch 
+   - openvswitch 2.17.2-4
+   [bullseye] - openvswitch  (Minor issue)
NOTE: https://github.com/openvswitch/ovs-issues/issues/315
-   TODO: check details, unclear report upstream and seems fixed by 
https://github.com/openvswitch/ovs/commit/3168f328c78cf6e4b3022940452673b0e49f7620
+   NOTE: 
https://github.com/openvswitch/ovs/commit/3168f328c78cf6e4b3022940452673b0e49f7620
 (v2.17.0)
 CVE-2024-22562 (swftools 0.9.2 was discovered to contain a Stack Buffer 
Underflow via  ...)
- swftools 
NOTE: https://github.com/matthiaskramm/swftools/issues/210
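Review bot: the fixed version 2.17.2-4 and the new NOTE placing the upstream fix commit in v2.17.0 do not obviously agree with each other or with the CVE text, which says openvswitch 2.17.8 contains the leak: if the fix is in v2.17.0, every 2.17.x Debian upload already carries it, so it is worth confirming that 2.17.2-4 is the first such upload rather than just the one that was checked, and the report's claim about 2.17.8 is then wrong. A short NOTE stating which reading the bullseye "(Minor issue)" marking rests on would save the next reader re-deriving it from the upstream issue.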



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad8730e7a25b53d3038ffa099f5aad21232b3282



[Git][security-tracker-team/security-tracker][master] CVE-2023-4969: Mention that AMD expects to start rolling out mitigations around March 2024

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5415a19 by Salvatore Bonaccorso at 2024-01-24T22:16:34+01:00
CVE-2023-4969: Mention that AMD expects to start rolling out mitigations around March 2024

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1646,7 +1646,7 @@ CVE-2023-51381
REJECTED
 CVE-2023-4969 (A GPU kernel can read sensitive data from another GPU kernel 
(even fro ...)
- firmware-nonfree 
-   [bookworm] - firmware-nonfree  (Minor issue, revisit when 
updates are available)
+   [bookworm] - firmware-nonfree  (Minor issue, revisit when 
updates are available around March 2024)
[bullseye] - firmware-nonfree  (Non-free not supported)
[buster] - firmware-nonfree  (Minor issue, revisit when 
updates are available)
NOTE: 
https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a5415a1954b255b64e3f03b6a83a3366911b0fbe



[Git][security-tracker-team/security-tracker][master] Mark pstotext as removed from every supported suite

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6f25f974 by Salvatore Bonaccorso at 2024-01-24T22:11:27+01:00
Mark pstotext as removed from every supported suite

- - - - -


1 changed file:

- data/packages/removed-packages


Changes:

=
data/packages/removed-packages
=
@@ -955,3 +955,4 @@ masqmail
 openjdk-18
 nomad
 linux-wlan-ng
+pstotext



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f25f97446750be0152b9d511870a1dc97551491



[Git][security-tracker-team/security-tracker][master] 2 commits: Process some airflow CVEs

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d15c28a7 by Salvatore Bonaccorso at 2024-01-24T22:09:28+01:00
Process some airflow CVEs

- - - - -
752bfd6e by Salvatore Bonaccorso at 2024-01-24T22:09:29+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -69,41 +69,41 @@ CVE-2023-51885 (Buffer Overflow vulnerability in Mathtex 
v.1.05 and before allow
- mathtex 
NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51702 (Since version 5.2.0, when using deferrable mode with the path 
of a Kub ...)
-   TODO: check
+   - airflow  (bug #819700)
 CVE-2023-50944 (Apache Airflow, versions before 2.8.1, have a vulnerability 
that allow ...)
-   TODO: check
+   - airflow  (bug #819700)
 CVE-2023-50943 (Apache Airflow, versions before 2.8.1, have a vulnerability 
that allow ...)
-   TODO: check
+   - airflow  (bug #819700)
 CVE-2023-44281 (Dell Pair Installer version prior to 1.2.1 contains an 
elevation of pr ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2023-44001 (An issue in Ailand clinic mini-app on Line v13.6.1 allows 
attackers to ...)
-   TODO: check
+   NOT-FOR-US: Ailand clinic mini-app on Line
 CVE-2023-44000 (An issue in Otakara lapis totuka mini-app on Line v13.6.1 
allows attac ...)
-   TODO: check
+   NOT-FOR-US: Otakara lapis totuka mini-app on Line
 CVE-2023-43999 (An issue in COLORFUL_laundry mini-app on Line v13.6.1 allows 
attackers ...)
-   TODO: check
+   NOT-FOR-US: COLORFUL_laundry mini-app on Line
 CVE-2023-43998 (An issue in Books-futaba mini-app on Line v13.6.1 allows 
attackers to  ...)
-   TODO: check
+   NOT-FOR-US: Books-futaba mini-app on Line
 CVE-2023-43997 (An issue in Yoruichi hobby base mini-app on Line v13.6.1 
allows attack ...)
-   TODO: check
+   NOT-FOR-US: Yoruichi hobby base mini-app on Line
 CVE-2023-43996 (An issue in Q co ltd mini-app on Line v13.6.1 allows attackers 
to send ...)
-   TODO: check
+   NOT-FOR-US: Q co ltd mini-app on Line
 CVE-2023-43995 (An issue in picot.golf mini-app on Line v13.6.1 allows 
attackers to se ...)
-   TODO: check
+   NOT-FOR-US: picot.golf mini-app on Line
 CVE-2023-43994 (An issue in Cleaning_makotoya mini-app on Line v13.6.1 allows 
attacker ...)
-   TODO: check
+   NOT-FOR-US: Cleaning_makotoya mini-app on Line
 CVE-2023-43993 (An issue in smaregi_app_market mini-app on Line v13.6.1 allows 
attacke ...)
-   TODO: check
+   NOT-FOR-US: smaregi_app_market mini-app on Line
 CVE-2023-43992 (An issue in STOCKMAN GROUP mini-app on Line v13.6.1 allows 
attackers t ...)
-   TODO: check
+   NOT-FOR-US: STOCKMAN GROUP mini-app on Line
 CVE-2023-43991 (An issue in PRIMA CLINIC mini-app on Line v13.6.1 allows 
attackers to  ...)
-   TODO: check
+   NOT-FOR-US: PRIMA CLINIC mini-app on Line
 CVE-2023-43990 (An issue in cherub-hair mini-app on Line v13.6.1 allows 
attackers to s ...)
-   TODO: check
+   NOT-FOR-US: cherub-hair mini-app on Line
 CVE-2023-43989 (An issue in mokumoku chohu mini-app on Line v13.6.1 allows 
attackers t ...)
-   TODO: check
+   NOT-FOR-US: mokumoku chohu mini-app on Line
 CVE-2023-43988 (An issue in nature fitness saijo mini-app on Line v13.6.1 
allows attac ...)
-   TODO: check
+   NOT-FOR-US: nature fitness saijo mini-app on Line
 CVE-2024-23905 (Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier 
programm ...)
NOT-FOR-US: Jenkins plugin
 CVE-2024-23904 (Jenkins Log Command Plugin 1.0.2 and earlier does not disable 
a featur ...)
@@ -40468,7 +40468,7 @@ CVE-2012-10014 (A vulnerability classified as 
problematic has been found in Kau-
 CVE-2012-10013 (A vulnerability was found in Kau-Boy Backend Localization 
Plugin up to ...)
NOT-FOR-US: WordPress plugin
 CVE-2023-31037 (NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a 
vulnerability in ...)
-   TODO: check
+   NOT-FOR-US: NVIDIA
 CVE-2023-31036 (NVIDIA Triton Inference Server for Linux and Windows contains 
a vulner ...)
NOT-FOR-US: NVIDIA Triton Inference Server for Linux and Windows
 CVE-2023-31035 (NVIDIA DGX A100 SBIOS contains a vulnerability where an 
attacker may c ...)
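Review bot: the NOT-FOR-US annotation on CVE-2023-31037 is just `NVIDIA`, whereas the neighbouring CVE-2023-31036 context line names the product (`NOT-FOR-US: NVIDIA Triton Inference Server for Linux and Windows`); naming the affected component here too, e.g. `NOT-FOR-US: NVIDIA Bluefield 2 and Bluefield 3 DPU BMC`, keeps the list consistent and makes later searches for the product useful.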
@@ -164407,17 +164407,17 @@ CVE-2021-42148
 CVE-2021-3877
REJECTED
 CVE-2021-42147 (Buffer over-read vulnerability in the dtls_sha256_update 
function in C ...)
-   TODO: check
+   NOT-FOR-US: Contiki-NG tinyDTLS
 CVE-2021-42146 (An issue was discovered in Contiki-NG tinyDTLS through master 
branch 5 ...)
-   TODO: check
+   NOT-FOR-US: Contiki-NG tinyDTLS
 CVE-2021-42145 (An assertion failure discovered in in 
check_certificate_request() in C ...)
-   TODO: check
+   NOT-FOR-US: Contiki-NG tinyDTLS
 CVE-2021-42144 (Buffer over-read vulnerability in Contiki-NG 
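Review bot: the hunk header announces 17 lines on each side, but the message is cut off right after the CVE-2021-42144 description on the last line, so the change to the fourth tinyDTLS entry is not visible for review; confirm it received the same `NOT-FOR-US: Contiki-NG tinyDTLS` treatment as CVE-2021-42147, CVE-2021-42146 and CVE-2021-42145 above it.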

[Git][security-tracker-team/security-tracker][master] Reserve DLA-3717-1 for zabbix

2024-01-24 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7eaa9a46 by Tobias Frost at 2024-01-24T22:06:55+01:00
Reserve DLA-3717-1 for zabbix

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[24 Jan 2024] DLA-3717-1 zabbix - security update
+   {CVE-2023-32721 CVE-2023-32723 CVE-2023-32726}
+   [buster] - zabbix 1:4.0.4+dfsg-1+deb10u4
 [23 Jan 2024] DLA-3716-1 ruby-httparty - security update
{CVE-2024-22049}
[buster] - ruby-httparty 0.16.2+dfsg1-3+deb10u1


=
data/dla-needed.txt
=
@@ -310,9 +310,6 @@ wireshark
 xorg-server (Markus Koschany)
   NOTE: 20240117: Added by Front-Desk (lamby)
 --
-zabbix (tobi)
-  NOTE: 20231015: Added by Front-Desk (ta)
---
 zfs-linux (Utkarsh)
   NOTE: 20231127: Added by Front-Desk (Beuc)
   NOTE: 20240801: the fix for other CVE wasn't obvious but about to be ready; 
D/ELA to be out soon. (utkarsh)
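Review bot: unrelated to the zabbix removal itself, the retained zfs-linux context line `NOTE: 20240801: ...` carries a date seven months after this commit (2024-01-24) and after the `20231127` note directly above it, so it is presumably a mistyped date; worth correcting in a follow-up so the history of that entry reads in order.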



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7eaa9a46676b26bec145429e8fb1437060cfa791



[Git][security-tracker-team/security-tracker][master] Add set of CVEs for mathtex

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62c56510 by Salvatore Bonaccorso at 2024-01-24T22:03:18+01:00
Add set of CVEs for mathtex

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -51,17 +51,23 @@ CVE-2023-52039 (An issue discovered in TOTOLINK X6000R 
v9.4.0cu.852_B20230719 al
 CVE-2023-52038 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
NOT-FOR-US: TOTOLINK
 CVE-2023-51890 (An infinite loop issue discovered in Mathtex 1.05 and before 
allows a  ...)
-   TODO: check
+   - mathtex 
+   NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51889 (Stack Overflow vulnerability in the validate() function in 
Mathtex v.1 ...)
-   TODO: check
+   - mathtex 
+   NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51888 (Buffer Overflow vulnerability in the nomath() function in 
Mathtex v.1. ...)
-   TODO: check
+   - mathtex 
+   NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51887 (Command Injection vulnerability in Mathtex v.1.05 and before 
allows a  ...)
-   TODO: check
+   - mathtex 
+   NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51886 (Buffer Overflow vulnerability in the main() function in 
Mathtex 1.05 a ...)
-   TODO: check
+   - mathtex 
+   NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51885 (Buffer Overflow vulnerability in Mathtex v.1.05 and before 
allows a re ...)
-   TODO: check
+   - mathtex 
+   NOTE: https://blog.yulun.ac.cn/posts/2023/fuzzing-mathtex/
 CVE-2023-51702 (Since version 5.2.0, when using deferrable mode with the path 
of a Kub ...)
TODO: check
 CVE-2023-50944 (Apache Airflow, versions before 2.8.1, have a vulnerability 
that allow ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62c5651087b601b3f3eef4ed43d4fb07708f226d



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-22720/kanboard

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0ee1caf3 by Salvatore Bonaccorso at 2024-01-24T21:29:38+01:00
Add CVE-2024-22720/kanboard

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -12,7 +12,8 @@ CVE-2024-22725 (Orthanc versions before 1.12.2 are affected 
by a reflected cross
- orthanc 1.12.2+dfsg-1
NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/505416b269a0
 CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group 
managemen ...)
-   TODO: check
+   - kanboard 
+   NOTE: 
https://cupc4k3.medium.com/html-injection-vulnerability-in-kanboard-group-management-d9fe5154bb1b
 CVE-2024-22651 (There is a command injection vulnerability in the ssdpcgi_main 
functio ...)
NOT-FOR-US: D-Link
 CVE-2024-22309 (Deserialization of Untrusted Data vulnerability in 
QuantumCloud ChatBo ...)
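Review bot: `- kanboard ` on CVE-2024-22720 has no fixed version and no bug number, unlike the orthanc entry right above it in the same hunk (`- orthanc 1.12.2+dfsg-1` with an upstream changeset NOTE); the only reference is a Medium write-up, so the entry does not say whether an upstream fix exists or a bug has been filed. Consider adding either as soon as it is known.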



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0ee1caf3ce7b78c98323983526f07c2c67b4307e



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6355f5a by Salvatore Bonaccorso at 2024-01-24T21:28:40+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,9 +1,9 @@
 CVE-2024-23649 (Lemmy is a link aggregator and forum for the fediverse. 
Starting in ve ...)
TODO: check
 CVE-2024-23648 (Pimcore's Admin Classic Bundle provides a backend user 
interface for P ...)
-   TODO: check
+   NOT-FOR-US: Pimcore's Admin Classic Bundle
 CVE-2024-23646 (Pimcore's Admin Classic Bundle provides a backend user 
interface for P ...)
-   TODO: check
+   NOT-FOR-US: Pimcore's Admin Classic Bundle
 CVE-2024-23644 (Trillium is a composable toolkit for building internet 
applications wi ...)
TODO: check
 CVE-2024-23641 (SvelteKit is a web development kit. In SvelteKit 2, sending a 
GET requ ...)
@@ -14,41 +14,41 @@ CVE-2024-22725 (Orthanc versions before 1.12.2 are affected 
by a reflected cross
 CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group 
managemen ...)
TODO: check
 CVE-2024-22651 (There is a command injection vulnerability in the ssdpcgi_main 
functio ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-22309 (Deserialization of Untrusted Data vulnerability in 
QuantumCloud ChatBo ...)
-   TODO: check
+   NOT-FOR-US: QuantumCloud ChatBot with AI
 CVE-2024-22308 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability in s ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22301 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22294 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22284 (Deserialization of Untrusted Data vulnerability in Thomas 
Belser Asgar ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-9 (Dell Unity, versions prior to 5.4, contain a vulnerability 
whereby log ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2024-22154 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22152 (Unrestricted Upload of File with Dangerous Type vulnerability 
in WebTo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22141 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22135 (Unrestricted Upload of File with Dangerous Type vulnerability 
in WebTo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-22134 (Server-Side Request Forgery (SSRF) vulnerability in Renzo 
Johnson Cont ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-0854 (URL redirection to untrusted site ('Open Redirect') 
vulnerability in f ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2023-6697 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52221 (Unrestricted Upload of File with Dangerous Type vulnerability 
in UkrSo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-52040 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-52039 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-52038 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-51890 (An infinite loop issue discovered in Mathtex 1.05 and before 
allows a  ...)
TODO: check
 CVE-2023-51889 (Stack Overflow vulnerability in the validate() function in 
Mathtex v.1 ...)
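Review bot: the Dell Unity entry being marked `NOT-FOR-US: Dell` is keyed as `CVE-2024-9`, which is not a well-formed CVE identifier (every surrounding entry uses the CVE-YYYY-NNNNN form); verify the id against the source record before closing the entry, otherwise the NFU marker lands on an identifier that no feed will ever match.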



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6355f5a3f8a1f2c5cd85a954c78dd737155c384



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-22725/orthanc

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ea4266a by Salvatore Bonaccorso at 2024-01-24T21:26:38+01:00
Add CVE-2024-22725/orthanc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,7 +9,8 @@ CVE-2024-23644 (Trillium is a composable toolkit for building 
internet applicati
 CVE-2024-23641 (SvelteKit is a web development kit. In SvelteKit 2, sending a 
GET requ ...)
TODO: check
 CVE-2024-22725 (Orthanc versions before 1.12.2 are affected by a reflected 
cross-site  ...)
-   TODO: check
+   - orthanc 1.12.2+dfsg-1
+   NOTE: https://orthanc.uclouvain.be/hg/orthanc/rev/505416b269a0
 CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group 
managemen ...)
TODO: check
 CVE-2024-22651 (There is a command injection vulnerability in the ssdpcgi_main 
functio ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ea4266a5b19230459e5f87c98409e94738ab26b



[Git][security-tracker-team/security-tracker][master] automatic update

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93962be7 by security tracker role at 2024-01-24T20:12:18+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,20 +1,118 @@
-CVE-2024-23905
+CVE-2024-23649 (Lemmy is a link aggregator and forum for the fediverse. 
Starting in ve ...)
+   TODO: check
+CVE-2024-23648 (Pimcore's Admin Classic Bundle provides a backend user 
interface for P ...)
+   TODO: check
+CVE-2024-23646 (Pimcore's Admin Classic Bundle provides a backend user 
interface for P ...)
+   TODO: check
+CVE-2024-23644 (Trillium is a composable toolkit for building internet 
applications wi ...)
+   TODO: check
+CVE-2024-23641 (SvelteKit is a web development kit. In SvelteKit 2, sending a 
GET requ ...)
+   TODO: check
+CVE-2024-22725 (Orthanc versions before 1.12.2 are affected by a reflected 
cross-site  ...)
+   TODO: check
+CVE-2024-22720 (Kanboard 1.2.34 is vulnerable to Html Injection in the group 
managemen ...)
+   TODO: check
+CVE-2024-22651 (There is a command injection vulnerability in the ssdpcgi_main 
functio ...)
+   TODO: check
+CVE-2024-22309 (Deserialization of Untrusted Data vulnerability in 
QuantumCloud ChatBo ...)
+   TODO: check
+CVE-2024-22308 (URL Redirection to Untrusted Site ('Open Redirect') 
vulnerability in s ...)
+   TODO: check
+CVE-2024-22301 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2024-22294 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2024-22284 (Deserialization of Untrusted Data vulnerability in Thomas 
Belser Asgar ...)
+   TODO: check
+CVE-2024-9 (Dell Unity, versions prior to 5.4, contain a vulnerability 
whereby log ...)
+   TODO: check
+CVE-2024-22154 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2024-22152 (Unrestricted Upload of File with Dangerous Type vulnerability 
in WebTo ...)
+   TODO: check
+CVE-2024-22141 (Exposure of Sensitive Information to an Unauthorized Actor 
vulnerabili ...)
+   TODO: check
+CVE-2024-22135 (Unrestricted Upload of File with Dangerous Type vulnerability 
in WebTo ...)
+   TODO: check
+CVE-2024-22134 (Server-Side Request Forgery (SSRF) vulnerability in Renzo 
Johnson Cont ...)
+   TODO: check
+CVE-2024-0854 (URL redirection to untrusted site ('Open Redirect') 
vulnerability in f ...)
+   TODO: check
+CVE-2023-6697 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
+   TODO: check
+CVE-2023-52221 (Unrestricted Upload of File with Dangerous Type vulnerability 
in UkrSo ...)
+   TODO: check
+CVE-2023-52040 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
+   TODO: check
+CVE-2023-52039 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
+   TODO: check
+CVE-2023-52038 (An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 
allows a ...)
+   TODO: check
+CVE-2023-51890 (An infinite loop issue discovered in Mathtex 1.05 and before 
allows a  ...)
+   TODO: check
+CVE-2023-51889 (Stack Overflow vulnerability in the validate() function in 
Mathtex v.1 ...)
+   TODO: check
+CVE-2023-51888 (Buffer Overflow vulnerability in the nomath() function in 
Mathtex v.1. ...)
+   TODO: check
+CVE-2023-51887 (Command Injection vulnerability in Mathtex v.1.05 and before 
allows a  ...)
+   TODO: check
+CVE-2023-51886 (Buffer Overflow vulnerability in the main() function in 
Mathtex 1.05 a ...)
+   TODO: check
+CVE-2023-51885 (Buffer Overflow vulnerability in Mathtex v.1.05 and before 
allows a re ...)
+   TODO: check
+CVE-2023-51702 (Since version 5.2.0, when using deferrable mode with the path 
of a Kub ...)
+   TODO: check
+CVE-2023-50944 (Apache Airflow, versions before 2.8.1, have a vulnerability 
that allow ...)
+   TODO: check
+CVE-2023-50943 (Apache Airflow, versions before 2.8.1, have a vulnerability 
that allow ...)
+   TODO: check
+CVE-2023-44281 (Dell Pair Installer version prior to 1.2.1 contains an 
elevation of pr ...)
+   TODO: check
+CVE-2023-44001 (An issue in Ailand clinic mini-app on Line v13.6.1 allows 
attackers to ...)
+   TODO: check
+CVE-2023-44000 (An issue in Otakara lapis totuka mini-app on Line v13.6.1 
allows attac ...)
+   TODO: check
+CVE-2023-43999 (An issue in COLORFUL_laundry mini-app on Line v13.6.1 allows 
attackers ...)
+   TODO: check
+CVE-2023-43998 (An issue in Books-futaba mini-app on Line v13.6.1 allows 
attackers to  ...)
+   TODO: check
+CVE-2023-43997 (An issue in Yoruichi hobby base mini-app on Line v13.6.1 
allows attack ...)
+   TODO: check
+CVE-2023-43996 (An issue in Q co ltd mini-app on Line v13.6.1 allows 
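Review bot: the hunk header promises 118 new lines but the message is cut off mid-description at CVE-2023-43996, and the automatically imported `CVE-2024-9 (Dell Unity ...)` entry does not follow the CVE-YYYY-NNNNN format used by every other imported id in this hunk; either the upstream record or the import step appears to have mangled that identifier, which is worth checking before the entry is triaged.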

[Git][security-tracker-team/security-tracker][master] CVE-2023-51764: Add note about fixes for older releases

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a84b3b03 by Salvatore Bonaccorso at 2024-01-24T20:59:23+01:00
CVE-2023-51764: Add note about fixes for older releases

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5458,6 +5458,7 @@ CVE-2023-51764 (Postfix through 3.8.5 allows SMTP 
smuggling unless configured wi
NOTE: Long-term fix with new (optional) feature that is disabled by 
default:
NOTE: New setting: smtpd_forbid_bare_newline = yes
NOTE: https://www.openwall.com/lists/oss-security/2023/12/22/3
+   NOTE: Fixes for older releases: 
https://www.postfix.org/smtp-smuggling.html#back-ports
 CVE-2023-51763 (csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 
allows C ...)
NOT-FOR-US: ActiveAdmin (aka Active Admin)
 CVE-2023-7090 (A flaw was found in sudo in the handling of ipa_hostname, where 
ipa_ho ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a84b3b037d2a137b2a2982a6b7e48baaa6fa9304



[Git][security-tracker-team/security-tracker][master] Add additional reference for CVE-2024-23638 and upstream tag

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68d8642c by Salvatore Bonaccorso at 2024-01-24T20:56:18+01:00
Add additional reference for CVE-2024-23638 and upstream tag

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,8 @@ CVE-2024- [RUSTSEC-2024-0006]
 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired 
pointer refere ...)
- squid 6.6-1
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx
-   NOTE: 
https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b
+   NOTE: 
https://megamansec.github.io/Squid-Security-Audit/stream-assert.html
+   NOTE: 
https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b
 (SQUID_6_6)
NOTE: http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch
NOTE: http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch
 CVE-2024-23633 (Label Studio, an open source data labeling tool had a remote 
import fe ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68d8642c0bd874282da99f05fc7b54b1b5d34f17



[Git][security-tracker-team/security-tracker][master] Re-associate two CVEs with label-studio, itp'ed

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b1a5a86 by Salvatore Bonaccorso at 2024-01-24T20:38:22+01:00
Re-associate two CVEs with label-studio, itped

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13273,7 +13273,7 @@ CVE-2023-47609 (SQL injection vulnerability in OSS 
Calendar versions prior to v.
 CVE-2023-47346 (Buffer Overflow vulnerability in free5gc 3.3.0, UPF 1.2.0, and 
SMF 1.2 ...)
NOT-FOR-US: free5GC
 CVE-2023-47117 (Label Studio is an open source data labeling tool. In all 
current vers ...)
-   NOT-FOR-US: Label Studio
+   - label-studio  (bug #1026232)
 CVE-2023-46446 (An issue in AsyncSSH before 2.14.1 allows attackers to control 
the rem ...)
- python-asyncssh  (bug #1055999)
[bookworm] - python-asyncssh  (Minor issue)
@@ -13716,7 +13716,7 @@ CVE-2023-45885 (Cross Site Scripting (XSS) 
vulnerability in NASA Open MCT (aka o
 CVE-2023-45884 (Cross Site Request Forgery (CSRF) vulnerability in NASA Open 
MCT (aka  ...)
NOT-FOR-US: NASA Open MCT (aka openmct)
 CVE-2023-43791 (Label Studio is a multi-type data labeling and annotation tool 
with st ...)
-   NOT-FOR-US: HumanSignal Label Studio
+   - label-studio  (bug #1026232)
 CVE-2023-41138 (The AppsAnywhere macOS client-privileged helper can be tricked 
into ex ...)
NOT-FOR-US: AppsAnywhere macOS client-privileged helper
 CVE-2023-41137 (Symmetric encryption used to protect messages between the 
AppsAnywhere ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b1a5a86b4542f0a3018263da19d566123b8424f



[Git][security-tracker-team/security-tracker][master] firefox, thunderbird DSAs

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
983ea4c0 by Moritz Mühlenhoff at 2024-01-24T19:27:02+01:00
firefox, thunderbird DSAs

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,11 @@
+[24 Jan 2024] DSA-5606-1 firefox-esr - security update
+   {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 
CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755}
+   [bullseye] - firefox-esr 115.7.0esr-1~deb11u1
+   [bookworm] - firefox-esr 115.7.0esr-1~deb12u1
+[24 Jan 2024] DSA-5605-1 thunderbird - security update
+   {CVE-2024-0741 CVE-2024-0742 CVE-2024-0746 CVE-2024-0747 CVE-2024-0749 
CVE-2024-0750 CVE-2024-0751 CVE-2024-0753 CVE-2024-0755}
+   [bullseye] - thunderbird 1:115.7.0-1~deb11u1
+   [bookworm] - thunderbird 1:115.7.0-1~deb12u1
 [23 Jan 2024] DSA-5604-1 openjdk-11 - security update
{CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 
CVE-2024-20945 CVE-2024-20952}
[bullseye] - openjdk-11 11.0.22+7-1~deb11u1


=
data/dsa-needed.txt
=
@@ -22,8 +22,6 @@ cryptojs
 --
 dnsdist (jmm)
 --
-firefox-esr (jmm)
---
 frr
 --
 gpac/oldstable
@@ -93,8 +91,6 @@ slurm-wlm
 --
 squid (apo)
 --
-thunderbird (jmm)
---
 varnish
 --
 zbar (carnil)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/983ea4c0019cdb288d98712145f5ae1a58b20c98



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa2b738a by Moritz Muehlenhoff at 2024-01-24T16:42:57+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,21 @@
+CVE-2024-23905
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23904
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23903
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23902
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23901
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23900
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23899
+   NOT-FOR-US: Jenkins plugin
+CVE-2024-23898
+   - jenkins 
+CVE-2024-23897
+   - jenkins 
 CVE-2024- [RUSTSEC-2024-0006]
- rust-shlex 1.3.0-1
NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html
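Review bot: CVE-2024-23898 and CVE-2024-23897 are mapped to `- jenkins ` with no fixed version and, unlike the rust-shlex entry directly below (which carries two NOTE references) or the other package entries in these commits, no advisory or fix reference at all; adding the upstream advisory as a NOTE and, if the package is unfixed, a bug number would make the two entries actionable.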



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa2b738aa3a5d8701bfe0ceb684580f6efe0d392



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim pillow.

2024-01-24 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
4b58cf5e by Chris Lamb at 2024-01-24T07:08:36-08:00
data/dla-needed.txt: Claim pillow.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -189,7 +189,7 @@ php-phpseclib (guilhem)
 phpseclib (guilhem)
   NOTE: 20240114: Added by Front-Desk (apo)
 --
-pillow
+pillow (Chris Lamb)
   NOTE: 20240121: Added by Front-Desk (apo)
 --
 putty



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b58cf5e51e22fded557e28a2c0e86bc222f2a4e



[Git][security-tracker-team/security-tracker][master] new rust-shlex issue

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2864c57c by Moritz Muehlenhoff at 2024-01-24T15:17:12+01:00
new rust-shlex issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024- [RUSTSEC-2024-0006]
+   - rust-shlex 1.3.0-1
+   NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0006.html
+   NOTE: 
https://github.com/comex/rust-shlex/security/advisories/GHSA-r7qv-8r2h-pg27
 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired 
pointer refere ...)
- squid 6.6-1
NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2864c57cec253fa223f60ee2c45b4d5addc24172



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
72045b20 by Moritz Muehlenhoff at 2024-01-24T14:26:35+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -117,7 +117,7 @@ CVE-2023-35836 (An issue was discovered in SolaX Pocket 
WiFi 3 through 3.001.02.
 CVE-2023-35835 (An issue was discovered in SolaX Pocket WiFi 3 through 
3.001.02. The d ...)
NOT-FOR-US: SolaX Pocket WiFi
 CVE-2023-31654 (Redis raft master-1b8bd86 to master-7b46079 was discovered to 
contain  ...)
-   TODO: check
+   NOT-FOR-US: redisraft
 CVE-2022-4964 (Ubuntu's pipewire-pulse in snap grants microphone access even 
when the ...)
NOT-FOR-US: Ubuntu snap pipewire-pulse
 CVE-2024-0814 (Incorrect security UI in Payments in Google Chrome prior to 
121.0.6167 ...)
@@ -568,7 +568,7 @@ CVE-2024-23686 (DependencyCheck for Maven 9.0.0 to 9.0.6, 
for CLI version 9.0.0
 CVE-2024-23685 (Hard-coded credentials in mod-remote-storage versions under 
1.7.2 and  ...)
NOT-FOR-US: mod-remote-storage
 CVE-2024-23684 (Inefficient algorithmic complexity in DecodeFromBytes function 
in com. ...)
-   TODO: check
+   NOT-FOR-US: Java CBOR library
 CVE-2024-23683 (Artemis Java Test Sandbox versions less than 1.7.6 are 
vulnerable to a ...)
NOT-FOR-US: Artemis Java Test Sandbox
 CVE-2024-23682 (Artemis Java Test Sandbox versions before 1.8.0 are vulnerable 
to a sa ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/72045b2054a8d0bed2f4f7442e5f2ad8306ceac8



[Git][security-tracker-team/security-tracker][master] mark four CVE assignments for ROS as bogus, reporter had sent broken ones...

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3f71f649 by Moritz Muehlenhoff at 2024-01-24T14:18:22+01:00
mark four CVE assignments for ROS as bogus, reporter had sent broken ones 
before (CVE-2023-33565 to CVE-2023-33567)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -55,13 +55,13 @@ CVE-2023-52090 (A security agent link following 
vulnerability in Trend Micro Ape
 CVE-2023-51711 (An issue was discovered in Regify Regipay Client for Windows 
version 4 ...)
NOT-FOR-US: Regify Regipay Client
 CVE-2023-51208 (An Arbitrary File Upload vulnerability in ROS2 Foxy Fitzroy 
ROS_VERSIO ...)
-   TODO: check
+   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2023-51201 (Cleartext Transmission issue in ROS2 (Robot Operating System 
2) Foxy F ...)
-   TODO: check
+   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2023-51200 (An issue in the default configurations of ROS2 Foxy Fitzroy 
ROS_VERSIO ...)
-   TODO: check
+   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2023-51199 (Buffer Overflow vulnerability in ROS2 Foxy Fitzroy 
ROS_VERSION=2 and R ...)
-   TODO: check
+   NOTE: Bogus report on ROS, lacks all details and apparently never 
reported either
 CVE-2023-47202 (A local file inclusion vulnerability on the Trend Micro Apex 
One manag ...)
NOT-FOR-US: Trend Micro
 CVE-2023-47201 (A plug-in manager origin validation vulnerability in the Trend 
Micro A ...)
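Review bot: the four ROS entries (CVE-2023-51208, CVE-2023-51201, CVE-2023-51200, CVE-2023-51199) now carry only a NOTE line and no resolution line, unlike the surrounding entries which record NOT-FOR-US or a package state; with just a NOTE the file does not say whether the tracker considers them closed. If the reports are bogus, consider adding the appropriate resolution marker next to the NOTE, and mentioning the earlier broken assignments (CVE-2023-33565 to CVE-2023-33567, cited in the commit message) in the NOTE so the next reader sees why they are dismissed.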



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f71f64914164a0b5ededba14cea4dc88b55d36f



[Git][security-tracker-team/security-tracker][master] new squid issue

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92894b8a by Moritz Muehlenhoff at 2024-01-24T13:57:25+01:00
new squid issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,9 @@
 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired 
pointer refere ...)
-   TODO: check
+   - squid 6.6-1
+   NOTE: 
https://github.com/squid-cache/squid/security/advisories/GHSA-j49p-553x-48rx
+   NOTE: 
https://github.com/squid-cache/squid/commit/290ae202883ac28a48867079c2fb34c40efd382b
+   NOTE: http://www.squid-cache.org/Versions/v5/SQUID-2023_11.patch
+   NOTE: http://www.squid-cache.org/Versions/v6/SQUID-2023_11.patch
 CVE-2024-23633 (Label Studio, an open source data labeling tool had a remote 
import fe ...)
- label-studio  (bug #1026232)
 CVE-2024-23453 (Android Spoon application version 7.11.1 to 8.6.0 uses 
hard-coded cred ...)
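Review bot: the squid entry gains a fixed version (6.6-1) and four upstream references but no [bookworm]/[bullseye] annotation, so the stable suites are implicitly left as affected and pending. Since both a v5 and a v6 upstream patch (SQUID-2023_11.patch) are linked, consider recording whether the stable packages are to be fixed via an update or deferred, with the usual parenthesised rationale, as the other entries in this file do.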



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92894b8a9d0a04284a3712e169b115d35df8a6c6



[Git][security-tracker-team/security-tracker][master] CVE-2023-4969/firmware-nonfree: buster postponed

2024-01-24 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
006a456c by Sylvain Beucler at 2024-01-24T13:33:46+01:00
CVE-2023-4969/firmware-nonfree: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1506,6 +1506,7 @@ CVE-2023-4969 (A GPU kernel can read sensitive data from 
another GPU kernel (eve
- firmware-nonfree 
[bookworm] - firmware-nonfree  (Minor issue, revisit when 
updates are available)
[bullseye] - firmware-nonfree  (Non-free not supported)
+   [buster] - firmware-nonfree  (Minor issue, revisit when 
updates are available)
NOTE: 
https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/
NOTE: 
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html
 CVE-2023-4797 (The Newsletters WordPress plugin before 4.9.3 does not properly 
escape ...)
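Review bot: the new [buster] line reuses the bookworm rationale "Minor issue, revisit when updates are available", while the [bullseye] line directly above records "Non-free not supported"; the two suites therefore give different reasons for the same package, and a reader cannot tell whether buster handles non-free firmware updates differently or whether the bullseye rationale should apply there as well. Consider aligning the rationale or stating in the buster entry why its handling differs from bullseye.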



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/006a456c7811d95c691fb697c0b1aec1bd8c7237



[Git][security-tracker-team/security-tracker][master] NFUs

2024-01-24 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0d22978d by Moritz Muehlenhoff at 2024-01-24T13:16:31+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,55 +1,55 @@
 CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired 
pointer refere ...)
TODO: check
 CVE-2024-23633 (Label Studio, an open source data labeling tool had a remote 
import fe ...)
-   TODO: check
+   - label-studio  (bug #1026232)
 CVE-2024-23453 (Android Spoon application version 7.11.1 to 8.6.0 uses 
hard-coded cred ...)
-   TODO: check
+   NOT-FOR-US: Android Spoon
 CVE-2024-22380 (Electronic Delivery Check System (Ministry of Agriculture, 
Forestry an ...)
-   TODO: check
+   NOT-FOR-US: Electronic Delivery Check System
 CVE-2024-22372 (OS command injection vulnerability in ELECOM wireless LAN 
routers allo ...)
-   TODO: check
+   NOT-FOR-US: ELECOM
 CVE-2024-22366 (Active debug code exists in Yamaha wireless LAN access point 
devices.  ...)
-   TODO: check
+   NOT-FOR-US: Yamaha
 CVE-2024-21796 (Electronic Deliverables Creation Support Tool (Construction 
Edition) p ...)
-   TODO: check
+   NOT-FOR-US: Electronic Deliverables Creation Support Tool
 CVE-2024-21765 (Electronic Delivery Check System (Doboku) Ver.18.1.0 and 
earlier, Elec ...)
-   TODO: check
+   NOT-FOR-US: Electronic Delivery Check System
 CVE-2024-0665 (The WP Customer Area plugin for WordPress is vulnerable to 
Reflected C ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-7237 (Lantronix XPort sends weakly encoded credentials within web 
request he ...)
-   TODO: check
+   NOT-FOR-US: Lantronix
 CVE-2023-52338 (A link following vulnerability in the Trend Micro Deep 
Security 20.0 a ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52337 (An improper access control vulnerability in Trend Micro Deep 
Security  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52331 (A post-authenticated server-side request forgery (SSRF) 
vulnerability  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52330 (A cross-site scripting vulnerability in Trend Micro Apex 
Central could ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52329 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52328 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52327 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52326 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52325 (A local file inclusion vulnerability in one of Trend Micro 
Apex Centra ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52324 (An unrestricted file upload vulnerability in Trend Micro Apex 
Central  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52094 (An updater link following vulnerability in the Trend Micro 
Apex One ag ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52093 (An exposed dangerous function vulnerability in the Trend Micro 
Apex On ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52092 (A security agent link following vulnerability in Trend Micro 
Apex One  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52091 (An anti-spyware engine link following vulnerability in Trend 
Micro Ape ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-52090 (A security agent link following vulnerability in Trend Micro 
Apex One  ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-51711 (An issue was discovered in Regify Regipay Client for Windows 
version 4 ...)
-   TODO: check
+   NOT-FOR-US: Regify Regipay Client
 CVE-2023-51208 (An Arbitrary File Upload vulnerability in ROS2 Foxy Fitzroy 
ROS_VERSIO ...)
TODO: check
 CVE-2023-51201 (Cleartext Transmission issue in ROS2 (Robot Operating System 
2) Foxy F ...)
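Review bot: "NOT-FOR-US: WordPress plugin" on CVE-2024-0665 is less specific than the rest of this hunk, which names the affected product ("NOT-FOR-US: Android Spoon", "NOT-FOR-US: Lantronix", "NOT-FOR-US: Regify Regipay Client"); the description already identifies the plugin as WP Customer Area, so naming it in the entry would keep later re-checks unambiguous. Leaving the ROS entries (CVE-2023-51208 onwards) at "TODO: check" rather than bulk-marking them is consistent with their being handled separately.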
@@ -59,63 +59,63 @@ CVE-2023-51200 (An issue in the default configurations of 
ROS2 Foxy Fitzroy ROS_
 CVE-2023-51199 (Buffer Overflow vulnerability in ROS2 Foxy Fitzroy 
ROS_VERSION=2 and R ...)
TODO: check
 CVE-2023-47202 (A local file inclusion vulnerability on the Trend Micro Apex 
One manag ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-47201 (A plug-in manager origin validation vulnerability in the Trend 
Micro A ...)
-   TODO: check
+   NOT-FOR-US: Trend Micro
 CVE-2023-47200 (A plug-in manager origin validation vulnerability in the Trend 
Micro A ...)
-

[Git][security-tracker-team/security-tracker][master] CVE-2023-6693/qemu: buster not-affected

2024-01-24 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67c1cf09 by Sylvain Beucler at 2024-01-24T12:40:17+01:00
CVE-2023-6693/qemu: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4332,6 +4332,7 @@ CVE-2023-6693 (A stack based buffer overflow was found in 
the virtio-net device
- qemu 1:8.2.0+ds-3
[bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Minor issue)
+   [buster] - qemu  (Vulnerable code introduced later)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254580
NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/e22f0603fb2fc274920a9e3a1d1306260b9a4cc4
 (v5.1.0-rc0)
NOTE: 
https://lists.nongnu.org/archive/html/qemu-devel/2024-01/msg00045.html
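Review bot: the [buster] not-affected rationale "Vulnerable code introduced later" is supported by the "Introduced by" NOTE pointing at upstream commit e22f0603 (v5.1.0-rc0), but the rationale itself does not name that version; stating it inline, e.g. "(Vulnerable code introduced in v5.1.0-rc0)", lets a reader verify the claim against the buster qemu version without following the link.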



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/67c1cf09ee66f8ad448d02b2a05a007b5c85c76a



[Git][security-tracker-team/security-tracker][master] automatic update

2024-01-24 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c53d282a by security tracker role at 2024-01-24T08:11:40+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,34 +1,152 @@
-CVE-2024-0814
+CVE-2024-23638 (Squid is a caching proxy for the Web. Due to an expired 
pointer refere ...)
+   TODO: check
+CVE-2024-23633 (Label Studio, an open source data labeling tool had a remote 
import fe ...)
+   TODO: check
+CVE-2024-23453 (Android Spoon application version 7.11.1 to 8.6.0 uses 
hard-coded cred ...)
+   TODO: check
+CVE-2024-22380 (Electronic Delivery Check System (Ministry of Agriculture, 
Forestry an ...)
+   TODO: check
+CVE-2024-22372 (OS command injection vulnerability in ELECOM wireless LAN 
routers allo ...)
+   TODO: check
+CVE-2024-22366 (Active debug code exists in Yamaha wireless LAN access point 
devices.  ...)
+   TODO: check
+CVE-2024-21796 (Electronic Deliverables Creation Support Tool (Construction 
Edition) p ...)
+   TODO: check
+CVE-2024-21765 (Electronic Delivery Check System (Doboku) Ver.18.1.0 and 
earlier, Elec ...)
+   TODO: check
+CVE-2024-0665 (The WP Customer Area plugin for WordPress is vulnerable to 
Reflected C ...)
+   TODO: check
+CVE-2023-7237 (Lantronix XPort sends weakly encoded credentials within web 
request he ...)
+   TODO: check
+CVE-2023-52338 (A link following vulnerability in the Trend Micro Deep 
Security 20.0 a ...)
+   TODO: check
+CVE-2023-52337 (An improper access control vulnerability in Trend Micro Deep 
Security  ...)
+   TODO: check
+CVE-2023-52331 (A post-authenticated server-side request forgery (SSRF) 
vulnerability  ...)
+   TODO: check
+CVE-2023-52330 (A cross-site scripting vulnerability in Trend Micro Apex 
Central could ...)
+   TODO: check
+CVE-2023-52329 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
+   TODO: check
+CVE-2023-52328 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
+   TODO: check
+CVE-2023-52327 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
+   TODO: check
+CVE-2023-52326 (Certain dashboard widgets on Trend Micro Apex Central 
(on-premise) are ...)
+   TODO: check
+CVE-2023-52325 (A local file inclusion vulnerability in one of Trend Micro 
Apex Centra ...)
+   TODO: check
+CVE-2023-52324 (An unrestricted file upload vulnerability in Trend Micro Apex 
Central  ...)
+   TODO: check
+CVE-2023-52094 (An updater link following vulnerability in the Trend Micro 
Apex One ag ...)
+   TODO: check
+CVE-2023-52093 (An exposed dangerous function vulnerability in the Trend Micro 
Apex On ...)
+   TODO: check
+CVE-2023-52092 (A security agent link following vulnerability in Trend Micro 
Apex One  ...)
+   TODO: check
+CVE-2023-52091 (An anti-spyware engine link following vulnerability in Trend 
Micro Ape ...)
+   TODO: check
+CVE-2023-52090 (A security agent link following vulnerability in Trend Micro 
Apex One  ...)
+   TODO: check
+CVE-2023-51711 (An issue was discovered in Regify Regipay Client for Windows 
version 4 ...)
+   TODO: check
+CVE-2023-51208 (An Arbitrary File Upload vulnerability in ROS2 Foxy Fitzroy 
ROS_VERSIO ...)
+   TODO: check
+CVE-2023-51201 (Cleartext Transmission issue in ROS2 (Robot Operating System 
2) Foxy F ...)
+   TODO: check
+CVE-2023-51200 (An issue in the default configurations of ROS2 Foxy Fitzroy 
ROS_VERSIO ...)
+   TODO: check
+CVE-2023-51199 (Buffer Overflow vulnerability in ROS2 Foxy Fitzroy 
ROS_VERSION=2 and R ...)
+   TODO: check
+CVE-2023-47202 (A local file inclusion vulnerability on the Trend Micro Apex 
One manag ...)
+   TODO: check
+CVE-2023-47201 (A plug-in manager origin validation vulnerability in the Trend 
Micro A ...)
+   TODO: check
+CVE-2023-47200 (A plug-in manager origin validation vulnerability in the Trend 
Micro A ...)
+   TODO: check
+CVE-2023-47199 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47198 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47197 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47196 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47195 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47194 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47193 (An origin validation vulnerability in the Trend Micro Apex One 
securit ...)
+   TODO: check
+CVE-2023-47192 (An agent link vulnerability in the Trend Micro Apex One