Bug#1086042: openrefine-butterfly: CVE-2024-47883
Source: openrefine-butterfly
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for openrefine-butterfly.

CVE-2024-47883[0]:
| The OpenRefine fork of the MIT Simile Butterfly server is a modular
| web application framework. The Butterfly framework uses the
| `java.net.URL` class to refer to (what are expected to be) local
| resource files, like images or templates. This works: "opening a
| connection" to these URLs opens the local file. However, prior to
| version 1.2.6, if a `file:/` URL is directly given where a relative
| path (resource name) is expected, this is also accepted in some code
| paths; the app then fetches the file, from a remote machine if
| indicated, and uses it as if it was a trusted part of the app's
| codebase. This leads to multiple weaknesses and potential
| weaknesses. An attacker that has network access to the application
| could use it to gain access to files, either on the server's
| filesystem (path traversal) or shared by nearby machines (server-side
| request forgery with e.g. SMB). An attacker that can lead or
| redirect a user to a crafted URL belonging to the app could cause
| arbitrary attacker-controlled JavaScript to be loaded in the
| victim's browser (cross-site scripting). If an app is written in
| such a way that an attacker can influence the resource name used for
| a template, that attacker could cause the app to fetch and execute
| an attacker-controlled template (remote code execution). Version
| 1.2.6 contains a patch.

https://github.com/OpenRefine/simile-butterfly/security/advisories/GHSA-3p8v-w8mr-m3x8
https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47883
    https://www.cve.org/CVERecord?id=CVE-2024-47883

Please adjust the affected versions in the BTS as needed.

Bug#1086041: openrefine: CVE-2024-49760 CVE-2024-47882 CVE-2024-47881 CVE-2024-47880 CVE-2024-47879 CVE-2024-47878
Source: openrefine
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openrefine.

CVE-2024-49760[0]:
| OpenRefine is a free, open source tool for working with messy data.
| The load-language command expects a `lang` parameter from which it
| constructs the path of the localization file to load, of the form
| `translations-$LANG.json`. But when doing so in versions prior to
| 3.8.3, it does not check that the resulting path is in the expected
| directory, which means that this command could be exploited to read
| other JSON files on the file system. Version 3.8.3 addresses this
| issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qfwq-6jh6-8xx4
https://github.com/OpenRefine/OpenRefine/commit/24d084052dc55426fe460f2a17524fd18d28b20c

CVE-2024-47882[1]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the built-in "Something went wrong!" error
| page includes the exception message and exception traceback without
| escaping HTML tags, enabling injection into the page if an attacker
| can reliably produce an error with an attacker-influenced message.
| It appears that the only way to reach this code in OpenRefine itself
| is for an attacker to somehow convince a victim to import a
| malicious file, which may be difficult. However, out-of-tree
| extensions may add their own calls to `respondWithErrorPage`.
| Version 3.8.3 has a fix for this issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-j8hp-f2mj-586g
https://github.com/OpenRefine/OpenRefine/commit/85594e75e7b36025f7b6a67dcd3ec253c5dff8c2

CVE-2024-47881[2]:
| OpenRefine is a free, open source tool for working with messy data.
| Starting in version 3.4-beta and prior to version 3.8.3, in the
| `database` extension, the "enable_load_extension" property can be
| set for the SQLite integration, enabling an attacker to load (local
| or remote) extension DLLs and so run arbitrary code on the server.
| The attacker needs to have network access to the OpenRefine
| instance. Version 3.8.3 fixes this issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-87cf-j763-vvh8
https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056

CVE-2024-47880[3]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `export-rows` command can be used in
| such a way that it reflects part of the request verbatim, with a
| Content-Type header also taken from the request. An attacker could
| lead a user to a malicious page that submits a form POST that
| contains embedded JavaScript code. This code would then be included
| in the response, along with an attacker-controlled `Content-Type`
| header, and so potentially executed in the victim's browser as if it
| was part of OpenRefine. The attacker-provided code can do anything
| the user can do, including deleting projects, retrieving database
| passwords, or executing arbitrary Jython or Closure expressions, if
| those extensions are also present. The attacker must know a valid
| project ID of a project that contains at least one row. Version
| 3.8.3 fixes the issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-79jv-5226-783f
https://github.com/OpenRefine/OpenRefine/commit/8060477fa53842ebabf43b63e039745932fa629d

CVE-2024-47879[4]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, lack of cross-site request forgery
| protection on the `preview-expression` command means that visiting a
| malicious website could cause an attacker-controlled expression to
| be executed. The expression can contain arbitrary Clojure or Python
| code. The attacker must know a valid project ID of a project that
| contains at least one row, and the attacker must convince the victim
| to open a malicious webpage. Version 3.8.3 fixes the issue.

https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-3jm4-c6qf-jrh3
https://github.com/OpenRefine/OpenRefine/commit/090924ca923489b6c94397cf1f5df7f7f78f0126

CVE-2024-47878[5]:
| OpenRefine is a free, open source tool for working with messy data.
| Prior to version 3.8.3, the `/extension/gdata/authorized` endpoint
| includes the `state` GET parameter verbatim in a `

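Both the Butterfly advisory above (a `file:/` URL accepted where a relative resource name is expected) and CVE-2024-49760 (a `lang` value that escapes the translations directory) come down to a caller-supplied string being resolved against a trusted directory without a containment check. The following is an added example, not OpenRefine or Butterfly code, showing the two independent checks a defender would put in front of such a lookup; the directory path, the allow-list pattern and the sample names are assumptions constructed for the example.

```python
# Added example (not OpenRefine or Butterfly code): validating a
# caller-supplied resource name before resolving it against a trusted
# directory. Paths and names below are constructed for the example.
import posixpath
import re
from urllib.parse import urlsplit

# Assumed location of the localization files (constructed, not OpenRefine's path).
TRANSLATIONS_DIR = "/opt/app/modules/core/langs"

# Allow-list for the `lang` value: letters, digits, '-' and '_' only,
# so "en" and "pt-BR" pass while "../../etc/passwd" cannot.
LANG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,31}")


def has_url_scheme(name: str) -> bool:
    """True for "file:/x", "file://host/share/x", "http://..." and anything
    else that urlsplit() reads as carrying a scheme (deliberately strict)."""
    return urlsplit(name).scheme != ""


def safe_resource_path(base_dir: str, name: str) -> str:
    """Join a relative resource name onto base_dir.

    Raises ValueError when the name carries a URL scheme, is absolute, or
    normalises to something outside base_dir. POSIX path rules are used
    regardless of host OS so the result is deterministic.
    """
    if has_url_scheme(name):
        raise ValueError(f"resource name must be relative, got scheme {urlsplit(name).scheme!r}")
    if posixpath.isabs(name) or name.startswith("\\"):
        raise ValueError("absolute resource names are not allowed")
    base = posixpath.normpath(base_dir)
    joined = posixpath.normpath(posixpath.join(base, name))
    # commonpath() shrinks to a shorter prefix when '..' segments climbed out.
    if joined == base or posixpath.commonpath([base, joined]) != base:
        raise ValueError(f"resource name {name!r} escapes {base}")
    return joined


def translation_path(lang: str) -> str:
    """Path of translations-$LANG.json for a validated language tag.

    The allow-list alone already blocks traversal; the containment check in
    safe_resource_path() is kept as a second, independent layer.
    """
    if not LANG_RE.fullmatch(lang):
        raise ValueError(f"invalid language tag: {lang!r}")
    return safe_resource_path(TRANSLATIONS_DIR, f"translations-{lang}.json")


def is_rejected(func, *args) -> bool:
    """Helper for the checks: True if func(*args) raises ValueError."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(translation_path("en"))
    for bad in ["../../etc/passwd", "file:/etc/passwd", "//fileserver/share/x"]:
        print(bad, "rejected:", is_rejected(translation_path, bad))
```

Percent-decode the value before calling these checks if it arrives URL-encoded; the allow-list is the cheaper check and the containment check catches anything the pattern was too loose for.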
Bug#1086043: assimp: CVE-2024-48426
Source: assimp
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for assimp.

CVE-2024-48426[0]:
| A segmentation fault (SEGV) was detected in the
| SortByPTypeProcess::Execute function in the Assimp library during
| fuzz testing with AddressSanitizer. The crash occurred due to a read
| access to an invalid memory address (0x1000c9714971).

https://github.com/assimp/assimp/issues/5789

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-48426
    https://www.cve.org/CVERecord?id=CVE-2024-48426

Please adjust the affected versions in the BTS as needed.

Bug#1085696: openjdk-8: CVE-2024-21208 CVE-2024-21210 CVE-2024-21217 CVE-2024-21235
Source: openjdk-8
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21208[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Networking). Supported versions that are affected are Oracle Java
| SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM
| for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition:
| 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted
| code (e.g., code installed by an administrator). CVSS 3.1 Base Score
| 3.7 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21210[1]:
| Vulnerability in Oracle Java SE (component: Hotspot). Supported
| versions that are affected are Oracle Java SE: 8u421, 8u421-perf,
| 11.0.24, 17.0.12, 21.0.4 and 23. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE. Successful attacks of this
| vulnerability can result in unauthorized update, insert or delete
| access to some of Oracle Java SE accessible data. Note: This
| vulnerability can be exploited by using APIs in the specified
| Component, e.g., through a web service which supplies data to the
| APIs. This vulnerability also applies to Java deployments, typically
| in clients running sandboxed Java Web Start applications or
| sandboxed Java applets, that load and run untrusted code (e.g., code
| that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2024-21217[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Serialization). Supported versions that are affected are Oracle
| Java SE: 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle
| GraalVM for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise
| Edition: 20.3.15 and 21.3.11. Difficult to exploit vulnerability
| allows unauthenticated attacker with network access via multiple
| protocols to compromise Oracle Java SE, Oracle GraalVM for JDK,
| Oracle GraalVM Enterprise Edition. Successful attacks of this
| vulnerability can result in unauthorized ability to cause a partial
| denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
| for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability
| can be exploited by using APIs in the specified Component, e.g.,
| through a web service which supplies data to the APIs. This
| vulnerability also applies to Java deployments, typically in clients
| running sandboxed Java Web Start applications or sandboxed Java
| applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. CVSS
| 3.1 Base Score 3.7 (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21235[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u421, 8u421-perf, 11.0.24, 17.0.12, 21.0.4, 23; Oracle GraalVM
| for JDK: 17.0.12, 21.0.4, 23; Oracle GraalVM Enterprise Edition:
| 20.3.15 and 21.3.11. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized read access to a
| subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| appli

Bug#1085294: mysql-8.0: CVE-2024-21247 CVE-2024-21241 CVE-2024-21239 CVE-2024-21238 CVE-2024-21237 CVE-2024-21236 CVE-2024-21231 CVE-2024-21230 CVE-2024-21219 CVE-2024-21218 CVE-2024-21213 CVE-2024-21
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21247[0]:
| Vulnerability in the MySQL Client product of Oracle MySQL
| (component: Client: mysqldump). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Client. Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Client
| accessible data as well as unauthorized read access to a subset of
| MySQL Client accessible data. CVSS 3.1 Base Score 3.8
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

CVE-2024-21241[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows high privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21239[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21238[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling). Supported versions that are
| affected are 8.0.39 and prior, 8.4.1 and prior and 9.0.1 and prior.
| Difficult to exploit vulnerability allows low privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a hang or frequently repeatable crash
| (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21237[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication GCS). Supported versions that
| are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and
| prior. Difficult to exploit vulnerability allows high privileged
| attacker with network access via multiple protocols to compromise
| MySQL Server. Successful attacks of this vulnerability can result
| in unauthorized ability to cause a partial denial of service
| (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21236[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21231[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client programs). Supported versions that are affected
| are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Difficult to exploit vulnerability allows low privileged attacker
| with network access via multiple protocols to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized ability to cause a partial denial of service (partial
| DOS) of MySQL Server. CVSS 3.1 Base Score 3.1 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21230[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior.
| Easily exploitable vulnerability allows low privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful att

Bug#1085295: starlette: CVE-2024-47874
Source: starlette
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for starlette.

CVE-2024-47874[0]:
| Starlette is an Asynchronous Server Gateway Interface (ASGI)
| framework/toolkit. Prior to version 0.40.0, Starlette treats
| `multipart/form-data` parts without a `filename` as text form fields
| and buffers those in byte strings with no size limit. This allows an
| attacker to upload arbitrary large form fields and cause Starlette
| to both slow down significantly due to excessive memory allocations
| and copy operations, and also consume more and more memory until the
| server starts swapping and grinds to a halt, or the OS terminates
| the server process with an OOM error. Uploading multiple such
| requests in parallel may be enough to render a service practically
| unusable, even if reasonable request size limits are enforced by a
| reverse proxy in front of Starlette. This Denial of service (DoS)
| vulnerability affects all applications built with Starlette (or
| FastAPI) accepting form requests. Version 0.40.0 fixes this issue.

https://github.com/encode/starlette/security/advisories/GHSA-f96h-pmfr-66vw
https://github.com/encode/starlette/commit/fd038f3070c302bff17ef7d173dbb0b007617733 (0.40.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47874
    https://www.cve.org/CVERecord?id=CVE-2024-47874

Please adjust the affected versions in the BTS as needed.

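The distinction the advisory draws is between file parts, which a server can stream to disk, and text parts (no `filename`), which end up in process memory and therefore need their own cap. The following is an added example, not Starlette's code, of a small multipart/form-data reader that applies such a cap and a field-count cap to text parts before storing them; the boundary, the limits and the sample bodies are constructed for the example.

```python
# Added example, not Starlette's own code: a minimal multipart/form-data
# reader that caps how much of a text field (a part without `filename`) it
# will hold in memory instead of buffering it without limit. The boundary,
# limits and sample bodies are constructed for the example.
import re
from typing import Dict, Optional, Tuple

MAX_FIELD_SIZE = 1024  # assumed cap per text field, in bytes
MAX_FIELDS = 100       # assumed cap on the number of text fields
BOUNDARY = b"----ExampleBoundary7MA4YWxk"

# "name=" must not match the tail of "filename=", hence the lookbehind.
_NAME = re.compile(rb'(?<![a-z])name="([^"]*)"')
_FILENAME = re.compile(rb'filename="([^"]*)"')


class FieldTooLarge(ValueError):
    """Raised as soon as a text field exceeds the cap (map to HTTP 413)."""


def _disposition(head: bytes) -> Tuple[str, Optional[str]]:
    """Return (name, filename-or-None) from a part's Content-Disposition."""
    for line in head.split(b"\r\n"):
        key, _, value = line.partition(b":")
        if key.strip().lower() == b"content-disposition":
            name = _NAME.search(value)
            if name is None:
                raise ValueError("part has no name")
            fname = _FILENAME.search(value)
            return name.group(1).decode(), (fname.group(1).decode() if fname else None)
    raise ValueError("part has no Content-Disposition header")


def parse_multipart(body: bytes, boundary: bytes = BOUNDARY,
                    max_field_size: int = MAX_FIELD_SIZE,
                    max_fields: int = MAX_FIELDS) -> Tuple[Dict[str, str], Dict[str, Tuple[str, int]]]:
    """Return ({field: text}, {field: (filename, size)}).

    File parts are only measured here (a server would stream them to disk);
    text parts are the ones that stay in memory, so they get a size cap and
    a count cap, both checked before anything is stored.
    """
    delimiter = b"--" + boundary
    pieces = body.split(delimiter)
    if len(pieces) < 2 or not pieces[-1].startswith(b"--"):
        raise ValueError("missing closing boundary")
    fields: Dict[str, str] = {}
    files: Dict[str, Tuple[str, int]] = {}
    for piece in pieces[1:-1]:
        # Each part: CRLF, headers, CRLF CRLF, data, CRLF (before the next delimiter).
        if not (piece.startswith(b"\r\n") and piece.endswith(b"\r\n")):
            raise ValueError("malformed part framing")
        head, sep, data = piece[2:-2].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        name, filename = _disposition(head)
        if filename is not None:
            files[name] = (filename, len(data))
            continue
        if len(data) > max_field_size:
            raise FieldTooLarge(f"field {name!r}: {len(data)} bytes > {max_field_size}")
        if len(fields) >= max_fields:
            raise ValueError("too many text fields")
        fields[name] = data.decode("utf-8", "replace")
    return fields, files


def build_body(parts, boundary: bytes = BOUNDARY) -> bytes:
    """Construct a multipart body from (name, filename-or-None, data) tuples."""
    out = b""
    for name, filename, data in parts:
        disp = b'Content-Disposition: form-data; name="' + name + b'"'
        if filename is not None:
            disp += b'; filename="' + filename + b'"'
        out += b"--" + boundary + b"\r\n" + disp + b"\r\n\r\n" + data + b"\r\n"
    return out + b"--" + boundary + b"--\r\n"


def field_too_large(body: bytes, **limits) -> bool:
    """True if parsing `body` is refused because a text field exceeds the cap."""
    try:
        parse_multipart(body, **limits)
    except FieldTooLarge:
        return True
    return False


if __name__ == "__main__":
    sample = build_body([(b"title", None, b"hello"), (b"doc", b"a.txt", b"x" * 5000)])
    print(parse_multipart(sample))                     # file of 5000 bytes is fine
    oversized = build_body([(b"comment", None, b"A" * 4096)])
    print("oversized text field refused:", field_too_large(oversized))
```

A per-part cap like this is what a reverse proxy's request size limit cannot replace: the proxy bounds one request, while the cap bounds what each text field may occupy in the worker's memory.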
Bug#1084983: [Pkg-javascript-devel] Bug#1084983: node-dompurify: CVE-2024-47875
On Sat, Oct 12, 2024 at 04:14:14PM +0200, Yadd wrote:
> Hi,
>
> here is a debdiff for bookworm

Please upload to security-master, thanks!

Cheers,
Moritz

Bug#1084983: node-dompurify: CVE-2024-47875
Source: node-dompurify
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-dompurify.

CVE-2024-47875[0]:
| DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for
| HTML, MathML and SVG. DOMPurify was vulnerable to nesting-based
| mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.

https://github.com/cure53/DOMPurify/security/advisories/GHSA-gx9m-whjm-85jf
https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f
https://github.com/cure53/DOMPurify/commit/6ea80cd8b47640c20f2f230c7920b1f4ce4fdf7a

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-47875
    https://www.cve.org/CVERecord?id=CVE-2024-47875

Please adjust the affected versions in the BTS as needed.

Bug#1084805: redis: CVE-2024-31227 CVE-2024-31228 CVE-2024-31449
Source: redis
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for redis.

CVE-2024-31227[0]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user with sufficient privileges may create a malformed
| ACL selector which, when accessed, triggers a server panic and
| subsequent denial of service. The problem exists in Redis 7 prior to
| versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh
https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a (7.2.6)

CVE-2024-31228[1]:
| Redis is an open source, in-memory database that persists on disk.
| Authenticated users can trigger a denial-of-service by using
| specially crafted, long string match patterns on supported commands
| such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST`
| and ACL definitions. Matching of extremely long patterns may
| result in unbounded recursion, leading to stack overflow and process
| crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6,
| and 7.4.1. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
https://github.com/redis/redis/commit/c8649f8e852d1dc388b5446e003bb0eefa33d61f (7.2.6)

CVE-2024-31449[2]:
| Redis is an open source, in-memory database that persists on disk.
| An authenticated user may use a specially crafted Lua script to
| trigger a stack buffer overflow in the bit library, which may
| potentially lead to remote code execution. The problem exists in all
| versions of Redis with Lua scripting. This problem has been fixed in
| Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.

https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 (7.2.6)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31227
    https://www.cve.org/CVERecord?id=CVE-2024-31227
[1] https://security-tracker.debian.org/tracker/CVE-2024-31228
    https://www.cve.org/CVERecord?id=CVE-2024-31228
[2] https://security-tracker.debian.org/tracker/CVE-2024-31449
    https://www.cve.org/CVERecord?id=CVE-2024-31449

Please adjust the affected versions in the BTS as needed.

Bug#1084056: libgsf: CVE-2024-36474 CVE-2024-42415
Source: libgsf
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for libgsf.

CVE-2024-36474[0]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of the GNOME Project G Structured File
| Library (libgsf) version v1.14.52. A specially crafted file can
| result in an integer overflow when processing the directory from the
| file that allows for an out-of-bounds index to be used when reading
| and writing to an array. This can lead to arbitrary code execution.
| An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2068

CVE-2024-42415[1]:
| An integer overflow vulnerability exists in the Compound Document
| Binary File format parser of v1.14.52 of the GNOME Project G
| Structured File Library (libgsf). A specially crafted file can
| result in an integer overflow that allows for a heap-based buffer
| overflow when processing the sector allocation table. This can lead
| to arbitrary code execution. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-2069

Both are tracked/fixed upstream via:

https://gitlab.gnome.org/GNOME/libgsf/-/issues/34
https://gitlab.gnome.org/GNOME/libgsf/-/commit/06d0cb92a4c02e7126ef2ff6f5e29fd74b4be9e0

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36474
    https://www.cve.org/CVERecord?id=CVE-2024-36474
[1] https://security-tracker.debian.org/tracker/CVE-2024-42415
    https://www.cve.org/CVERecord?id=CVE-2024-42415

Please adjust the affected versions in the BTS as needed.

Bug#1083184: golang-github-hashicorp-go-getter: CVE-2024-3817
Package: golang-github-hashicorp-go-getter
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for golang-github-hashicorp-go-getter.

CVE-2024-3817[0]:
| HashiCorp’s go-getter library is vulnerable to argument injection
| when executing Git to discover remote branches. This vulnerability
| does not affect the go-getter/v2 branch and package.

https://discuss.hashicorp.com/t/hcsec-2024-09-hashicorp-go-getter-vulnerable-to-argument-injection-when-fetching-remote-default-git-branches/66040

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3817
    https://www.cve.org/CVERecord?id=CVE-2024-3817

Please adjust the affected versions in the BTS as needed.

Bug#1082868: dogtag-pki: CVE-2023-4727
Source: dogtag-pki
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for dogtag-pki.

CVE-2023-4727[0]:
| A flaw was found in dogtag-pki and pki-core. The token
| authentication scheme can be bypassed with an LDAP injection. By
| passing the query string parameter sessionID=*, an attacker can
| authenticate with an existing session saved in the LDAP directory
| server, which may lead to escalation of privilege.

https://bugzilla.redhat.com/show_bug.cgi?id=2232218

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4727
    https://www.cve.org/CVERecord?id=CVE-2023-4727

Please adjust the affected versions in the BTS as needed.

Bug#1082872: jupyter-notebook: CVE-2024-43805
Package: jupyter-notebook
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyter-notebook.

CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are:
| 1. `@jupyterlab/mathjax-extension:plugin` - users will lose the
|    ability to preview mathematical equations.
| 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose
|    the ability to open Markdown previews.
| 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with optional
|    `jupyterlab-mathjax2` package) - an older version of the mathjax
|    plugin for JupyterLab 4.x.
| To disable these extensions run:
| ```
| jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
| ```
| in bash.

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
    https://www.cve.org/CVERecord?id=CVE-2024-43805

Please adjust the affected versions in the BTS as needed.

Bug#1082871: jupyterlab: CVE-2024-43805
Package: jupyterlab
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterlab.

CVE-2024-43805[0]:
| jupyterlab is an extensible environment for interactive and
| reproducible computing, based on the Jupyter Notebook Architecture.
| This vulnerability depends on user interaction by opening a
| malicious notebook with Markdown cells, or Markdown file using
| JupyterLab preview feature. A malicious user can access any data
| that the attacked user has access to as well as perform arbitrary
| requests acting as the attacked user. JupyterLab v3.6.8, v4.2.5 and
| Jupyter Notebook v7.2.2 have been patched to resolve this issue.
| Users are advised to upgrade. There is no workaround for the
| underlying DOM Clobbering susceptibility. However, select plugins
| can be disabled on deployments which cannot update in a timely
| fashion to minimise the risk. These are:
| 1. `@jupyterlab/mathjax-extension:plugin` - users will lose the
|    ability to preview mathematical equations.
| 2. `@jupyterlab/markdownviewer-extension:plugin` - users will lose
|    the ability to open Markdown previews.
| 3. `@jupyterlab/mathjax2-extension:plugin` (if installed with optional
|    `jupyterlab-mathjax2` package) - an older version of the mathjax
|    plugin for JupyterLab 4.x.
| To disable these extensions run:
| ```
| jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin && jupyter labextension disable @jupyterlab/mathjax-extension:plugin && jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
| ```
| in bash.

https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43805
    https://www.cve.org/CVERecord?id=CVE-2024-43805

Please adjust the affected versions in the BTS as needed.

Bug#1082379: puma: CVE-2024-45614
Source: puma
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for puma.

CVE-2024-45614[0]:
| Puma is a Ruby/Rack web server built for parallelism. In affected
| versions clients could clobber values set by intermediate proxies
| (such as X-Forwarded-For) by providing an underscore version of the
| same header (X-Forwarded_For). Any users relying on proxy set
| variables are affected. v6.4.3/v5.6.9 now discards any headers using
| underscores if the non-underscore version also exists, effectively
| allowing the proxy defined headers to always win. Users are advised
| to upgrade. Nginx has an underscores_in_headers configuration
| variable to discard these headers at the proxy level as a
| mitigation. Any users that are implicitly trusting the proxy defined
| headers for security should immediately cease doing so until
| upgraded to the fixed versions.

https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45614
    https://www.cve.org/CVERecord?id=CVE-2024-45614

Please adjust the affected versions in the BTS as needed.

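The clobbering works because a Rack/CGI-style server maps both `X-Forwarded-For` and `X-Forwarded_For` onto the same environment key, `HTTP_X_FORWARDED_FOR`, so whichever is written last wins. The following is an added example, not puma's code, that reproduces that collision in a few lines and then applies the rule the advisory describes (drop an underscore header when its dash spelling is also present); header names and values are constructed for the example.

```python
# Added example (not puma's code): how CGI-style header normalisation lets a
# client-sent X-Forwarded_For land on the same key as the proxy-set
# X-Forwarded-For, and the resolution the advisory describes. Header values
# below are constructed.
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # (name, value) pairs in wire order


def cgi_key(header_name: str) -> str:
    """Rack/CGI convention: 'X-Forwarded-For' and 'X-Forwarded_For' both
    become HTTP_X_FORWARDED_FOR, which is the root of the clobbering."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_env_naive(headers: Headers) -> Dict[str, str]:
    """Last write wins: an underscore variant that arrives after the
    proxy's header silently replaces the proxy's value."""
    env: Dict[str, str] = {}
    for name, value in headers:
        env[cgi_key(name)] = value
    return env


def build_env_safe(headers: Headers) -> Dict[str, str]:
    """Discard any underscore header whose dash spelling is also present,
    so proxy-set headers always win; underscore-only headers are kept.
    Repeated dash headers are joined with ', ' as usual."""
    dashed = {name.lower() for name, _ in headers if "_" not in name}
    env: Dict[str, str] = {}
    for name, value in headers:
        if "_" in name and name.replace("_", "-").lower() in dashed:
            continue  # client-controlled duplicate; the proxy's value stands
        key = cgi_key(name)
        env[key] = value if key not in env else env[key] + ", " + value
    return env


# Constructed request: the proxy appended its X-Forwarded-For, but the client
# also sent an underscore spelling that a permissive proxy passed through.
SAMPLE_HEADERS: Headers = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "203.0.113.10"),   # set by the proxy
    ("X-Forwarded_For", "10.0.0.1"),       # sent by the client
]

if __name__ == "__main__":
    print("naive:", build_env_naive(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"])  # 10.0.0.1
    print("safe: ", build_env_safe(SAMPLE_HEADERS)["HTTP_X_FORWARDED_FOR"])   # 203.0.113.10
```

Whether the underscore spelling reaches the application at all depends on the proxy: as the advisory notes, nginx's `underscores_in_headers` setting controls whether such headers are forwarded, so dropping them at the proxy and in the server are complementary mitigations.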
Bug#1081659: pgpool2: CVE-2024-45624
Source: pgpool2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pgpool2.

CVE-2024-45624[0]:
| Exposure of sensitive information due to an incompatible policies
| issue exists in Pgpool-II. If a database user accesses a query
| cache, table data unauthorized for the user may be retrieved.

https://www.pgpool.net/mediawiki/index.php/Main_Page#Pgpool-II_4.5.4.2C_4.4.9.2C_4.3.12.2C_4.2.19_and_4.1.22_officially_released_.282024.2F09.2F09.29

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45624
    https://www.cve.org/CVERecord?id=CVE-2024-45624

Please adjust the affected versions in the BTS as needed.
Bug#1079959: Should imdbpy be removed from unstable?
On Thu, Aug 29, 2024 at 10:20:42PM +0200, Ana Guerrero Lopez wrote:
> On Thu, Aug 29, 2024 at 09:34:14PM +0200, Helmut Grohne wrote:
> > Hi Ana,
> >
> > On Thu, Aug 29, 2024 at 09:04:09PM +0200, Ana Guerrero Lopez wrote:
> > > In short, imdbpy should have been removed from the archive already and
> > > replaced by cinemagoer https://cinemagoer.github.io/
> > > I discussed some months ago with Moritz about imdbpy/cinemagoer and
> > > he was interested in doing this.
> > >
> > > If Moritz doesn't have time, then while cinemagoer reaches Debian the
> > > best is to remove the package.
> >
> > It is not clear how to interpret your reply. Do you mean to say that
> > imdbpy should not be removed before cinemagoer has been uploaded to
> > unstable? Or do you mean to say that imdbpy should be removed
> > immediately as that is what will happen eventually?
>
> In short, I was saying it's Moritz's decision and reading your message
> he has a month to reply.

I currently don't have the time for it, let's remove imdbpy right away
and I'll make sure to package cinemagoer as its replacement (with
appropriate Conflicts/Replaces) before the freeze for trixie.

Cheers,
        Moritz
Bug#1078880: [Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370
Hi Yadd,

> here is a simple patch for this issue

The debdiff looks fine, but I don't believe this needs a DSA, can you
please submit this for the next point update instead?

Cheers,
        Moritz
Bug#1059007: python-asyncssh: CVE-2023-48795
On Tue, Apr 30, 2024 at 06:04:34PM +0100, Steve McIntyre wrote:
> Hi!
>
> On Tue, Dec 19, 2023 at 09:31:00AM +0100, Salvatore Bonaccorso wrote:
> >Source: python-asyncssh
> >Version: 2.10.1-2
> >Severity: important
> >Tags: security upstream
> >X-Debbugs-Cc: car...@debian.org, Debian Security Team
> >
> >
> >Hi,
> >
> >The following vulnerability was published for python-asyncssh.
> >
> >CVE-2023-48795[0]:
> >| The SSH transport protocol with certain OpenSSH extensions, found in
> >| OpenSSH before 9.6 and other products, allows remote attackers to
> >| bypass integrity checks such that some packets are omitted (from the
> >| extension negotiation message), and a client and server may
> >| consequently end up with a connection for which some security
> >| features have been downgraded or disabled, aka a Terrapin attack.
> >| This occurs because the SSH Binary Packet Protocol (BPP),
> >| implemented by these extensions, mishandles the handshake phase and
> >| mishandles use of sequence numbers. For example, there is an
> >| effective attack against SSH's use of ChaCha20-Poly1305 (and CBC
> >| with Encrypt-then-MAC). The bypass occurs in
> >| chacha20-poly1...@openssh.com and (if CBC is used) the
> >| -e...@openssh.com MAC algorithms. This also affects Maverick Synergy
> >| Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh
> >| before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before
> >| 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, and
> >| libssh2 through 1.11.0; and there could be effects on Bitvise SSH
> >| through 9.31.
>
> We wanted this fixed in Pexip, so I've taken a look at this bug.
>
> The upstream bugfix just needs a small rework so it applies cleanly to
> the version in bookworm. Here's a debdiff for that in case it's
> useful.

Thanks Steve, I'm currently going through the longer tail of open
security issues in Bookworm, will release this via a DSA in the next
week.

Cheers,
        Moritz
Bug#1078555: ofono: CVE-2024-7537 CVE-2024-7538 CVE-2024-7539 CVE-2024-7540 CVE-2024-7541 CVE-2024-7542 CVE-2024-7543 CVE-2024-7544 CVE-2024-7545 CVE-2024-7546 CVE-2024-7547
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ofono.

CVE-2024-7537[0]:
| oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono.
| Authentication is not required to exploit this vulnerability. The
| specific flaw exists within the processing of SMS message lists. The
| issue results from the lack of proper validation of user-supplied
| data, which can result in a read past the end of an allocated
| buffer. An attacker can leverage this in conjunction with other
| vulnerabilities to execute arbitrary code in the context of root.
| Was ZDI-CAN-23157.

https://www.zerodayinitiative.com/advisories/ZDI-24-1077/

CVE-2024-7538[1]:
| oFono CUSD AT Command Stack-based Buffer Overflow Code Execution
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability. The specific flaw exists
| within the parsing of responses from AT Commands. The issue results
| from the lack of proper validation of the length of user-supplied
| data prior to copying it to a stack-based buffer. An attacker can
| leverage this vulnerability to execute code in the context of root.
| Was ZDI-CAN-23190.

https://www.zerodayinitiative.com/advisories/ZDI-24-1078/

CVE-2024-7539[2]:
| oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability.
| This vulnerability allows local attackers to execute arbitrary code
| on affected installations of oFono. An attacker must first obtain
| the ability to execute code on the target modem in order to exploit
| this vulnerability. The specific flaw exists within the parsing of
| responses from AT+CUSD commands. The issue results from the lack of
| proper validation of the length of user-supplied data prior to
| copying it to a stack-based buffer. An attacker can leverage this
| vulnerability to execute code in the context of root.
| Was ZDI-CAN-23195.

https://www.zerodayinitiative.com/advisories/ZDI-24-1079/

CVE-2024-7540[3]:
| oFono AT CMGL Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability. The specific flaw
| exists within the parsing of responses from AT+CMGL commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23307.

https://www.zerodayinitiative.com/advisories/ZDI-24-1080/

CVE-2024-7541[4]:
| oFono AT CMT Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability. The specific flaw
| exists within the parsing of responses from AT+CMT commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23308.

https://www.zerodayinitiative.com/advisories/ZDI-24-1081/

CVE-2024-7542[5]:
| oFono AT CMGR Command Uninitialized Variable Information Disclosure
| Vulnerability. This vulnerability allows local attackers to disclose
| sensitive information on affected installations of oFono. An
| attacker must first obtain the ability to execute code on the target
| modem in order to exploit this vulnerability. The specific flaw
| exists within the parsing of responses from AT+CMGR commands. The
| issue results from the lack of proper initialization of memory prior
| to accessing it. An attacker can leverage this in conjunction with
| other vulnerabilities to execute arbitrary code in the context of
| root. Was ZDI-CAN-23309.

https://www.zerodayinitiative.com/advisories/ZDI-24-1082/

CVE-2024-7543[6]:
| oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation
| Vulnerability. This vulnerability allows local attackers to execute
| arbitrary code on affected installations of oFono. An attacker must
| first obtain the ability to execute code on the target modem in
| order to exploit this vulnerability. The specific flaw exists
| within the parsing of STK command PDUs. The issue results from the
| lack of proper validation of the length of user-supplied data prior
| to copying it to a heap-based buffer. An attacker can leverage t
Bug#1078553: zabbix: CVE-2024-22114 CVE-2024-22116 CVE-2024-22121 CVE-2024-22122 CVE-2024-22123 CVE-2024-36460 CVE-2024-36461 CVE-2024-36462
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2024-22114[0]:
| User with no permission to any of the Hosts can access and view host
| count & other statistics through System Information Widget in Global
| View Dashboard.

https://support.zabbix.com/browse/ZBX-25015

CVE-2024-22116[1]:
| An administrator with restricted permissions can exploit the script
| execution functionality within the Monitoring Hosts section. The
| lack of default escaping for script parameters enabled this user
| to execute arbitrary code via the Ping script, thereby
| compromising infrastructure.

https://support.zabbix.com/browse/ZBX-25016

CVE-2024-22121[2]:
| A non-admin user can change or remove important features within the
| Zabbix Agent application, thus impacting the integrity and
| availability of the application.

https://support.zabbix.com/browse/ZBX-25011

CVE-2024-22122[3]:
| Zabbix allows configuring SMS notifications. AT command injection
| occurs on "Zabbix Server" because there is no validation of the
| "Number" field on the Web side nor on the Zabbix server side. An
| attacker can run an SMS test providing a specially crafted phone
| number and execute additional AT commands on the modem.

https://support.zabbix.com/browse/ZBX-25012

CVE-2024-22123[4]:
| Setting SMS media allows setting the GSM modem file. Later this file
| is used as a Linux device. But because everything is a file on
| Linux, it is possible to set another file, e.g. a log file, and
| zabbix_server will try to communicate with it as a modem. As a
| result, the log file will be broken with AT commands and a small
| part of the log file content will be leaked to the UI.

https://support.zabbix.com/browse/ZBX-25013

CVE-2024-36460[5]:
| The front-end audit log allows viewing of unprotected plaintext
| passwords, where the passwords are displayed in plain text.

https://support.zabbix.com/browse/ZBX-25017

CVE-2024-36461[6]:
| Within Zabbix, users have the ability to directly modify memory
| pointers in the JavaScript engine.

https://support.zabbix.com/browse/ZBX-25018

CVE-2024-36462[7]:
| Uncontrolled resource consumption refers to a software vulnerability
| where an attacker or system uses excessive resources, such as CPU,
| memory, or network bandwidth, without proper limitations or
| controls. This can cause a denial-of-service (DoS) attack or degrade
| the performance of the affected system.

https://support.zabbix.com/browse/ZBX-25019

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22114
    https://www.cve.org/CVERecord?id=CVE-2024-22114
[1] https://security-tracker.debian.org/tracker/CVE-2024-22116
    https://www.cve.org/CVERecord?id=CVE-2024-22116
[2] https://security-tracker.debian.org/tracker/CVE-2024-22121
    https://www.cve.org/CVERecord?id=CVE-2024-22121
[3] https://security-tracker.debian.org/tracker/CVE-2024-22122
    https://www.cve.org/CVERecord?id=CVE-2024-22122
[4] https://security-tracker.debian.org/tracker/CVE-2024-22123
    https://www.cve.org/CVERecord?id=CVE-2024-22123
[5] https://security-tracker.debian.org/tracker/CVE-2024-36460
    https://www.cve.org/CVERecord?id=CVE-2024-36460
[6] https://security-tracker.debian.org/tracker/CVE-2024-36461
    https://www.cve.org/CVERecord?id=CVE-2024-36461
[7] https://security-tracker.debian.org/tracker/CVE-2024-36462
    https://www.cve.org/CVERecord?id=CVE-2024-36462

Please adjust the affected versions in the BTS as needed.
Bug#1077822: neatvnc: CVE-2024-42458
Source: neatvnc
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for neatvnc.

CVE-2024-42458[0]:
| server.c in Neat VNC (aka neatvnc) before 0.8.1 does not properly
| validate the security type.

https://www.openwall.com/lists/oss-security/2024/08/02/1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-42458
    https://www.cve.org/CVERecord?id=CVE-2024-42458

Please adjust the affected versions in the BTS as needed.
Bug#1077820: clickhouse: CVE-2024-6873
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for clickhouse.

CVE-2024-6873[0]:
| It is possible to crash or redirect the execution flow of the
| ClickHouse server process from an unauthenticated vector by sending
| a specially crafted request to the ClickHouse server native
| interface. This redirection is limited to what is available within a
| 256-byte range of memory at the time of execution, and no known
| remote code execution (RCE) code has been produced or exploited.
| Fixes have been merged to all currently supported versions of
| ClickHouse. If you are maintaining your own forked version of
| ClickHouse or using an older version and cannot upgrade, the fix for
| this vulnerability can be found in this commit
| https://github.com/ClickHouse/ClickHouse/pull/64024 .

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-432f-r822-j66f
https://github.com/ClickHouse/ClickHouse/pull/64024

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-6873
    https://www.cve.org/CVERecord?id=CVE-2024-6873

Please adjust the affected versions in the BTS as needed.
Bug#1077548: anki: CVE-2024-26020 CVE-2024-32152 CVE-2024-32484 CVE-2024-29073
Source: anki
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for anki.

CVE-2024-26020[0]:
| An arbitrary script execution vulnerability exists in the MPV
| functionality of Ankitects Anki 24.04. A specially crafted flashcard
| can lead to an arbitrary code execution. An attacker can send a
| malicious flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1993

CVE-2024-32152[1]:
| A blocklist bypass vulnerability exists in the LaTeX functionality
| of Ankitects Anki 24.04. A specially crafted malicious flashcard can
| lead to an arbitrary file creation at a fixed path. An attacker can
| share a malicious flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1994

CVE-2024-32484[2]:
| A reflected XSS vulnerability exists in the handling of invalid
| paths in the Flask server in Ankitects Anki 24.04. A specially
| crafted flashcard can lead to JavaScript code execution and result
| in an arbitrary file read. An attacker can share a malicious
| flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1995

CVE-2024-29073[3]:
| A vulnerability in the handling of Latex exists in Ankitects Anki
| 24.04. When Latex is sanitized to prevent unsafe commands, the
| verbatim package, which comes installed by default in many Latex
| distributions, has been overlooked. A specially crafted flashcard
| can lead to an arbitrary file read. An attacker can share a
| flashcard to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1992

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26020
    https://www.cve.org/CVERecord?id=CVE-2024-26020
[1] https://security-tracker.debian.org/tracker/CVE-2024-32152
    https://www.cve.org/CVERecord?id=CVE-2024-32152
[2] https://security-tracker.debian.org/tracker/CVE-2024-32484
    https://www.cve.org/CVERecord?id=CVE-2024-32484
[3] https://security-tracker.debian.org/tracker/CVE-2024-29073
    https://www.cve.org/CVERecord?id=CVE-2024-29073

Please adjust the affected versions in the BTS as needed.
Bug#1074430: adminer: CVE-2023-45196 CVE-2023-45195
Source: adminer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for adminer.

CVE-2023-45196[0]:
| Adminer and AdminerEvo allow an unauthenticated remote attacker to
| cause a denial of service by connecting to an attacker-controlled
| service that responds with HTTP redirects. The denial of service is
| subject to PHP configuration limits. Adminer is no longer supported,
| but this issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/23e7cdc0a32b3739e13d19ae504be0fe215142b6

CVE-2023-45195[1]:
| Adminer and AdminerEvo are vulnerable to SSRF via database
| connection fields. This could allow an unauthenticated remote
| attacker to enumerate or access systems the attacker would not
| otherwise have access to. Adminer is no longer supported, but this
| issue was fixed in AdminerEvo version 4.8.4.

https://github.com/adminerevo/adminerevo/pull/102/commits/18f3167bbcbec3bc746f62db72e016aa99144efc

It seems adminer is dead upstream and adminerevo picked up development,
so most likely Debian should follow the new upstream?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45196
    https://www.cve.org/CVERecord?id=CVE-2023-45196
[1] https://security-tracker.debian.org/tracker/CVE-2023-45195
    https://www.cve.org/CVERecord?id=CVE-2023-45195

Please adjust the affected versions in the BTS as needed.
Bug#1074284: squid: CVE-2024-37894
Source: squid
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for squid.

CVE-2024-37894[0]:
| Squid is a caching proxy for the Web supporting HTTP, HTTPS, FTP,
| and more. Due to an Out-of-bounds Write error when assigning ESI
| variables, Squid is susceptible to a Memory Corruption error. This
| error can lead to a Denial of Service attack.

https://github.com/squid-cache/squid/security/advisories/GHSA-wgvf-q977-9xjg
https://github.com/squid-cache/squid/commit/920563e7a080155fae3ced73d6198781e8b0ff04 (master)
https://github.com/squid-cache/squid/commit/67f5496f7b72e698ad0f5aa3512c83089424f27f (v6)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-37894
    https://www.cve.org/CVERecord?id=CVE-2024-37894

Please adjust the affected versions in the BTS as needed.
Bug#1072530: smarty3: CVE-2024-35226
Source: smarty3
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty3.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
    https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.
Bug#1072529: smarty4: CVE-2024-35226
Source: smarty4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for smarty4.

CVE-2024-35226[0]:
| Smarty is a template engine for PHP, facilitating the separation of
| presentation (HTML/CSS) from application logic. In affected versions
| template authors could inject php code by choosing a malicious file
| name for an extends-tag. Sites that cannot fully trust template
| authors should update asap. All users are advised to update. There
| is no patch for users on the v3 branch. There are no known
| workarounds for this vulnerability.

https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w
https://github.com/smarty-php/smarty/commit/76881c8d33d80648f70c9b0339f770f5f69a87a2 (support/4)
https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a (v5.2.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-35226
    https://www.cve.org/CVERecord?id=CVE-2024-35226

Please adjust the affected versions in the BTS as needed.
Bug#1072126: frr: CVE-2024-31948
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for frr.

CVE-2024-31948[0]:
| In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix
| SID attribute in a BGP UPDATE packet can cause the bgpd daemon to
| crash.

https://github.com/FRRouting/frr/pull/15628
Fixed by: https://github.com/FRRouting/frr/commit/ba6a8f1a31e1a88df2de69ea46068e8bd9b97138
Fixed by: https://github.com/FRRouting/frr/commit/babb23b74855e23c987a63f8256d24e28c044d07

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31948
    https://www.cve.org/CVERecord?id=CVE-2024-31948

Please adjust the affected versions in the BTS as needed.
Bug#1072120: zabbix: CVE-2024-22120
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for zabbix.

CVE-2024-22120[0]:
| Zabbix server can perform command execution for configured scripts.
| After a command is executed, an audit entry is added to "Audit Log".
| Because the "clientip" field is not sanitized, it is possible to
| inject SQL into "clientip" and exploit a time-based blind SQL
| injection.

https://support.zabbix.com/browse/ZBX-24505

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-22120
    https://www.cve.org/CVERecord?id=CVE-2024-22120

Please adjust the affected versions in the BTS as needed.
Bug#1072119: python-aiosmtpd: CVE-2024-34083
Source: python-aiosmtpd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-aiosmtpd.

CVE-2024-34083[0]:
| aiosmtpd is a reimplementation of the Python stdlib smtpd.py based
| on asyncio. Prior to version 1.4.6, servers based on aiosmtpd accept
| extra unencrypted commands after STARTTLS, treating them as if they
| came from inside the encrypted connection. This could be exploited
| by a man-in-the-middle attack. Version 1.4.6 contains a patch for
| the issue.

https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-wgjv-9j3q-jhg8
https://github.com/aio-libs/aiosmtpd/commit/b3a4a2c6ecfd228856a20d637dc383541fcdbfda (v1.4.6)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-34083
    https://www.cve.org/CVERecord?id=CVE-2024-34083

Please adjust the affected versions in the BTS as needed.
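The bug class the advisory describes is a buffering one: bytes a client pipelines after the STARTTLS line were sent before the TLS handshake, so a server that keeps draining its read buffer after switching modes executes plaintext commands as if they were protected. The simulation below is an added illustration for this digest, not aiosmtpd's code or its actual patch; it models the handshake as a flag flip and feeds one constructed byte stream to a command loop with and without the "discard what is already buffered" step.

```python
# Constructed byte stream (not a capture): EHLO, STARTTLS and a further
# command the client pipelined in the same plaintext write.
CONSTRUCTED_STREAM = (
    b"EHLO client.example\r\n"
    b"STARTTLS\r\n"
    b"MAIL FROM:<pipelined@example.test>\r\n"
)


class SmtpSession:
    """Minimal SMTP command loop; only the STARTTLS transition is modelled,
    and the TLS handshake itself is replaced by flipping a flag."""

    def __init__(self, discard_after_starttls):
        self.discard_after_starttls = discard_after_starttls
        self.buffer = b""
        self.tls_active = False
        self.log = []  # (command line, did the server treat it as encrypted?)

    def feed(self, data):
        """Append raw bytes and dispatch each complete CRLF-terminated line."""
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            text = line.decode("ascii", "replace")
            self.log.append((text, self.tls_active))
            if text.upper() == "STARTTLS" and not self.tls_active:
                self.tls_active = True  # stands in for the TLS handshake
                if self.discard_after_starttls:
                    # Anything still buffered arrived before the handshake,
                    # i.e. in plaintext, and must not be executed as if it
                    # were part of the protected session.
                    self.buffer = b""
                    return


def run_session(discard_after_starttls):
    """Feed the constructed plaintext stream, then one line that (in this
    model) arrives after the handshake and is therefore encrypted."""
    session = SmtpSession(discard_after_starttls)
    session.feed(CONSTRUCTED_STREAM)
    session.feed(b"MAIL FROM:<sender@example.test>\r\n")
    return session.log


def commands_trusted_as_encrypted(log):
    """Command lines the server treated as coming from inside the TLS session."""
    return [text for text, encrypted in log if encrypted]


if __name__ == "__main__":
    print("vulnerable:", commands_trusted_as_encrypted(run_session(False)))
    print("fixed     :", commands_trusted_as_encrypted(run_session(True)))
```

Real servers have to apply the same rule at the socket level: check that the receive buffer is empty (or fail the session) before handing the socket to the TLS layer. A client-side test is equally simple to add to an integration suite: pipeline a command behind STARTTLS and assert the server rejects or ignores it.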
Bug#1053004: CVE-2019-10784 and CVE-2023-40619
On Wed, Mar 06, 2024 at 06:39:01AM -0300, Leandro Cunha wrote:
> Hi Christoph Berg,
>
> On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg wrote:
> >
> > Re: Leandro Cunha
> > > The
> > > next job would be to make it available through backports and I would
> > > choose to remove this package from stable. But I would only leave
> > > bookworm backports due to other bugs found (these CVEs too) and fixed
> > > in 7.14.7.
> > > I have to search about the status of backports to oldstable. But I'm
> > > also studying the possibility of working with patches for these two
> > > versions.
> >
> > Why would you want to remove it from stable? In closed environments,
> > CVEs are often not a problem.
> >
> > Christoph
>
> In addition to the CVEs, phppgadmin which is present in stable does
> not connect to PostgreSQL 15 and 16 without a patch I inserted in
> 7.13.0+dfsg-3, but I can add the same patch by reopening bug #1029516
> or opening another important bug (I am aware that the bug must have a
> severity greater than important)[3] for the stable and submission of
> new bug to the release team for approval. That way it would be
> released in a future release a version with this issue fixed (if
> approved). But CVE-2023-40619 is treated with critical severity and
> CVE-2019-10784 is also critical according to the NVD[1][2]. The Debian
> LTS team handled this with DLA-3644-1 (CVE-2023-40619)[4] in buster
> (oldoldstable) and the OpenSUSE team also handled both CVEs in
> Leap[5][6].
> Removing this package in stable will not leave users without them and
> we can release it in backports.
> I can treat this as a job of ensuring the quality of what is
> distributed by Debian.

Agreed, if the package is actually broken with the version of PostgreSQL
in stable and if there's no sensible backport for the open security
issues, then let's rather remove it by the next point release.

Cheers,
        Moritz
Bug#1071628: python-pymysql: CVE-2024-36039
Source: python-pymysql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for python-pymysql. We should
also fix this in a DSA, could you prepare debdiffs for bookworm-security
and bullseye-security?

CVE-2024-36039[0]:
| PyMySQL through 1.1.0 allows SQL injection if used with untrusted
| JSON input because keys are not escaped by escape_dict.

https://github.com/advisories/GHSA-v9hf-5j83-6xpp
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-36039
    https://www.cve.org/CVERecord?id=CVE-2024-36039

Please adjust the affected versions in the BTS as needed.
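The advisory's point is that a dict-to-SQL helper has two kinds of input in one object: values, which can be escaped as literals, and keys, which become identifiers and cannot be made safe by literal escaping at all. The following is an added illustration for this digest, not PyMySQL's escape_dict or its fix: a builder that escapes values with a deliberately simplified escaper and validates keys against an identifier pattern (optionally also against a schema-derived allow-list), refusing anything else. The rows are constructed.

```python
import re

# Plain SQL identifier: letter or underscore, then up to 63 word characters.
IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def escape_value(value):
    """Simplified literal escaping for the demo only; a real driver's escaper
    also handles encodings, NUL bytes and NO_BACKSLASH_ESCAPES mode."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):            # bool before int: True is an int
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    text = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return f"'{text}'"


def build_insert(table, row, allowed_columns=None):
    """Render an INSERT for a dict. Keys are identifiers, so they are
    validated and never escaped; values are escaped. allowed_columns
    tightens this further to columns the schema actually has."""
    for name in (table, *row):
        if not isinstance(name, str) or not IDENTIFIER.match(name):
            raise ValueError(f"refusing non-identifier name: {name!r}")
    if allowed_columns is not None:
        unknown = [c for c in row if c not in allowed_columns]
        if unknown:
            raise ValueError(f"columns not in allow-list: {unknown}")
    columns = ", ".join(f"`{c}`" for c in row)
    values = ", ".join(escape_value(v) for v in row.values())
    return f"INSERT INTO `{table}` ({columns}) VALUES ({values})"


# Constructed inputs (not real data): a row whose value needs escaping,
# and a row whose key contains a backtick and so is not an identifier.
CONSTRUCTED_ROW = {"name": "O'Brien", "age": 30, "active": True}
CONSTRUCTED_BAD_ROW = {"name`": "x"}


if __name__ == "__main__":
    print(build_insert("users", CONSTRUCTED_ROW))
    try:
        build_insert("users", CONSTRUCTED_BAD_ROW)
    except ValueError as exc:
        print("rejected:", exc)
```

When the dict comes from untrusted JSON, as the advisory describes, the allow-list form is the one to use: the set of column names is known from the schema, so anything outside it is a request error, not something to escape.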
Bug#1070859: npgsql: CVE-2024-32655
Source: npgsql
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for npgsql.

CVE-2024-32655[0]:
| Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()`
| method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs`
| uses `int` variables to store the message length and the sum of
| parameter lengths. Both variables overflow when the sum of parameter
| lengths becomes too large. This causes Npgsql to write a message
| size that is too small when constructing a Postgres protocol message
| to send it over the network to the database. When parsing the
| message, the database will only read a small number of bytes and
| treat any following bytes as new messages while they belong to the
| old message. Attackers can abuse this to inject arbitrary Postgres
| protocol messages into the connection, leading to the execution of
| arbitrary SQL statements on the application's behalf. This
| vulnerability is fixed in 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7, and
| 8.0.3.

https://github.com/npgsql/npgsql/security/advisories/GHSA-x9vc-6hfv-hg8c
https://github.com/npgsql/npgsql/commit/f7e7ead0702d776a8f551f5786c4cac2d65c4bc6

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32655
    https://www.cve.org/CVERecord?id=CVE-2024-32655

Please adjust the affected versions in the BTS as needed.
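Two things in the advisory are worth seeing concretely: how a 32-bit signed accumulator wraps once the parameter bytes pass 2 GiB, and why a too-small length field makes the receiver re-frame the tail of one message as new messages. The following is an added illustration for this digest, not Npgsql's code or its fix. It models the Postgres front-end frame layout (one type byte, an int32 length that counts itself, then the body), computes the length with a wrapping accumulator beside a checked one, and uses a small constructed frame whose declared length is forced to the wrapped value so the re-framing can be shown without a 4 GiB buffer.

```python
import struct

INT32_MAX = 2**31 - 1


def wrap_int32(n):
    """Value a 32-bit signed accumulator holds for n (two's complement wrap)."""
    n &= 0xFFFFFFFF
    return n - 2**32 if n > INT32_MAX else n


def bind_length_unchecked(param_sizes):
    """Length field as an overflowing 32-bit `int` would compute it: 4 bytes
    for the field itself plus every parameter's bytes, wrapping as it goes."""
    total = 4
    for size in param_sizes:
        total = wrap_int32(total + size)
    return total


def bind_length_checked(param_sizes):
    """Same sum with unbounded integers, refused if it cannot be encoded."""
    total = 4 + sum(param_sizes)
    if total > INT32_MAX:
        raise OverflowError("message exceeds the int32 length field")
    return total


def frame(msg_type, body, declared_length=None):
    """Serialise one frame. declared_length lets the demo model a field that
    a wrapped accumulator produced; by default the true length is used."""
    length = 4 + len(body) if declared_length is None else declared_length
    return msg_type + struct.pack("!i", length) + body


def split_frames(stream):
    """Receiver side: carve frames out of a byte stream exactly as a parser
    that trusts the length field does."""
    frames = []
    pos = 0
    while pos + 5 <= len(stream):
        msg_type = stream[pos:pos + 1]
        (length,) = struct.unpack("!i", stream[pos + 1:pos + 5])
        if length < 4:
            raise ValueError("length field smaller than itself")
        body = stream[pos + 5:pos + 1 + length]
        frames.append((msg_type, body))
        pos += 1 + length
    return frames


# Constructed body (not real protocol data). With the true length it is one
# frame; with the wrapped length 4 the receiver sees an empty frame and then
# parses the body's own bytes as the start of another message.
CONSTRUCTED_BODY = b"ABCDEFGHIJ"
FOUR_GIB_PARAMS = [2**30] * 4  # 4 + 4 * 2**30 == 2**32 + 4 wraps to 4


if __name__ == "__main__":
    print("wrapped length :", bind_length_unchecked(FOUR_GIB_PARAMS))
    print("honest frames  :", split_frames(frame(b"B", CONSTRUCTED_BODY)))
    print("re-framed tail :", split_frames(frame(b"B", CONSTRUCTED_BODY, 4)))
```

The checked variant is the whole fix on the sending side: length arithmetic on attacker-influenced sizes has to be done in a type that cannot wrap, and the result compared against the field's range before anything is written to the wire.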
Bug#1070395: tinyproxy: CVE-2023-40533 CVE-2023-49606
Source: tinyproxy
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for tinyproxy.

CVE-2023-40533[0]:
| An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1
| while parsing HTTP requests. In certain configurations, a specially
| crafted HTTP request can result in disclosure of data allocated on
| the heap, which could contain sensitive information. An attacker can
| make an unauthenticated HTTP request to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1902

CVE-2023-49606[1]:
| A use-after-free vulnerability exists in the HTTP Connection Headers
| parsing in Tinyproxy 1.11.1 and Tinyproxy 1.10.0. A specially
| crafted HTTP header can trigger reuse of previously freed memory,
| which leads to memory corruption and could lead to remote code
| execution. An attacker needs to make an unauthenticated HTTP request
| to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1889

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-40533
    https://www.cve.org/CVERecord?id=CVE-2023-40533
[1] https://security-tracker.debian.org/tracker/CVE-2023-49606
    https://www.cve.org/CVERecord?id=CVE-2023-49606

Please adjust the affected versions in the BTS as needed.
Bug#1070388: jupyterhub: CVE-2024-28233
Source: jupyterhub
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for jupyterhub.

CVE-2024-28233[0]:
| JupyterHub is an open source multi-user server for Jupyter
| notebooks. By tricking a user into visiting a malicious subdomain,
| the attacker can achieve an XSS directly affecting the former's
| session. More precisely, in the context of JupyterHub, this XSS
| could achieve full access to JupyterHub API and user's single-user
| server. The affected configurations are single-origin JupyterHub
| deployments and JupyterHub deployments with user-controlled
| applications running on subdomains or peer subdomains of either the
| Hub or a single-user server. This vulnerability is fixed in 4.1.0.

https://github.com/jupyterhub/jupyterhub/security/advisories/GHSA-7r3h-4ph8-w38g
https://github.com/jupyterhub/jupyterhub/commit/e2798a088f5ad45340fe79cdf1386198e664f77f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28233
    https://www.cve.org/CVERecord?id=CVE-2024-28233

Please adjust the affected versions in the BTS as needed.
Bug#1070387: gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391
Source: gdcm
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gdcm. These are fixed
in 3.0.24:

CVE-2024-25569[0]:
| An out-of-bounds read vulnerability exists in the
| RAWCodec::DecodeBytes functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted DICOM file can lead to an out-of-
| bounds read. An attacker can provide a malicious file to trigger
| this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1944

CVE-2024-22373[1]:
| An out-of-bounds write vulnerability exists in the
| JPEG2000Codec::DecodeByStreamsCommon functionality of Mathieu
| Malaterre Grassroot DICOM 3.0.23. A specially crafted DICOM file can
| lead to a heap buffer overflow. An attacker can provide a malicious
| file to trigger this vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1935

CVE-2024-22391[2]:
| A heap-based buffer overflow vulnerability exists in the
| LookupTable::SetLUT functionality of Mathieu Malaterre Grassroot
| DICOM 3.0.23. A specially crafted malformed file can lead to memory
| corruption. An attacker can provide a malicious file to trigger this
| vulnerability.

https://talosintelligence.com/vulnerability_reports/TALOS-2024-1924

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25569
    https://www.cve.org/CVERecord?id=CVE-2024-25569
[1] https://security-tracker.debian.org/tracker/CVE-2024-22373
    https://www.cve.org/CVERecord?id=CVE-2024-22373
[2] https://security-tracker.debian.org/tracker/CVE-2024-22391
    https://www.cve.org/CVERecord?id=CVE-2024-22391

Please adjust the affected versions in the BTS as needed.
Bug#1069763: matrix-synapse: CVE-2024-31208
Source: matrix-synapse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for matrix-synapse.

CVE-2024-31208[0]:
| Synapse is an open-source Matrix homeserver. A remote Matrix user
| with malicious intent, sharing a room with Synapse instances before
| 1.105.1, can dispatch specially crafted events to exploit a weakness
| in the V2 state resolution algorithm. This can induce high CPU
| consumption and accumulate excessive data in the database of such
| instances, resulting in a denial of service. Servers in private
| federations, or those that do not federate, are not affected. Server
| administrators should upgrade to 1.105.1 or later. Some workarounds
| are available. One can ban the malicious users or ACL block servers
| from the rooms and/or leave the room and purge the room using the
| admin API.

https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v
https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a (v1.105.1)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-31208
    https://www.cve.org/CVERecord?id=CVE-2024-31208

Please adjust the affected versions in the BTS as needed.
Bug#1069762: pdns-recursor: CVE-2024-25583
Source: pdns-recursor
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pdns-recursor.

CVE-2024-25583[0]:
PowerDNS Security Advisory 2024-02: if recursive forwarding is
configured, crafted responses can lead to a denial of service in
Recursor

https://www.openwall.com/lists/oss-security/2024/04/24/1

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25583
    https://www.cve.org/CVERecord?id=CVE-2024-25583

Please adjust the affected versions in the BTS as needed.
Bug#1069679: ofono: CVE-2023-2794
Source: ofono
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ofono.

CVE-2023-2794[0]:
| A flaw was found in ofono, an Open Source Telephony on Linux. A
| stack overflow bug is triggered within the decode_deliver() function
| during the SMS decoding. It is assumed that the attack scenario is
| accessible from a compromised modem, a malicious base station, or
| just SMS. There is a bound check for this memcpy length in
| decode_submit(), but it was forgotten in decode_deliver().

https://bugzilla.redhat.com/show_bug.cgi?id=2255387
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=a90421d8e45d63b304dc010baba24633e7869682
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=7f2adfa22fbae824f8e2c3ae86a3f51da31ee400
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=07f48b23e3877ef7d15a7b0b8b79d32ad0a3607e
https://git.kernel.org/pub/scm/network/ofono/ofono.git/commit/?id=8fa1fdfcb54e1edb588c6a5e260b065a39c9

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2794
    https://www.cve.org/CVERecord?id=CVE-2023-2794

Please adjust the affected versions in the BTS as needed.
Bug#1069677: rust-rustls: CVE-2024-32650
Source: rust-rustls
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for rust-rustls.

CVE-2024-32650[0]:
| Rustls is a modern TLS library written in Rust.
| `rustls::ConnectionCommon::complete_io` could fall into an infinite
| loop based on network input. When using a blocking rustls server, if
| a client sends a `close_notify` message immediately after
| `client_hello`, the server's `complete_io` will get in an infinite
| loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11.

https://github.com/rustls/rustls/security/advisories/GHSA-6g7w-8wpp-frhj
https://github.com/rustls/rustls/commit/2123576840aa31043a31b0770e6572136fbe0c2d (v/0.23.5)
https://github.com/rustls/rustls/commit/6e938bcfe82a9da7a2e1cbf10b928c7eca26426e (v/0.23.5)
https://rustsec.org/advisories/RUSTSEC-2024-0336.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-32650
    https://www.cve.org/CVERecord?id=CVE-2024-32650

Please adjust the affected versions in the BTS as needed.
Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094
Source: openjdk-8
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-8.

CVE-2024-21011[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition:
| 20.3.13 and 21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized ability to cause a partial denial of service
| (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21068[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK:
| 17.0.10, 21.0.2 and 22; Oracle GraalVM Enterprise Edition: 21.3.9.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via multiple protocols to compromise Oracle Java
| SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
| Successful attacks of this vulnerability can result in unauthorized
| update, insert or delete access to some of Oracle Java SE, Oracle
| GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability can be exploited by using APIs in the
| specified Component, e.g., through a web service which supplies data
| to the APIs. This vulnerability also applies to Java deployments,
| typically in clients running sandboxed Java Web Start applications
| or sandboxed Java applets, that load and run untrusted code (e.g.,
| code that comes from the internet) and rely on the Java sandbox for
| security. CVSS 3.1 Base Score 3.7 (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2024-21085[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise
| Edition product of Oracle Java SE (component: Concurrency).
| Supported versions that are affected are Oracle Java SE: 8u401,
| 8u401-perf, 11.0.22; Oracle GraalVM Enterprise Edition: 20.3.13 and
| 21.3.9. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a partial denial of service (partial DOS) of Oracle Java SE,
| Oracle GraalVM Enterprise Edition. Note: This vulnerability can be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. This vulnerability also
| applies to Java deployments, typically in clients running sandboxed
| Java Web Start applications or sandboxed Java applets, that load and
| run untrusted code (e.g., code that comes from the internet) and
| rely on the Java sandbox for security. CVSS 3.1 Base Score 3.7
| (Availability impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

CVE-2024-21094[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle
| GraalVM Enterprise Edition product of Oracle Java SE (component:
| Hotspot). Supported versions that are affected are Oracle Java SE:
| 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for
| JDK: 17.0.10, 21.0.2, 22; Oracle GraalVM Enterprise Edition: 20.3.13
| and 21.3.9. Difficult to exploit vulnerability allows
| unauthenticated attacker with network access via multiple protocols
| to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability can be exploited
| by using APIs in the specified Component, e.g., through a web
| service which supplies data to the APIs. This vulnerability also
| applies to Java deployme
Bug#1069189: mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21
Source: mysql-8.0
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for mysql-8.0.

CVE-2024-21102[0]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Thread Pooling). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21096[1]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Client: mysqldump). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to
| exploit vulnerability allows unauthenticated attacker with logon to
| the infrastructure where MySQL Server executes to compromise MySQL
| Server. Successful attacks of this vulnerability can result in
| unauthorized update, insert or delete access to some of MySQL Server
| accessible data as well as unauthorized read access to a subset of
| MySQL Server accessible data and unauthorized ability to cause a
| partial denial of service (partial DOS) of MySQL Server. CVSS 3.1
| Base Score 4.9 (Confidentiality, Integrity and Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L).

CVE-2024-21087[2]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Group Replication Plugin). Supported versions
| that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21069[3]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: DDL). Supported versions that are affected are
| 8.0.36 and prior and 8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL Server. Successful
| attacks of this vulnerability can result in unauthorized ability to
| cause a hang or frequently repeatable crash (complete DOS) of MySQL
| Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS
| Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21062[4]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21060[5]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Data Dictionary). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21054[6]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: Server: Optimizer). Supported versions that are
| affected are 8.0.36 and prior and 8.3.0 and prior. Easily
| exploitable vulnerability allows high privileged attacker with
| network access via multiple protocols to compromise MySQL Server.
| Successful attacks of this vulnerability can result in unauthorized
| ability to cause a hang or frequently repeatable crash (complete
| DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability
| impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

CVE-2024-21047[7]:
| Vulnerability in the MySQL Server product of Oracle MySQL
| (component: InnoDB). Supported versions that are affected are
| 8.0.36 and prior and 8.3.0 and prior. Easily exploitable
| vulnerability allows high privileged attacker with network access
| via multiple protocols to compromise MySQL S
Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120
Source: sngrep
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for sngrep.

CVE-2024-3119[0]:
| A buffer overflow vulnerability exists in all versions of sngrep
| since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call-ID'
| SIP headers. The functions sip_get_callid and sip_get_xcallid in
| sip.c use the strncpy function to copy header contents into fixed-
| size buffers without checking the data length. This flaw allows
| remote attackers to execute arbitrary code or cause a denial of
| service (DoS) through specially crafted SIP messages.

https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1)

CVE-2024-3120[1]:
| A stack-buffer overflow vulnerability exists in all versions of
| sngrep since v1.4.1. The flaw is due to inadequate bounds checking
| when copying 'Content-Length' and 'Warning' headers into fixed-size
| buffers in the sip_validate_packet and sip_parse_extra_headers
| functions within src/sip.c. This vulnerability allows remote
| attackers to execute arbitrary code or cause a denial of service
| (DoS) via crafted SIP messages.

https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3119
    https://www.cve.org/CVERecord?id=CVE-2024-3119
[1] https://security-tracker.debian.org/tracker/CVE-2024-3120
    https://www.cve.org/CVERecord?id=CVE-2024-3120

Please adjust the affected versions in the BTS as needed.
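The two sngrep advisories above, and the ofono decode_deliver() report earlier in this digest, describe the same defect class: a value taken from the network is copied with strncpy or memcpy into a fixed-size buffer, with the copy length derived from the input rather than from the destination. The following is an added illustration written for this page; it is not code from sngrep, ofono or any other project, and the function names (find_header, copy_header_value), the CALLID_MAX buffer size and the sample SIP message are all constructed for the example. It shows the bounded form a reviewer would look for: the value length is compared against the destination size before the copy, the destination is always NUL-terminated, and an over-long value is rejected with a status instead of being copied or silently truncated.

```c
/* Added example for this page: bounded extraction of a SIP header value
 * into a fixed-size buffer. Illustrative code only; it is not taken from
 * sngrep or ofono, and the names below (find_header, copy_header_value,
 * CALLID_MAX, SAMPLE_SIP_MSG) are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX); SIP header names are case-insensitive */

#define CALLID_MAX 256 /* hypothetical fixed destination buffer size */

enum hdr_status { HDR_OK = 0, HDR_MISSING = 1, HDR_TOO_LONG = 2 };

/* Locate "name:" at the start of a line in msg. On success returns a pointer
 * to the first non-blank character of the value and stores the value length
 * (up to the end of the line) in *vlen. Returns NULL if the header is absent. */
static const char *find_header(const char *msg, const char *name, size_t *vlen)
{
    size_t nlen = strlen(name);
    const char *line = msg;

    while (line != NULL && *line != '\0') {
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            const char *end;
            while (*v == ' ' || *v == '\t')
                v++;
            end = v;
            while (*end != '\0' && *end != '\r' && *end != '\n')
                end++;
            *vlen = (size_t)(end - v);
            return v;
        }
        line = strchr(line, '\n');  /* advance to the next header line */
        if (line != NULL)
            line++;
    }
    return NULL;
}

/* Copy the value of header `name` from msg into dst (capacity dstsz).
 * The length comparison before the copy is the check the advisories say
 * was missing: a value that would not fit, including its terminating NUL,
 * is rejected rather than copied. dst is always NUL-terminated on return. */
int copy_header_value(const char *msg, const char *name, char *dst, size_t dstsz)
{
    size_t vlen = 0;
    const char *v;

    if (dstsz == 0)
        return HDR_TOO_LONG;
    dst[0] = '\0';

    v = find_header(msg, name, &vlen);
    if (v == NULL)
        return HDR_MISSING;
    if (vlen >= dstsz)          /* leave room for the NUL terminator */
        return HDR_TOO_LONG;

    memcpy(dst, v, vlen);       /* bounded by the check above */
    dst[vlen] = '\0';
    return HDR_OK;
}

/* Constructed sample SIP request (not a captured message). */
const char SAMPLE_SIP_MSG[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n";

int main(void)
{
    char callid[CALLID_MAX];
    char tiny[8];

    printf("Call-ID   -> status %d, value \"%s\"\n",
           copy_header_value(SAMPLE_SIP_MSG, "Call-ID", callid, sizeof callid), callid);
    printf("X-Call-ID -> status %d (missing)\n",
           copy_header_value(SAMPLE_SIP_MSG, "X-Call-ID", callid, sizeof callid));
    printf("Call-ID into 8 bytes -> status %d (rejected, not truncated)\n",
           copy_header_value(SAMPLE_SIP_MSG, "Call-ID", tiny, sizeof tiny));
    return 0;
}
```

When reviewing a fix for this class of bug, the two things to confirm are that the bound passed to the copy is the destination capacity (never a length parsed from the packet), and that the destination is terminated afterwards: strncpy with a source-derived length overflows when the value is longer than the buffer, and strncpy with the buffer size leaves no terminator when the value fills it.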
Bug#1068816: undertow: CVE-2024-1459
Source: undertow
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for undertow.

CVE-2024-1459[0]:
| A path traversal vulnerability was found in Undertow. This issue may
| allow a remote attacker to append a specially-crafted sequence to an
| HTTP request for an application deployed to JBoss EAP, which may
| permit access to privileged or restricted files and directories.

The only reference here is at Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=2259475

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1459
    https://www.cve.org/CVERecord?id=CVE-2024-1459

Please adjust the affected versions in the BTS as needed.
Bug#1068462: gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-28318[0]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary write vulnerability via swf_get_string at
| scene_manager/swf_parse.c:325

https://github.com/gpac/gpac/issues/2764
https://github.com/gpac/gpac/commit/ae831621a08a64e3325ce532f8b78811a1581716

CVE-2024-28319[1]:
| gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an
| out of boundary read vulnerability via gf_dash_setup_period
| media_tools/dash_client.c:6374

https://github.com/gpac/gpac/issues/2763
https://github.com/gpac/gpac/commit/cb3c29809bddfa32686e3deb231a76af67b68e1e

CVE-2023-46426[2]:
| Heap-based Buffer Overflow vulnerability in gpac version 2.3-DEV-
| rev588-g7edc40fee-master, allows remote attackers to execute
| arbitrary code and cause a denial of service (DoS) via gf_fwrite
| component at utils/os_file.c.

https://github.com/gpac/gpac/issues/2642
https://github.com/gpac/gpac/commit/14ec709a1ffae23ad777c37320290caa0a754341

CVE-2023-46427[3]:
| An issue was discovered in gpac version 2.3-DEV-rev588-g7edc40fee-
| master, allows remote attackers to execute arbitrary code, cause a
| denial of service (DoS), and obtain sensitive information via null
| pointer dereference in gf_dash_setup_period component in
| media_tools/dash_client.c.

https://github.com/gpac/gpac/issues/2641
https://github.com/gpac/gpac/commit/ed8424300fc4a1f5231ecd1d47f502ddd3621d1a

CVE-2024-24265[4]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| dst_props variable in the gf_filter_pid_merge_properties_internal
| function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_1.md

CVE-2024-24266[5]:
| gpac v2.2.1 was discovered to contain a Use-After-Free (UAF)
| vulnerability via the dasher_configure_pid function at
| /src/filters/dasher.c.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_2.md

CVE-2024-24267[6]:
| gpac v2.2.1 was discovered to contain a memory leak via the
| gfio_blob variable in the gf_fileio_from_blob function.

https://github.com/yinluming13579/gpac_defects/blob/main/gpac_3.md

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28318
    https://www.cve.org/CVERecord?id=CVE-2024-28318
[1] https://security-tracker.debian.org/tracker/CVE-2024-28319
    https://www.cve.org/CVERecord?id=CVE-2024-28319
[2] https://security-tracker.debian.org/tracker/CVE-2023-46426
    https://www.cve.org/CVERecord?id=CVE-2023-46426
[3] https://security-tracker.debian.org/tracker/CVE-2023-46427
    https://www.cve.org/CVERecord?id=CVE-2023-46427
[4] https://security-tracker.debian.org/tracker/CVE-2024-24265
    https://www.cve.org/CVERecord?id=CVE-2024-24265
[5] https://security-tracker.debian.org/tracker/CVE-2024-24266
    https://www.cve.org/CVERecord?id=CVE-2024-24266
[6] https://security-tracker.debian.org/tracker/CVE-2024-24267
    https://www.cve.org/CVERecord?id=CVE-2024-24267

Please adjust the affected versions in the BTS as needed.
Bug#1068457: azure-uamqp-python: CVE-2024-29195
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-29195[0]:
| The azure-c-shared-utility is a C library for AMQP/MQTT
| communication to Azure Cloud Services. This library may be used by
| the Azure IoT C SDK for communication between IoT Hub and IoT Hub
| devices. An attacker can cause an integer wraparound or under-
| allocation or heap buffer overflow due to vulnerabilities in
| parameter checking mechanism, by exploiting the buffer length
| parameter in Azure C SDK, which may lead to remote code execution.
| Requirements for RCE are 1. Compromised Azure account allowing
| malformed payloads to be sent to the device via IoT Hub service, 2.
| Bypassing IoT hub service max message payload limit of 128KB, and
| 3. Ability to overwrite code space with remote code. Fixed in commit
| https://github.com/Azure/azure-c-shared-
| utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2.

https://github.com/Azure/azure-c-shared-utility/security/advisories/GHSA-m8wp-hc7w-x4xg
https://github.com/Azure/azure-c-shared-utility/commit/1129147c38ac02ad974c4c701a1e01b2141b9fe2

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29195
    https://www.cve.org/CVERecord?id=CVE-2024-29195

Please adjust the affected versions in the BTS as needed.
Bug#1068453: request-tracker5: CVE-2024-3262
Source: request-tracker5
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker5.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
    https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.
Bug#1068452: request-tracker4: CVE-2024-3262
Source: request-tracker4
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for request-tracker4.

CVE-2024-3262[0]:
| Information exposure vulnerability in RT software affecting version
| 4.4.1. This vulnerability allows an attacker with local access to
| the device to retrieve sensitive information about the application,
| such as vulnerability tickets, because the application stores the
| information in the browser cache, leading to information exposure
| despite session termination.

https://github.com/bestpractical/rt/commit/ea07e767eaef5b202e8883051616d09806b8b48a
https://github.com/bestpractical/rt/commit/468f86bd3e82c3b5b5ef7087d416a7509d4b1abe

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3262
    https://www.cve.org/CVERecord?id=CVE-2024-3262

Please adjust the affected versions in the BTS as needed.
Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709
Source: apache2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for apache2.

CVE-2024-27316[0]:
https://www.kb.cert.org/vuls/id/421644
https://www.openwall.com/lists/oss-security/2024/04/04/4

CVE-2024-24795[1]:
https://www.openwall.com/lists/oss-security/2024/04/04/5

CVE-2023-38709[2]:
https://www.openwall.com/lists/oss-security/2024/04/04/3

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27316
    https://www.cve.org/CVERecord?id=CVE-2024-27316
[1] https://security-tracker.debian.org/tracker/CVE-2024-24795
    https://www.cve.org/CVERecord?id=CVE-2024-24795
[2] https://security-tracker.debian.org/tracker/CVE-2023-38709
    https://www.cve.org/CVERecord?id=CVE-2023-38709

Please adjust the affected versions in the BTS as needed.
Bug#1068347: nodejs: CVE-2024-27983 CVE-2024-27982
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2024-27983[0]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

CVE-2024-27982[1]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27983
    https://www.cve.org/CVERecord?id=CVE-2024-27983
[1] https://security-tracker.debian.org/tracker/CVE-2024-27982
    https://www.cve.org/CVERecord?id=CVE-2024-27982

Please adjust the affected versions in the BTS as needed.
Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security
Hi Adrian,

> attached are proposed debdiffs for updating gtkwave to 3.3.118 in
> {bookworm,bullseye,buster}-security for review for a DSA
> (and as preview for buster).

Thanks!

> General notes:
>
> I checked a handful of CVEs, and they were also present in buster.
> If anyone insists that I check for every single CVE whether it is also
> in buster I can do that, but that would be a lot of work.

Nah, no need.

> As mentioned in #1060407 there are different tarballs for GTK 2 and GTK 3.
> Looking closer I realized that this is actually one tarball that
> supports GTK 1+2, and one tarball that supports GTK 2+3.
> I did stay at the GTK 1+2 tarball that was already used before
> for bullseye and buster since there was anyway a different upstream
> tarball required for the +really version that is required to avoid
> creating file conflicts with ghwdump when upgrading to bookworm.
>
> What does the security team consider the best versioning for bullseye?
> In #1060407 I suggested 3.3.104+really3.3.118-0.1, but now I ended up
> preferring 3.3.104+really3.3.118-0+deb11u1

That's fine.

> debdiffs contain only changes to debian/

The bookworm/bullseye debdiffs look good, please upload to
security-master, thanks! Note that both need -sa, but dak needs some
special attention when uploading to security-master. You'll need to wait
for the ACCEPTED mail before you can upload the next one.

Cheers,
Moritz
Bug#1064967: fontforge: CVE-2024-25081 CVE-2024-25082
Source: fontforge
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for fontforge.

CVE-2024-25081[0]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted filenames.

CVE-2024-25082[1]:
| Splinefont in FontForge through 20230101 allows command injection
| via crafted archives or compressed files.

Fixed by:
https://github.com/fontforge/fontforge/pull/5367
https://github.com/fontforge/fontforge/commit/216eb14b558df344b206bf82e2bdaf03a1f2f429

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25081
    https://www.cve.org/CVERecord?id=CVE-2024-25081
[1] https://security-tracker.debian.org/tracker/CVE-2024-25082
    https://www.cve.org/CVERecord?id=CVE-2024-25082

Please adjust the affected versions in the BTS as needed.
Bug#1064516: ruby-rack: CVE-2024-26141 CVE-2024-25126 CVE-2024-26146
Source: ruby-rack
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rack.

CVE-2024-26141[0]:
Reject Range headers which are too large
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b (v2.2.8.1)

CVE-2024-25126[1]:
Fixed ReDoS in Content Type header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1

CVE-2024-26146[2]:
Fixed ReDoS in Accept header parsing
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd (v2.2.8.1)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-26141
    https://www.cve.org/CVERecord?id=CVE-2024-26141
[1] https://security-tracker.debian.org/tracker/CVE-2024-25126
    https://www.cve.org/CVERecord?id=CVE-2024-25126
[2] https://security-tracker.debian.org/tracker/CVE-2024-26146
    https://www.cve.org/CVERecord?id=CVE-2024-26146

Please adjust the affected versions in the BTS as needed.
Bug#1064514: pymatgen: CVE-2024-23346
Source: pymatgen
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pymatgen.

CVE-2024-23346[0]:
| Pymatgen (Python Materials Genomics) is an open-source Python
| library for materials analysis. A critical security vulnerability
| exists in the
| `JonesFaithfulTransformation.from_transformation_str()` method
| within the `pymatgen` library prior to version 2024.2.20. This
| method insecurely utilizes `eval()` for processing input, enabling
| execution of arbitrary code when parsing untrusted input. Version
| 2024.2.20 fixes this issue.

https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-23346
    https://www.cve.org/CVERecord?id=CVE-2024-23346

Please adjust the affected versions in the BTS as needed.
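The defect class behind CVE-2024-23346 (handing an input string to `eval()`) and the usual remedy are illustrated by the following added example. It is not pymatgen's code and not the upstream fix: the transformation-string format it parses (`"a-b,a,c;0,0,1/2"`, comma-separated linear expressions in `a`, `b`, `c`, a semicolon, then a comma-separated origin shift) is an assumption made for the demonstration. The hardened parser walks the Python AST and accepts only numeric constants, the three basis names and `+ - * /`, so a string carrying a call, an attribute access or a name lookup is rejected instead of executed.

```python
"""Parsing arithmetic from untrusted strings: eval() versus an AST whitelist.

Added example; the transformation-string format is assumed, not pymatgen's.
"""
import ast
import operator
from fractions import Fraction
from typing import List, Mapping, Tuple

# Operators the restricted evaluator will honour.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}

BASIS = ("a", "b", "c")  # assumed basis-vector names


class UnsafeExpression(ValueError):
    """Raised when an expression uses syntax outside the whitelist."""


def vulnerable_eval(expr: str):
    """The insecure pattern: eval() runs any Python the string contains.
    Here it is called with a benign expression only to show that eval()
    executes function calls, which an arithmetic parser must never do."""
    return eval(expr)  # noqa: S307 -- deliberately insecure, for contrast


def _eval_node(node: ast.AST, variables: Mapping[str, Fraction]) -> Fraction:
    """Evaluate a whitelisted AST node; anything else raises UnsafeExpression."""
    if isinstance(node, ast.Constant):
        # bool is a subclass of int; reject it along with strings, None, etc.
        if isinstance(node.value, bool) or not isinstance(node.value, (int, float)):
            raise UnsafeExpression("only numeric constants are allowed")
        return Fraction(node.value)
    if isinstance(node, ast.Name):
        if node.id not in variables:
            raise UnsafeExpression(f"unknown symbol {node.id!r}")
        return variables[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, variables)
        right = _eval_node(node.right, variables)
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, variables))
    # Calls, attributes, subscripts, comprehensions, lambdas... all end here.
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def safe_eval(expr: str, variables: Mapping[str, Fraction]) -> Fraction:
    """Evaluate a small arithmetic expression without executing code."""
    tree = ast.parse(expr.strip(), mode="eval")  # SyntaxError on garbage
    return _eval_node(tree.body, variables)


def is_safe_expression(expr: str) -> bool:
    """True if the string is plain arithmetic over a, b, c."""
    try:
        safe_eval(expr, {name: Fraction(0) for name in BASIS})
        return True
    except (UnsafeExpression, SyntaxError, ZeroDivisionError):
        return False


def parse_transformation_str(s: str) -> Tuple[List[List[Fraction]], List[Fraction]]:
    """Parse 'expr,expr,expr;shift,shift,shift' into a 3x3 matrix and a shift.

    Each expression must be linear in a, b, c. Its coefficients are read off
    by evaluating it at the unit vectors and subtracting the value at zero.
    """
    lhs, rhs = s.split(";", 1)
    exprs = lhs.split(",")
    shifts = rhs.split(",")
    if len(exprs) != 3 or len(shifts) != 3:
        raise ValueError("expected three expressions and three shift values")
    zero = {name: Fraction(0) for name in BASIS}
    matrix = []
    for expr in exprs:
        offset = safe_eval(expr, zero)
        if offset != 0:
            raise ValueError(f"expression {expr!r} is not homogeneous")
        row = []
        for name in BASIS:
            unit = dict(zero, **{name: Fraction(1)})
            row.append(safe_eval(expr, unit) - offset)
        matrix.append(row)
    shift = [safe_eval(v, zero) for v in shifts]
    return matrix, shift


if __name__ == "__main__":
    print(vulnerable_eval("len('abcd')"))          # eval() happily runs a call
    print(is_safe_expression("len('abcd')"))       # the whitelist refuses it
    print(parse_transformation_str("a-b,a,c;0,0,1/2"))
```

`Fraction` is used rather than `float` so that shifts such as `1/2` stay exact; evaluating at unit vectors keeps the coefficient extraction independent of how the linear expression is written (`a-b` and `-b+a` give the same row).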
Bug#1064062: iwd: CVE-2023-52161
Source: iwd
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for iwd.

CVE-2023-52161[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/

While this mentions a patch for wpa_supplicant, it's not obvious if
this was reported/fixed in iwd.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52161
    https://www.cve.org/CVERecord?id=CVE-2023-52161

Please adjust the affected versions in the BTS as needed.
Bug#1064061: wpa: CVE-2023-52160
Source: wpa
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for wpa.

CVE-2023-52160[0]:
https://www.top10vpn.com/research/wifi-vulnerabilities/
https://w1.fi/cgit/hostap/commit/?id=8e6485a1bcb0baff

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-52160
    https://www.cve.org/CVERecord?id=CVE-2023-52160

Please adjust the affected versions in the BTS as needed.
Bug#1064055: nodejs: CVE-2023-46809 CVE-2024-22019 CVE-2024-21892
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-46809[0]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium

CVE-2024-22019[1]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high

CVE-2024-21892[2]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high

There are some other issues, but they only affect the version in
experimental.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46809
    https://www.cve.org/CVERecord?id=CVE-2023-46809
[1] https://security-tracker.debian.org/tracker/CVE-2024-22019
    https://www.cve.org/CVERecord?id=CVE-2024-22019
[2] https://security-tracker.debian.org/tracker/CVE-2024-21892
    https://www.cve.org/CVERecord?id=CVE-2024-21892

Please adjust the affected versions in the BTS as needed.
Bug#1064051: azure-uamqp-python: CVE-2024-25110
Source: azure-uamqp-python
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for azure-uamqp-python.

CVE-2024-25110[0]:
| The UAMQP is a general purpose C library for AMQP 1.0. During a call
| to open_get_offered_capabilities, a memory allocation may fail
| causing a use-after-free issue and if a client called it during
| connection communication it may cause a remote code execution. Users
| are advised to update the submodule with commit `30865c9c`. There
| are no known workarounds for this vulnerability.

azure-uamqp-python appears to bundle azure-uamqp-c, so presumably it's
also affected?

https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25110
    https://www.cve.org/CVERecord?id=CVE-2024-25110

Please adjust the affected versions in the BTS as needed.
Bug#1060409: gpac: CVE-2024-0321 CVE-2024-0322
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2024-0321[0]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://huntr.com/bounties/4c027b94-8e9c-4c31-a169-893b25047769/
https://github.com/gpac/gpac/commit/d0ced41651b279bb054eb6390751e2d4eb84819a

CVE-2024-0322[1]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://huntr.com/bounties/87611fc9-ed7c-43e9-8e52-d83cd270bbec/
https://github.com/gpac/gpac/commit/092904b80edbc4dce315684a59cc3184c45c1b70

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-0321
    https://www.cve.org/CVERecord?id=CVE-2024-0321
[1] https://security-tracker.debian.org/tracker/CVE-2024-0322
    https://www.cve.org/CVERecord?id=CVE-2024-0322

Please adjust the affected versions in the BTS as needed.
Bug#877016: Time to drop cpufrequtils?
On Fri, Jan 05, 2024 at 12:08:54PM +0100, Chris Hofstaedtler wrote:
> On Sun, Sep 03, 2023 at 08:26:00PM +0200, Moritz Mühlenhoff wrote:
> > severity 877016 serious
> > thanks
> >
> > On Thu, Sep 28, 2017 at 06:51:30AM -0700, Mattia Dongili wrote:
> > > On Wed, Sep 27, 2017 at 03:16:52PM -0400, Phil Susi wrote:
> > > > Package: cpufrequtils
> > > > Version: 008-1
> > > ...
> > > > is the case, should cpufrequtils not be removed now?
> > >
> > > Yes, indeed it should. Thanks for nagging.
> >
> > Bumping the severity to RC to move forward with this for trixie.
>
> $ dak rm -nR cpufrequtils
> Will remove the following packages from unstable:
>
> cpufrequtils | 008-2 | source, amd64, arm64, armel, armhf, i386, mips64el, s390x
> libcpufreq-dev | 008-2 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, s390x
> libcpufreq-dev | 008-2+b1 | riscv64
> libcpufreq0 | 008-2 | amd64, arm64, armel, armhf, i386, mips64el, ppc64el, s390x
> libcpufreq0 | 008-2+b1 | riscv64
>
> Maintainer: Seunghun Han
>
> --- Reason ---
>
> --
>
> Checking reverse dependencies...
> No dependency problem found.
>
> Seems like it's good to go?

Given the original bug to suggest its removal is from 2017, I think
it's safe to say that anyone had a chance to object to its removal :-)

Cheers,
Moritz
Bug#1059307: ring: CVE-2023-38703
Source: ring
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for pjsip, which is bundled
in ring:

CVE-2023-38703[0]:
| PJSIP is a free and open source multimedia communication library
| written in C with high level API in C, C++, Java, C#, and Python
| languages. SRTP is a higher level media transport which is stacked
| upon a lower level media transport such as UDP and ICE. Currently a
| higher level transport is not synchronized with its lower level
| transport that may introduce use-after-free issue. This
| vulnerability affects applications that have SRTP capability
| (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
| than UDP. This vulnerability's impact may range from unexpected
| application termination to control flow hijack/memory corruption.
| The patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d (2.14)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38703
    https://www.cve.org/CVERecord?id=CVE-2023-38703

Please adjust the affected versions in the BTS as needed.
Bug#1059303: asterisk: CVE-2023-37457 CVE-2023-38703
Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for asterisk.

CVE-2023-37457[0]:
| Asterisk is an open source private branch exchange and telephony
| toolkit. In Asterisk versions 18.20.0 and prior, 20.5.0 and prior,
| and 21.0.0; as well as certified-asterisk 18.9-cert5 and prior, the
| 'update' functionality of the PJSIP_HEADER dialplan function can
| exceed the available buffer space for storing the new value of a
| header. By doing so this can overwrite memory or cause a crash. This
| is not externally exploitable, unless dialplan is explicitly written
| to update a header based on data from an outside source. If the
| 'update' functionality is not used the vulnerability does not occur.
| A patch is available at commit
| a1ca0268254374b515fa5992f01340f7717113fa.

https://github.com/asterisk/asterisk/security/advisories/GHSA-98rc-4j27-74hh
https://github.com/asterisk/asterisk/commit/a1ca0268254374b515fa5992f01340f7717113fa

CVE-2023-38703[1]:
| PJSIP is a free and open source multimedia communication library
| written in C with high level API in C, C++, Java, C#, and Python
| languages. SRTP is a higher level media transport which is stacked
| upon a lower level media transport such as UDP and ICE. Currently a
| higher level transport is not synchronized with its lower level
| transport that may introduce use-after-free issue. This
| vulnerability affects applications that have SRTP capability
| (`PJMEDIA_HAS_SRTP` is set) and use underlying media transport other
| than UDP. This vulnerability's impact may range from unexpected
| application termination to control flow hijack/memory corruption.
| The patch is available as a commit in the master branch.

https://github.com/pjsip/pjproject/security/advisories/GHSA-f76w-fh7c-pc66
https://github.com/pjsip/pjproject/commit/6dc9b8c181aff39845f02b4626e0812820d4ef0d (2.14)

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37457
    https://www.cve.org/CVERecord?id=CVE-2023-37457
[1] https://security-tracker.debian.org/tracker/CVE-2023-38703
    https://www.cve.org/CVERecord?id=CVE-2023-38703

Please adjust the affected versions in the BTS as needed.
Bug#1059300: ruby-sidekiq: CVE-2023-26141
Source: ruby-sidekiq
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sidekiq.

CVE-2023-26141[0]:
| Versions of the package sidekiq before 7.1.3 are vulnerable to
| Denial of Service (DoS) due to insufficient checks in the
| dashboard-charts.js file. An attacker can exploit this vulnerability
| by manipulating the localStorage value which will cause excessive
| polling requests.

https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-5885107
https://github.com/sidekiq/sidekiq/commit/62c90d7c5a7d8a378d79909859d87c2e0702bf89 (v7.1.3)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26141
    https://www.cve.org/CVERecord?id=CVE-2023-26141

Please adjust the affected versions in the BTS as needed.
Bug#1059293: lrzip: CVE-2023-39741
Source: lrzip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lrzip.

CVE-2023-39741[0]:
| lrzip v0.651 was discovered to contain a heap overflow via the
| libzpaq::PostProcessor::write(int) function at /libzpaq/libzpaq.cpp.
| This vulnerability allows attackers to cause a Denial of Service
| (DoS) via a crafted file.

https://github.com/ckolivas/lrzip/issues/246

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39741
    https://www.cve.org/CVERecord?id=CVE-2023-39741

Please adjust the affected versions in the BTS as needed.
Bug#1059265: w3m: CVE-2023-4255
Source: w3m
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for w3m.

CVE-2023-4255[0]:
| An out-of-bounds write issue has been discovered in the backspace
| handling of the checkType() function in etc.c within the W3M
| application. This vulnerability is triggered by supplying a
| specially crafted HTML file to the w3m binary. Exploitation of this
| flaw could lead to application crashes, resulting in a denial of
| service condition.

https://github.com/tats/w3m/commit/edc602651c506aeeb60544b55534dd1722a340d3
https://github.com/tats/w3m/issues/268
https://github.com/tats/w3m/pull/273

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-4255
    https://www.cve.org/CVERecord?id=CVE-2023-4255

Please adjust the affected versions in the BTS as needed.
Bug#1059261: clickhouse: CVE-2023-48298 CVE-2023-47118 CVE-2022-44011 CVE-2022-44010
Source: clickhouse
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for clickhouse.

CVE-2023-48298[0]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| This vulnerability is an integer underflow resulting in crash due to
| stack buffer overflow in decompression of FPC codec. It can be
| triggered and exploited by an unauthenticated attacker. The
| vulnerability is very similar to CVE-2023-47118 with how the
| vulnerable function can be exploited.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-qw9f-qv29-8938
https://github.com/ClickHouse/ClickHouse/pull/56795

CVE-2023-47118[1]:
| ClickHouse® is an open-source column-oriented database management
| system that allows generating analytical data reports in real-time.
| A heap buffer overflow issue was discovered in ClickHouse server. An
| attacker could send a specially crafted payload to the native
| interface exposed by default on port 9000/tcp, triggering a bug in
| the decompression logic of T64 codec that crashes the ClickHouse
| server process. This attack does not require authentication. Note
| that this exploit can also be triggered via HTTP protocol, however,
| the attacker will need a valid credential as the HTTP authentication
| take places first. This issue has been fixed in version
| 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and
| 23.3.16.7-lts.

https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v

CVE-2022-44011[2]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| authenticated user (with the ability to load data) could cause a
| heap buffer overflow and crash the server by inserting a malformed
| CapnProto object. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.

https://github.com/ClickHouse/ClickHouse/pull/40241

CVE-2022-44010[3]:
| An issue was discovered in ClickHouse before 22.9.1.2603. An
| attacker could send a crafted HTTP request to the HTTP Endpoint
| (usually listening on port 8123 by default), causing a heap-based
| buffer overflow that crashes the process. This does not require
| authentication. The fixed versions are 22.9.1.2603, 22.8.2.11,
| 22.7.4.16, 22.6.6.16, and 22.3.12.19.

https://github.com/ClickHouse/ClickHouse/pull/40292

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48298
    https://www.cve.org/CVERecord?id=CVE-2023-48298
[1] https://security-tracker.debian.org/tracker/CVE-2023-47118
    https://www.cve.org/CVERecord?id=CVE-2023-47118
[2] https://security-tracker.debian.org/tracker/CVE-2022-44011
    https://www.cve.org/CVERecord?id=CVE-2022-44011
[3] https://security-tracker.debian.org/tracker/CVE-2022-44010
    https://www.cve.org/CVERecord?id=CVE-2022-44010

Please adjust the affected versions in the BTS as needed.
Bug#1059259: lwip: CVE-2023-49287
Source: lwip
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for lwip.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

falcosecurity-libs embeds a copy of tinydir; if it's not used to open
files from potentially untrusted paths, feel free to downgrade.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
    https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.
Bug#1059257: gemmi: CVE-2023-49287
Source: gemmi
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for gemmi.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

gemmi embeds a copy of tinydir; if it's not used to open files from
potentially untrusted paths, feel free to downgrade.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
    https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.
Bug#1059256: falcosecurity-libs: CVE-2023-49287
Source: falcosecurity-libs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for falcosecurity-libs.

CVE-2023-49287[0]:
| TinyDir is a lightweight C directory and file reader. Buffer
| overflows in the `tinydir_file_open()` function. This vulnerability
| has been patched in version 1.2.6.

https://github.com/cxong/tinydir/security/advisories/GHSA-jf5r-wgf4-qhxf
https://github.com/cxong/tinydir/commit/8124807260735a837226fa151493536591f6715d
https://github.com/hnsecurity/vulns/blob/main/HNS-2023-04-tinydir.txt

falcosecurity-libs embeds a copy of tinydir; if it's not used to open
files from potentially untrusted paths, feel free to downgrade.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49287
    https://www.cve.org/CVERecord?id=CVE-2023-49287

Please adjust the affected versions in the BTS as needed.
Bug#1059254: cacti: CVE-2023-49084 CVE-2023-49086
Source: cacti
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for cacti.

CVE-2023-49084[0]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). While using the
| detected SQL Injection and insufficient processing of the include
| file path, it is possible to execute arbitrary code on the server.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `link.php`. Impact of the
| vulnerability execution of arbitrary code on the server.

https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc

CVE-2023-49086[1]:
| Cacti is a robust performance and fault management framework and a
| frontend to RRDTool - a Time Series Database (TSDB). Bypassing an
| earlier fix (CVE-2023-39360) that leads to a DOM XSS attack.
| Exploitation of the vulnerability is possible for an authorized
| user. The vulnerable component is the `graphs_new.php`. Impact of
| the vulnerability - execution of arbitrary javascript code in the
| attacked user's browser. This issue has been patched in version
| 1.2.26.

https://github.com/Cacti/cacti/security/advisories/GHSA-wc73-r2vw-59pr

I think https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc
should address both, but please double-check.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49084
    https://www.cve.org/CVERecord?id=CVE-2023-49084
[1] https://security-tracker.debian.org/tracker/CVE-2023-49086
    https://www.cve.org/CVERecord?id=CVE-2023-49086

Please adjust the affected versions in the BTS as needed.
Bug#1059056: gpac: CVE-2023-48958 CVE-2023-46871 CVE-2023-46932 CVE-2023-47465 CVE-2023-48039 CVE-2023-48090
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-48958[0]:
| gpac 2.3-DEV-rev617-g671976fcc-master contains memory leaks in
| gf_mpd_resolve_url media_tools/mpd.c:4589.

https://github.com/gpac/gpac/issues/2689
Fixed by:
https://github.com/gpac/gpac/commit/249c9fc18704e6d3cb6a4b173034a41aa570e7e4

CVE-2023-46871[1]:
| GPAC version 2.3-DEV-rev602-ged8424300-master in MP4Box contains a
| memory leak in NewSFDouble scenegraph/vrml_tools.c:300. This
| vulnerability may lead to a denial of service.

https://github.com/gpac/gpac/issues/2658
Fixed by:
https://github.com/gpac/gpac/commit/03760e34d32e502a0078b20d15ea83ecaf453a5c

CVE-2023-46932[2]:
| Heap Buffer Overflow vulnerability in GPAC version
| 2.3-DEV-rev617-g671976fcc-master, allows attackers to execute
| arbitrary code and cause a denial of service (DoS) via str2ulong
| class in src/media_tools/avilib.c in gpac/MP4Box.

https://github.com/gpac/gpac/issues/2669
https://github.com/gpac/gpac/commit/dfdf1681aae2f7b6265e58e97f8461a89825a74b

CVE-2023-47465[3]:
| An issue in GPAC v.2.2.1 and before allows a local attacker to cause
| a denial of service (DoS) via the ctts_box_read function of file
| src/isomedia/box_code_base.c.

https://github.com/gpac/gpac/issues/2652
https://github.com/gpac/gpac/commit/a40a3b7ef7420c8df0a7d9411ab1fc267ca86c49
https://github.com/gpac/gpac/commit/613dbc5702b09063b101cfc3d6ad74b45ad87521

CVE-2023-48039[4]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leak
| in gf_mpd_parse_string media_tools/mpd.c:75.

https://github.com/gpac/gpac/issues/2679

CVE-2023-48090[5]:
| GPAC 2.3-DEV-rev617-g671976fcc-master is vulnerable to memory leaks
| in extract_attributes media_tools/m3u8.c:329.

https://github.com/gpac/gpac/issues/2680

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-48958
    https://www.cve.org/CVERecord?id=CVE-2023-48958
[1] https://security-tracker.debian.org/tracker/CVE-2023-46871
    https://www.cve.org/CVERecord?id=CVE-2023-46871
[2] https://security-tracker.debian.org/tracker/CVE-2023-46932
    https://www.cve.org/CVERecord?id=CVE-2023-46932
[3] https://security-tracker.debian.org/tracker/CVE-2023-47465
    https://www.cve.org/CVERecord?id=CVE-2023-47465
[4] https://security-tracker.debian.org/tracker/CVE-2023-48039
    https://www.cve.org/CVERecord?id=CVE-2023-48039
[5] https://security-tracker.debian.org/tracker/CVE-2023-48090
    https://www.cve.org/CVERecord?id=CVE-2023-48090

Please adjust the affected versions in the BTS as needed.
Bug#1059054: nss: CVE-2023-6135
Source: nss
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nss.

CVE-2023-6135[0]:
| Multiple NSS NIST curves were susceptible to a side-channel attack
| known as "Minerva". This attack could potentially allow an attacker
| to recover the private key. This vulnerability affects Firefox <
| 121.

The bug linked from
https://www.mozilla.org/en-US/security/advisories/mfsa2023-56/#CVE-2023-6135
is restricted, do you happen to have a commit reference for NSS itself?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-6135
    https://www.cve.org/CVERecord?id=CVE-2023-6135

Please adjust the affected versions in the BTS as needed.
Bug#1056282: gpac: CVE-2023-47384 CVE-2023-4785 CVE-2023-48011 CVE-2023-48013 CVE-2023-48014 CVE-2023-5998 CVE-2023-46001
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-47384[0]:
| MP4Box GPAC v2.3-DEV-rev617-g671976fcc-master was discovered to
| contain a memory leak in the function gf_isom_add_chapter at
| /isomedia/isom_write.c. This vulnerability allows attackers to cause
| a Denial of Service (DoS) via a crafted MP4 file.

https://github.com/gpac/gpac/issues/2672

CVE-2023-4785[1]:
| Lack of error handling in the TCP server in Google's gRPC starting
| version 1.23 on posix-compatible platforms (ex. Linux) allows an
| attacker to cause a denial of service by initiating a significant
| number of connections with the server. Note that gRPC C++ Python,
| and Ruby are affected, but gRPC Java, and Go are NOT affected.

https://github.com/grpc/grpc/pull/33656
https://github.com/grpc/grpc/pull/33667
https://github.com/grpc/grpc/pull/33669
https://github.com/grpc/grpc/pull/33670
https://github.com/grpc/grpc/pull/33672

CVE-2023-48011[2]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| heap-use-after-free via the flush_ref_samples function at
| /gpac/src/isomedia/movie_fragments.c.

https://github.com/gpac/gpac/issues/2611
https://github.com/gpac/gpac/commit/c70f49dda4946d6db6aa55588f6a756b76bd84ea

CVE-2023-48013[3]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| double free via the gf_filterpacket_del function at
| /gpac/src/filter_core/filter.c.

https://github.com/gpac/gpac/issues/2612
https://github.com/gpac/gpac/commit/cd8a95c1efb8f5bfc950b86c2ef77b4c76f6b893

CVE-2023-48014[4]:
| GPAC v2.3-DEV-rev566-g50c2ab06f-master was discovered to contain a
| stack overflow via the hevc_parse_vps_extension function at
| /media_tools/av_parsers.c.

https://github.com/gpac/gpac/issues/2613
https://github.com/gpac/gpac/commit/66abf0887c89c29a484d9e65e70882794e9e3a1b

CVE-2023-5998[5]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to
| 2.3.0-DEV.

https://huntr.com/bounties/ea02a231-b688-422b-a881-ef415bcf6113
https://github.com/gpac/gpac/commit/db74835944548fc3bdf03121b0e012373bdebb3e

CVE-2023-46001[6]:
| Buffer Overflow vulnerability in gpac MP4Box
| v.2.3-DEV-rev573-g201320819-master allows a local attacker to cause
| a denial of service via the gpac/src/isomedia/isom_read.c:2807:51
| function in gf_isom_get_user_data.

https://github.com/gpac/gpac/issues/2629
https://github.com/gpac/gpac/commit/e79b0cf7e72404750630bc01340e999f3940dbc4

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-47384
    https://www.cve.org/CVERecord?id=CVE-2023-47384
[1] https://security-tracker.debian.org/tracker/CVE-2023-4785
    https://www.cve.org/CVERecord?id=CVE-2023-4785
[2] https://security-tracker.debian.org/tracker/CVE-2023-48011
    https://www.cve.org/CVERecord?id=CVE-2023-48011
[3] https://security-tracker.debian.org/tracker/CVE-2023-48013
    https://www.cve.org/CVERecord?id=CVE-2023-48013
[4] https://security-tracker.debian.org/tracker/CVE-2023-48014
    https://www.cve.org/CVERecord?id=CVE-2023-48014
[5] https://security-tracker.debian.org/tracker/CVE-2023-5998
    https://www.cve.org/CVERecord?id=CVE-2023-5998
[6] https://security-tracker.debian.org/tracker/CVE-2023-46001
    https://www.cve.org/CVERecord?id=CVE-2023-46001

Please adjust the affected versions in the BTS as needed.
Bug#1056281: snort: CVE-2023-20246 CVE-2023-20031
Source: snort
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for snort.

CVE-2023-20246[0]:
| Multiple Cisco products are affected by a vulnerability in Snort
| access control policies that could allow an unauthenticated, remote
| attacker to bypass the configured policies on an affected system.
| This vulnerability is due to a logic error that occurs when the
| access control policies are being populated. An attacker could
| exploit this vulnerability by establishing a connection to an
| affected device. A successful exploit could allow the attacker to
| bypass configured access control rules on the affected system.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3acp-bypass-3bdR2BEh

CVE-2023-20031[1]:
| A vulnerability in the SSL/TLS certificate handling of Snort 3
| Detection Engine integration with Cisco Firepower Threat Defense
| (FTD) Software could allow an unauthenticated, remote attacker to
| cause the Snort 3 detection engine to restart. This vulnerability is
| due to a logic error that occurs when an SSL/TLS certificate that is
| under load is accessed when it is initiating an SSL connection.
| Under specific, time-based constraints, an attacker could exploit
| this vulnerability by sending a high rate of SSL/TLS connection
| requests to be inspected by the Snort 3 detection engine on an
| affected device. A successful exploit could allow the attacker to
| cause the Snort 3 detection engine to reload, resulting in either a
| bypass or a denial of service (DoS) condition, depending on device
| configuration. The Snort detection engine will restart
| automatically. No manual intervention is required.

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3-8U4HHxH8

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-20246
    https://www.cve.org/CVERecord?id=CVE-2023-20246
[1] https://security-tracker.debian.org/tracker/CVE-2023-20031
    https://www.cve.org/CVERecord?id=CVE-2023-20031

Please adjust the affected versions in the BTS as needed.
Bug#1055852: frr: CVE-2023-38407 CVE-2023-41361 CVE-2023-46752 CVE-2023-46753 CVE-2023-47234 CVE-2023-47235
Source: frr
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for frr.

CVE-2023-38407[0]:
| bgpd/bgp_label.c in FRRouting (FRR) before 8.5 attempts to read
| beyond the end of the stream during labeled unicast parsing.

https://github.com/FRRouting/frr/pull/12951
https://github.com/FRRouting/frr/commit/7404a914b0cafe046703c8381903a80d3def8f8b (base_9.0)
https://github.com/FRRouting/frr/pull/12956
https://github.com/FRRouting/frr/commit/ab362eae68edec12c175d9bc488bcc3f8b73d36f (frr-8.5)

CVE-2023-41361[1]:
| An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c does
| not check for an overly large length of the rcv software version.

https://github.com/FRRouting/frr/pull/14241
Fixed by: https://github.com/FRRouting/frr/commit/b4d09af9194d20a7f9f16995a062f5d8e3d32840
Backport for 9.0 branch: https://github.com/FRRouting/frr/pull/14250
Fixed by: https://github.com/FRRouting/frr/commit/73ad93a83f18564bb7bff4659872f7ec1a64b05e

CVE-2023-46752[2]:
| An issue was discovered in FRRouting FRR through 9.0.1. It
| mishandles malformed MP_REACH_NLRI data, leading to a crash.

Fixed by: https://github.com/FRRouting/frr/commit/b08afc81c60607a4f736f418f2e3eb06087f1a35 (master)
Fixed by: https://github.com/FRRouting/frr/commit/30b5c2a434d25981e16792f6f50162beb517ae4d (stable/8.5 branch)

CVE-2023-46753[3]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur for a crafted BGP UPDATE message without mandatory attributes,
| e.g., one with only an unknown transit attribute.

Fixed by: https://github.com/FRRouting/frr/commit/d8482bf011cb2b173e85b65b4bf3d5061250cdb9 (master)
Fixed by: https://github.com/FRRouting/frr/commit/21418d64af11553c402f932b0311c812d98ac3e4 (stable/8.5 branch)

CVE-2023-47234[4]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur when processing a crafted BGP UPDATE message with a
| MP_UNREACH_NLRI attribute and additional NLRI data (that lacks
| mandatory path attributes).

https://github.com/FRRouting/frr/commit/c37119df45bbf4ef713bc10475af2ee06e12f3bf

CVE-2023-47235[5]:
| An issue was discovered in FRRouting FRR through 9.0.1. A crash can
| occur when a malformed BGP UPDATE message with an EOR is processed,
| because the presence of EOR does not lead to a treat-as-withdraw
| outcome.

https://github.com/FRRouting/frr/commit/6814f2e0138a6ea5e1f83bdd9085d9a7700b

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38407
    https://www.cve.org/CVERecord?id=CVE-2023-38407
[1] https://security-tracker.debian.org/tracker/CVE-2023-41361
    https://www.cve.org/CVERecord?id=CVE-2023-41361
[2] https://security-tracker.debian.org/tracker/CVE-2023-46752
    https://www.cve.org/CVERecord?id=CVE-2023-46752
[3] https://security-tracker.debian.org/tracker/CVE-2023-46753
    https://www.cve.org/CVERecord?id=CVE-2023-46753
[4] https://security-tracker.debian.org/tracker/CVE-2023-47234
    https://www.cve.org/CVERecord?id=CVE-2023-47234
[5] https://security-tracker.debian.org/tracker/CVE-2023-47235
    https://www.cve.org/CVERecord?id=CVE-2023-47235

Please adjust the affected versions in the BTS as needed.
Bug#1055179: salt: CVE-2023-34049
Source: salt
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for salt.

CVE-2023-34049[0]:
https://saltproject.io/security-announcements/2023-10-27-advisory/index.html

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34049
    https://www.cve.org/CVERecord?id=CVE-2023-34049

Please adjust the affected versions in the BTS as needed.
Bug#1055175: zabbix: CVE-2023-29449 CVE-2023-29450 CVE-2023-29451 CVE-2023-29452 CVE-2023-29453 CVE-2023-29454 CVE-2023-29455 CVE-2023-29456 CVE-2023-29457 CVE-2023-29458
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-29449[0]:
| JavaScript preprocessing, webhooks and global scripts can cause
| uncontrolled CPU, memory, and disk I/O utilization.
| Preprocessing/webhook/global script configuration and testing are
| only available to Administrative roles (Admin and Superadmin).
| Administrative privileges should be typically granted to users who
| need to perform tasks that require more control over the system. The
| security risk is limited because not all users have this level of
| access.

https://support.zabbix.com/browse/ZBX-22589
Upstream patch for 5.0.32: https://github.com/zabbix/zabbix/commit/e90b8a3c62
applied in upstream release/5.0 branch: https://github.com/zabbix/zabbix/commit/c21cf2fa656b75733e3abc09d8f20690735b3f22
vulnerable module introduced in https://github.com/zabbix/zabbix/commit/18d2abfc40 (5.0.0alpha1)

CVE-2023-29450[1]:
| JavaScript pre-processing can be used by the attacker to gain access
| to the file system (read-only access on behalf of user "zabbix") on
| the Zabbix Server or Zabbix Proxy, potentially leading to
| unauthorized access to sensitive data.

https://support.zabbix.com/browse/ZBX-22588
Patch for 5.0.32rc1: https://github.com/zabbix/zabbix/commit/c3f1543e4
Patch for 6.0.14rc2: https://github.com/zabbix/zabbix/commit/76f6a80cb

CVE-2023-29451[2]:
| Specially crafted string can cause a buffer overrun in the JSON
| parser library leading to a crash of the Zabbix Server or a Zabbix
| Proxy.

https://support.zabbix.com/browse/ZBX-22587

CVE-2023-29452[3]:
| Currently, geomap configuration (Administration -> General ->
| Geographical maps) allows using HTML in the field "Attribution text"
| when selected "Other" Tile provider.

https://support.zabbix.com/browse/ZBX-22981
Patches links: https://support.zabbix.com/browse/ZBX-22720
vulnerable geomap widget introduced in version with https://github.com/zabbix/zabbix/commit/7e6a91149533b17b12c0317968b485e0c98d4ac2 (6.0.0alpha6)

CVE-2023-29453[4]:
| Templates do not properly consider backticks (`) as Javascript
| string delimiters, and do not escape them as expected. Backticks are
| used, since ES6, for JS template literals. If a template contains a
| Go template action within a Javascript template literal, the
| contents of the action can be used to terminate the literal,
| injecting arbitrary Javascript code into the Go template. As ES6
| template literals are rather complex, and themselves can do string
| interpolation, the decision was made to simply disallow Go template
| actions from being used inside of them (e.g., "var a = {{.}}"),
| since there is no obviously safe way to allow this behavior. This
| takes the same approach as github.com/google/safehtml. With fix,
| Template.Parse returns an Error when it encounters templates like
| this, with an ErrorCode of value 12. This ErrorCode is currently
| unexported but will be exported in the release of Go 1.21. Users who
| rely on the previous behavior can re-enable it using the GODEBUG
| flag jstmpllitinterp=1, with the caveat that backticks will now be
| escaped. This should be used with caution.

https://support.zabbix.com/browse/ZBX-23388

CVE-2023-29454[5]:
| Stored or persistent cross-site scripting (XSS) is a type of XSS
| where the attacker first sends the payload to the web application,
| then the application saves the payload (e.g., in a database or
| server-side text files), and finally, the application
| unintentionally executes the payload for every victim visiting its
| web pages.

https://support.zabbix.com/browse/ZBX-22985

CVE-2023-29455[6]:
| Reflected XSS attacks, also known as non-persistent attacks, occur
| when a malicious script is reflected off a web application to the
| victim's browser. The script is activated through a link, which
| sends a request to a website with a vulnerability that enables
| execution of malicious scripts.

https://support.zabbix.com/browse/ZBX-22986

CVE-2023-29456[7]:
| URL validation scheme receives input from a user and then parses it
| to identify its various components. The validation scheme can ensure
| that all URL components comply with internet standards.

https://support.zabbix.com/browse/ZBX-22987

CVE-2023-29457[8]:
| Reflected XSS attacks occur when a malicious script is reflected
| off a web application to the victim's browser. The script can be
| activated through Action form fields, which can be sent as request
| to a website with a vulnerability that enables execution of
| malicious scripts.

https://support.zabbix.com/browse/ZBX-22988

CVE-2023-29458[9]:
| Duktape is a 3rd-party embeddable JavaScript engine, with a focus
| on portability and compact footprint. When adding too many values in
| valstack JavaScript will crash. This issue occurs due to bug in
| Duktape 2.6 which is a 3rd-party solution that we use.

This appears to be bug in Zabbix's use of dukta
Bug#1054667: node-browserify-sign: CVE-2023-46234
Source: node-browserify-sign
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-browserify-sign.

CVE-2023-46234[0]:
| browserify-sign is a package to duplicate the functionality of
| node's crypto public key functions, much of this is based on Fedor
| Indutny's work on indutny/tls.js. An upper bound check issue in
| `dsaVerify` function allows an attacker to construct signatures that
| can be successfully verified by any public key, thus leading to a
| signature forgery attack. All places in this project that involve
| DSA verification of user-input signatures will be affected by this
| vulnerability. This issue has been patched in version 4.2.2.

https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46234
    https://www.cve.org/CVERecord?id=CVE-2023-46234

Please adjust the affected versions in the BTS as needed.
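The advisory above says the DSA verifier lacked an upper bound check on the signature values. The following is an added example, not browserify-sign's code: a textbook DSA verify that enforces both bounds, 0 < r < q and 0 < s < q, before doing any arithmetic. The group parameters, private key, hash value and nonce are constructed toy values chosen so the numbers stay readable.

```python
"""DSA signature verification with the (r, s) range check done right.

Added example, not browserify-sign's code.  The toy group below is a
constructed example (4 has multiplicative order 11 modulo 23); real DSA
uses vetted 2048/3072-bit p with a 224/256-bit q.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DsaParams:
    p: int  # prime modulus
    q: int  # prime order of the subgroup generated by g
    g: int  # generator of that subgroup


# Constructed toy group: 4 has multiplicative order 11 modulo 23.
TOY = DsaParams(p=23, q=11, g=4)


def dsa_public_key(params: DsaParams, x: int) -> int:
    """y = g^x mod p for private key x (1 <= x < q)."""
    return pow(params.g, x, params.p)


def dsa_sign(params: DsaParams, x: int, h: int, k: int) -> tuple:
    """Textbook signing of hash value h with private key x.

    k is the per-signature nonce.  It is passed in here only so the
    example is deterministic; a real signer draws it uniformly from
    [1, q-1] (or derives it per RFC 6979) and never reuses it.
    """
    p, q, g = params.p, params.q, params.g
    r = pow(g, k, p) % q
    s = (pow(k, -1, q) * (h + x * r)) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another k")
    return r, s


def dsa_verify(params: DsaParams, y: int, h: int, r: int, s: int) -> bool:
    """Return True only for a well-formed, valid signature (r, s) over h.

    Both bounds matter.  A value of s outside (0, q) may be a multiple
    of q, which has no inverse modulo q, and the equation evaluated
    afterwards is then no longer the one DSA defines.  Rejecting such
    input up front is the fix the advisory describes.
    """
    p, q, g = params.p, params.q, params.g
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = ((pow(g, u1, p) * pow(y, u2, p)) % p) % q
    return v == r


if __name__ == "__main__":
    # Constructed values: private key 3, hash value 5, nonce 7.
    y = dsa_public_key(TOY, 3)
    r, s = dsa_sign(TOY, 3, 5, 7)
    print("signature", (r, s), "verifies:", dsa_verify(TOY, y, 5, r, s))
    print("s == q rejected:", not dsa_verify(TOY, y, 5, r, TOY.q))
```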
Bug#1054666: open-vm-tools: CVE-2023-34059 CVE-2023-34058
Source: open-vm-tools
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for open-vm-tools.

CVE-2023-34059[0]:
| open-vm-tools contains a file descriptor hijack vulnerability in the
| vmware-user-suid-wrapper. A malicious actor with non-root privileges
| may be able to hijack the /dev/uinput file descriptor allowing them
| to simulate user inputs.

https://www.openwall.com/lists/oss-security/2023/10/27/3

CVE-2023-34058[1]:
| VMware Tools contains a SAML token signature bypass vulnerability. A
| malicious actor that has been granted Guest Operation Privileges
| https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-
| security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target
| virtual machine may be able to elevate their privileges if that
| target virtual machine has been assigned a more privileged Guest
| Alias https://vdc-download.vmware.com/vmwb-repository/dcr-
| public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-
| db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

https://www.openwall.com/lists/oss-security/2023/10/27/1
https://github.com/vmware/open-vm-tools/blob/CVE-2023-34058.patch/CVE-2023-34058.patch

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34059
    https://www.cve.org/CVERecord?id=CVE-2023-34059
[1] https://security-tracker.debian.org/tracker/CVE-2023-34058
    https://www.cve.org/CVERecord?id=CVE-2023-34058

Please adjust the affected versions in the BTS as needed.
Bug#1054429: fastdds: CVE-2023-42459
Source: fastdds
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for fastdds.

CVE-2023-42459[0]:
| Fast DDS is a C++ implementation of the DDS (Data Distribution
| Service) standard of the OMG (Object Management Group). In affected
| versions specific DATA submessages can be sent to a discovery
| locator which may trigger a free error. This can remotely crash any
| Fast-DDS process. The call to free() could potentially leave the
| pointer in the attackers control which could lead to a double free.
| This issue has been addressed in versions 2.12.0, 2.11.3, 2.10.3,
| and 2.6.7. Users are advised to upgrade. There are no known
| workarounds for this vulnerability.

https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-gq8g-fj58-22gm
https://github.com/eProsima/Fast-DDS/issues/3207
https://github.com/eProsima/Fast-DDS/pull/3824
https://github.com/eProsima/Fast-DDS/commit/1e978c6f3d0ca1df6b323b37fd4902b0762ececb

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42459
    https://www.cve.org/CVERecord?id=CVE-2023-42459

Please adjust the affected versions in the BTS as needed.
Bug#1054427: trafficserver: CVE-2023-41752 CVE-2023-39456 CVE-2023-44487
Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for trafficserver.

CVE-2023-41752[0]:
| Exposure of Sensitive Information to an Unauthorized Actor
| vulnerability in Apache Traffic Server. This issue affects Apache
| Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2.
| Users are recommended to upgrade to version 8.1.9 or 9.2.3, which
| fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/334839cb7a6724c71a5542e924251a8d931774b0 (8.1.x)
https://github.com/apache/trafficserver/commit/de7c8a78edd5b75e311561dfaa133e9d71ea8a5e (9.2.x)

CVE-2023-39456[1]:
| Improper Input Validation vulnerability in Apache Traffic Server
| with malformed HTTP/2 frames. This issue affects Apache Traffic
| Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade
| to version 9.2.3, which fixes the issue.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/4ca137b59bc6aaa25f8b14db2bdd2e72c43502e5 (9.2.x)

CVE-2023-44487[2]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.3-rc0)
https://github.com/apache/trafficserver/commit/d742d74039aaa548dda0148ab4ba207906abc620 (8.1.x)

For oldstable-security let's move to 8.1.8 and for stable-security to
9.2.3?

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-41752
    https://www.cve.org/CVERecord?id=CVE-2023-41752
[1] https://security-tracker.debian.org/tracker/CVE-2023-39456
    https://www.cve.org/CVERecord?id=CVE-2023-39456
[2] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.
Bug#1053880: node-babel7: CVE-2023-45133
Source: node-babel7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for node-babel7.

CVE-2023-45133[0]:
| Babel is a compiler for writing JavaScript. In `@babel/traverse`
| prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of
| `babel-traverse`, using Babel to compile code that was specifically
| crafted by an attacker can lead to arbitrary code execution during
| compilation, when using plugins that rely on the `path.evaluate()` or
| `path.evaluateTruthy()` internal Babel methods. Known affected
| plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env`
| when using its `useBuiltIns` option; and any "polyfill provider"
| plugin that depends on `@babel/helper-define-polyfill-provider`,
| such as `babel-plugin-polyfill-corejs3`, `babel-plugin-polyfill-
| corejs2`, `babel-plugin-polyfill-es-shims`, `babel-plugin-polyfill-
| regenerator`. No other plugins under the `@babel/` namespace are
| impacted, but third-party plugins might be. Users that only compile
| trusted code are not impacted. The vulnerability has been fixed in
| `@babel/traverse@7.23.2` and `@babel/traverse@8.0.0-alpha.4`. Those
| who cannot upgrade `@babel/traverse` and are using one of the
| affected packages mentioned above should upgrade them to their
| latest version to avoid triggering the vulnerable code path in
| affected `@babel/traverse` versions: `@babel/plugin-transform-
| runtime` v7.23.2, `@babel/preset-env` v7.23.2, `@babel/helper-
| define-polyfill-provider` v0.4.3, `babel-plugin-polyfill-corejs2`
| v0.4.6, `babel-plugin-polyfill-corejs3` v0.8.5, `babel-plugin-
| polyfill-es-shims` v0.10.0, `babel-plugin-polyfill-regenerator`
| v0.5.3.

https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
https://github.com/babel/babel/pull/16033
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45133
    https://www.cve.org/CVERecord?id=CVE-2023-45133

Please adjust the affected versions in the BTS as needed.
Bug#1053877: zabbix: CVE-2023-32721 CVE-2023-32722 CVE-2023-32723 CVE-2023-32724
Source: zabbix
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for zabbix.

CVE-2023-32721[0]:
| A stored XSS has been found in the Zabbix web application in the
| Maps element if a URL field is set with spaces before URL.

https://support.zabbix.com/browse/ZBX-23389

CVE-2023-32722[1]:
| The zabbix/src/libs/zbxjson module is vulnerable to a buffer
| overflow when parsing JSON files via zbx_json_open.

https://support.zabbix.com/browse/ZBX-23390

CVE-2023-32723[2]:
| Request to LDAP is sent before user permissions are checked.

https://support.zabbix.com/browse/ZBX-23230

CVE-2023-32724[3]:
| Memory pointer is in a property of the Ducktape object. This leads
| to multiple vulnerabilities related to direct memory access and
| manipulation.

https://support.zabbix.com/browse/ZBX-23391

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32721
    https://www.cve.org/CVERecord?id=CVE-2023-32721
[1] https://security-tracker.debian.org/tracker/CVE-2023-32722
    https://www.cve.org/CVERecord?id=CVE-2023-32722
[2] https://security-tracker.debian.org/tracker/CVE-2023-32723
    https://www.cve.org/CVERecord?id=CVE-2023-32723
[3] https://security-tracker.debian.org/tracker/CVE-2023-32724
    https://www.cve.org/CVERecord?id=CVE-2023-32724

Please adjust the affected versions in the BTS as needed.
Bug#1053801: trafficserver: CVE-2023-44487
Source: trafficserver
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for trafficserver.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.

Fixed in 9.2.3:
https://lists.apache.org/thread/5py8h42mxfsn8l1wy6o41xwhsjlsd87q
https://github.com/apache/trafficserver/commit/b28ad74f117307e8de206f1de70c3fa716f90682 (9.2.x)
Bug#1053769: nghttp2: CVE-2023-44487
Source: nghttp2
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nghttp2.

CVE-2023-44487[0]:
| The HTTP/2 protocol allows a denial of service (server resource
| consumption) because request cancellation can reset many streams
| quickly, as exploited in the wild in August through October 2023.

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-vx74-f528-fxqg
https://github.com/nghttp2/nghttp2/pull/1961
https://github.com/nghttp2/nghttp2/commit/72b4af6143681f528f1d237b21a9a7aee1738832

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44487
    https://www.cve.org/CVERecord?id=CVE-2023-44487

Please adjust the affected versions in the BTS as needed.
Bug#1051889: freeimage: CVE-2020-22524
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2020-22524[0]:
| Buffer Overflow vulnerability in FreeImage_Load function in
| FreeImage Library 3.19.0(r1828) allows attackers to cause a denial
| of service via crafted PFM file.

https://sourceforge.net/p/freeimage/bugs/319/
Fixed with r1848 from http://svn.code.sf.net/p/freeimage/svn/FreeImage/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-22524
    https://www.cve.org/CVERecord?id=CVE-2020-22524

Please adjust the affected versions in the BTS as needed.
Bug#1051740: gpac: CVE-2023-3012 CVE-2023-3013 CVE-2023-3291 CVE-2023-39562 CVE-2023-4678 CVE-2023-4681 CVE-2023-4682 CVE-2023-4683 CVE-2023-4720 CVE-2023-4721 CVE-2023-4722 CVE-2023-4754 CVE-2023-475
Source: gpac
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for gpac.

CVE-2023-3012[0]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/916b787a-c603-409d-afc6-25bb02070e69
https://github.com/gpac/gpac/commit/53387aa86c1af1228d0fa57c67f9c7330716d5a7

CVE-2023-3013[1]:
| Unchecked Return Value in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/52f95edc-cc03-4a9f-9bf8-74f641260073
https://github.com/gpac/gpac/commit/78e539b43293829a14a32e821f5267e3b7417594

CVE-2023-3291[2]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.2.2.

https://huntr.dev/bounties/526954e6-8683-4697-bfa2-886c3204a1d5/
https://github.com/gpac/gpac/commit/6a748ccc3f76ff10e3ae43014967ea4b0c088aaf

CVE-2023-39562[3]:
| GPAC v2.3-DEV-rev449-g5948e4f70-master was discovered to contain a
| heap-use-after-free via the gf_bs_align function at bitstream.c.
| This vulnerability allows attackers to cause a Denial of Service
| (DoS) via supplying a crafted file.

https://github.com/gpac/gpac/issues/2537
https://github.com/gpac/gpac/commit/9024531ee8e6ae8318a8fe0cbb64710d1acc31f6

CVE-2023-4678[4]:
| Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07
https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877

CVE-2023-4681[5]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c
https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e

CVE-2023-4682[6]:
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be
https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c

CVE-2023-4683[7]:
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec
https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922

CVE-2023-4720[8]:
| Floating Point Comparison with Incorrect Operator in GitHub
| repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/e396648e48c57e2d53988d3fd4465b068b96c89a
https://huntr.dev/bounties/1dc2954c-8497-49fa-b2af-113e1e9381ad

CVE-2023-4721[9]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/3ec93d73d048ed7b46fe6e9f307cc7a0cc13db63
https://huntr.dev/bounties/f457dc62-3cff-47bd-8fd2-1cb2b4a832fc

CVE-2023-4722[10]:
| Integer Overflow or Wraparound in GitHub repository gpac/gpac prior
| to 2.3-DEV.

https://github.com/gpac/gpac/commit/de7f3a852bef72a52825fd307cf4e8f486401a76
https://huntr.dev/bounties/ddfdb41d-e708-4fec-afe5-68ff1f88f830

CVE-2023-4754[11]:
| Out-of-bounds Write in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/7e2e92feb1b30fac1d659f6620d743b5a188ffe0
https://huntr.dev/bounties/b7ed24ad-7d0b-40b7-8f4d-3c18a906620c

CVE-2023-4755[12]:
| Use After Free in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/895ac12da168435eb8db3f96978ffa4c69d66c3a
https://huntr.dev/bounties/463474b7-a4e8-42b6-8b30-e648a77ee6b3

CVE-2023-4756[13]:
| Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to
| 2.3-DEV.

https://github.com/gpac/gpac/commit/6914d016e2b540bac2c471c4aea156ddef8e8e01
https://huntr.dev/bounties/2342da0e-f097-4ce7-bfdc-3ec0ba446e05

CVE-2023-4758[14]:
| Buffer Over-read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://github.com/gpac/gpac/commit/193633b1648582444fc99776cd741d7ba0125e86
https://huntr.dev/bounties/2f496261-1090-45ac-bc89-cc93c82090d6

CVE-2023-4778[15]:
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.

https://huntr.dev/bounties/abb450fb-4ab2-49b0-90da-3d878eea5397/
https://github.com/gpac/gpac/commit/d553698050af478049e1a09e44a15ac884f223ed

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-3012
    https://www.cve.org/CVERecord?id=CVE-2023-3012
[1] https://security-tracker.debian.org/tracker/CVE-2023-3013
    https://www.cve.org/CVERecord?id=CVE-2023-3013
[2] https://security-tracker.debian.org/tracker/CVE-2023-3291
    https://www.cve.org/CVERecord?id=CVE-2023-3291
[3] https://security-tracker.debian.org/tracker/CVE-2023-39562
    https://www.cve.org/CVERecord?id=CVE-2023-39562
[4] https://security-tracker.debian.org/tracker/CVE-2023-4678
    https://www.cve.org/CVERecord?id=CVE-2023-4678
[5] https://security-tracker.debian.org/tracker/CVE-2023-4681
    https://www.cve.org/CVERecord?id=CVE-2023-4681
[6] https://security-tracker.debian.org/tracker/CVE-2023-4
Bug#1051738: freeimage: CVE-2020-21428
Source: freeimage
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for freeimage.

CVE-2020-21428[0]:
| Buffer Overflow vulnerability in function LoadRGB in PluginDDS.cpp
| in FreeImage 3.18.0 allows remote attackers to run arbitrary code
| and cause other impacts via crafted image file.

https://sourceforge.net/p/freeimage/bugs/299/

This appears to be fixed in r1877 of the upstream Subversion repository.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-21428
    https://www.cve.org/CVERecord?id=CVE-2020-21428

Please adjust the affected versions in the BTS as needed.
Bug#1050835: nuget: CVE-2023-29337
Source: nuget
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nuget.

CVE-2023-29337[0]:
Does https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29337
affect nuget as packaged in Debian?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-29337
    https://www.cve.org/CVERecord?id=CVE-2023-29337

Please adjust the affected versions in the BTS as needed.
Bug#1041430: ruby-sanitize: CVE-2023-36823
Source: ruby-sanitize
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for ruby-sanitize.

CVE-2023-36823[0]:
| Sanitize is an allowlist-based HTML and CSS sanitizer. Using
| carefully crafted input, an attacker may be able to sneak arbitrary
| HTML and CSS through Sanitize starting with version 3.0.0 and prior
| to version 6.0.2 when Sanitize is configured to use the built-in
| "relaxed" config or when using a custom config that allows `style`
| elements and one or more CSS at-rules. This could result in cross-
| site scripting or other undesired behavior when the malicious HTML
| and CSS are rendered in a browser. Sanitize 6.0.2 performs
| additional escaping of CSS in `style` element content, which fixes
| this issue. Users who are unable to upgrade can prevent this issue
| by using a Sanitize config that doesn't allow `style` elements,
| using a Sanitize config that doesn't allow CSS at-rules, or by
| manually escaping the character sequence `

https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220 (v6.0.2)
https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36823
    https://www.cve.org/CVERecord?id=CVE-2023-36823

Please adjust the affected versions in the BTS as needed.
Bug#1041429: restrictedpython: CVE-2023-37271
Source: restrictedpython
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for restrictedpython.

CVE-2023-37271[0]:
| RestrictedPython is a tool that helps to define a subset of the
| Python language which allows users to provide a program input into a
| trusted environment. RestrictedPython does not check access to stack
| frames and their attributes. Stack frames are accessible within at
| least generators and generator expressions, which are allowed inside
| RestrictedPython. Prior to versions 6.1 and 5.3, an attacker with
| access to a RestrictedPython environment can write code that gets
| the current stack frame in a generator and then walk the stack all
| the way beyond the RestrictedPython invocation boundary, thus
| breaking out of the restricted sandbox and potentially allowing
| arbitrary code execution in the Python interpreter. All
| RestrictedPython deployments that allow untrusted users to write
| Python code in the RestrictedPython environment are at risk. In
| terms of Zope and Plone, this would mean deployments where the
| administrator allows untrusted users to create and/or edit objects
| of type `Script (Python)`, `DTML Method`, `DTML Document` or `Zope
| Page Template`. This is a non-default configuration and likely to be
| extremely rare. The problem has been fixed in versions 6.1 and 5.3.

https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-wqc8-x2pr-7jqh
https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531 (master)
https://github.com/zopefoundation/RestrictedPython/commit/d8c5aa72c5d0ec8eceab635d93d6bc8321116002 (5.3)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37271
    https://www.cve.org/CVERecord?id=CVE-2023-37271

Please adjust the affected versions in the BTS as needed.
Bug#1041427: bitcoin: CVE-2023-37192
Source: bitcoin
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for bitcoin.

CVE-2023-37192[0]:
| Memory management and protection issues in Bitcoin Core v22 allows
| attackers to modify the stored sending address within the app's
| memory, potentially allowing them to redirect Bitcoin transactions
| to wallets of their own choosing.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37192
    https://www.cve.org/CVERecord?id=CVE-2023-37192

Please adjust the affected versions in the BTS as needed.
Bug#1041423: cjose: CVE-2023-37464
Source: cjose
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for cjose.

CVE-2023-37464[0]:
| OpenIDC/cjose is a C library implementing the Javascript Object
| Signing and Encryption (JOSE). The AES GCM decryption routine
| incorrectly uses the Tag length from the actual Authentication Tag
| provided in the JWE. The spec says that a fixed length of 16 octets
| must be applied. Therefore this bug allows an attacker to provide a
| truncated Authentication Tag and to modify the JWE accordingly.
| Users should upgrade to a version >= 0.6.2.2. Users unable to
| upgrade should avoid using AES GCM encryption and replace it with
| another encryption algorithm (e.g. AES CBC).

https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj
https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e (v0.6.2.2)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37464
    https://www.cve.org/CVERecord?id=CVE-2023-37464

Please adjust the affected versions in the BTS as needed.
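The cjose advisory above comes down to one rule: an AES-GCM decryptor must apply the fixed 16-octet tag length the JWE spec requires, never the length of whatever tag arrived in the message. The following C code is an added example of that check (it is not cjose's code and does not depend on cjose or OpenSSL): it splits a JWE compact serialization into its five dot-separated parts, base64url-decodes the fifth part (the authentication tag), and reports whether the tag is exactly 16 octets. The function names and the two sample JWE strings are mine; the header, IV and ciphertext parts of those samples are constructed placeholders, not real encryptions, since only the tag part matters for the check.

```c
/* Added example, not cjose code: enforce the fixed 16-octet AES-GCM
 * authentication tag length on a JWE compact serialization before the
 * tag is handed to the cipher. Sample inputs below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The JWE/JWA spec fixes the tag length for A128GCM/A192GCM/A256GCM. */
#define JWE_GCM_TAG_LEN 16

/* Decode one base64url alphabet character; -1 if it is not in the alphabet. */
static int b64url_val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '-') return 62;
    if (c == '_') return 63;
    return -1;
}

/* Decode unpadded base64url (as used by JOSE) into out. Returns the number
 * of bytes written, or -1 on an invalid character, impossible length, or
 * output overflow. */
static int b64url_decode(const char *in, size_t inlen, unsigned char *out, size_t outcap)
{
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;
    if (inlen % 4 == 1) return -1;           /* no base64 encoding has this length */
    for (size_t i = 0; i < inlen; i++) {
        int v = b64url_val(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (int)n;
}

/* Decoded length of the fifth part (the tag) of a JWE compact serialization
 * "header.encryptedKey.iv.ciphertext.tag". Returns -1 if the input does not
 * have exactly five parts or the tag is not valid base64url. */
int jwe_tag_length(const char *jwe)
{
    const char *p = jwe;
    for (int i = 0; i < 4; i++) {            /* skip the first four parts */
        const char *dot = strchr(p, '.');
        if (!dot) return -1;
        p = dot + 1;
    }
    if (strchr(p, '.')) return -1;           /* a sixth part is malformed */
    unsigned char tag[64];                   /* any real tag is far shorter */
    return b64url_decode(p, strlen(p), tag, sizeof tag);
}

/* The check a decryptor must make before configuring GCM: 1 only when the
 * tag is exactly 16 octets. Passing the received tag's own length through
 * to the cipher instead (the behaviour the advisory describes) is what lets
 * a truncated tag be accepted. */
int jwe_tag_is_valid(const char *jwe)
{
    return jwe_tag_length(jwe) == JWE_GCM_TAG_LEN;
}

/* Constructed samples (hypothetical, not real ciphertexts): a "dir" header,
 * empty encrypted key, 12-byte IV, 4-byte ciphertext, then a 16-byte tag in
 * the first and a 12-byte (truncated) tag in the second. */
const char *const SAMPLE_JWE_GOOD =
    "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..AAECAwQFBgcICQoL.AQIDBA.AAECAwQFBgcICQoLDA0ODw";
const char *const SAMPLE_JWE_TRUNCATED =
    "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..AAECAwQFBgcICQoL.AQIDBA.AAECAwQFBgcICQoL";

int main(void)
{
    printf("good tag: %d octets, valid=%d\n",
           jwe_tag_length(SAMPLE_JWE_GOOD), jwe_tag_is_valid(SAMPLE_JWE_GOOD));
    printf("truncated tag: %d octets, valid=%d\n",
           jwe_tag_length(SAMPLE_JWE_TRUNCATED), jwe_tag_is_valid(SAMPLE_JWE_TRUNCATED));
    return 0;
}
```

In a real decryptor this check sits before the tag is passed to the cipher; the same fixed-length rule applies whether the tag length is set through the cipher API or compared after decryption, and a mismatch must be treated as a failed authentication, not a shorter tag.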
Bug#1041110: sox: CVE-2023-34432
Source: sox
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for sox.

CVE-2023-34432[0]:
| A heap buffer overflow vulnerability was found in sox, in the
| lsx_readbuf function at sox/src/formats_i.c:98:16. This flaw can
| lead to a denial of service, code execution, or information
| disclosure.

https://bugzilla.redhat.com/show_bug.cgi?id=2212291
https://sourceforge.net/p/sox/bugs/367/

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34432
    https://www.cve.org/CVERecord?id=CVE-2023-34432

Please adjust the affected versions in the BTS as needed.
Bug#1034732: fixed in gpac 2.2.1+dfsg1-1
Am Tue, Jun 20, 2023 at 06:06:26PM + schrieb Debian FTP Masters:
> Source: gpac
> Source-Version: 2.2.1+dfsg1-1
> Done: Reinhard Tartler
> Changes:
> gpac (2.2.1+dfsg1-1) experimental; urgency=medium
> .
>   * New upstream version,
>     closes: #1033116, #1034732, #1034187, #1036701, #1034890

A single upload a week after the release doesn't change the fact that
gpac isn't supportable unless you massively step up in maintenance
(which would also involve taking care of bullseye-security), so
#1034732 should not be closed with the upload to unstable.

If GPAC magically becomes more stable over the next 1.5 years, we can
reconsider.

Cheers,
Moritz
Bug#1025011: fixed in netatalk 3.1.15~ds-1
reopen 1025011
thanks

Am Tue, May 02, 2023 at 07:03:55PM + schrieb Debian FTP Masters:
>   [ Jonas Smedegaard ]
>   * adopt package, thanks to renewed interest in the Netatalk team;
>     add Daniel Markstedt as uploader;
>     closes: bug#1013308;
>     closes: bug#1025011, thanks to Moritz Mühlenhoff

It's nice that there's renewed interest, but this involves also taking
care of netatalk in stable, there's a range of issues (full list at
https://security-tracker.debian.org/tracker/source-package/netatalk)
which need to be backported to bullseye-security. I'm reopening the
bug, it can be closed with the respective upload to bullseye-security.

Cheers,
Moritz
Bug#1036697: asterisk: CVE-2023-27585
Source: asterisk
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for asterisk.

CVE-2023-27585[0]:
| PJSIP is a free and open source multimedia communication library
| written in C. A buffer overflow vulnerability in versions 2.13 and
| prior affects applications that use PJSIP DNS resolver. It doesn't
| affect PJSIP users who do not utilise PJSIP DNS resolver. This
| vulnerability is related to CVE-2022-24793. The difference is that
| this issue is in parsing the query record `parse_query()`, while the
| issue in CVE-2022-24793 is in `parse_rr()`. A patch is available as
| commit `d1c5e4d` in the `master` branch. A workaround is to disable
| DNS resolution in PJSIP config (by setting `nameserver_count` to zero)
| or use an external resolver implementation instead.

https://github.com/pjsip/pjproject/security/advisories/GHSA-q9cp-8wcq-7pfr
https://github.com/pjsip/pjproject/security/advisories/GHSA-p6g5-v97c-w5q4
https://github.com/pjsip/pjproject/commit/d1c5e4da5bae7f220bc30719888bb389c905c0c5

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-27585
    https://www.cve.org/CVERecord?id=CVE-2023-27585

Please adjust the affected versions in the BTS as needed.
Bug#1036281: libraw: CVE-2023-1729
Source: libraw
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for libraw.

CVE-2023-1729[0]:
| A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex()
| caused by a maliciously crafted file may lead to an application crash.

https://bugzilla.redhat.com/show_bug.cgi?id=2188240
https://github.com/LibRaw/LibRaw/issues/557
Fixed by: https://github.com/LibRaw/LibRaw/commit/9ab70f6dca19229cb5caad7cc31af4e7501bac93 (master)
Fixed by: https://github.com/LibRaw/LibRaw/commit/477e0719ffc07190c89b4f3d12d51b1292e75828 (0.21-stable)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-1729
    https://www.cve.org/CVERecord?id=CVE-2023-1729

Please adjust the affected versions in the BTS as needed.
Bug#1036280: openjdk-11: CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968
Source: openjdk-11
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for openjdk-11.

CVE-2023-21930[0]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: JSSE). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Difficult to exploit vulnerability allows unauthenticated attacker
| with network access via TLS to compromise Oracle Java SE, Oracle
| GraalVM Enterprise Edition. Successful attacks of this vulnerability
| can result in unauthorized creation, deletion or modification access
| to critical data or all Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data as well as unauthorized access to critical
| data or complete access to all Oracle Java SE, Oracle GraalVM
| Enterprise Edition accessible data. Note: This vulnerability applies
| to Java deployments, typically in clients running sandboxed Java Web
| Start applications or sandboxed Java applets, that load and run
| untrusted code (e.g., code that comes from the internet) and rely on
| the Java sandbox for security. This vulnerability can also be
| exploited by using APIs in the specified Component, e.g., through a
| web service which supplies data to the APIs. CVSS 3.1 Base Score 7.4
| (Confidentiality and Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

CVE-2023-21937[1]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Networking). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and
| 22.3.1. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability can also be exploited by
| using APIs in the specified Component, e.g., through a web service
| which supplies data to the APIs. CVSS 3.1 Base Score 3.7 (Integrity
| impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2023-21938[2]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Libraries). Supported versions
| that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18,
| 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and
| 22.3.0. Difficult to exploit vulnerability allows unauthenticated
| attacker with network access via multiple protocols to compromise
| Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks
| of this vulnerability can result in unauthorized update, insert or
| delete access to some of Oracle Java SE, Oracle GraalVM Enterprise
| Edition accessible data. Note: This vulnerability applies to Java
| deployments, typically in clients running sandboxed Java Web Start
| applications or sandboxed Java applets, that load and run untrusted
| code (e.g., code that comes from the internet) and rely on the Java
| sandbox for security. This vulnerability does not apply to Java
| deployments, typically in servers, that load and run only trusted code
| (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7
| (Integrity impacts). CVSS Vector:
| (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).

CVE-2023-21939[3]:
| Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition
| product of Oracle Java SE (component: Swing). Supported versions that
| are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6,
| 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1.
| Easily exploitable vulnerability allows unauthenticated attacker with
| network access via HTTP to compromise Oracle Java SE, Oracle GraalVM
| Enterprise Edition. Successful attacks of this vulnerability can
| result in unauthorized update, insert or delete access to some of
| Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
| Note: This vulnerability applies to Java deployments, typically in
| clients running sandboxed Java Web Start applications or sandboxed
| Java applets, that load and run untrusted code (e.g., code that comes
| from the internet) and rely on the Java sandbox for security. This
| vulnerability can also be exploited by using APIs in the specified
| Component, e.g., through a web service which