Bug#1074234: scikit-learn: CVE-2024-5206

2024-06-24 Thread Moritz Mühlenhoff
Source: scikit-learn
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for scikit-learn.

CVE-2024-5206[0]:
| A sensitive data leakage vulnerability was identified in scikit-
| learn's TfidfVectorizer, specifically in versions up to and
| including 1.4.1.post1, which was fixed in version 1.5.0. The
| vulnerability arises from the unexpected storage of all tokens
| present in the training data within the `stop_words_` attribute,
| rather than only storing the subset of tokens required for the TF-
| IDF technique to function. This behavior leads to the potential
| leakage of sensitive information, as the `stop_words_` attribute
| could contain tokens that were meant to be discarded and not stored,
| such as passwords or keys. The impact of this vulnerability varies
| based on the nature of the data being processed by the vectorizer.

https://huntr.com/bounties/14bc0917-a85b-4106-a170-d09d5191517c
https://github.com/scikit-learn/scikit-learn/commit/70ca21f106b603b611da73012c9ade7cd8e438b8 (1.5.0rc1)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-5206
https://www.cve.org/CVERecord?id=CVE-2024-5206

Please adjust the affected versions in the BTS as needed.



Bug#1074235: cvc5: CVE-2024-37794 CVE-2024-37795

2024-06-24 Thread Moritz Mühlenhoff
Source: cvc5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for cvc5.

CVE-2024-37794[0]:
| Improper input validation in CVC5 Solver v1.1.3 allows attackers to
| cause a Denial of Service (DoS) via a crafted SMT2 input file.

CVE-2024-37795[1]:
| A segmentation fault in CVC5 Solver v1.1.3 allows attackers to cause
| a Denial of Service (DoS) via a crafted SMT-LIB input file
| containing the `set-logic` command with specific formatting errors.


https://github.com/cvc5/cvc5/issues/10813

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37794
https://www.cve.org/CVERecord?id=CVE-2024-37794
[1] https://security-tracker.debian.org/tracker/CVE-2024-37795
https://www.cve.org/CVERecord?id=CVE-2024-37795

Please adjust the affected versions in the BTS as needed.



Bug#1074233: slic3r-prusa: CVE-2024-24686 CVE-2024-24685 CVE-2024-24684 CVE-2024-24584 CVE-2024-24583 CVE-2024-23951 CVE-2024-23950 CVE-2024-23949 CVE-2024-23948 CVE-2024-23947 CVE-2024-22181 CVE-2023

2024-06-24 Thread Moritz Mühlenhoff
Source: slic3r-prusa
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libigl, which slic3r-prusa
embeds a copy of.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1928
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926
https://talosintelligence.com/vulnerability_reports/TALOS-2024-1930
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1879
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784

https://github.com/libigl/libigl/issues/2387

CVE-2024-24686[0]:
| Multiple stack-based buffer overflow vulnerabilities exist in the
| readOFF functionality of libigl v2.5.0. A specially crafted .off
| file can lead to stack-based buffer overflow. An attacker can
| provide a malicious file to trigger this vulnerability. This
| vulnerability concerns the parsing of comments within the faces
| section of an `.off` file processed via the `readOFF` function.


CVE-2024-24685[1]:
| Multiple stack-based buffer overflow vulnerabilities exist in the
| readOFF functionality of libigl v2.5.0. A specially crafted .off
| file can lead to stack-based buffer overflow. An attacker can
| provide a malicious file to trigger this vulnerability. This
| vulnerability concerns the parsing of comments within the vertex
| section of an `.off` file processed via the `readOFF` function.


CVE-2024-24684[2]:
| Multiple stack-based buffer overflow vulnerabilities exist in the
| readOFF functionality of libigl v2.5.0. A specially crafted .off
| file can lead to stack-based buffer overflow. An attacker can
| provide a malicious file to trigger this vulnerability. This
| vulnerability concerns the header parsing occurring while processing
| an `.off` file via the `readOFF` function. We can see above
| that at [0] a stack-based buffer called `comment` is defined with a
| hardcoded size of `1000 bytes`. The call to `fscanf` at [1] is
| unsafe and if the first line of the header of the `.off` files is
| longer than 1000 bytes it will overflow the `header` buffer.


CVE-2024-24584[3]:
| Multiple out-of-bounds read vulnerabilities exist in the readMSH
| functionality of libigl v2.5.0. A specially crafted .msh file can
| lead to an out-of-bounds read. An attacker can provide a malicious
| file to trigger this vulnerability. This vulnerability concerns
| the `readMSH` function while processing `MshLoader::ELEMENT_TET`
| elements.


CVE-2024-24583[4]:
| Multiple out-of-bounds read vulnerabilities exist in the readMSH
| functionality of libigl v2.5.0. A specially crafted .msh file can
| lead to an out-of-bounds read. An attacker can provide a malicious
| file to trigger this vulnerability. This vulnerability concerns
| the `readMSH` function while processing `MshLoader::ELEMENT_TRI`
| elements.


CVE-2024-23951[5]:
| Multiple improper array index validation vulnerabilities exist in
| the readMSH functionality of libigl v2.5.0. A specially crafted .msh
| file can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability. This vulnerability
| concerns the `igl::MshLoader::parse_element_field` function while
| handling an `ascii` `.msh` file.


CVE-2024-23950[6]:
| Multiple improper array index validation vulnerabilities exist in
| the readMSH functionality of libigl v2.5.0. A specially crafted .msh
| file can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability. This vulnerability
| concerns the `igl::MshLoader::parse_element_field` function while
| handling a `binary` `.msh` file.


CVE-2024-23949[7]:
| Multiple improper array index validation vulnerabilities exist in
| the readMSH functionality of libigl v2.5.0. A specially crafted .msh
| file can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability. This vulnerability
| concerns the `igl::MshLoader::parse_node_field` function while
| handling an `ascii` `.msh` file.


CVE-2024-23948[8]:
| Multiple improper array index validation vulnerabilities exist in
| the readMSH functionality of libigl v2.5.0. A specially crafted .msh
| file can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability. This vulnerability
| concerns the `igl::MshLoader::parse_nodes` function while handling
| an `ascii` `.msh` file.


CVE-2024-23947[9]:
| Multiple improper array index validation vulnerabilities exist in
| the readMSH functionality of libigl v2.5.0. A specially crafted .msh
| file can lead to an out-of-bounds write. An attacker can provide a
| malicious file to trigger this vulnerability. This vulnerability
| concerns the `igl::MshLoader::parse_nodes` function while handling a
| `binary` `.msh` file.


CVE-2024-22181[10]:
| An out-of-bounds write vulnerability exists in the readNODE
| functionality of libigl v2.5.0. A speciall
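
The CVE-2024-24684 text above pins the header overflow on an unbounded `fscanf` into a fixed 1000-byte stack buffer. The following is an added C illustration, not libigl's code: the status names, `HEADER_MAX`, the "ends in OFF" keyword check and the helper functions are assumptions made for the example, and `fmemopen` stands in for opening a real file. It reads the first line with a hard bound and refuses a file whose header line would not fit, instead of letting the line length decide how many bytes land on the stack:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed capacity the advisory text mentions for the stack buffer. */
#define HEADER_MAX 1000

typedef enum {
    HDR_OK = 0,        /* header line read and recognised */
    HDR_TOO_LONG = 1,  /* line does not fit in the buffer: rejected, not overflowed */
    HDR_EOF = 2,       /* nothing to read */
    HDR_BAD_MAGIC = 3  /* line read, but it is not an OFF header */
} hdr_status;

/* Reads the first line of an OFF-style file into header[cap].
 * fgets() never writes more than cap-1 bytes plus the NUL, so an over-long
 * first line cannot run past the buffer; instead we notice that the newline
 * was not reached and refuse the file. */
hdr_status read_off_header(FILE *f, char *header, size_t cap)
{
    if (cap < 2 || fgets(header, (int)cap, f) == NULL)
        return HDR_EOF;

    size_t len = strlen(header);
    if (len > 0 && header[len - 1] == '\n') {
        header[--len] = '\0';
        if (len > 0 && header[len - 1] == '\r')
            header[--len] = '\0';
    } else {
        /* Buffer filled without a newline. Peek one byte: if anything other
         * than the line terminator follows, the line was longer than cap-1. */
        int c = fgetc(f);
        if (c != EOF && c != '\n')
            return HDR_TOO_LONG;
    }

    /* OFF header keywords end in "OFF" (OFF, COFF, NOFF, ...); simplified check. */
    if (len < 3 || strcmp(header + len - 3, "OFF") != 0)
        return HDR_BAD_MAGIC;
    return HDR_OK;
}

/* Runs the reader over an in-memory string (POSIX fmemopen) as a stand-in
 * for a file on disk. */
hdr_status header_status(const char *text)
{
    char buf[HEADER_MAX];
    FILE *f = fmemopen((void *)text, strlen(text), "r");
    if (f == NULL)
        return HDR_EOF;
    hdr_status st = read_off_header(f, buf, sizeof buf);
    fclose(f);
    return st;
}

/* Constructed input: a first line of n 'A' characters plus a newline, to
 * probe the boundary around the 1000-byte capacity. */
hdr_status oversized_header_status(size_t n)
{
    char *line = malloc(n + 2);
    if (line == NULL)
        return HDR_EOF;
    memset(line, 'A', n);
    line[n] = '\n';
    line[n + 1] = '\0';
    hdr_status st = header_status(line);
    free(line);
    return st;
}

int main(void)
{
    printf("OFF header:           %d\n", header_status("OFF\n8 6 0\n"));
    printf("NOFF header:          %d\n", header_status("NOFF\n8 6 0\n"));
    printf("PLY header:           %d\n", header_status("PLY\n"));
    printf("999-byte first line:  %d\n", oversized_header_status(999));
    printf("1000-byte first line: %d\n", oversized_header_status(1000));
    return 0;
}
```

The point of the peek after `fgets()` is that a truncated read is treated as malformed input rather than silently accepted; a 999-byte line still fits and is judged on its content, a 1000-byte line is rejected before any later parsing sees it.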

Bug#1074236: node-ws: CVE-2024-37890

2024-06-24 Thread Moritz Mühlenhoff
Source: node-ws
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ws.

CVE-2024-37890[0]:
| ws is an open source WebSocket client and server for Node.js. A
| request with a number of headers exceeding the server.maxHeadersCount
| threshold could be used to crash a ws server. The vulnerability was
| fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876),
| ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions
| of ws, the issue can be mitigated in the following ways: 1. Reduce
| the maximum allowed length of the request headers using the
| --max-http-header-size=size and/or the maxHeaderSize options so that
| no more headers than the server.maxHeadersCount limit can be sent.
| 2. Set server.maxHeadersCount to 0 so that no limit is applied.

https://github.com/websockets/ws/security/advisories/GHSA-3h5v-q93c-6h6q
https://github.com/websockets/ws/issues/2230
https://github.com/websockets/ws/pull/2231
https://github.com/websockets/ws/commit/e55e5106f10fcbaac37cfa89759e4cc0d073a52c (8.17.1)
https://github.com/websockets/ws/commit/22c28763234aa75a7e1b76f5c01c181260d7917f (7.5.10)
https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63 (6.2.3)
https://github.com/websockets/ws/commit/4abd8f6de4b0b65ef80b3ff081989479ed93377e (5.2.4)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37890
https://www.cve.org/CVERecord?id=CVE-2024-37890

Please adjust the affected versions in the BTS as needed.



Bug#1073061: r-base: CVE-2024-27322 execution of arbitrary code

2024-06-25 Thread Moritz Mühlenhoff
Am Wed, Jun 12, 2024 at 05:00:25PM -0500 schrieb Dirk Eddelbuettel:
> 
> On 12 June 2024 at 23:46, Moritz Mühlenhoff wrote:
> | Dirk Eddelbuettel wrote:
> | > Just FYI the view of R Core (upstream) and the R Foundation (I'm on the board)
> | > is that this is a nothingburger. We would love for the CVE to be retracted
> | > but nobody (among a team of volunteers) has time or energy to pursue this.
> | > 
> | > See https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html
> | > for the official statement.
> | 
> | JFTR, I've sent a request to mark this CVE as rejected, with a reference to
> | the statement above.
> 
> Fabulous!!!  Any past experience whether this may succeed?

It often does, but takes up to a few weeks...

We'll let you know if a reject appears in the CVE feed.

Cheers,
Moritz



Bug#1074284: squid: CVE-2024-37894

2024-06-25 Thread Moritz Mühlenhoff
Source: squid
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for squid.

CVE-2024-37894[0]:
| Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP,
| and more. Due to an Out-of-bounds Write error when assigning ESI
| variables, Squid is susceptible to a Memory Corruption error. This
| error can lead to a Denial of Service attack.

https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg

https://github.com/squid-cache/squid/commit/920563e7a080155fae3ced73d6198781e8b0ff04 (master)
https://github.com/squid-cache/squid/commit/67f5496f7b72e698ad0f5aa3512c83089424f27f (v6)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37894
https://www.cve.org/CVERecord?id=CVE-2024-37894

Please adjust the affected versions in the BTS as needed.



Bug#1074414: gpac: CVE-2024-6061 CVE-2024-6062 CVE-2024-6063 CVE-2024-6064

2024-06-28 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-6061[0]:
| A vulnerability has been found in GPAC 2.5-DEV-rev228-g11067ea92-master
| and classified as problematic. Affected by
| this vulnerability is the function isoffin_process of the file
| src/filters/isoffin_read.c of the component MP4Box. The manipulation
| leads to infinite loop. It is possible to launch the attack on the
| local host. The exploit has been disclosed to the public and may be
| used. The identifier of the patch is
| 20c0f29139a82779b86453ce7f68d0681ec7624c. It is recommended to apply
| a patch to fix this issue. The identifier VDB-268789 was assigned to
| this vulnerability.

https://github.com/gpac/gpac/issues/2871
https://github.com/gpac/gpac/commit/20c0f29139a82779b86453ce7f68d0681ec7624c

CVE-2024-6062[1]:
| A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master
| and classified as problematic. Affected by this issue is the
| function swf_svg_add_iso_sample of the file src/filters/load_text.c
| of the component MP4Box. The manipulation leads to null pointer
| dereference. The attack needs to be approached locally. The exploit
| has been disclosed to the public and may be used. The patch is
| identified as 31e499d310a48bd17c8b055a0bfe0fe35887a7cd. It is
| recommended to apply a patch to fix this issue. VDB-268790 is the
| identifier assigned to this vulnerability.

https://github.com/gpac/gpac/issues/2872
https://github.com/gpac/gpac/commit/31e499d310a48bd17c8b055a0bfe0fe35887a7cd

CVE-2024-6063[2]:
| A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master.
| It has been classified as problematic. This affects the function
| m2tsdmx_on_event of the file src/filters/dmx_m2ts.c of the component
| MP4Box. The manipulation leads to null pointer dereference. An
| attack has to be approached locally. The exploit has been disclosed
| to the public and may be used. The patch is named
| 8767ed0a77c4b02287db3723e92c2169f67c85d5. It is recommended to apply
| a patch to fix this issue. The associated identifier of this
| vulnerability is VDB-268791.

https://github.com/gpac/gpac/issues/2873
https://github.com/gpac/gpac/commit/8767ed0a77c4b02287db3723e92c2169f67c85d5

CVE-2024-6064[3]:
| A vulnerability was found in GPAC 2.5-DEV-rev228-g11067ea92-master.
| It has been declared as problematic. This vulnerability affects the
| function xmt_node_end of the file src/scene_manager/loader_xmt.c of
| the component MP4Box. The manipulation leads to use after free.
| Local access is required to approach this attack. The exploit has
| been disclosed to the public and may be used. The name of the patch
| is f4b3e4d2f91bc1749e7a924a8ab171af03a355a8/c1b9c794bad8f262c56f3cf690567980d96662f5.
| It is recommended to apply a patch to fix this
| issue. The identifier of this vulnerability is VDB-268792.

https://github.com/gpac/gpac/issues/2874
https://github.com/gpac/gpac/commit/c1b9c794bad8f262c56f3cf690567980d96662f5

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6061
https://www.cve.org/CVERecord?id=CVE-2024-6061
[1] https://security-tracker.debian.org/tracker/CVE-2024-6062
https://www.cve.org/CVERecord?id=CVE-2024-6062
[2] https://security-tracker.debian.org/tracker/CVE-2024-6063
https://www.cve.org/CVERecord?id=CVE-2024-6063
[3] https://security-tracker.debian.org/tracker/CVE-2024-6064
https://www.cve.org/CVERecord?id=CVE-2024-6064

Please adjust the affected versions in the BTS as needed.



Bug#1074415: slic3r-prusa: CVE-2020-28594 CVE-2020-28595 CVE-2020-28596 CVE-2020-28598

2024-06-28 Thread Moritz Mühlenhoff
Source: slic3r-prusa
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for slic3r-prusa.

Although these are quite old, I believe they have never been properly
reported upstream and are unfixed to this day?

CVE-2020-28594[0]:
| A use-after-free vulnerability exists in the
| _3MF_Importer::_handle_end_model() functionality of Prusa Research
| PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted
| 3MF file can lead to code execution. An attacker can provide a
| malicious file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1218

CVE-2020-28595[1]:
| An out-of-bounds write vulnerability exists in the Obj.cpp
| load_obj() functionality of Prusa Research PrusaSlicer 2.2.0 and
| Master (commit 4b040b856). A specially crafted obj file can lead to
| code execution. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1219

CVE-2020-28596[2]:
| A stack-based buffer overflow vulnerability exists in the
| Objparser::objparse() functionality of Prusa Research PrusaSlicer
| 2.2.0 and Master (commit 4b040b856). A specially crafted obj file
| can lead to code execution. An attacker can provide a malicious file
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1220

CVE-2020-28598[3]:
| An out-of-bounds write vulnerability exists in the Admesh
| stl_fix_normal_directions() functionality of Prusa Research
| PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted
| AMF file can lead to code execution. An attacker can provide a
| malicious file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1222

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28594
https://www.cve.org/CVERecord?id=CVE-2020-28594
[1] https://security-tracker.debian.org/tracker/CVE-2020-28595
https://www.cve.org/CVERecord?id=CVE-2020-28595
[2] https://security-tracker.debian.org/tracker/CVE-2020-28596
https://www.cve.org/CVERecord?id=CVE-2020-28596
[3] https://security-tracker.debian.org/tracker/CVE-2020-28598
https://www.cve.org/CVERecord?id=CVE-2020-28598

Please adjust the affected versions in the BTS as needed.



Bug#1074416: libde265: CVE-2024-38949 CVE-2024-38950

2024-06-28 Thread Moritz Mühlenhoff
Source: libde265
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2024-38949[0]:
| Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows
| attackers to crash the application via crafted payload to
| display444as420 function at sdl.cc

https://github.com/strukturag/libde265/issues/460

CVE-2024-38950[1]:
| Heap Buffer Overflow vulnerability in Libde265 v1.0.15 allows
| attackers to crash the application via crafted payload to
| __interceptor_memcpy function.

https://github.com/strukturag/libde265/issues/460

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-38949
https://www.cve.org/CVERecord?id=CVE-2024-38949
[1] https://security-tracker.debian.org/tracker/CVE-2024-38950
https://www.cve.org/CVERecord?id=CVE-2024-38950

Please adjust the affected versions in the BTS as needed.



Bug#1074417: zziplib: CVE-2024-39133

2024-06-28 Thread Moritz Mühlenhoff
Source: zziplib
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for zziplib.

CVE-2024-39133[0]:
| Heap Buffer Overflow vulnerability in zziplib v0.13.77 allows
| attackers to cause a denial of service via the
| __zzip_parse_root_directory() function at /zzip/zip.c.

https://github.com/gdraheim/zziplib/issues/164


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39133
https://www.cve.org/CVERecord?id=CVE-2024-39133

Please adjust the affected versions in the BTS as needed.



Bug#1074419: bluez: CVE-2023-51596

2024-06-28 Thread Moritz Mühlenhoff
Source: bluez
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for bluez.

CVE-2023-51596[0]:
| BlueZ Phone Book Access Profile Heap-based Buffer Overflow Remote
| Code Execution Vulnerability. This vulnerability allows network-
| adjacent attackers to execute arbitrary code on affected
| installations of BlueZ. User interaction is required to exploit this
| vulnerability in that the target must connect to a malicious
| Bluetooth device.  The specific flaw exists within the handling of
| the Phone Book Access profile. The issue results from the lack of
| proper validation of the length of user-supplied data prior to
| copying it to a fixed-length heap-based buffer. An attacker can
| leverage this vulnerability to execute code in the context of root.
| Was ZDI-CAN-20939.

https://www.zerodayinitiative.com/advisories/ZDI-23-1902/

Not sure if this was reported upstream, might be worth reaching out.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51596
https://www.cve.org/CVERecord?id=CVE-2023-51596

Please adjust the affected versions in the BTS as needed.



Bug#1074418: libmodbus: CVE-2023-26793

2024-06-28 Thread Moritz Mühlenhoff
Source: libmodbus
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libmodbus.

CVE-2023-26793[0]:
| libmodbus v3.1.10 has a heap-based buffer overflow vulnerability in
| read_io_status function in src/modbus.c.

https://github.com/stephane/libmodbus/issues/683


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26793
https://www.cve.org/CVERecord?id=CVE-2023-26793

Please adjust the affected versions in the BTS as needed.



Bug#1074422: libmodbus: CVE-2024-36843 CVE-2024-36844 CVE-2024-36845

2024-06-28 Thread Moritz Mühlenhoff
Source: libmodbus
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libmodbus.

CVE-2024-36843[0]:
| libmodbus v3.1.6 was discovered to contain a heap overflow via the
| modbus_mapping_free() function.

https://github.com/stephane/libmodbus/issues/748

CVE-2024-36844[1]:
| libmodbus v3.1.6 was discovered to contain a use-after-free via the
| ctx->backend pointer. This vulnerability allows attackers to cause a
| Denial of Service (DoS) via a crafted message sent to the
| unit-test-server.

https://github.com/stephane/libmodbus/issues/749

CVE-2024-36845[2]:
| An invalid pointer in the modbus_receive() function of libmodbus
| v3.1.6 allows attackers to cause a Denial of Service (DoS) via a
| crafted message sent to the unit-test-server.

https://github.com/stephane/libmodbus/issues/750

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36843
https://www.cve.org/CVERecord?id=CVE-2024-36843
[1] https://security-tracker.debian.org/tracker/CVE-2024-36844
https://www.cve.org/CVERecord?id=CVE-2024-36844
[2] https://security-tracker.debian.org/tracker/CVE-2024-36845
https://www.cve.org/CVERecord?id=CVE-2024-36845

Please adjust the affected versions in the BTS as needed.



Bug#1074421: grpc: CVE-2023-44487

2024-06-28 Thread Moritz Mühlenhoff
Source: grpc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for grpc.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://github.com/grpc/grpc/pull/34763


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.



Bug#1074424: zziplib: CVE-2024-39134

2024-06-28 Thread Moritz Mühlenhoff
Source: zziplib
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for zziplib.

CVE-2024-39134[0]:
| A Stack Buffer Overflow vulnerability in zziplib v0.13.77 allows
| attackers to cause a denial of service via the
| __zzip_fetch_disk_trailer() function at /zzip/zip.c.

https://github.com/gdraheim/zziplib/issues/165


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39134
https://www.cve.org/CVERecord?id=CVE-2024-39134

Please adjust the affected versions in the BTS as needed.



Bug#1074425: openvpn-auth-ldap: CVE-2024-28820

2024-06-28 Thread Moritz Mühlenhoff
Source: openvpn-auth-ldap
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for openvpn-auth-ldap.

CVE-2024-28820[0]:
| Buffer overflow in the extract_openvpn_cr function in openvpn-cr.c
| in openvpn-auth-ldap (aka the Three Rings Auth-LDAP plugin for
| OpenVPN) 2.0.4 allows attackers with a valid LDAP username and who
| can control the challenge/response password field to pass a string
| with more than 14 colons into this field and cause a buffer
| overflow.

https://github.com/threerings/openvpn-auth-ldap/pull/92


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28820
https://www.cve.org/CVERecord?id=CVE-2024-28820

Please adjust the affected versions in the BTS as needed.
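
The CVE text above attributes the overflow to a challenge/response string with more than 14 colons being split into a fixed-size field array. The following is an added C illustration and not the plugin's code: `CR_MAX_FIELDS`, the `field_view` type and the helper names are assumptions made for this example, and the inputs are constructed. It splits on the separator while keeping the field count bounded by the caller's array, and reports an error instead of writing a sixteenth field past the end:

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical capacity: room for 15 fields, i.e. at most 14 separators.
 * The number is illustrative, not taken from the plugin's source. */
#define CR_MAX_FIELDS 15

typedef struct {
    const char *start;  /* points into the caller's input, nothing is copied */
    size_t len;
} field_view;

/* Splits 'input' on ':' into at most max_fields views without modifying the
 * string. Returns the number of fields, or -1 if one more field would have
 * been written past the end of 'out'. A loop that stores every field it
 * finds, with no such check, is the pattern that overflows a fixed array. */
int split_colon_fields(const char *input, field_view *out, size_t max_fields)
{
    size_t n = 0;
    const char *p = input;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (n == max_fields)
            return -1;              /* refuse rather than write out[max_fields] */
        out[n].start = p;
        out[n].len = len;
        n++;
        if (colon == NULL)
            break;
        p = colon + 1;
    }
    return (int)n;
}

/* Parses into a fixed array of CR_MAX_FIELDS slots, as a caller with a
 * fixed-size stack array would, and reports the field count or -1. */
int cr_field_count(const char *input)
{
    field_view fields[CR_MAX_FIELDS];
    return split_colon_fields(input, fields, CR_MAX_FIELDS);
}

/* Constructed input with exactly 'colons' separators ("x:x:...:x"), used to
 * probe the boundary; returns what cr_field_count() reports for it. */
int fields_for_colon_count(size_t colons)
{
    char buf[256];
    if (colons * 2 + 2 > sizeof buf)
        return -2;                  /* constructed input itself would not fit */
    size_t i = 0;
    buf[i++] = 'x';
    for (size_t c = 0; c < colons; c++) {
        buf[i++] = ':';
        buf[i++] = 'x';
    }
    buf[i] = '\0';
    return cr_field_count(buf);
}

int main(void)
{
    printf("user:response -> %d fields\n", cr_field_count("user:response"));
    printf("14 colons     -> %d\n", fields_for_colon_count(14));
    printf("15 colons     -> %d\n", fields_for_colon_count(15));
    return 0;
}
```

The check sits before the store, so the array size is the only thing that decides how many fields are kept; whatever the caller later does with a `-1` (reject the login attempt, log the malformed field), the input length no longer reaches the stack.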



Bug#1074423: nltk: CVE-2024-39705

2024-06-28 Thread Moritz Mühlenhoff
Source: nltk
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for nltk.

CVE-2024-39705[0]:
| NLTK through 3.8.1 allows remote code execution if untrusted
| packages have pickled Python code, and the integrated data package
| download functionality is used. This affects, for example,
| averaged_perceptron_tagger and punkt.

https://github.com/nltk/nltk/issues/3266
https://github.com/nltk/nltk/issues/2522


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39705
https://www.cve.org/CVERecord?id=CVE-2024-39705

Please adjust the affected versions in the BTS as needed.



Bug#1074426: golang-golang-x-image: CVE-2024-24792

2024-06-28 Thread Moritz Mühlenhoff
Source: golang-golang-x-image
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-golang-x-image.

CVE-2024-24792[0]:
| Parsing a corrupt or malicious image with invalid color indices can
| cause a panic.

https://github.com/advisories/GHSA-9phm-fm57-rhg8
https://github.com/golang/go/issues/67624
https://go-review.googlesource.com/c/image/+/588115


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24792
https://www.cve.org/CVERecord?id=CVE-2024-24792

Please adjust the affected versions in the BTS as needed.



Bug#1074429: xml-security-c: CVE-2024-34580

2024-06-28 Thread Moritz Mühlenhoff
Source: xml-security-c
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for xml-security-c.

CVE-2024-34580[0]:
| Apache XML Security for C++ through 2.0.4 implements the XML
| Signature Syntax and Processing (XMLDsig) specification without
| protection against an SSRF payload in a KeyInfo element. NOTE: the
| supplier disputes this CVE Record on the grounds that they are
| implementing the specification "correctly" and are not "at fault."

https://cloud.google.com/blog/topics/threat-intelligence/apache-library-allows-server-side-request-forgery
https://www.sonatype.com/blog/the-exploited-ivanti-connect-ssrf-vulnerability-stems-from-xmltooling-oss-library
https://github.com/zmanion/Vulnerabilities/blob/main/CVE-2024-21893.md

Not sure what to make out of this? It seems the use of xml-security-c
within Shibboleth continues to be supported, but otherwise the library
is deemed deprecated, so maybe this should at least be made explicit
in the package description?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34580
https://www.cve.org/CVERecord?id=CVE-2024-34580

Please adjust the affected versions in the BTS as needed.



Bug#1074430: adminer: CVE-2023-45196 CVE-2023-45195

2024-06-28 Thread Moritz Mühlenhoff
Source: adminer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for adminer.

CVE-2023-45196[0]:
| Adminer and AdminerEvo allow an unauthenticated remote attacker to
| cause a denial of service by connecting to an attacker-controlled
| service that responds with HTTP redirects. The denial of service is
| subject to PHP configuration limits. Adminer is no longer supported,
| but this issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6

CVE-2023-45195[1]:
| Adminer and AdminerEvo are vulnerable to SSRF via database
| connection fields. This could allow an unauthenticated remote
| attacker to enumerate or access systems the attacker would not
| otherwise have access to. Adminer is no longer supported, but this
| issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc

It seems adminer is dead upstream and adminerevo picked up development,
so most likely Debian should follow the new upstream?


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45196
https://www.cve.org/CVERecord?id=CVE-2023-45196
[1] https://security-tracker.debian.org/tracker/CVE-2023-45195
https://www.cve.org/CVERecord?id=CVE-2023-45195

Please adjust the affected versions in the BTS as needed.



Bug#1074431: arm-trusted-firmware: CVE-2024-6287 CVE-2024-6285

2024-06-28 Thread Moritz Mühlenhoff
Source: arm-trusted-firmware
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for arm-trusted-firmware.

CVE-2024-6287[0]:
| Incorrect Calculation vulnerability in Renesas arm-trusted-firmware
| allows Local Execution of Code. When checking whether a new image
| invades/overlaps with a previously loaded image the code neglects to
| consider a few cases, which could allow an attacker to bypass memory
| range restriction and overwrite an already loaded image partly or
| completely, which could result in code execution and bypass of
| secure boot.

https://github.com/renesas-rcar/arm-trusted-firmware/commit/954d488a9798f8fda675c6b57c571b469b298f04
https://asrg.io/security-advisories/cve-2024-6287-incorrect-address-range-calculations-in-renesas-rcar/


CVE-2024-6285[1]:
| Integer Underflow (Wrap or Wraparound) vulnerability in Renesas arm-
| trusted-firmware. An integer underflow in image range check
| calculations could lead to bypassing address restrictions and
| loading of images to unallowed addresses.

https://github.com/renesas-rcar/arm-trusted-firmware/commit/b596f580637bae919b0ac3a5471422a1f756db3b
https://asrg.io/security-advisories/cve-2024-6285-integer-underflow-in-memory-range-check-in-renesas-rcar/


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6287
https://www.cve.org/CVERecord?id=CVE-2024-6287
[1] https://security-tracker.debian.org/tracker/CVE-2024-6285
https://www.cve.org/CVERecord?id=CVE-2024-6285

Please adjust the affected versions in the BTS as needed.
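As an added example (not code from arm-trusted-firmware or from the Renesas advisories linked above), here are the two checks these CVEs concern, written so that neither can wrap: a containment test that never forms a `base + size` sum, and an overlap test that handles every relative position of two regions (new image starts before, starts inside, is contained, or envelops the old one) with the same two comparisons. The `image_region` struct, the function names, the memory layout and the `naive_in_bounds` shape of the weak check are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A loaded image as a boot loader might record it. Constructed for this
 * example; not a structure from arm-trusted-firmware. */
struct image_region {
    uintptr_t base;
    size_t size;
};

/* Constructed illustration of the weak shape of check: "base + size" wraps
 * for a large size, so an image that runs past the end of memory can
 * appear to fit. */
bool naive_in_bounds(uintptr_t base, size_t size,
                     uintptr_t mem_base, size_t mem_size)
{
    return base >= mem_base && base + size <= mem_base + mem_size;
}

/* Wrap-safe containment: [base, base+size) inside [mem_base, mem_base+mem_size).
 * No sum is formed, and each subtraction is guarded so it cannot underflow. */
bool region_in_bounds(uintptr_t base, size_t size,
                      uintptr_t mem_base, size_t mem_size)
{
    if (size == 0 || size > mem_size)
        return false;
    if (base < mem_base)
        return false;
    /* base - mem_base >= 0 and mem_size - size >= 0 by the checks above */
    return (base - mem_base) <= (mem_size - size);
}

/* Wrap-safe overlap test for two non-empty regions. Whichever starts later
 * must start before the other one ends; expressed as a guarded difference. */
bool regions_overlap(uintptr_t a, size_t a_size, uintptr_t b, size_t b_size)
{
    if (a >= b)
        return (a - b) < b_size;   /* a starts inside b */
    return (b - a) < a_size;       /* b starts inside a */
}

/* A new image may be loaded only if it fits the permitted region and does
 * not touch any image already loaded. */
bool can_load_image(uintptr_t base, size_t size,
                    uintptr_t mem_base, size_t mem_size,
                    const struct image_region *loaded, size_t n_loaded)
{
    if (!region_in_bounds(base, size, mem_base, mem_size))
        return false;
    for (size_t i = 0; i < n_loaded; i++) {
        if (regions_overlap(base, size, loaded[i].base, loaded[i].size))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed layout: 1 MiB of permitted memory with one image loaded. */
    const uintptr_t mem_base = 0x40000000u;
    const size_t mem_size = 0x00100000u;
    const struct image_region loaded[] = { { 0x40010000u, 0x10000u } };
    /* base + huge wraps around to an address below mem_base + mem_size */
    const size_t huge = SIZE_MAX - 0x7ff;

    printf("naive check accepts wrapping size:    %d\n",
           naive_in_bounds(0x40001000u, huge, mem_base, mem_size));
    printf("hardened check accepts wrapping size: %d\n",
           region_in_bounds(0x40001000u, huge, mem_base, mem_size));
    printf("load inside existing image allowed:   %d\n",
           can_load_image(0x40018000u, 0x1000u, mem_base, mem_size, loaded, 1));
    printf("load adjacent to existing image ok:   %d\n",
           can_load_image(0x40020000u, 0x1000u, mem_base, mem_size, loaded, 1));
    return 0;
}
```

The design point is that every comparison is made on differences whose operands have already been ordered, so a crafted base or size cannot make the arithmetic wrap into an apparently valid result; an adjacent image (one that ends exactly where the next begins) is correctly treated as non-overlapping.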



Bug#1032664: mootools: CVE-2021-32821

2023-03-10 Thread Moritz Mühlenhoff
Source: mootools
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for mootools.

CVE-2021-32821[0]:
| MooTools is a collection of JavaScript utilities for JavaScript
| developers. All known versions include a CSS selector parser that is
| vulnerable to Regular Expression Denial of Service (ReDoS). An attack
| requires that an attacker can inject a string into a CSS selector at
| runtime, which is quite common with e.g. jQuery CSS selectors. No
| patches are available for this issue.

https://securitylab.github.com/advisories/GHSL-2020-345-redos-mootools/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32821
https://www.cve.org/CVERecord?id=CVE-2021-32821

Please adjust the affected versions in the BTS as needed.



Bug#1032665: tidy-html5: CVE-2021-33391

2023-03-10 Thread Moritz Mühlenhoff
Source: tidy-html5
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tidy-html5.

CVE-2021-33391[0]:
| An issue in HTACG HTML Tidy v5.7.28 allows an attacker to execute
| arbitrary code via the -g option of the CleanNode() function in
| gdoc.c.

https://github.com/htacg/tidy-html5/issues/946
https://github.com/htacg/tidy-html5/commit/efa61528aa500a1efbd2768121820742d3bb709b


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33391
https://www.cve.org/CVERecord?id=CVE-2021-33391

Please adjust the affected versions in the BTS as needed.



Bug#1032666: freeimage: CVE-2021-33367

2023-03-10 Thread Moritz Mühlenhoff
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2021-33367[0]:
| Buffer Overflow vulnerability in Freeimage v3.18.0 allows an attacker
| to cause a denial of service via a crafted JXR file.

https://sourceforge.net/p/freeimage/discussion/36109/thread/1a4db03d58/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33367
https://www.cve.org/CVERecord?id=CVE-2021-33367

Please adjust the affected versions in the BTS as needed.



Bug#1032667: radare2: CVE-2023-27114

2023-03-10 Thread Moritz Mühlenhoff
Source: radare2
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for radare2.

CVE-2023-27114[0]:
| radare2 v5.8.3 was discovered to contain a segmentation fault via the
| component wasm_dis at p/wasm/wasm.c.

https://github.com/radareorg/radare2/issues/21363
https://github.com/radareorg/radare2/commit/13308c9aad79f9c7a3507ce549fe270103e8ceea


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27114
https://www.cve.org/CVERecord?id=CVE-2023-27114

Please adjust the affected versions in the BTS as needed.



Bug#1032668: nvidia-cuda-toolkit: CVE-2023-0193 CVE-2023-0196

2023-03-10 Thread Moritz Mühlenhoff
Source: nvidia-cuda-toolkit
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for nvidia-cuda-toolkit.

CVE-2023-0193[0]:
No description was found (try on a search engine)

CVE-2023-0196[1]:
| NVIDIA CUDA Toolkit SDK contains a bug in cuobjdump, where a local
| user running the tool against an ill-formed binary may cause a null-
| pointer dereference, which may result in a limited denial of service.

https://nvidia.custhelp.com/app/answers/detail/a_id/5446


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0193
https://www.cve.org/CVERecord?id=CVE-2023-0193
[1] https://security-tracker.debian.org/tracker/CVE-2023-0196
https://www.cve.org/CVERecord?id=CVE-2023-0196

Please adjust the affected versions in the BTS as needed.



Bug#1032669: wabt: CVE-2023-27115 CVE-2023-27116 CVE-2023-27117 CVE-2023-27119

2023-03-10 Thread Moritz Mühlenhoff
Source: wabt
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerabilities were published for wabt.

CVE-2023-27115[0]:
| WebAssembly v1.0.29 was discovered to contain a segmentation fault via
| the component wabt::cat_compute_size.

https://github.com/WebAssembly/wabt/issues/1938
https://github.com/WebAssembly/wabt/issues/1992

CVE-2023-27116[1]:
| WebAssembly v1.0.29 was discovered to contain an abort in
| CWriter::MangleType.

https://github.com/WebAssembly/wabt/issues/1984
https://github.com/WebAssembly/wabt/pull/2119
https://github.com/WebAssembly/wabt/commit/8a7b7497bdf78f9099f8d5a3a2c9bde87ddd52da

CVE-2023-27117[2]:
| WebAssembly v1.0.29 was discovered to contain a heap overflow via the
| component wabt::Node::operator.

https://github.com/WebAssembly/wabt/issues/1989

CVE-2023-27119[3]:
| WebAssembly v1.0.29 was discovered to contain a segmentation fault via
| the component wabt::Decompiler::WrapChild.

https://github.com/WebAssembly/wabt/issues/1990

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27115
https://www.cve.org/CVERecord?id=CVE-2023-27115
[1] https://security-tracker.debian.org/tracker/CVE-2023-27116
https://www.cve.org/CVERecord?id=CVE-2023-27116
[2] https://security-tracker.debian.org/tracker/CVE-2023-27117
https://www.cve.org/CVERecord?id=CVE-2023-27117
[3] https://security-tracker.debian.org/tracker/CVE-2023-27119
https://www.cve.org/CVERecord?id=CVE-2023-27119

Please adjust the affected versions in the BTS as needed.



Bug#1032670: allegro4.4: CVE-2021-36489

2023-03-10 Thread Moritz Mühlenhoff
Source: allegro4.4
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for allegro4.4.

CVE-2021-36489[0]:
| Buffer Overflow vulnerability in Allegro through 5.2.6 allows
| attackers to cause a denial of service via crafted PCX/TGA/BMP files
| to allegro_image addon.

https://github.com/liballeg/allegro5/issues/1251
https://github.com/liballeg/allegro5/pull/1253

These fixes landed in Allegro 5.2.8.0:
https://github.com/liballeg/allegro5/commit/3f2dbd494241774d33aaf83910fd05b2a590604a
 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/cca179bc16827f358153060cd10ac73d394e758c
 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/a2c93939f6997a96ecac1865dbb4fa3f66b5e1b7
 (5.2.8.0)
https://github.com/liballeg/allegro5/commit/0294e28e6135292eab4b2916a7d2223b1bb6843e
 (5.2.8.0)

In allegro 4.4, code is in src/[pcx|tga].c instead


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36489
https://www.cve.org/CVERecord?id=CVE-2021-36489

Please adjust the affected versions in the BTS as needed.



Bug#1032885: unblock: debian-security-support/1:12+2023.03.05

2023-03-13 Thread Moritz Mühlenhoff
Am Mon, Mar 13, 2023 at 01:43:11PM +0100 schrieb Holger Levsen:
>   * security-support-limited:
> - for golang and openjdk-17, point to the bookworm manual instead the one
>   for bullseye.

That's wrong, though. (And the release notes need updating too, I'll file
a bug soonish): In Bookworm openjdk-17 is the default Java and fully
supported, but we need the equivalent note for openjdk-21 now.

Cheers,
Moritz



Bug#1014714: nim: CVE-2021-41259

2023-03-15 Thread Moritz Mühlenhoff
Am Sun, Jul 10, 2022 at 07:31:30PM +0200 schrieb Moritz Mühlenhoff:
> Source: nim
> X-Debbugs-CC: t...@security.debian.org
> Severity: normal
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for nim.
> 
> CVE-2021-41259[0]:
> | Nim is a systems programming language with a focus on efficiency,
> | expressiveness, and elegance. In affected versions the uri.parseUri
> | function which may be used to validate URIs accepts null bytes in the
> | input URI. This behavior could be used to bypass URI validation. For
> | example: parseUri("http://localhost\0hello").hostname is set to
> | "localhost\0hello". Additionally, httpclient.getContent accepts null
> | bytes in the input URL and ignores any data after the first null byte.
> | Example: getContent("http://localhost\0hello") makes a request to
> | localhost:80. An attacker can use null bytes to bypass the check and
> | mount a SSRF attack.
> 
> https://github.com/nim-lang/security/security/advisories/GHSA-3gg2-rw3q-qwgc

Could we get this fixed for bookworm?

Cheers,
Moritz
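The mismatch the CVE above describes (a validator that sees the whole string, a client that stops at the first NUL) is the classic gap between length-carrying buffers and C strings. As an added example, not code from Nim or from the linked advisory, the following shows the gap on a constructed copy of the advisory's input and the defensive check that closes it: reject the URL before parsing if it contains any NUL or other control byte. `host_of_url`, `url_is_clean` and the helper names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed input matching the advisory text: a URL with an embedded NUL.
 * sizeof - 1 gives the true length (22); strlen() would report 16. */
static const char kConstructedUrl[] = "http://localhost\0hello";
#define CONSTRUCTED_URL_LEN (sizeof(kConstructedUrl) - 1)

/* Length-aware host extraction for "scheme://host[:port][/path]".
 * Walks all len bytes and stops only at ':' or '/' or the end, so an
 * embedded NUL is copied into out just like any other byte. Returns the
 * number of host bytes copied (out is always NUL-terminated). */
size_t host_of_url(const char *url, size_t len, char *out, size_t outlen)
{
    const char *p = NULL;
    for (size_t i = 0; i + 2 < len; i++) {
        if (url[i] == ':' && url[i + 1] == '/' && url[i + 2] == '/') {
            p = url + i + 3;
            break;
        }
    }
    size_t n = 0;
    if (p != NULL) {
        for (const char *q = p; q < url + len && *q != ':' && *q != '/'; q++) {
            if (n + 1 >= outlen)
                break;
            out[n++] = *q;
        }
    }
    if (outlen > 0)
        out[n] = '\0';
    return n;
}

/* How many host bytes a length-aware validator sees. */
size_t host_bytes_in_url(const char *url, size_t len)
{
    char tmp[256];
    return host_of_url(url, len, tmp, sizeof tmp);
}

/* How many host bytes a C-string consumer (strlen-based connect) sees. */
size_t host_bytes_seen_by_strlen(const char *url, size_t len)
{
    char tmp[256];
    host_of_url(url, len, tmp, sizeof tmp);
    return strlen(tmp);
}

/* Defensive check to run before any parsing: a URL has no business
 * containing NUL or other control bytes, so reject the whole input. */
bool url_is_clean(const char *url, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

int main(void)
{
    printf("host bytes seen by the validator: %zu\n",
           host_bytes_in_url(kConstructedUrl, CONSTRUCTED_URL_LEN));
    printf("host bytes seen by a C-string consumer: %zu\n",
           host_bytes_seen_by_strlen(kConstructedUrl, CONSTRUCTED_URL_LEN));
    printf("url_is_clean on the crafted input: %d\n",
           url_is_clean(kConstructedUrl, CONSTRUCTED_URL_LEN));
    printf("url_is_clean on a normal URL: %d\n",
           url_is_clean("http://localhost/hello", 22));
    return 0;
}
```

The validator sees a 15-byte host ("localhost\0hello") while anything that hands the buffer to a `strlen`-based API sees 9 bytes ("localhost"); the two components then reason about different hosts, which is exactly the SSRF bypass in the CVE text. Rejecting control bytes up front removes the ambiguity instead of trying to make every consumer agree on it.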



Bug#992172: exim4: CVE-2021-38371

2023-03-15 Thread Moritz Mühlenhoff
Am Sun, Aug 15, 2021 at 07:21:40AM +0200 schrieb Andreas Metzler:
> On 2021-08-14 Salvatore Bonaccorso  wrote:
> > Source: exim4
> > Version: 4.94.2-7
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > 
> 
> > Hi,
> 
> > The following vulnerability was published for exim4, this is to start
> > tracking the issue downstream for us. Note that at time of writing [2]
> > gives still a 404.
> 
> > CVE-2021-38371[0]:
> > | The STARTTLS feature in Exim through 4.94.2 allows response injection
> > | (buffering) during MTA SMTP sending.
> [...]
> 
> IIRC that is mitigated in experimental (4.95 rc) by ALPN and unknown
> command related changes, I will not be able to check in detail for a
> week or so, though.

Do you know if this is fixed in 4.96/bookworm?

Cheers,
Moritz



Bug#1023693: libstb: CVE-2021-37789

2023-03-15 Thread Moritz Mühlenhoff
Am Tue, Nov 08, 2022 at 08:42:05PM +0100 schrieb Moritz Mühlenhoff:
> Source: libstb
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for libstb.
> 
> CVE-2021-37789[0]:
> | stb_image.h 2.27 has a heap-based buffer overflow in stbi__jpeg_load,
> | leading to Information Disclosure or Denial of Service.
> 
> https://github.com/nothings/stb/issues/1178

This is fixed in 
https://github.com/nothings/stb/commit/5ba0baaa269b3fd681828e0e3b3ac0f1472eaf40

Could we get that fixed for bookworm?

Cheers,
Moritz



Bug#983576: CVE-2020-8020 CVE-2020-8021 CVE-2020-8031

2023-03-15 Thread Moritz Mühlenhoff
Am Fri, Feb 26, 2021 at 05:29:07PM +0100 schrieb Moritz Muehlenhoff:
> Source: open-build-service
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team 
> 
> CVE-2020-8020:
> https://bugzilla.suse.com/show_bug.cgi?id=1171439
> https://github.com/openSUSE/open-build-service/commit/7cc32c8e2ff7290698e101d9a80a9dc29a5500fb
> 
> CVE-2020-8021:
> https://bugzilla.suse.com/show_bug.cgi?id=1171649
> https://github.com/openSUSE/open-build-service/commit/7323c904f86ba9e04065c23422d06c03647589fb
> 
> CVE-2020-8031:
> https://bugzilla.suse.com/show_bug.cgi?id=1178880

Could we get these fixed for bookworm? (Plus #911797)

Cheers,
Moritz



Bug#1019594: closed by Daniel Baumann (bts)

2023-03-15 Thread Moritz Mühlenhoff
Am Sun, Feb 19, 2023 at 06:03:09PM + schrieb Debian Bug Tracking System:
> This is an automatic notification regarding your Bug report
> which was filed against the src:deluge package:
> 
> #1019594: deluge: CVE-2021-3427
> 
> It has been closed by Daniel Baumann .
> 
> Their explanation is attached below along with your original report.
> If this explanation is unsatisfactory and you have not received a
> better one in a separate message then please contact Daniel Baumann 
>  by
> replying to this email.

Hi Daniel,
What about 2.0.3, could you please also address this for bookworm?

Cheers,
Moritz



Bug#1014599: svgpp: CVE-2021-44960

2023-03-16 Thread Moritz Mühlenhoff
Am Fri, Jul 08, 2022 at 04:31:10PM +0200 schrieb Moritz Mühlenhoff:
> Source: svgpp
> X-Debbugs-CC: t...@security.debian.org
> Severity: normal
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for svgpp.
> 
> CVE-2021-44960[0]:
> | In SVGPP SVG++ library 1.3.0, the XMLDocument::getRoot function in the
> | renderDocument function handled the XMLDocument object improperly,
> | returning a null pointer in advance at the second if, resulting in a
> | null pointer reference behind the renderDocument function.
> 
> https://github.com/svgpp/svgpp/issues/101

This was fixed in 
https://github.com/svgpp/svgpp/commit/0bc57f2cc6d9d86a0fa1ce73e508c2b5994b4b91
Could we get that fixed for Bookworm?

Cheers,
Moritz



Bug#1012763: golang-github-emicklei-go-restful: CVE-2022-1996

2023-03-16 Thread Moritz Mühlenhoff
Am Mon, Jun 13, 2022 at 06:12:36PM +0200 schrieb Moritz Mühlenhoff:
> Source: golang-github-emicklei-go-restful
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for 
> golang-github-emicklei-go-restful.
> 
> CVE-2022-1996[0]:
> | Authorization Bypass Through User-Controlled Key in GitHub repository
> | emicklei/go-restful prior to v3.8.0.
> 
> https://huntr.dev/bounties/be837427-415c-4d8c-808b-62ce20aa84f1/
> https://github.com/emicklei/go-restful/commit/fd3c327a379ce08c68ef18765bdc925f5d9bad10

Could we get that fixed for Bookworm?

Cheers,
Moritz



Bug#988948: CVE-2019-11939

2023-03-16 Thread Moritz Mühlenhoff
Am Fri, May 21, 2021 at 09:46:31PM +0200 schrieb Moritz Muehlenhoff:
> Source: thrift
> Severity: important
> Tags: security
> X-Debbugs-Cc: Debian Security Team 
> 
> CVE-2019-11939:
> https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757

Hi,
is this fixed in Bookworm?

Cheers,
Moritz



Bug#1032885: unblock: debian-security-support/1:12+2023.03.05

2023-03-17 Thread Moritz Mühlenhoff
Am Mon, Mar 13, 2023 at 03:07:34PM + schrieb Holger Levsen:
> On Mon, Mar 13, 2023 at 03:58:45PM +0100, Moritz Mühlenhoff wrote:
> > Am Mon, Mar 13, 2023 at 01:43:11PM +0100 schrieb Holger Levsen:
> > >   * security-support-limited:
> > > - for golang and openjdk-17, point to the bookworm manual instead the one
> > >   for bullseye.
> > That's wrong, though. (And the release notes need updating to, I'll file
> > a bug soonish): In Bookworm openjdk-17 is the default Java and fully
> > supported, but we need the equivalent note for openjdk-21 now.
> 
> thanks, Moritz. I'll happily update d-s-s once the release manual is updated.
> or i could update d-s-s now too, if it's really just about replacing 17 with
> 21 in this line from  security-support-limited :
> 
> openjdk-17    See 
> https://www.debian.org/releases/bookworm/amd64/release-notes/ch-information.en.html#openjdk-17

Ack. I also filed #1033069 to update the release notes.

> Are there any further updates expected from the security team's POV?

I pushed a change to add a note on the legacy Spring classes we only use to
build some packages, but which by themselves are not supported to run anything.

With that I think everything is covered for Bookworm.

Cheers,
Moritz



Bug#1013279: cookiecutter: CVE-2022-24065

2023-03-17 Thread Moritz Mühlenhoff
Am Mon, Jun 20, 2022 at 04:59:39PM +0200 schrieb Moritz Mühlenhoff:
> Source: cookiecutter
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for cookiecutter.
> 
> CVE-2022-24065[0]:
> | The package cookiecutter before 2.1.1 is vulnerable to Command
> | Injection via hg argument injection. When calling the cookiecutter
> | function from Python code with the checkout parameter, it is passed to
> | the hg checkout command in a way that additional flags can be set. The
> | additional flags can be used to perform a command injection.
> 
> https://security.snyk.io/vuln/SNYK-PYTHON-COOKIECUTTER-2414281
> 
> Fixed in 2.1.1 and this isolated patch:
> https://github.com/cookiecutter/cookiecutter/releases/tag/2.1.1
> https://github.com/cookiecutter/cookiecutter/commit/fdffddb31fd2b46344dfa317531ff155e7999f77

Could we get that fixed for bookworm?

Cheers,
Moritz



Bug#1033109: libcpan-checksums-perl: CVE-2020-16155

2023-03-17 Thread Moritz Mühlenhoff
Source: libcpan-checksums-perl
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libcpan-checksums-perl.

CVE-2020-16155[0]:
| The CPAN::Checksums package 2.12 for Perl does not uniquely define
| signed data.

https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-16155
https://www.cve.org/CVERecord?id=CVE-2020-16155

Please adjust the affected versions in the BTS as needed.



Bug#1033110: cmark-gfm: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486

2023-03-17 Thread Moritz Mühlenhoff
Source: cmark-gfm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for cmark-gfm.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been patched
| in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.



Bug#1033111: python-cmarkgfm: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486

2023-03-17 Thread Moritz Mühlenhoff
Source: python-cmarkgfm
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for python-cmarkgfm.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been patched
| in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.



Bug#1033112: r-cran-commonmark: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486

2023-03-17 Thread Moritz Mühlenhoff
Source: r-cran-commonmark
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for r-cran-commonmark.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been patched
| in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.



Bug#1033113: ruby-commonmarker: CVE-2023-22483 CVE-2023-22484 CVE-2023-22485 CVE-2023-22486

2023-03-17 Thread Moritz Mühlenhoff
Source: ruby-commonmarker
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for ruby-commonmarker.

CVE-2023-22483[0]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to several polynomial time complexity issues in cmark-gfm that
| may lead to unbounded resource exhaustion and subsequent denial of
| service. Various commands, when piped to cmark-gfm with large values,
| cause the running time to increase quadratically. These
| vulnerabilities have been patched in version 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c

CVE-2023-22484[1]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7 are
| subject to a polynomial time complexity issue in cmark-gfm that may
| lead to unbounded resource exhaustion and subsequent denial of
| service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r

CVE-2023-22485[2]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. In versions prior to 0.29.0.gfm.7, a
| crafted markdown document can trigger an out-of-bounds read in the
| `validate_protocol` function. We believe this bug is harmless in
| practice, because the out-of-bounds read accesses `malloc` metadata
| without causing any visible damage. This vulnerability has been patched
| in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr

CVE-2023-22486[3]:
| cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and
| rendering library and program in C. Versions prior to 0.29.0.gfm.7
| contain a polynomial time complexity issue in handle_close_bracket
| that may lead to unbounded resource exhaustion and subsequent denial
| of service. This vulnerability has been patched in 0.29.0.gfm.7.

https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22483
https://www.cve.org/CVERecord?id=CVE-2023-22483
[1] https://security-tracker.debian.org/tracker/CVE-2023-22484
https://www.cve.org/CVERecord?id=CVE-2023-22484
[2] https://security-tracker.debian.org/tracker/CVE-2023-22485
https://www.cve.org/CVERecord?id=CVE-2023-22485
[3] https://security-tracker.debian.org/tracker/CVE-2023-22486
https://www.cve.org/CVERecord?id=CVE-2023-22486

Please adjust the affected versions in the BTS as needed.



Bug#1033114: python-oslo.privsep: CVE-2022-38065

2023-03-17 Thread Moritz Mühlenhoff
Source: python-oslo.privsep
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for python-oslo.privsep.

CVE-2022-38065[0]:
| A privilege escalation vulnerability exists in the oslo.privsep
| functionality of OpenStack git master 05194e7618 and prior. Overly
| permissive functionality within tools leveraging this library within a
| container can lead to increased privileges.

This originates from 
https://talosintelligence.com/vulnerability_reports/TALOS-2022-1599
but it looks a little murky, since there's no commit 05194e7618 in the
upstream repo, probably best to reach out to upstream for details?


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38065
https://www.cve.org/CVERecord?id=CVE-2022-38065

Please adjust the affected versions in the BTS as needed.



Bug#1033115: golang-github-go-macaron-csrf: CVE-2018-25060

2023-03-17 Thread Moritz Mühlenhoff
Source: golang-github-go-macaron-csrf
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-go-macaron-csrf.

CVE-2018-25060[0]:
| A vulnerability was found in Macaron csrf and classified as
| problematic. Affected by this issue is some unknown functionality of
| the file csrf.go. The manipulation of the argument Generate leads to
| sensitive cookie without secure attribute. The attack may be launched
| remotely. The name of the patch is
| dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a
| patch to fix this issue. VDB-217058 is the identifier assigned to this
| vulnerability.

https://github.com/go-macaron/csrf/commit/dadd1711a617000b70e5e408a76531b73187031c
https://github.com/go-macaron/csrf/pull/7


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-25060
https://www.cve.org/CVERecord?id=CVE-2018-25060

Please adjust the affected versions in the BTS as needed.



Bug#1033116: gpac: CVE-2022-3222 CVE-2023-0866 CVE-2022-4202 CVE-2022-43039 CVE-2023-23143 CVE-2023-23144 CVE-2023-23145 CVE-2022-43040 CVE-2022-43042 CVE-2022-43043 CVE-2022-43044 CVE-2022-43045 CVE-

2023-03-17 Thread Moritz Mühlenhoff
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2022-3222[0]:
| Uncontrolled Recursion in GitHub repository gpac/gpac prior to
| 2.1.0-DEV.

https://huntr.dev/bounties/b29c69fa-3eac-41e4-9d4f-d861aba18235/
https://github.com/gpac/gpac/commit/4e7736d7ec7bf64026daa611da951993bb42fdaf

CVE-2023-0866[2]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3.0-DEV.

https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f
https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937

CVE-2022-4202[3]:
| A vulnerability, which was classified as problematic, was found in
| GPAC 2.1-DEV-rev490-g68064e101-master. Affected is the function
| lsr_translate_coords of the file laser/lsr_dec.c. The manipulation
| leads to integer overflow. It is possible to launch the attack
| remotely. The exploit has been disclosed to the public and may be
| used. The name of the patch is
| b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908. It is recommended to apply a
| patch to fix this issue. VDB-214518 is the identifier assigned to this
| vulnerability.

https://github.com/gpac/gpac/issues/2333
https://github.com/gpac/gpac/commit/b3d821c4ae9ba62b3a194d9dcb5e99f17bd56908

CVE-2022-43039[4]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function gf_isom_meta_restore_items_ref
| at /isomedia/meta.c.

https://github.com/gpac/gpac/issues/2281
https://github.com/gpac/gpac/commit/62dbd5caad6b89b33535dfa19ef65419f0378303

CVE-2023-23143[5]:
| Buffer overflow vulnerability in function avc_parse_slice in file
| media_tools/av_parsers.c. GPAC version 2.3-DEV-rev1-g4669ba229-master.

https://github.com/gpac/gpac/commit/af6a5e7a96ee01a139cce6c9e4edfc069aad17a6

CVE-2023-23144[6]:
| Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file
| bifs/unquantize.c in GPAC version 2.2-rev0-gab012bbfb-master.

https://github.com/gpac/gpac/commit/3a2458a49b3e6399709d456d7b35e7a6f50cfb86

CVE-2023-23145[7]:
| GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a
| memory leak in lsr_read_rare_full function.

https://github.com/gpac/gpac/commit/4ade98128cbc41d5115b97a41ca2e59529c8dd5f

CVE-2022-43040[8]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap
| buffer overflow via the function gf_isom_box_dump_start_ex at
| /isomedia/box_funcs.c.

https://github.com/gpac/gpac/issues/2280
https://github.com/gpac/gpac/commit/f17dae31ebf6ea7af8c512165d9b954c2a6ea46e

CVE-2022-43042[9]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap
| buffer overflow via the function FixSDTPInTRAF at
| isomedia/isom_intern.c.

https://github.com/gpac/gpac/issues/2278
https://github.com/gpac/gpac/commit/3661da280b3eba75490e75ff20ad440c66e24de9

CVE-2022-43043[10]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function BD_CheckSFTimeOffset at
| /bifs/field_decode.c.

https://github.com/gpac/gpac/issues/2276
https://github.com/gpac/gpac/commit/6bff06cdb8e9b4e8ed2e789ee9340877759536fd

CVE-2022-43044[11]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function gf_isom_get_meta_item_info at
| /isomedia/meta.c.

https://github.com/gpac/gpac/issues/2282
https://github.com/gpac/gpac/commit/8a0e8e4ab13348cb1ab8e93b950a03d93f158a35

CVE-2022-43045[12]:
| GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a
| segmentation violation via the function gf_dump_vrml_sffield at
| /scene_manager/scene_dump.c.

https://github.com/gpac/gpac/issues/2277
https://github.com/gpac/gpac/commit/c5249ee4b62dfc604fecb4dce2fc480b3e388bbb

CVE-2022-45202[13]:
| GPAC v2.1-DEV-rev428-gcb8ae46c8-master was discovered to contain a
| stack overflow via the function dimC_box_read at
| isomedia/box_code_3gpp.c.

https://github.com/gpac/gpac/issues/2296
https://github.com/gpac/gpac/issues/2296#issuecomment-1303112783
Fixed by: 
https://github.com/gpac/gpac/commit/74e53280dad7b29f85386c6a1286fb92643465da

CVE-2022-45283[14]:
| GPAC MP4box v2.0.0 was discovered to contain a stack overflow in the
| smil_parse_time_list parameter at /scenegraph/svg_attributes.c.

https://github.com/gpac/gpac/issues/2295
https://github.com/gpac/gpac/commit/0fc714872ba4536a1190f93aa278b6e08f8c60df

CVE-2022-45343[15]:
| GPAC v2.1-DEV-rev478-g696e6f868-master was discovered to contain a
| heap use-after-free via the Q_IsTypeOn function at
| /gpac/src/bifs/unquantize.c.

https://github.com/gpac/gpac/issues/2315
https://github.com/gpac/gpac/commit/1016912db5408b6f38e8eb715279493ae380d1c4

CVE-2022-46489[16]:
| GPAC version 2.1-DEV-rev505-gb9577e6ad-master was discovered to
| contain a memory leak via the gf_isom_box_parse_ex function at
| box_funcs.c.

https://github.com/gpac/gpac/issues/2328
https://github.com/gpac/gpac/commit/44e8616ec6d0c37498cdacb81375b09249fa9

Bug#1033250: node-request: CVE-2023-28155

2023-03-20 Thread Moritz Mühlenhoff
Source: node-request
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for node-request.

CVE-2023-28155[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for
| Node.js allows a bypass of SSRF mitigations via an attacker-controlled
| server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to
| HTTP). NOTE: This vulnerability only affects products that are no
| longer supported by the maintainer.

https://github.com/request/request/issues/3442 was reported, but it seems
the module is EOLed, so maybe we should be looking into retiring it
for trixie?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28155
https://www.cve.org/CVERecord?id=CVE-2023-28155

Please adjust the affected versions in the BTS as needed.



Bug#1033251: wordpress: CVE-2022-3590

2023-03-20 Thread Moritz Mühlenhoff
Source: wordpress
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for wordpress.

CVE-2022-3590[0]:
| WordPress is affected by an unauthenticated blind SSRF in the pingback
| feature. Because of a TOCTOU race condition between the validation
| checks and the HTTP request, attackers can reach internal hosts that
| are explicitly forbidden.

The only reference here is
https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3590
https://www.cve.org/CVERecord?id=CVE-2022-3590

Please adjust the affected versions in the BTS as needed.



Bug#1033253: undertow: CVE-2023-1108

2023-03-20 Thread Moritz Mühlenhoff
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2023-1108[0]:
https://issues.redhat.com/browse/UNDERTOW-2239


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1108
https://www.cve.org/CVERecord?id=CVE-2023-1108

Please adjust the affected versions in the BTS as needed.



Bug#1033252: maradns: CVE-2022-30256

2023-03-20 Thread Moritz Mühlenhoff
Source: maradns
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for maradns.

CVE-2022-30256[0]:
| An issue was discovered in MaraDNS Deadwood through 3.5.0021 that
| allows variant V1 of unintended domain name resolution. A revoked
| domain name can still be resolvable for a long time, including expired
| domains and taken-down malicious domains. The effects of an exploit
| would be widespread and highly impactful, because the exploitation
| conforms to de facto DNS specifications and operational practices, and
| overcomes current mitigation patches for "Ghost" domain names.

https://maradns.samiam.org/security.html#CVE-2022-30256

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-30256
https://www.cve.org/CVERecord?id=CVE-2022-30256

Please adjust the affected versions in the BTS as needed.



Bug#1033254: imagemagick: CVE-2023-1289

2023-03-20 Thread Moritz Mühlenhoff
Source: imagemagick
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for imagemagick.

CVE-2023-1289[0]:
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr
https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1289
https://www.cve.org/CVERecord?id=CVE-2023-1289

Please adjust the affected versions in the BTS as needed.



Bug#1033255: aflplusplus: CVE-2023-26266

2023-03-20 Thread Moritz Mühlenhoff
Source: aflplusplus
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for aflplusplus.

CVE-2023-26266[0]:
| In AFL++ 4.05c, the CmpLog component uses the current working
| directory to resolve and execute unprefixed fuzzing targets, allowing
| code execution.

https://github.com/AFLplusplus/AFLplusplus/pull/1643
https://github.com/AFLplusplus/AFLplusplus/commit/f2be73186e2e16c3992f92b65ae9ba598d6fff2f
https://github.com/AFLplusplus/AFLplusplus/commit/673a0a3866783bf28e31d14fbd7a9009c7816ec3


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26266
https://www.cve.org/CVERecord?id=CVE-2023-26266

Please adjust the affected versions in the BTS as needed.



Bug#1033257: libde265: CVE-2023-27102 CVE-2023-27103

2023-03-20 Thread Moritz Mühlenhoff
Source: libde265
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for libde265.

CVE-2023-27102[0]:
| Libde265 v1.0.11 was discovered to contain a segmentation violation
| via the function decoder_context::process_slice_segment_header at
| decctx.cc.

https://github.com/strukturag/libde265/issues/393
https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1

CVE-2023-27103[1]:
| Libde265 v1.0.11 was discovered to contain a heap buffer overflow via
| the function derive_collocated_motion_vectors at motion.cc.

https://github.com/strukturag/libde265/issues/394
https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27102
https://www.cve.org/CVERecord?id=CVE-2023-27102
[1] https://security-tracker.debian.org/tracker/CVE-2023-27103
https://www.cve.org/CVERecord?id=CVE-2023-27103

Please adjust the affected versions in the BTS as needed.



Bug#1033258: upx-ucl: CVE-2023-23456

2023-03-20 Thread Moritz Mühlenhoff
Source: upx-ucl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for upx-ucl.

CVE-2023-23456[0]:
| A heap-based buffer overflow issue was discovered in UPX in
| PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to
| cause a denial of service (abort) via a crafted file.

https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4
https://github.com/upx/upx/issues/632

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23456
https://www.cve.org/CVERecord?id=CVE-2023-23456

Please adjust the affected versions in the BTS as needed.



Bug#1022555: tiff: CVE-2022-3627 CVE-2022-3626 CVE-2022-3599 CVE-2022-3598 CVE-2022-3597 CVE-2022-3570

2022-10-23 Thread Moritz Mühlenhoff
Source: tiff
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tiff.

CVE-2022-3627[0]:
| LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in
| libtiff/tif_unix.c:346 when called from extractImageSection,
| tools/tiffcrop.c:6860, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 236b7191.

https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
https://gitlab.com/libtiff/libtiff/-/issues/411

CVE-2022-3626[1]:
| LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemset in
| libtiff/tif_unix.c:340 when called from processCropSelections,
| tools/tiffcrop.c:7619, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 236b7191.

https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
https://gitlab.com/libtiff/libtiff/-/issues/426

CVE-2022-3599[2]:
| LibTIFF 4.4.0 has an out-of-bounds read in writeSingleSection in
| tools/tiffcrop.c:7345, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit e8131125.

https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246
https://gitlab.com/libtiff/libtiff/-/issues/398

CVE-2022-3598[3]:
| LibTIFF 4.4.0 has an out-of-bounds write in
| extractContigSamplesShifted24bits in tools/tiffcrop.c:3604, allowing
| attackers to cause a denial-of-service via a crafted tiff file. For
| users that compile libtiff from sources, the fix is available with
| commit cfbb883b.

https://gitlab.com/libtiff/libtiff/-/commit/cfbb883bf6ea7bedcb04177cc4e52d304522fdff
https://gitlab.com/libtiff/libtiff/-/issues/435

CVE-2022-3597[4]:
| LibTIFF 4.4.0 has an out-of-bounds write in _TIFFmemcpy in
| libtiff/tif_unix.c:346 when called from extractImageSection,
| tools/tiffcrop.c:6826, allowing attackers to cause a denial-of-service
| via a crafted tiff file. For users that compile libtiff from sources,
| the fix is available with commit 236b7191.

https://gitlab.com/libtiff/libtiff/-/commit/236b7191f04c60d09ee836ae13b50f812c841047
https://gitlab.com/libtiff/libtiff/-/issues/413

CVE-2022-3570[5]:
| Multiple heap buffer overflows in the tiffcrop.c utility in libtiff
| library version 4.4.0 allow an attacker to trigger unsafe or out-of-
| bounds memory access via a crafted TIFF image file, which could result
| in an application crash, potential information disclosure or any other
| context-dependent impact.

https://gitlab.com/libtiff/libtiff/-/commit/bd94a9b383d8755a27b5a1bc27660b8ad10b094c
https://gitlab.com/libtiff/libtiff/-/issues/381
https://gitlab.com/libtiff/libtiff/-/issues/386

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3627
https://www.cve.org/CVERecord?id=CVE-2022-3627
[1] https://security-tracker.debian.org/tracker/CVE-2022-3626
https://www.cve.org/CVERecord?id=CVE-2022-3626
[2] https://security-tracker.debian.org/tracker/CVE-2022-3599
https://www.cve.org/CVERecord?id=CVE-2022-3599
[3] https://security-tracker.debian.org/tracker/CVE-2022-3598
https://www.cve.org/CVERecord?id=CVE-2022-3598
[4] https://security-tracker.debian.org/tracker/CVE-2022-3597
https://www.cve.org/CVERecord?id=CVE-2022-3597
[5] https://security-tracker.debian.org/tracker/CVE-2022-3570
https://www.cve.org/CVERecord?id=CVE-2022-3570

Please adjust the affected versions in the BTS as needed.



Bug#1022556: exim4: CVE-2022-3620

2022-10-23 Thread Moritz Mühlenhoff
Source: exim4
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for exim4.

CVE-2022-3620[0]:
| A vulnerability was found in Exim and classified as problematic. This
| issue affects the function dmarc_dns_lookup of the file dmarc.c of the
| component DMARC Handler. The manipulation leads to use after free. The
| attack may be initiated remotely. The name of the patch is
| 12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445. It is recommended to apply a
| patch to fix this issue. The associated identifier of this
| vulnerability is VDB-211919.

Introduced by: 
https://git.exim.org/exim.git/commit/92583637b25b6bde926f9ca6be7b085e5ac8b1e6 
(exim-4.95-RC0)
(as such Bullseye/Buster are not affected)

Fixed by: 
https://git.exim.org/exim.git/commit/12fb3842f81bcbd4a4519d5728f2d7e0e3ca1445

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3620
https://www.cve.org/CVERecord?id=CVE-2022-3620

Please adjust the affected versions in the BTS as needed.



Bug#1022557: shapelib: CVE-2022-0699

2022-10-23 Thread Moritz Mühlenhoff
Source: shapelib
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for shapelib.

CVE-2022-0699[0]:
| A double-free condition exists in contrib/shpsort.c of shapelib 1.5.0
| and older releases. This issue may allow an attacker to cause a denial
| of service or have other unspecified impact via control over malloc.

https://github.com/OSGeo/shapelib/issues/39
https://github.com/OSGeo/shapelib/commit/c75b9281a5b9452d92e1682bdfe6019a13ed819f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0699
https://www.cve.org/CVERecord?id=CVE-2022-0699

Please adjust the affected versions in the BTS as needed.



Bug#1022560: libx11: CVE-2022-3554

2022-10-23 Thread Moritz Mühlenhoff
Source: libx11
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libx11.

CVE-2022-3554[0]:
| A vulnerability has been found in X.org libX11 and classified as
| problematic. This vulnerability affects the function
| _XimRegisterIMInstantiateCallback of the file
| modules/im/ximcp/imsClbk.c. The manipulation leads to memory leak. It
| is recommended to apply a patch to fix this issue. VDB-211054 is the
| identifier assigned to this vulnerability.

https://gitlab.freedesktop.org/xorg/lib/libx11/commit/1d11822601fd24a396b354fa616b04ed3df8b4ef

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3554
https://www.cve.org/CVERecord?id=CVE-2022-3554

Please adjust the affected versions in the BTS as needed.



Bug#937049: mini-buildd: Python2 removal in sid/bullseye

2022-10-27 Thread Moritz Mühlenhoff
Am Fri, Aug 30, 2019 at 07:26:40AM + schrieb Matthias Klose:
> Package: src:mini-buildd
> Version: 1.0.41
> Severity: normal
> Tags: sid bullseye
> User: debian-pyt...@lists.debian.org
> Usertags: py2removal
> 
> Python2 becomes end-of-live upstream, and Debian aims to remove
> Python2 from the distribution, as discussed in
> https://lists.debian.org/debian-python/2019/07/msg00080.html

How close is the 2.x branch in experimental to being a replacement?
python2 will be dropped in bookworm and also removed from the archive.

Cheers,
Moritz



Bug#1023625: puppet-module-puppetlabs-apt: CVE-2022-3275

2022-11-07 Thread Moritz Mühlenhoff
Source: puppet-module-puppetlabs-apt
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for puppet-module-puppetlabs-apt.

CVE-2022-3275[0]:
| Command injection is possible in the puppetlabs-apt module prior to
| version 9.0.0. A malicious actor is able to exploit this vulnerability
| only if they are able to provide unsanitized input to the module. This
| condition is rare in most deployments of Puppet and Puppet Enterprise.

https://puppet.com/security/cve/CVE-2022-3275
https://github.com/puppetlabs/puppetlabs-apt/commit/c26ad2a54f318b4d6fbe55f837b00cd6afd9f1eb

This doesn't warrant a DSA (but could be fixed via spu)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3275
https://www.cve.org/CVERecord?id=CVE-2022-3275

Please adjust the affected versions in the BTS as needed.



Bug#1023693: libstb: CVE-2021-37789

2022-11-08 Thread Moritz Mühlenhoff
Source: libstb
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libstb.

CVE-2021-37789[0]:
| stb_image.h 2.27 has a heap-based buffer overflow in stbi__jpeg_load,
| leading to Information Disclosure or Denial of Service.

https://github.com/nothings/stb/issues/1178

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37789
https://www.cve.org/CVERecord?id=CVE-2021-37789

Please adjust the affected versions in the BTS as needed.



Bug#1021292: Enabling branch protection on amd64 and arm64

2023-06-27 Thread Moritz Mühlenhoff
Am Wed, Jun 21, 2023 at 05:41:36PM +0200 schrieb Emanuele Rocca:
> Hey Moritz,
> 
> On 2022-10-26 08:20, Moritz Mühlenhoff wrote:
> > I think this should rather be applied early after the Bookworm
> > release (and ideally we can also finish off the necessary testing
> > and add -fstack-clash-protection at least for amd64 and other archs
> > which are ready for it (#918914)).
> 
> Can we go ahead with the dpkg patch now, any specific tests you had in
> mind before applying it?

Note that I'm not the one driving this change (I'll start a separate
thread for -fstack-clash-protection in the next days), but the original
request was from Wookey.

Personally I think now at the beginning of the new development cycle
is the ideal time to start this.

Cheers,
Moritz



Bug#877512: slapd: enabled systemd integration (untested patch)

2023-06-28 Thread Moritz Mühlenhoff
Am Wed, Jun 28, 2023 at 09:49:06AM -0700 schrieb Ryan Tandy:
> On Wed, Jun 28, 2023 at 06:29:31PM +0200, Andreas Henriksson wrote:
> > I'm attaching a patch which has only been compile-tested as I don't
> > use slapd myself. It would be great if someone who uses slapd could
> > pick it up, test it and finish the remaining work.
> 
> Thanks for the patch and for doing the compile-testing. Unfortunately
> upstream's service file won't work for us as is. The remaining work includes
> (and this is the part I've been procrastinating) extracting from the init
> script the parts that determine the arguments to slapd (based on config from
> /etc/default/slapd, and I think in some cases possibly from the slapd config
> too), and turning that into a slapd launcher script that the service will
> have to invoke.

OTOH, moving to the systemd unit might also be a good opportunity to reduce
some complexity? Looking at slapd.default shipped with the current package
SLAPD_SENTINEL_FILE, SLAPD_PIDFILE and SLAPD_NO_START are all settings which
are no longer relevant with a systemd unit or can equally be achieved with
commands built-in to systemd (e.g. systemctl mask).

Then there's a handful of settings which IMHO probably very few people actually
modify (SLAPD_USER, SLAPD_GROUP, SLAPD_CONF, SLAPD_SERVICES) and which folks
wanting to modify can always tweak with a local unit override/dropins.

The most commonly used option is probably SLAPD_OPTIONS, which could also
be read via an EnvironmentFile from /etc/default.

Cheers,
Moritz



Bug#877512: slapd: enabled systemd integration (untested patch)

2023-06-29 Thread Moritz Mühlenhoff
Am Wed, Jun 28, 2023 at 01:03:33PM -0700 schrieb Ryan Tandy:
> Hmm. So on upgrade I suppose we would want to automatically migrate those
> settings to a drop-in? That actually sounds doable; such a drop-in would
> probably not have to be a conffile.

Indeed, so my idea was that e.g. the systemd unit would default to User=openldap
and Group=openldap and then the postinst could check if /etc/default/slapd has
SLAPD_GROUP and/or SLAPD_USER set to something other than "openldap" and in that
case a drop-in would be generated with those settings. Similar for Kerberos etc.

> > The most commonly used option is probably SLAPD_OPTIONS, which could also
> > be read via an EnvironmentFile from /etc/default.
> 
> Right. Although if that's the only thing still being consumed, I'd be
> tempted to just let it go too. :)

Actually, that's a fair point, then there would be a clean cut so that it's
obvious that /etc/default/slapd is only relevant for folks not using systemd.
Again, SLAPD_OPTIONS could easily also be a drop-in after all.

> Thanks for the input, it really does help. :)

Glad to help!

Cheers,
Moritz
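The migration sketched in the two slapd messages above (a drop-in generated at package configuration time only when SLAPD_USER / SLAPD_GROUP in /etc/default/slapd deviate from the unit's own defaults), as an added example that is not part of the slapd package, its maintainer scripts or this bug thread. The unit default "openldap", the accepted character set for account names and the sample file contents are assumptions; the real postinst would write the output to /etc/systemd/system/slapd.service.d/ and run `systemctl daemon-reload`.

```shell
#!/bin/sh
# Added example, not from the slapd package or this bug thread: derive a
# systemd drop-in from an /etc/default/slapd-style file, emitting User=/Group=
# lines only where SLAPD_USER / SLAPD_GROUP deviate from the unit's assumed
# built-in default "openldap". The file is parsed line by line rather than
# sourced, so a maintainer script never executes shell code from a config file.

nl='
'

# default_value FILE KEY: print the value of the first KEY=... line,
# with optional surrounding quotes stripped; commented lines do not match.
default_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | head -n 1
}

# valid_name NAME: accept only characters safe to place in a unit file.
# Anything else (spaces, ';', '[', newlines) is rejected so a config value
# cannot inject extra directives or sections into the generated drop-in.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# slapd_dropin FILE: print the drop-in body, or nothing if the defaults apply.
# Returns 1 (and prints nothing) when a value fails validation.
slapd_dropin() {
    file=$1
    body=''
    for key in SLAPD_USER SLAPD_GROUP; do
        value=$(default_value "$file" "$key")
        # Unset or empty means "use the unit's default", as does "openldap".
        [ -n "$value" ] && [ "$value" != openldap ] || continue
        if ! valid_name "$value"; then
            echo "$key=$value is not a valid name, refusing to generate a drop-in" >&2
            return 1
        fi
        case $key in
            SLAPD_USER)  body="${body}User=${value}${nl}" ;;
            SLAPD_GROUP) body="${body}Group=${value}${nl}" ;;
        esac
    done
    [ -n "$body" ] || return 0
    printf '[Service]\n%s' "$body"
}

# Constructed sample inputs (not real /etc/default/slapd contents).
SAMPLE=$(mktemp); SAMPLE_DEFAULT=$(mktemp); SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE" "$SAMPLE_DEFAULT" "$SAMPLE_BAD"' EXIT

cat > "$SAMPLE" <<'EOF'
# Default location of the slapd.conf file or slapd.d cn=config directory.
SLAPD_CONF=
# System account to run the slapd server under.
SLAPD_USER="ldap-custom"
SLAPD_GROUP="openldap"
SLAPD_OPTIONS=""
EOF

cat > "$SAMPLE_DEFAULT" <<'EOF'
SLAPD_USER="openldap"
SLAPD_GROUP="openldap"
EOF

cat > "$SAMPLE_BAD" <<'EOF'
SLAPD_USER="ldap user"
EOF

# Only the non-default User= line is emitted for the first sample; the
# second sample yields nothing and the third is rejected.
slapd_dropin "$SAMPLE"
```

The validation step is the part worth keeping: a value copied verbatim from a file the admin (or a compromised configuration management run) controls would otherwise be able to add arbitrary directives to the generated unit fragment.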



Bug#1040592: node-dottie: CVE-2023-26132

2023-07-07 Thread Moritz Mühlenhoff
Source: node-dottie
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-dottie.

CVE-2023-26132[0]:
| Versions of the package dottie before 2.0.4 are vulnerable to
| Prototype Pollution due to insufficient checks, via the set()
| function and the current variable in the /dottie.js file.

https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763
https://github.com/mickhansen/dottie.js/commit/7d3aee1c9c3c842720506e131de7e181e5c8db68


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26132
https://www.cve.org/CVERecord?id=CVE-2023-26132

Please adjust the affected versions in the BTS as needed.



Bug#1040594: libcoap3: CVE-2023-30362

2023-07-07 Thread Moritz Mühlenhoff
Source: libcoap3
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for libcoap3.

CVE-2023-30362[0]:
| Buffer Overflow vulnerability in coap_send function in libcoap
| library 4.3.1-103-g52cfd56 fixed in 4.3.1-120-ge242200 allows
| attackers to obtain sensitive information via malformed pdu.

https://github.com/obgm/libcoap/issues/1063
https://github.com/obgm/libcoap/commit/e242200f0af2a418dc9f69eee543feacc13cd851


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30362
https://www.cve.org/CVERecord?id=CVE-2023-30362

Please adjust the affected versions in the BTS as needed.



Bug#1040593: kodi: CVE-2023-30207

2023-07-07 Thread Moritz Mühlenhoff
Source: kodi
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for kodi.

CVE-2023-30207[0]:
| A divide by zero issue discovered in Kodi Home Theater Software 19.5
| and earlier allows attackers to cause a denial of service via use of
| crafted mp3 file.

https://github.com/xbmc/xbmc/issues/22378
https://github.com/xbmc/xbmc/pull/22391
https://github.com/xbmc/xbmc/commit/dbc00c500f4c4830049cc040a61c439c580eea73

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30207
https://www.cve.org/CVERecord?id=CVE-2023-30207

Please adjust the affected versions in the BTS as needed.



Bug#1040595: yt-dlp: CVE-2023-35934

2023-07-07 Thread Moritz Mühlenhoff
Source: yt-dlp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for yt-dlp.

CVE-2023-35934[0]:
| yt-dlp is a command-line program to download videos from video
| sites. During file downloads, yt-dlp or the external downloaders
| that yt-dlp employs may leak cookies on HTTP redirects to a
| different host, or leak them when the host for download fragments
| differs from their parent manifest's host. This vulnerable behavior
| is present in yt-dlp prior to 2023.07.06 and nightly
| 2023.07.06.185519. All native and external downloaders are affected,
| except for `curl` and `httpie` (version 3.1.0 or later).  At the
| file download stage, all cookies are passed by yt-dlp to the file
| downloader as a `Cookie` header, thereby losing their scope. This
| also occurs in yt-dlp's info JSON output, which may be used by
| external tools. As a result, the downloader or external tool may
| indiscriminately send cookies with requests to domains or paths for
| which the cookies are not scoped.  yt-dlp version 2023.07.06 and
| nightly 2023.07.06.185519 fix this issue by removing the `Cookie`
| header upon HTTP redirects; having native downloaders calculate the
| `Cookie` header from the cookiejar, utilizing external downloaders'
| built-in support for cookies instead of passing them as header
| arguments, disabling HTTP redirecting if the external downloader
| does not have proper cookie support, processing cookies passed as
| HTTP headers to limit their scope, and having a separate field for
| cookies in the info dict storing more information about scoping.
| Some workarounds are available for those who are unable to upgrade.
| Avoid using cookies and user authentication methods. While
| extractors may set custom cookies, these usually do not contain
| sensitive information. Alternatively, avoid using `--load-info-
| json`. Or, if authentication is a must: verify the integrity of
| download links from unknown sources in browser (including redirects)
| before passing them to yt-dlp; use `curl` as external downloader,
| since it is not impacted; and/or avoid fragmented formats such as
| HLS/m3u8, DASH/mpd and ISM.

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj
https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729
https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07
https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-35934
https://www.cve.org/CVERecord?id=CVE-2023-35934

Please adjust the affected versions in the BTS as needed.



Bug#1040597: orthanc: CVE-2023-33466

2023-07-07 Thread Moritz Mühlenhoff
Source: orthanc
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for orthanc.

CVE-2023-33466[0]:
| Orthanc before 1.12.0 allows authenticated users with access to the
| Orthanc API to overwrite arbitrary files on the file system, and in
| specific deployment scenarios allows the attacker to overwrite the
| configuration, which can be exploited to trigger Remote Code
| Execution (RCE).

https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33466
https://www.cve.org/CVERecord?id=CVE-2023-33466

Please adjust the affected versions in the BTS as needed.



Bug#1030047: ruby-sanitize: CVE-2023-23627

2023-01-30 Thread Moritz Mühlenhoff
Source: ruby-sanitize
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for ruby-sanitize.

CVE-2023-23627[0]:
| Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0
| and later, prior to 6.0.1, are vulnerable to Cross-site Scripting.
| When Sanitize is configured with a custom allowlist that allows
| `noscript` elements, attackers are able to include arbitrary HTML,
| resulting in XSS (cross-site scripting) or other undesired behavior
| when that HTML is rendered in a browser. The default configurations do
| not allow `noscript` elements and are not vulnerable. This issue only
| affects users who are using a custom config that adds `noscript` to
| the element allowlist. This issue has been patched in version 6.0.1.
| Users who are unable to upgrade can prevent this issue by using one of
| Sanitize's default configs or by ensuring that their custom config
| does not include `noscript` in the element allowlist.

https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23627
https://www.cve.org/CVERecord?id=CVE-2023-23627

Please adjust the affected versions in the BTS as needed.



Bug#1030049: opusfile: CVE-2022-47021

2023-01-30 Thread Moritz Mühlenhoff
Source: opusfile
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for opusfile.

CVE-2022-47021[0]:
| A null pointer dereference issue was discovered in functions
| op_get_data and op_open1 in opusfile.c in xiph opusfile 0.9 thru 0.12
| allows attackers to cause denial of service or other unspecified
| impacts.

https://github.com/xiph/opusfile/commit/0a4cd796df5b030cb866f3f4a5e41a4b92caddf5
https://github.com/xiph/opusfile/issues/36

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-47021
https://www.cve.org/CVERecord?id=CVE-2022-47021

Please adjust the affected versions in the BTS as needed.



Bug#1030048: pgpool2: CVE-2023-22332

2023-01-30 Thread Moritz Mühlenhoff
Source: pgpool2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pgpool2.

CVE-2023-22332[0]:
| Information disclosure vulnerability exists in Pgpool-II 4.4.0 to
| 4.4.1 (4.4 series), 4.3.0 to 4.3.4 (4.3 series), 4.2.0 to 4.2.11 (4.2
| series), 4.1.0 to 4.1.14 (4.1 series), 4.0.0 to 4.0.21 (4.0 series),
| All versions of 3.7 series, All versions of 3.6 series, All versions
| of 3.5 series, All versions of 3.4 series, and All versions of 3.3
| series. A specific database user's authentication information may be
| obtained by another database user. As a result, the information stored
| in the database may be altered and/or database may be suspended by a
| remote attacker who successfully logged in the product with the
| obtained credentials.

Quoting from https://www.pgpool.net/mediawiki/index.php/Main_Page#News :

(I have no idea how common that is, feel free to downgrade as necessary)

--
This release contains a security fix.

If following conditions are all met, the password of "wd_lifecheck_user" is
exposed by "SHOW POOL STATUS" command. The command can be executed by any user
who can connect to Pgpool-II. (CVE-2023-22332)

• Version 3.3 or later
• use_watchdog = on
• wd_lifecheck_method = 'query'
• A plain text password is set to wd_lifecheck_password
--

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22332
https://www.cve.org/CVERecord?id=CVE-2023-22332

Please adjust the affected versions in the BTS as needed.
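The upstream note lists the exact configuration combination under which the password is exposed, which makes it a natural target for a configuration audit. The following is an added example, not Pgpool-II code: a small pgpool.conf parser and a check that reports whether the three configuration conditions hold (the version condition is left to the caller). The sample configurations are constructed. It assumes, as documented for Pgpool-II password settings, that non-plaintext passwords are stored with an 'md5' or 'AES' prefix; only values without those prefixes are treated as plain text.

```python
"""Flag the pgpool.conf combination under which CVE-2023-22332 exposes
wd_lifecheck_password via SHOW POOL STATUS.

Added example, not Pgpool-II code.  The sample configurations are
constructed.  Assumption: Pgpool-II stores non-plaintext passwords with an
'md5' or 'AES' prefix, so only values lacking those prefixes count as
plain text.  The "version 3.3 or later" condition is not checked here.
"""
import re

# One 'key = value' per line; '#' starts a comment; values may be quoted.
# A '#' inside a quoted value is not handled (pgpool.conf rarely needs it).
_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*(?:#.*)?$")


def parse_pgpool_conf(text):
    """Return {lowercased key: unquoted value} for every setting in text."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key] = value
    return conf


def is_plaintext_password(value):
    """Assumption (see module docstring): 'md5'/'AES' prefixes mark hashed or
    encrypted storage; an empty value means "look it up in pool_passwd"."""
    return bool(value) and not value.startswith(("md5", "AES"))


def wd_lifecheck_password_exposed(conf):
    """True when all configuration conditions from the upstream note hold."""
    return (
        conf.get("use_watchdog", "off").lower() == "on"
        and conf.get("wd_lifecheck_method", "").lower() == "query"
        and is_plaintext_password(conf.get("wd_lifecheck_password", ""))
    )


# Constructed sample: the vulnerable combination.
VULNERABLE_CONF = """\
listen_addresses = '*'
use_watchdog = on
wd_lifecheck_method = 'query'      # 'heartbeat' is not affected
wd_lifecheck_user = 'lifecheck'
wd_lifecheck_password = 'hunter2'  # plain text
"""

# Constructed sample: same password, but heartbeat lifecheck.
SAFE_CONF = """\
use_watchdog = on
wd_lifecheck_method = 'heartbeat'
wd_lifecheck_user = 'lifecheck'
wd_lifecheck_password = 'hunter2'
"""


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_CONF), ("safe", SAFE_CONF)):
        print(label, wd_lifecheck_password_exposed(parse_pgpool_conf(text)))
```

Point the parser at a real pgpool.conf with `parse_pgpool_conf(open(path).read())`; a True result on an unpatched 3.3+ instance means any user who can connect can read the lifecheck password with SHOW POOL STATUS.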



Bug#1030050: rails: CVE-2023-22796 CVE-2023-22795 CVE-2023-22794 CVE-2023-22792 CVE-2022-44566

2023-01-30 Thread Moritz Mühlenhoff
Source: rails
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for rails.

CVE-2023-22796[0]:
https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
https://github.com/rails/rails/commit/4b383e6936d7a72b5dc839f526c9a9aeb280acae 
(6-1-stable)

CVE-2023-22795[1]:
https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
https://github.com/rails/rails/commit/484fc9185db6c6a6a49ab458b11f9366da02bab2 
(6-1-stable)

CVE-2023-22794[2]:
https://discuss.rubyonrails.org/t/cve-2023-22794-sql-injection-vulnerability-via-activerecord-comments/82117
https://github.com/rails/rails/commit/048e9fc05e18c91838a44e60175e475de8b2aad5 
(6-1-stable)

CVE-2023-22792[3]:
https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
https://github.com/rails/rails/commit/7a7f37f146aa977350cf914eba20a95ce371485f 
(6-1-stable)

CVE-2022-44566[4]:
https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119
https://github.com/rails/rails/commit/414eb337d142a9c61d7723ceb9b7c1ab30dff3ed 
(6-1-stable)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-22796
https://www.cve.org/CVERecord?id=CVE-2023-22796
[1] https://security-tracker.debian.org/tracker/CVE-2023-22795
https://www.cve.org/CVERecord?id=CVE-2023-22795
[2] https://security-tracker.debian.org/tracker/CVE-2023-22794
https://www.cve.org/CVERecord?id=CVE-2023-22794
[3] https://security-tracker.debian.org/tracker/CVE-2023-22792
https://www.cve.org/CVERecord?id=CVE-2023-22792
[4] https://security-tracker.debian.org/tracker/CVE-2022-44566
https://www.cve.org/CVERecord?id=CVE-2022-44566

Please adjust the affected versions in the BTS as needed.



Bug#1021013: mplayer: CVE-2022-38600 CVE-2022-38856 CVE-2022-38861 CVE-2022-38862 CVE-2022-38864

2022-09-30 Thread Moritz Mühlenhoff
Source: mplayer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mplayer.

CVE-2022-38600[0]:
| Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and
| vf_vo.c.

https://trac.mplayerhq.hu/ticket/2390#comment:2
https://git.ffmpeg.org/gitweb/mplayer.git/commit/59792bad144c11b21b27171a93a36e3fbd21eb5e
 (r38380)
Followup: 
https://git.ffmpeg.org/gitweb/mplayer.git/commit/48ca1226397974bb2bc53de878411f88a80fe1f8
 (r38392)

CVE-2022-38856[1]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via function mov_build_index() of libmpdemux/demux_mov.c. This affects
| mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2395

CVE-2022-38861[2]:
| The MPlayer Project mplayer SVN-r38374-13.0.1 is vulnerable to memory
| corruption via function free_mp_image() of libmpcodecs/mp_image.c.

https://trac.mplayerhq.hu/ticket/2407
https://git.ffmpeg.org/gitweb/mplayer.git/commit/2622e7fbe3605a2f3b4f74900197fefeedc0d2e1
 (r38402)

CVE-2022-38862[3]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via function play() of libaf/af.c:639. This affects mplayer
| SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2400
https://trac.mplayerhq.hu/ticket/2404

CVE-2022-38864[4]:
| Certain The MPlayer Project products are vulnerable to Buffer Overflow
| via the function mp_unescape03() of libmpdemux/mpeg_hdr.c. This
| affects mencoder SVN-r38374-13.0.1 and mplayer SVN-r38374-13.0.1.

https://trac.mplayerhq.hu/ticket/2406
https://git.ffmpeg.org/gitweb/mplayer.git/commit/36546389ef9fb6b0e0540c5c3f212534c34b0e94
 (r38391)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38600
https://www.cve.org/CVERecord?id=CVE-2022-38600
[1] https://security-tracker.debian.org/tracker/CVE-2022-38856
https://www.cve.org/CVERecord?id=CVE-2022-38856
[2] https://security-tracker.debian.org/tracker/CVE-2022-38861
https://www.cve.org/CVERecord?id=CVE-2022-38861
[3] https://security-tracker.debian.org/tracker/CVE-2022-38862
https://www.cve.org/CVERecord?id=CVE-2022-38862
[4] https://security-tracker.debian.org/tracker/CVE-2022-38864
https://www.cve.org/CVERecord?id=CVE-2022-38864

Please adjust the affected versions in the BTS as needed.



Bug#1021014: snakeyaml: CVE-2022-38752

2022-09-30 Thread Moritz Mühlenhoff
Source: snakeyaml
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for snakeyaml.

CVE-2022-38752[0]:
| Using snakeYAML to parse untrusted YAML files may be vulnerable to
| Denial of Service attacks (DOS). If the parser is running on user
| supplied input, an attacker may supply content that causes the parser
| to crash by stack-overflow.

Fixed in 1.32:
https://bitbucket.org/snakeyaml/snakeyaml/issues/531/stackoverflow-oss-fuzz-47081
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47081 (not public)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38752
https://www.cve.org/CVERecord?id=CVE-2022-38752

Please adjust the affected versions in the BTS as needed.



Bug#1021015: tinyproxy: CVE-2022-40468

2022-09-30 Thread Moritz Mühlenhoff
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for tinyproxy.

CVE-2022-40468[0]:
| Tinyproxy commit 84f203f and earlier does not process HTTP request
| lines in the process_request() function and is using uninitialized
| buffers. This vulnerability allows attackers to access sensitive
| information at system runtime.

https://github.com/tinyproxy/tinyproxy/issues/457
https://github.com/tinyproxy/tinyproxy/commit/3764b8551463b900b5b4e3ec0cd9bb9182191cb7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40468
https://www.cve.org/CVERecord?id=CVE-2022-40468

Please adjust the affected versions in the BTS as needed.



Bug#1021016: frr: CVE-2022-37032

2022-09-30 Thread Moritz Mühlenhoff
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2022-37032[0]:
| An out-of-bounds read in the BGP daemon of FRRouting FRR before 8.4
| may lead to a segmentation fault and denial of service. This occurs in
| bgp_capability_msg_parse in bgpd/bgp_packet.c.

Fixed by: 
https://github.com/FRRouting/frr/commit/ff6db1027f8f36df657ff2e5ea167773752537ed

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37032
https://www.cve.org/CVERecord?id=CVE-2022-37032

Please adjust the affected versions in the BTS as needed.



Bug#1021017: amanda: CVE-2022-37703

2022-09-30 Thread Moritz Mühlenhoff
Source: amanda
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for amanda.

CVE-2022-37703[0]:
| In Amanda 3.5.1, an information leak vulnerability was found in the
| calcsize SUID binary. An attacker can abuse this vulnerability to know
| if a directory exists or not anywhere in the fs. The binary will use
| `opendir()` as root directly without checking the path, letting the
| attacker provide an arbitrary path.

https://github.com/MaherAzzouzi/CVE-2022-37703

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37703
https://www.cve.org/CVERecord?id=CVE-2022-37703

Please adjust the affected versions in the BTS as needed.



Bug#1021018: assimp: CVE-2022-38528

2022-09-30 Thread Moritz Mühlenhoff
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for assimp.

CVE-2022-38528[0]:
| Open Asset Import Library (assimp) commit 3c253ca was discovered to
| contain a segmentation violation via the component
| Assimp::XFileImporter::CreateMeshes.

https://github.com/assimp/assimp/issues/4662


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38528
https://www.cve.org/CVERecord?id=CVE-2022-38528

Please adjust the affected versions in the BTS as needed.



Bug#1021019: qemu: CVE-2022-3165

2022-09-30 Thread Moritz Mühlenhoff
Source: qemu
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qemu.

CVE-2022-3165[0]:
VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion

https://bugzilla.redhat.com/show_bug.cgi?id=2129739
Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/0bf41cab93e5c72dcda717abd625698b59d9ba3e
 (v6.1.0-rc0)
Proposed fix: 
https://lists.nongnu.org/archive/html/qemu-devel/2022-09/msg03948.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3165
https://www.cve.org/CVERecord?id=CVE-2022-3165

Please adjust the affected versions in the BTS as needed.



Bug#1021021: wolfssl: CVE-2022-38152 CVE-2022-38153 CVE-2022-39173

2022-09-30 Thread Moritz Mühlenhoff
Source: wolfssl
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for wolfssl.

CVE-2022-38152[0]:
| An issue was discovered in wolfSSL before 5.5.0. When a TLS 1.3 client
| connects to a wolfSSL server and SSL_clear is called on its session,
| the server crashes with a segmentation fault. This occurs in the
| second session, which is created through TLS session resumption and
| reuses the initial struct WOLFSSL. If the server reuses the previous
| session structure (struct WOLFSSL) by calling wolfSSL_clear(WOLFSSL*
| ssl) on it, the next received Client Hello (that resumes the previous
| session) crashes the server. Note that this bug is only triggered when
| resuming sessions using TLS session resumption. Only servers that use
| wolfSSL_clear instead of the recommended SSL_free; SSL_new sequence
| are affected. Furthermore, wolfSSL_clear is part of wolfSSL's
| compatibility layer and is not enabled by default. It is not part of
| wolfSSL's native API.

https://github.com/wolfSSL/wolfssl/pull/5468

CVE-2022-38153[1]:
| An issue was discovered in wolfSSL before 5.5.0 (when --enable-
| session-ticket is used); however, only version 5.3.0 is exploitable.
| Man-in-the-middle attackers or a malicious server can crash TLS 1.2
| clients during a handshake. If an attacker injects a large ticket
| (more than 256 bytes) into a NewSessionTicket message in a TLS 1.2
| handshake, and the client has a non-empty session cache, the session
| cache frees a pointer that points to unallocated memory, causing the
| client to crash with a "free(): invalid pointer" message. NOTE: It is
| likely that this is also exploitable during TLS 1.3 handshakes between
| a client and a malicious server. With TLS 1.3, it is not possible to
| exploit this as a man-in-the-middle.

https://github.com/wolfSSL/wolfssl/pull/5476

CVE-2022-39173[2]:
| In wolfSSL before 5.5.1, malicious clients can cause a buffer overflow
| during a TLS 1.3 handshake. This occurs when an attacker supposedly
| resumes a previous TLS session. During the resumption Client Hello a
| Hello Retry Request must be triggered. Both Client Hellos are required
| to contain a list of duplicate cipher suites to trigger the buffer
| overflow. In total, two Client Hellos have to be sent: one in the
| resumed session, and a second one as a response to a Hello Retry
| Request message.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-38152
https://www.cve.org/CVERecord?id=CVE-2022-38152
[1] https://security-tracker.debian.org/tracker/CVE-2022-38153
https://www.cve.org/CVERecord?id=CVE-2022-38153
[2] https://security-tracker.debian.org/tracker/CVE-2022-39173
https://www.cve.org/CVERecord?id=CVE-2022-39173

Please adjust the affected versions in the BTS as needed.



Bug#1021022: samba: CVE-2022-32743

2022-09-30 Thread Moritz Mühlenhoff
Source: samba
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for samba.

CVE-2022-32743[0]:
| Samba does not validate the Validated-DNS-Host-Name right for the
| dNSHostName attribute which could permit unprivileged users to write
| it.

https://bugzilla.samba.org/show_bug.cgi?id=14833

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-32743
https://www.cve.org/CVERecord?id=CVE-2022-32743

Please adjust the affected versions in the BTS as needed.



Bug#1021024: samba: CVE-2022-1615

2022-09-30 Thread Moritz Mühlenhoff
Source: samba
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for samba.

CVE-2022-1615[0]:
| In Samba, GnuTLS gnutls_rnd() can fail and give predictable random
| values.

https://bugzilla.samba.org/show_bug.cgi?id=15103
https://gitlab.com/samba-team/samba/-/merge_requests/2644
https://gitlab.com/samba-team/samba/-/commit/9849e7440e30853c61a80ce1f11b7b244ed766fe
 (samba-4.17.0rc1)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-1615
https://www.cve.org/CVERecord?id=CVE-2022-1615

Please adjust the affected versions in the BTS as needed.



Bug#1021133: sox: CVE-2021-23159

2022-10-02 Thread Moritz Mühlenhoff
Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for sox.

CVE-2021-23159[0]:
| A vulnerability was found in SoX, where a heap-buffer-overflow occurs
| in function lsx_read_w_buf() in formats_i.c file. The vulnerability is
| exploitable with a crafted file, that could cause an application to
| crash.

https://sourceforge.net/p/sox/bugs/352/
https://bugzilla.redhat.com/show_bug.cgi?id=1975671

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23159
https://www.cve.org/CVERecord?id=CVE-2021-23159

Please adjust the affected versions in the BTS as needed.



Bug#1021134: sox: CVE-2021-23172

2022-10-02 Thread Moritz Mühlenhoff
Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for sox.

CVE-2021-23172[0]:
| A vulnerability was found in SoX, where a heap-buffer-overflow occurs
| in function startread() in hcom.c file. The vulnerability is
| exploitable with a crafted hcom file, that could cause an application
| to crash.

https://sourceforge.net/p/sox/bugs/350/
https://bugzilla.redhat.com/show_bug.cgi?id=1975666

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23172
https://www.cve.org/CVERecord?id=CVE-2021-23172

Please adjust the affected versions in the BTS as needed.



Bug#1021135: sox: CVE-2021-33844

2022-10-02 Thread Moritz Mühlenhoff
Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for sox.

CVE-2021-33844[0]:
| A floating point exception (divide-by-zero) issue was discovered in
| SoX in function startread() of wav.c file. An attacker with a crafted
| wav file, could cause an application to crash.

https://sourceforge.net/p/sox/bugs/349/
https://bugzilla.redhat.com/show_bug.cgi?id=1975664

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-33844
https://www.cve.org/CVERecord?id=CVE-2021-33844

Please adjust the affected versions in the BTS as needed.



Bug#1021136: sox: CVE-2022-39236 CVE-2022-39249 CVE-2022-39251

2022-10-02 Thread Moritz Mühlenhoff
Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sox.

CVE-2022-39236[0]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Starting with version 17.1.0-rc.1, improperly formed beacon events can
| disrupt or impede the matrix-js-sdk from functioning properly,
| potentially impacting the consumer's ability to process data safely.
| Note that the matrix-js-sdk can appear to be operating normally but be
| excluding or corrupting runtime data presented to the consumer. This
| is patched in matrix-js-sdk v19.7.0. Redacting applicable events,
| waiting for the sync processor to store data, and restarting the
| client are possible workarounds. Alternatively, redacting the
| applicable events and clearing all storage will fix the further
| perceived issues. Downgrading to an unaffected version, noting that
| such a version may be subject to other vulnerabilities, will
| additionally resolve the issue.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-hvv8-5v86-r45x
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3488

CVE-2022-39249[1]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages appearing to have come from another
| person. Such messages will be marked with a grey shield on some
| platforms, but this may be missing in others. This attack is possible
| due to the matrix-js-sdk implementing a too permissive key forwarding
| strategy on the receiving end. Starting with version 19.7.0, the
| default policy for accepting key forwards has been made more strict in
| the matrix-js-sdk. matrix-js-sdk will now only accept forwarded keys
| in response to previously issued requests and only from own, verified
| devices. The SDK now sets a `trusted` flag on the decrypted message
| upon decryption, based on whether the key used to decrypt the message
| was received from a trusted source. Clients need to ensure that
| messages decrypted with a key with `trusted = false` are decorated
| appropriately, for example, by showing a warning for such messages.
| This attack requires coordination between a malicious homeserver and
| an attacker, and those who trust your homeservers do not need a
| workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-6263-x97c-c4gg
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://github.com/matrix-org/matrix-spec-proposals/pull/3061
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients

CVE-2022-39251[2]:
| Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript.
| Prior to version 19.7.0, an attacker cooperating with a malicious
| homeserver can construct messages that legitimately appear to have
| come from another person, without any indication such as a grey
| shield. Additionally, a sophisticated attacker cooperating with a
| malicious homeserver could employ this vulnerability to perform a
| targeted attack in order to send fake to-device messages appearing to
| originate from another user. This can allow, for example, to inject
| the key backup secret during a self-verification, to make a targeted
| device start using a malicious key backup spoofed by the homeserver.
| These attacks are possible due to a protocol confusion vulnerability
| that accepts to-device messages encrypted with Megolm instead of Olm.
| Starting with version 19.7.0, matrix-js-sdk has been modified to only
| accept Olm-encrypted to-device messages. Out of caution, several other
| checks have been audited or added. This attack requires coordination
| between a malicious home server and an attacker, so those who trust
| their home servers do not need a workaround.

https://github.com/matrix-org/matrix-js-sdk/security/advisories/GHSA-r48r-j8fx-mq2c
https://github.com/matrix-org/matrix-js-sdk/commit/a587d7c36026fe1fcf93dfff63588abee359be76
https://matrix.org/blog/2022/09/28/upgrade-now-to-address-encryption-vulns-in-matrix-sdks-and-clients


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39236
https://www.cve.org/CVERecord?id=CVE-2022-39236
[1] https://security-tracker.debian.org/tracker/CVE-2022-39249
https://www.cve.org/CVERecord?id=CVE-2022-39249
[2] https://security-tracker.debian.org/tracker/CVE-2022-39251
https://www.cve.org/CVERecord?id=CVE-2022-39251

Please adjust the affected versions in the BTS as needed.



Bug#1021137: modsecurity-crs: CVE-2022-39955 CVE-2022-39956 CVE-2022-39957 CVE-2022-39958

2022-10-02 Thread Moritz Mühlenhoff
Source: modsecurity-crs
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for modsecurity-crs.

CVE-2022-39955[0]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial
| rule set bypass by submitting a specially crafted HTTP Content-Type
| header field that indicates multiple character encoding schemes. A
| vulnerable back-end can potentially be exploited by declaring multiple
| Content-Type "charset" names and therefore bypassing the configurable
| CRS Content-Type header "charset" allow list. An encoded payload can
| bypass CRS detection this way and may then be decoded by the backend.
| The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the
| currently supported versions 3.2.1 and 3.3.2. Integrators and users
| are advised to upgrade to 3.2.2 and 3.3.3 respectively.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

CVE-2022-39956[1]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial
| rule set bypass for HTTP multipart requests by submitting a payload
| that uses a character encoding scheme via the Content-Type or the
| deprecated Content-Transfer-Encoding multipart MIME header fields that
| will not be decoded and inspected by the web application firewall
| engine and the rule set. The multipart payload will therefore bypass
| detection. A vulnerable backend that supports these encoding schemes
| can potentially be exploited. The legacy CRS versions 3.0.x and 3.1.x
| are affected, as well as the currently supported versions 3.2.1 and
| 3.3.2. Integrators and users are advised to upgrade to 3.2.2 and 3.3.3
| respectively. The mitigation against these vulnerabilities depends on
| the installation of the latest ModSecurity version (v2.9.6 / v3.0.8).

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

CVE-2022-39957[2]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a response
| body bypass. A client can issue an HTTP Accept header field containing
| an optional "charset" parameter in order to receive the response in an
| encoded form. Depending on the "charset", this response can not be
| decoded by the web application firewall. A restricted resource, access
| to which would ordinarily be detected, may therefore bypass detection.
| The legacy CRS versions 3.0.x and 3.1.x are affected, as well as the
| currently supported versions 3.2.1 and 3.3.2. Integrators and users
| are advised to upgrade to 3.2.2 and 3.3.3 respectively.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

CVE-2022-39958[3]:
| The OWASP ModSecurity Core Rule Set (CRS) is affected by a response
| body bypass to sequentially exfiltrate small and undetectable sections
| of data by repeatedly submitting an HTTP Range header field with a
| small byte range. A restricted resource, access to which would
| ordinarily be detected, may be exfiltrated from the backend, despite
| being protected by a web application firewall that uses CRS. Short
| subsections of a restricted resource may bypass pattern matching
| techniques and allow undetected access. The legacy CRS versions 3.0.x
| and 3.1.x are affected, as well as the currently supported versions
| 3.2.1 and 3.3.2. Integrators and users are advised to upgrade to 3.2.2
| and 3.3.3 respectively and to configure a CRS paranoia level of 3 or
| higher.

https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39955
https://www.cve.org/CVERecord?id=CVE-2022-39955
[1] https://security-tracker.debian.org/tracker/CVE-2022-39956
https://www.cve.org/CVERecord?id=CVE-2022-39956
[2] https://security-tracker.debian.org/tracker/CVE-2022-39957
https://www.cve.org/CVERecord?id=CVE-2022-39957
[3] https://security-tracker.debian.org/tracker/CVE-2022-39958
https://www.cve.org/CVERecord?id=CVE-2022-39958

Please adjust the affected versions in the BTS as needed.
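
Added example, not part of this bug report and not CRS rule code: the three bypass shapes described in the CVE texts above (a charset on the multipart Content-Type or a Content-Transfer-Encoding on a part, a charset parameter in Accept, and a short byte range in Range), written as plain header checks in Python. The finding names, the minimal multipart parser and the SMALL_RANGE_BYTES threshold are this example's own assumptions; CRS implements the corresponding checks as ModSecurity rules, which are not reproduced here. The sample requests are constructed.

```python
import re

# Assumed threshold for a "small" byte range; CRS gates its Range checks on
# paranoia level rather than on a fixed byte count.
SMALL_RANGE_BYTES = 64


def _header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_params(value):
    """Split 'type; k=v; k2="v2"' into (type, {k: v}). Keys are lower-cased;
    values keep their case because a multipart boundary is case-sensitive."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def multipart_findings(content_type, body):
    """CVE-2022-39956 shape: charset on the multipart Content-Type, charset on
    a part's Content-Type, or a Content-Transfer-Encoding header on a part."""
    findings = []
    main, params = parse_params(content_type)
    if main != "multipart/form-data":
        return findings
    if "charset" in params:
        findings.append("multipart-global-charset")
    boundary = params.get("boundary")
    if not boundary:
        return findings
    for chunk in body.split("--" + boundary)[1:]:
        chunk = chunk.strip()
        if chunk.startswith("--"):          # closing delimiter reached
            break
        part_headers, _, _content = chunk.partition("\r\n\r\n")
        for line in part_headers.splitlines():
            name, _, val = line.partition(":")
            name = name.strip().lower()
            if name == "content-transfer-encoding":
                findings.append("multipart-content-transfer-encoding")
            elif name == "content-type" and "charset" in parse_params(val)[1]:
                findings.append("multipart-part-charset")
    return findings


def accept_findings(accept):
    """CVE-2022-39957 shape: any media range in Accept carrying charset=."""
    if accept is None:
        return []
    for media_range in accept.split(","):
        if "charset" in parse_params(media_range)[1]:
            return ["accept-charset"]
    return []


_RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)


def range_findings(range_header, small=SMALL_RANGE_BYTES):
    """CVE-2022-39958 shape: a Range header asking for a short byte span."""
    if range_header is None:
        return []
    match = _RANGE_RE.match(range_header)
    if not match:
        return []
    for spec in match.group(1).split(","):
        start, _, end = spec.strip().partition("-")
        if start.isdigit() and end.isdigit() and 0 < int(end) - int(start) + 1 <= small:
            return ["range-small"]
    return []


def inspect_request(request):
    """Return the sorted, de-duplicated finding names for one request dict."""
    headers, body = request["headers"], request.get("body", "")
    findings = []
    content_type = _header(headers, "Content-Type")
    if content_type:
        findings += multipart_findings(content_type, body)
    findings += accept_findings(_header(headers, "Accept"))
    findings += range_findings(_header(headers, "Range"))
    return sorted(set(findings))


# Constructed sample requests (not captured traffic).
MULTIPART_UPLOAD = {
    "headers": {"Content-Type": "multipart/form-data; boundary=XX; charset=utf-7"},
    "body": ('--XX\r\nContent-Disposition: form-data; name="a"\r\n'
             "Content-Transfer-Encoding: base64\r\n\r\naGVsbG8=\r\n"
             '--XX\r\nContent-Disposition: form-data; name="b"\r\n'
             "Content-Type: text/plain; charset=utf-7\r\n\r\nhello\r\n--XX--\r\n"),
}
RANGE_PROBE = {"headers": {"Accept": "text/html; charset=utf-16", "Range": "bytes=0-7"}}
CLEAN = {
    "headers": {"Content-Type": "multipart/form-data; boundary=YY", "Accept": "text/html"},
    "body": '--YY\r\nContent-Disposition: form-data; name="f"\r\n\r\nhello\r\n--YY--\r\n',
}

if __name__ == "__main__":
    for label, req in [("upload", MULTIPART_UPLOAD), ("probe", RANGE_PROBE), ("clean", CLEAN)]:
        print(label, inspect_request(req))
```

The checks are deliberately pre-decoding: they flag the request for declaring an encoding the inspection engine will not undo, rather than trying to decode every possible charset, which is the approach the CRS advisory text describes for the fixed rule sets.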



Bug#1021138: php8.1: CVE-2022-31628 CVE-2022-31629

2022-10-02 Thread Moritz Mühlenhoff
Source: php8.1
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for php8.1.

CVE-2022-31628[0]:
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the phar
| uncompressor code would recursively uncompress "quines" gzip files,
| resulting in an infinite loop.

PHP Bug: https://bugs.php.net/bug.php?id=81726
https://github.com/php/php-src/commit/404e8bdb68350931176a5bdc86fc417b34fb583d
https://github.com/php/php-src/commit/432bf196d59bcb661fcf9cb7029cea9b43f490af

CVE-2022-31629[1]:
| In PHP versions before 7.4.31, 8.0.24 and 8.1.11, the vulnerability
| enables network and same-site attackers to set a standard insecure
| cookie in the victim's browser which is treated as a `__Host-` or
| `__Secure-` cookie by PHP applications.

PHP Bug: https://bugs.php.net/bug.php?id=81727
https://github.com/php/php-src/commit/0611be4e82887cee0de6c4cbae320d34eec946ca

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31628
https://www.cve.org/CVERecord?id=CVE-2022-31628
[1] https://security-tracker.debian.org/tracker/CVE-2022-31629
https://www.cve.org/CVERecord?id=CVE-2022-31629

Please adjust the affected versions in the BTS as needed.



Bug#1021139: barbican: CVE-2022-3100

2022-10-02 Thread Moritz Mühlenhoff
Source: barbican
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for barbican.

CVE-2022-3100[0]:
access policy bypass via query string injection

Only reference so far is Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=2125404

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3100
https://www.cve.org/CVERecord?id=CVE-2022-3100

Please adjust the affected versions in the BTS as needed.



Bug#1021141: imagemagick: CVE-2022-3213

2022-10-02 Thread Moritz Mühlenhoff
Source: imagemagick
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for imagemagick.

CVE-2022-3213[0]:
| A heap buffer overflow issue was found in ImageMagick. When an
| application processes a malformed TIFF file, it could lead to
| undefined behavior or a crash causing a denial of service.

https://bugzilla.redhat.com/show_bug.cgi?id=2126824
https://github.com/ImageMagick/ImageMagick/commit/30ccf9a0da1f47161b5935a95be854fe84e6c2a2
https://github.com/ImageMagick/ImageMagick6/commit/1aea203eb36409ce6903b9e41fe7cb70030e8750

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-3213
https://www.cve.org/CVERecord?id=CVE-2022-3213

Please adjust the affected versions in the BTS as needed.



Bug#1021142: cargo: CVE-2022-36113 CVE-2022-36114

2022-10-02 Thread Moritz Mühlenhoff
Source: cargo
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for cargo.

CVE-2022-36113[0]:
| Cargo is a package manager for the rust programming language. After a
| package is downloaded, Cargo extracts its source code in the ~/.cargo
| folder on disk, making it available to the Rust projects it builds. To
| record when an extraction is successful, Cargo writes "ok" to the
| .cargo-ok file at the root of the extracted source code once it
| extracted all the files. It was discovered that Cargo allowed packages
| to contain a .cargo-ok symbolic link, which Cargo would extract. Then,
| when Cargo attempted to write "ok" into .cargo-ok, it would actually
| replace the first two bytes of the file the symlink pointed to with
| ok. This would allow an attacker to corrupt one file on the machine
| using Cargo to extract the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available
| in the wg-security-response repository for people building their own
| toolchain. Mitigations: We recommend users of alternate registries to
| exercise care in which package they download, by only including
| trusted dependencies in their projects. Please note that even with
| these vulnerabilities fixed, by design Cargo allows arbitrary code
| execution at build time thanks to build scripts and procedural macros:
| a malicious dependency will be able to cause damage regardless of
| these vulnerabilities. crates.io implemented server-side checks to
| reject these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as remote code
| execution is allowed by design there as well.

https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a

CVE-2022-36114[1]:
| Cargo is a package manager for the rust programming language. It was
| discovered that Cargo did not limit the amount of data extracted from
| compressed archives. An attacker could upload to an alternate registry
| a specially crafted package that extracts way more data than its size
| (also known as a "zip bomb"), exhausting the disk space on the machine
| using Cargo to download the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available
| in the wg-security-response repository for people building their own
| toolchain. We recommend users of alternate registries to exercise
| care in which package they download, by only including trusted
| dependencies in their projects. Please note that even with these
| vulnerabilities fixed, by design Cargo allows arbitrary code execution
| at build time thanks to build scripts and procedural macros: a
| malicious dependency will be able to cause damage regardless of these
| vulnerabilities. crates.io implemented server-side checks to reject
| these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as the same
| concerns about build scripts and procedural macros apply here.

https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities 

Bug#1021143: rust-cargo: CVE-2022-36113 CVE-2022-36114

2022-10-02 Thread Moritz Mühlenhoff
Source: rust-cargo
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for rust-cargo.

CVE-2022-36113[0]:
| Cargo is a package manager for the rust programming language. After a
| package is downloaded, Cargo extracts its source code in the ~/.cargo
| folder on disk, making it available to the Rust projects it builds. To
| record when an extraction is successful, Cargo writes "ok" to the
| .cargo-ok file at the root of the extracted source code once it
| extracted all the files. It was discovered that Cargo allowed packages
| to contain a .cargo-ok symbolic link, which Cargo would extract. Then,
| when Cargo attempted to write "ok" into .cargo-ok, it would actually
| replace the first two bytes of the file the symlink pointed to with
| ok. This would allow an attacker to corrupt one file on the machine
| using Cargo to extract the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available
| in the wg-security-response repository for people building their own
| toolchain. Mitigations: We recommend users of alternate registries to
| exercise care in which package they download, by only including
| trusted dependencies in their projects. Please note that even with
| these vulnerabilities fixed, by design Cargo allows arbitrary code
| execution at build time thanks to build scripts and procedural macros:
| a malicious dependency will be able to cause damage regardless of
| these vulnerabilities. crates.io implemented server-side checks to
| reject these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as remote code
| execution is allowed by design there as well.

https://github.com/rust-lang/cargo/security/advisories/GHSA-rfj2-q3h3-hm5j
https://github.com/rust-lang/cargo/commit/97b80919e404b0768ea31ae329c3b4da54bed05a

CVE-2022-36114[1]:
| Cargo is a package manager for the rust programming language. It was
| discovered that Cargo did not limit the amount of data extracted from
| compressed archives. An attacker could upload to an alternate registry
| a specially crafted package that extracts way more data than its size
| (also known as a "zip bomb"), exhausting the disk space on the machine
| using Cargo to download the package. Note that by design Cargo allows
| code execution at build time, due to build scripts and procedural
| macros. The vulnerabilities in this advisory allow performing a subset
| of the possible damage in a harder to track down way. Your
| dependencies must still be trusted if you want to be protected from
| attacks, as it's possible to perform the same attacks with build
| scripts and procedural macros. The vulnerability is present in all
| versions of Cargo. Rust 1.64, to be released on September 22nd, will
| include a fix for it. Since the vulnerability is just a more limited
| way to accomplish what malicious build scripts or procedural macros
| can do, we decided not to publish Rust point releases backporting the
| security fix. Patch files for Rust 1.63.0 are available
| in the wg-security-response repository for people building their own
| toolchain. We recommend users of alternate registries to exercise
| care in which package they download, by only including trusted
| dependencies in their projects. Please note that even with these
| vulnerabilities fixed, by design Cargo allows arbitrary code execution
| at build time thanks to build scripts and procedural macros: a
| malicious dependency will be able to cause damage regardless of these
| vulnerabilities. crates.io implemented server-side checks to reject
| these kinds of packages years ago, and there are no packages on
| crates.io exploiting these vulnerabilities. crates.io users still need
| to exercise care in choosing their dependencies though, as the same
| concerns about build scripts and procedural macros apply here.

https://github.com/rust-lang/cargo/security/advisories/GHSA-2hvr-h6gw-qrxp
https://github.com/rust-lang/cargo/commit/d1f9553c825f6d7481453be8d58d0e7f117988a7

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulner
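
Added example, not part of either bug report and not Cargo's own code: a package extractor in Python that closes both holes described in the two CVE texts above (the cargo and rust-cargo reports carry the same advisories). It refuses any entry that is not a plain file or directory, so a symlink named .cargo-ok cannot redirect the marker write (CVE-2022-36113), refuses an entry that supplies the marker itself, sums the declared sizes against a budget before writing anything (CVE-2022-36114), and writes the marker with O_NOFOLLOW where the platform has it. OK_MARKER, DEFAULT_BUDGET and the sample packages are this example's own constructions; how Cargo itself validates entries after the fix is not reproduced here.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path

OK_MARKER = ".cargo-ok"             # the extractor's own "extraction finished" marker
DEFAULT_BUDGET = 50 * 1024 * 1024   # assumed per-package budget, not Cargo's figure


class UnsafeArchive(Exception):
    """Raised when a package archive must not be extracted."""


def build_archive(members):
    """Build a tar in memory from (name, kind, payload) tuples; kind is "file"
    (payload: bytes) or "symlink" (payload: link target). Only used to
    construct the sample packages below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, payload in members:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


def write_ok_marker(dest):
    """Write "ok" to the marker without following a symlink at that path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(str(Path(dest) / OK_MARKER), flags, 0o644)
    with os.fdopen(fd, "w") as marker:
        marker.write("ok")


def safe_extract(archive_bytes, dest, budget=DEFAULT_BUDGET):
    """Validate every entry, then extract, then write the marker.
    Returns the number of file bytes written; raises UnsafeArchive otherwise."""
    dest = Path(dest).resolve()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        members = tar.getmembers()
        total = 0
        for m in members:
            target = (dest / m.name).resolve()
            if target != dest and dest not in target.parents:
                raise UnsafeArchive(f"entry escapes destination: {m.name}")
            if not (m.isfile() or m.isdir()):
                # CVE-2022-36113: a symlink named .cargo-ok redirected the marker write
                raise UnsafeArchive(f"entry is not a regular file or directory: {m.name}")
            if Path(m.name).name == OK_MARKER:
                raise UnsafeArchive(f"archive supplies the marker itself: {m.name}")
            total += m.size
            if total > budget:
                # CVE-2022-36114: declared sizes are summed before anything is written
                raise UnsafeArchive(f"declared size exceeds budget of {budget} bytes")
        for m in members:                   # every entry passed; now write
            target = dest / m.name
            if m.isdir():
                target.mkdir(parents=True, exist_ok=True)
            else:
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(tar.extractfile(m).read())
    write_ok_marker(dest)
    return total


def extract_into_tempdir(archive_bytes, budget=DEFAULT_BUDGET):
    """Run safe_extract in a fresh temporary directory. Returns
    ("ok", bytes_written, marker_text) or ("rejected", reason)."""
    with tempfile.TemporaryDirectory() as d:
        try:
            written = safe_extract(archive_bytes, d, budget)
        except UnsafeArchive as exc:
            return ("rejected", str(exc))
        return ("ok", written, (Path(d) / OK_MARKER).read_text())


# Constructed sample packages; none of these is a real crate.
BENIGN = build_archive([
    ("Cargo.toml", "file", b'[package]\nname = "demo"\nversion = "0.1.0"\n'),
    ("src/lib.rs", "file", b"pub fn demo() {}\n"),
])
MARKER_SYMLINK = build_archive([
    ("src/lib.rs", "file", b"pub fn demo() {}\n"),
    (".cargo-ok", "symlink", "/tmp/some-other-file"),    # CVE-2022-36113 shape
])
OVERSIZED = build_archive([("blob.bin", "file", b"\0" * 4096)])  # over a 1024-byte budget

if __name__ == "__main__":
    print("benign        ", extract_into_tempdir(BENIGN))
    print("marker symlink", extract_into_tempdir(MARKER_SYMLINK))
    print("oversized     ", extract_into_tempdir(OVERSIZED, budget=1024))
```

Validating the whole member list before writing the first byte is what makes the size check meaningful: a tar header states each entry's size up front, so the budget can be enforced without ever materialising the expanded data.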

Bug#1021270: libmodbus: CVE-2022-0367

2022-10-04 Thread Moritz Mühlenhoff
Source: libmodbus
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libmodbus.

CVE-2022-0367[0]:
| A heap-based buffer overflow flaw was found in libmodbus in function
| modbus_reply() in src/modbus.c.

https://bugzilla.redhat.com/show_bug.cgi?id=2045571
https://github.com/stephane/libmodbus/issues/614
Fixed by: 
https://github.com/stephane/libmodbus/commit/b4ef4c17d618eba0adccc4c7d9e9a1ef809fc9b6
 (v3.1.7)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-0367
https://www.cve.org/CVERecord?id=CVE-2022-0367

Please adjust the affected versions in the BTS as needed.



Bug#1021272: keystone: CVE-2022-2447

2022-10-04 Thread Moritz Mühlenhoff
Source: keystone
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for keystone.

CVE-2022-2447[0]:
| A flaw was found in Keystone. There is a time lag (up to one hour in a
| default configuration) between when security policy says a token
| should be revoked from when it is actually revoked. This could allow a
| remote administrator to secretly maintain access for longer than
| expected.

The only reference so far seems to be from Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=2105419

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2447
https://www.cve.org/CVERecord?id=CVE-2022-2447

Please adjust the affected versions in the BTS as needed.



Bug#1021273: nomad: CVE-2021-37218 CVE-2021-43415 CVE-2022-24683 CVE-2022-24684 CVE-2022-24685 CVE-2022-24686

2022-10-04 Thread Moritz Mühlenhoff
Source: nomad
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nomad.

CVE-2021-37218[0]:
| HashiCorp Nomad and Nomad Enterprise Raft RPC layer allows non-server
| agents with a valid certificate signed by the same CA to access
| server-only functionality, enabling privilege escalation. Fixed in
| 1.0.10 and 1.1.4.

https://discuss.hashicorp.com/t/hcsec-2021-21-nomad-raft-rpc-privilege-escalation/29023
https://github.com/hashicorp/nomad/pull/11089 (main)
https://github.com/hashicorp/nomad/commit/768d7c72a77e9c0415d92900753fc83e8822145a
 (release-1.1.4)
https://github.com/hashicorp/nomad/commit/61a922afcf12784281757402c8e0b61686ff855d
 (release-1.0.11)

CVE-2021-43415[1]:
| HashiCorp Nomad and Nomad Enterprise up to 1.0.13, 1.1.7, and 1.2.0,
| with the QEMU task driver enabled, allowed authenticated users with
| job submission capabilities to bypass the configured allowed image
| paths. Fixed in 1.0.14, 1.1.8, and 1.2.1.

https://discuss.hashicorp.com/t/hcsec-2021-31-nomad-qemu-task-driver-allowed-paths-bypass-with-job-args/32288
https://github.com/hashicorp/nomad/issues/11542
https://github.com/hashicorp/nomad/pull/11554
https://github.com/hashicorp/nomad/commit/40de248b940eb7babbd4a08ebe9d6874758f5285
 (v1.2.1)

CVE-2022-24683[2]:
| HashiCorp Nomad and Nomad Enterprise 0.9.2 through 1.0.17, 1.1.11, and
| 1.2.5 allow operators with read-fs and alloc-exec (or job-submit)
| capabilities to read arbitrary files on the host filesystem as root.

https://discuss.hashicorp.com/t/hcsec-2022-02-nomad-alloc-filesystem-and-container-escape/35560

CVE-2022-24684[3]:
| HashiCorp Nomad and Nomad Enterprise 0.9.0 through 1.0.16, 1.1.11, and
| 1.2.5 allow operators with job-submit capabilities to use the spread
| stanza to panic server agents. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-04-nomad-spread-job-stanza-may-trigger-panic-in-servers/35562
https://github.com/hashicorp/nomad/issues/12039
https://github.com/hashicorp/nomad/commit/c49359ad58f0af18a5697a0b7b9b6cca9656d267
 (v1.2.6)

CVE-2022-24685[4]:
| HashiCorp Nomad and Nomad Enterprise 1.0.17, 1.1.11, and 1.2.5 allow
| invalid HCL for the jobs parse endpoint, which may cause excessive CPU
| usage. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-03-nomad-malformed-job-parsing-results-in-excessive-cpu-usage/35561
https://github.com/hashicorp/nomad/issues/12038

CVE-2022-24686[5]:
| HashiCorp Nomad and Nomad Enterprise 0.3.0 through 1.0.17, 1.1.11, and
| 1.2.5 artifact download functionality has a race condition such that
| the Nomad client agent could download the wrong artifact into the
| wrong destination. Fixed in 1.0.18, 1.1.12, and 1.2.6.

https://discuss.hashicorp.com/t/hcsec-2022-01-nomad-artifact-download-race-condition/35559

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37218
https://www.cve.org/CVERecord?id=CVE-2021-37218
[1] https://security-tracker.debian.org/tracker/CVE-2021-43415
https://www.cve.org/CVERecord?id=CVE-2021-43415
[2] https://security-tracker.debian.org/tracker/CVE-2022-24683
https://www.cve.org/CVERecord?id=CVE-2022-24683
[3] https://security-tracker.debian.org/tracker/CVE-2022-24684
https://www.cve.org/CVERecord?id=CVE-2022-24684
[4] https://security-tracker.debian.org/tracker/CVE-2022-24685
https://www.cve.org/CVERecord?id=CVE-2022-24685
[5] https://security-tracker.debian.org/tracker/CVE-2022-24686
https://www.cve.org/CVERecord?id=CVE-2022-24686

Please adjust the affected versions in the BTS as needed.



Bug#1021274: python-opcua: CVE-2022-25304

2022-10-04 Thread Moritz Mühlenhoff
Source: python-opcua
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-opcua.

CVE-2022-25304[0]:
| All versions of package opcua; all versions of package asyncua are
| vulnerable to Denial of Service (DoS) due to a missing limitation on
| the number of received chunks - per single session or in total for all
| concurrent sessions. An attacker can exploit this vulnerability by
| sending an unlimited number of huge chunks (e.g. 2GB each) without
| sending the Final closing chunk.

https://github.com/FreeOpcUa/python-opcua/issues/1466
https://security.snyk.io/vuln/SNYK-PYTHON-OPCUA-2988730

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25304
https://www.cve.org/CVERecord?id=CVE-2022-25304

Please adjust the affected versions in the BTS as needed.
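
Added example, not part of this bug report and not the opcua/asyncua code: a bounded chunk reassembler in Python showing the limits the CVE text above says were missing, a cap on chunks per message, on bytes per message, and on bytes buffered across all concurrent sessions, each checked before the chunk is stored. The letters 'C', 'F' and 'A' are the intermediate/final/abort chunk-type markers of the OPC UA binary transport; the class names, the limits and the chunk streams are this example's own assumptions and not the library's API.

```python
class ChunkLimitExceeded(Exception):
    """Raised when accepting a chunk would exceed a configured limit."""


class GlobalBudget:
    """Bytes currently buffered across all sessions (assumed design, not asyncua's)."""

    def __init__(self, max_total_bytes):
        self.max_total_bytes = max_total_bytes
        self.in_use = 0

    def reserve(self, n):
        if self.in_use + n > self.max_total_bytes:
            raise ChunkLimitExceeded("global buffer budget exhausted")
        self.in_use += n

    def release(self, n):
        self.in_use -= n


class ChunkAssembler:
    """Reassemble one message from chunks typed 'C' (intermediate), 'F' (final)
    or 'A' (abort). Every limit is checked before the chunk is buffered."""

    def __init__(self, budget, max_chunks, max_message_bytes):
        self.budget = budget
        self.max_chunks = max_chunks
        self.max_message_bytes = max_message_bytes
        self.parts, self.size = [], 0

    def _reset(self):
        self.budget.release(self.size)
        self.parts, self.size = [], 0

    def feed(self, chunk_type, payload):
        """Return the complete message on 'F'; None while still collecting."""
        if chunk_type == "A":
            self._reset()
            return None
        if chunk_type not in ("C", "F"):
            raise ValueError(f"unknown chunk type {chunk_type!r}")
        if len(self.parts) + 1 > self.max_chunks:
            self._reset()
            raise ChunkLimitExceeded("too many chunks in one message")
        if self.size + len(payload) > self.max_message_bytes:
            self._reset()
            raise ChunkLimitExceeded("message too large")
        try:
            self.budget.reserve(len(payload))
        except ChunkLimitExceeded:
            self._reset()           # drop this session's partial message too
            raise
        self.parts.append(payload)
        self.size += len(payload)
        if chunk_type == "F":
            message = b"".join(self.parts)
            self._reset()
            return message
        return None


def run_scenario(streams, max_chunks=4, max_message_bytes=1024, max_total_bytes=2048):
    """Feed each constructed session stream into its own assembler sharing one
    global budget. A session that never sends 'F' keeps its buffer, as a
    stalled peer would. Returns one outcome string per session."""
    budget = GlobalBudget(max_total_bytes)
    outcomes = []
    for stream in streams:
        assembler = ChunkAssembler(budget, max_chunks, max_message_bytes)
        outcome = "incomplete"
        try:
            for chunk_type, payload in stream:
                message = assembler.feed(chunk_type, payload)
                if message is not None:
                    outcome = f"message:{len(message)}"
        except ChunkLimitExceeded as exc:
            outcome = f"rejected:{exc}"
        outcomes.append(outcome)
    return outcomes


# Constructed chunk streams (not captured OPC UA traffic).
WELL_FORMED = [("C", b"x" * 100), ("F", b"y" * 100)]
STALLED = [("C", b"z" * 300)] * 3          # 900 bytes per session, never finalised
TOO_MANY = [("C", b"q" * 10)] * 5          # fifth chunk exceeds max_chunks=4
SCENARIO = [WELL_FORMED, STALLED, STALLED, STALLED, TOO_MANY]

if __name__ == "__main__":
    labels = ["well-formed", "stalled-1", "stalled-2", "stalled-3", "too-many"]
    for label, outcome in zip(labels, run_scenario(SCENARIO)):
        print(f"{label:12s} {outcome}")
```

The third stalled session is refused by the shared budget even though it is within its own per-message limits, which is the "in total for all concurrent sessions" case the CVE text calls out; without the global budget, each new session would get a fresh allowance and the attacker would only need more connections.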



Bug#1021276: snort: CVE-2020-3315 CVE-2021-1223 CVE-2021-1224 CVE-2021-1494 CVE-2021-1495 CVE-2021-34749 CVE-2021-40114

2022-10-04 Thread Moritz Mühlenhoff
Source: snort
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for snort.

These all lack details, but all boil down to the fact that Snort needs
to be updated:

CVE-2020-3315[0]:
| Multiple Cisco products are affected by a vulnerability in the Snort
| detection engine that could allow an unauthenticated, remote attacker
| to bypass the configured file policies on an affected system. The
| vulnerability is due to errors in how the Snort detection engine
| handles specific HTTP responses. An attacker could exploit this
| vulnerability by sending crafted HTTP packets that would flow through
| an affected system. A successful exploit could allow the attacker to
| bypass the configured file policies and deliver a malicious payload to
| the protected network.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort_filepolbypass-m4X5DgOP

CVE-2021-1223[1]:
| Multiple Cisco products are affected by a vulnerability in the Snort
| detection engine that could allow an unauthenticated, remote attacker
| to bypass a configured file policy for HTTP. The vulnerability is due
| to incorrect handling of an HTTP range header. An attacker could
| exploit this vulnerability by sending crafted HTTP packets through an
| affected device. A successful exploit could allow the attacker to
| bypass configured file policy for HTTP packets and deliver a malicious
| payload.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-filepolbypass-67DEwMe2

CVE-2021-1224[2]:
| Multiple Cisco products are affected by a vulnerability with TCP Fast
| Open (TFO) when used in conjunction with the Snort detection engine
| that could allow an unauthenticated, remote attacker to bypass a
| configured file policy for HTTP. The vulnerability is due to incorrect
| detection of the HTTP payload if it is contained at least partially
| within the TFO connection handshake. An attacker could exploit this
| vulnerability by sending crafted TFO packets with an HTTP payload
| through an affected device. A successful exploit could allow the
| attacker to bypass configured file policy for HTTP packets and deliver
| a malicious payload.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-tfo-bypass-MmzZrtes

CVE-2021-1494[3]:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-fp-bp-KfDdcQhc

CVE-2021-1495[4]:
| Multiple Cisco products are affected by a vulnerability in the Snort
| detection engine that could allow an unauthenticated, remote attacker
| to bypass a configured file policy for HTTP. The vulnerability is due
| to incorrect handling of specific HTTP header parameters. An attacker
| could exploit this vulnerability by sending crafted HTTP packets
| through an affected device. A successful exploit could allow the
| attacker to bypass a configured file policy for HTTP packets and
| deliver a malicious payload.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-http-fp-bp-KfDdcQhc

CVE-2021-34749[5]:
| A vulnerability in Server Name Identification (SNI) request filtering
| of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense
| (FTD), and the Snort detection engine could allow an unauthenticated,
| remote attacker to bypass filtering technology on an affected device
| and exfiltrate data from a compromised host. This vulnerability is due
| to inadequate filtering of the SSL handshake. An attacker could
| exploit this vulnerability by using data from the SSL client hello
| packet to communicate with an external server. A successful exploit
| could allow the attacker to execute a command-and-control attack on a
| compromised host and perform additional data exfiltration attacks.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sni-data-exfil-mFgzXqLN

CVE-2021-40114[6]:
| Multiple Cisco products are affected by a vulnerability in the way the
| Snort detection engine processes ICMP traffic that could allow an
| unauthenticated, remote attacker to cause a denial of service (DoS)
| condition on an affected device. The vulnerability is due to improper
| memory resource management while the Snort detection engine is
| processing ICMP packets. An attacker could exploit this vulnerability
| by sending a series of ICMP packets through an affected device. A
| successful exploit could allow the attacker to exhaust resources on
| the affected device, causing the device to reload.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snort-dos-s2R7W9UU

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-3315
https://www.cve.org/CVERecord?id=CVE-2020-3315
[1] https://security-tracker.debian.org/tracker

Bug#1021277: strongswan: CVE-2022-40617

2022-10-04 Thread Moritz Mühlenhoff
Source: strongswan
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for strongswan.

CVE-2022-40617[0]:
https://www.strongswan.org/blog/2022/10/03/strongswan-vulnerability-(cve-2022-40617).html

Patch: https://download.strongswan.org/security/CVE-2022-40617/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-40617
https://www.cve.org/CVERecord?id=CVE-2022-40617

Please adjust the affected versions in the BTS as needed.


