[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2260{4,5,6,7,8,9}/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6b916e8 by Salvatore Bonaccorso at 2023-02-07T08:53:53+01:00 Add CVE-2023-2260{4,5,6,7,8,9}/binutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -8122,16 +8122,40 @@ CVE-2023-22610 (A CWE-285: Improper Authorization vulnerability exists that coul NOT-FOR-US: EcoStruxure Geo SCADA Expert CVE-2023-22609 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29948 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a984f112b015b7d33c3c91230eb4c35695926539 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-22608 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29936 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-22607 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29914 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=42f39fdedcf3321cab9964945d3f5bca58967b80 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-22606 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29908 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa501b69309ccb03ec957101f24109ed7f737733 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-22605 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29893 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=956bc7a29fd952d709db29667b38f98cdd3db4c9 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-22604 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29872 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f58a399cf3f946983398cdfe52d0eaa72bf877 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-22603 RESERVED - binutils 2.40-1 (unimportant) View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b916e8744c9a84498e77ee54bfe1c43b8791dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
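Review bot: the upstream fix cited for CVE-2023-22604 (binutils-gdb commit f2f58a399cf3f946983398cdfe52d0eaa72bf877) is the same commit already cited for CVE-2023-22603 in commit 3a219cd6, while the two entries point at different bugzilla reports (29872 vs 29870). Please confirm that a single commit fixes both bugs; if the hash was carried over by copy and paste, the CVE-2023-22604 NOTE should cite the fix for bug 29872 instead. The other five entries each pair a distinct bugzilla id with a distinct commit, so only this one needs the check.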
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-22603/binutils
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a219cd6 by Salvatore Bonaccorso at 2023-02-07T08:47:16+01:00 Add CVE-2023-22603/binutils - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8134,6 +8134,10 @@ CVE-2023-22604 RESERVED CVE-2023-22603 RESERVED + - binutils 2.40-1 (unimportant) + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29870 + NOTE: https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f58a399cf3f946983398cdfe52d0eaa72bf877 (binutils-2_40) + NOTE: binutils not covered by security support CVE-2023-0054 (Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145. ...) - vim [bullseye] - vim (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a219cd637b65b9c0b616e1f0e8c5a40b3f65b6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a219cd637b65b9c0b616e1f0e8c5a40b3f65b6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
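Review bot: the CVE-2023-22603 line stays RESERVED, so nothing in the entry itself says what bug 29870 is about; a bracketed summary on the CVE line, the convention used for CVE-2023-0494 in commit e51b47c1 ("[Xi: fix potential use-after-free ...]"), would let the binutils attribution be verified without following the link. The "(unimportant)" severity together with the "binutils not covered by security support" NOTE matches how the other binutils entries on this page are tracked.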
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23498/grafana
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c9b4374 by Salvatore Bonaccorso at 2023-02-07T08:40:58+01:00 Add CVE-2022-23498/grafana - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83823,7 +83823,7 @@ CVE-2022-23500 (TYPO3 is an open source PHP based web content management system. CVE-2022-23499 (HTML sanitizer is written in PHP, aiming to provide XSS-safe markup ba ...) TODO: check CVE-2022-23498 (Grafana is an open-source platform for monitoring and observability. W ...) - TODO: check + - grafana CVE-2022-23497 (FreshRSS is a free, self-hostable RSS aggregator. User configuration f ...) NOT-FOR-US: FreshRSS CVE-2022-23496 (Yet Another UserAgent Analyzer (Yauaa) is a java library that tries to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c9b437464133f82e90c80502a65ecbdef8560d2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c9b437464133f82e90c80502a65ecbdef8560d2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
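Review bot: the new "- grafana" line records the package as affected in every suite with no fixed version, no bug reference and no NOTE, so the entry gives no pointer to the upstream advisory or to an affected version range. A NOTE with the advisory URL and a "(bug #NNNNNN)" reference, as the zammad entries in commit 316b7987 carry, would let the fixed version be filled in later, and the bullseye and buster lines still need a status once the affected range is known.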
[Git][security-tracker-team/security-tracker][master] CVE-2023-0415 (wireshark) is not affecting buster.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 97153541 by Tobias Frost at 2023-02-07T08:38:00+01:00 CVE-2023-0415 (wireshark) is not affecting buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3614,8 +3614,11 @@ CVE-2023-0415 (iSCSI dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3. CVE-2023-0416 (GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 an ...) - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) + [buster] - wireshark (Vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-04.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18779 + NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/9322 + NOTE: Vulnerable dissector introduced with https://gitlab.com/wireshark/wireshark/-/commit/a87e56aa79f62ba8967e63da9d408e464596cd85 (first released with version 3.0.0) CVE-2023-0413 (Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 3.6.10 ...) - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97153541089719fdacc65039d98517e310edf8f3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97153541089719fdacc65039d98517e310edf8f3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
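Review bot: the commit message names CVE-2023-0415, but the lines this hunk adds ("[buster] - wireshark (Vulnerable code introduced later)" and the two NOTEs) sit under the CVE-2023-0416 (GNW dissector crash) entry, which is the hunk's first context line; CVE-2023-0415 (iSCSI dissector crash) appears only in the hunk header context. Please check which of the two CVEs the buster marking and the "first released with version 3.0.0" commit reference belong to, and make the commit message and the entry agree.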
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3310-1 for xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d05f77f by Thorsten Alteholz at 2023-02-07T08:19:59+01:00 Reserve DLA-3310-1 for xorg-server - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Feb 2023] DLA-3310-1 xorg-server - security update + {CVE-2023-0494} + [buster] - xorg-server 2:1.20.4-1+deb10u8 [06 Feb 2023] DLA-3309-1 graphite-web - security update {CVE-2022-4728 CVE-2022-4729 CVE-2022-4730} [buster] - graphite-web 1.1.4-3+deb10u2 = data/dla-needed.txt = @@ -350,8 +350,6 @@ xfig (gladk) NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git -- -xorg-server (Thorsten Alteholz) --- xrdp NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d05f77f13519504677a83e87e99e0a2007bd2a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d05f77f13519504677a83e87e99e0a2007bd2a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-20938/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a21e4ab4 by Salvatore Bonaccorso at 2023-02-07T07:55:08+01:00 Add CVE-2023-20938/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21710,6 +21710,9 @@ CVE-2023-20939 RESERVED CVE-2023-20938 RESERVED + - linux 5.17.6-1 + [bullseye] - linux 5.10.158-1 + NOTE: https://source.android.com/docs/security/bulletin/2023-02-01 CVE-2023-20937 RESERVED CVE-2023-20936 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a21e4ab44ec8ec887e0ad8bbd38c84be79bfd6a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a21e4ab44ec8ec887e0ad8bbd38c84be79bfd6a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
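Review bot: the fixed versions 5.17.6-1 and 5.10.158-1 are recorded while the CVE-2023-20938 line is still RESERVED and the only reference is the Android bulletin; unlike the CVE-2023-20928 entry touched in commit 728807db, which cites the android.googlesource.com kernel commit, there is no upstream commit NOTE here tying those versions to a specific fix. The buster line is also absent, so buster will show as open until a status is added.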
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-0494/xorg-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e51b47c1 by Salvatore Bonaccorso at 2023-02-07T07:17:44+01:00 Add CVE-2023-0494/xorg-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2525,8 +2525,11 @@ CVE-2023-0496 RESERVED CVE-2023-0495 RESERVED -CVE-2023-0494 +CVE-2023-0494 [Xi: fix potential use-after-free in DeepCopyPointerClasses] RESERVED + - xorg-server + NOTE: https://www.openwall.com/lists/oss-security/2023/02/07/1 + NOTE: https://gitlab.freedesktop.org/xorg/xserver/commit/0ba6d8c37071131a49790243cdac55392ecf71ec CVE-2022-4897 RESERVED CVE-2023-24513 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51b47c166500f6e13a8b11c750af166754be334 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51b47c166500f6e13a8b11c750af166754be334 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
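Review bot: the entry is added as a bare "- xorg-server" with no fixed version and no bullseye or buster lines, so every suite shows as open; buster is covered by the DLA-3310-1 reservation in commit 5d05f77f, but bullseye still needs either a fixed version or a status note. The bracketed summary on the RESERVED CVE line plus the oss-security and upstream commit NOTEs are the right shape for an entry filed before the CVE text is published.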
[Git][security-tracker-team/security-tracker][master] claim xorg-server
Thorsten Alteholz pushed to branch master at Debian Security Tracker / security-tracker Commits: 280d8a2f by Thorsten Alteholz at 2023-02-07T07:02:19+01:00 claim xorg-server - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -350,6 +350,8 @@ xfig (gladk) NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git -- +xorg-server (Thorsten Alteholz) +-- xrdp NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280d8a2fbda2cb368dd83033dbfa72515edda5a6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280d8a2fbda2cb368dd83033dbfa72515edda5a6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Tentatively take apr-util and apr from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5957612b by Salvatore Bonaccorso at 2023-02-07T06:29:23+01:00 Tentatively take apr-util and apr from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -12,9 +12,9 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. -- -apr-util +apr-util (carnil) -- -apr +apr (carnil) -- frr -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5957612bdb76428392dd24625b1a5b5ea42e54f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5957612bdb76428392dd24625b1a5b5ea42e54f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Take haproxy from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dfdeffe by Salvatore Bonaccorso at 2023-02-07T06:24:35+01:00 Take haproxy from dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -18,7 +18,7 @@ apr -- frr -- -haproxy +haproxy (carnil) -- jupyter-core Maintainer asked for availability to prepare updates View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dfdeffea8a7234c2bb53e459659e9ad6eb688c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dfdeffea8a7234c2bb53e459659e9ad6eb688c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] add p0 reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 728807db by Moritz Muehlenhoff at 2023-02-06T22:58:48+01:00 add p0 reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21731,6 +21731,7 @@ CVE-2023-20928 (In binder_vma_close of binder.c, there is a possible use after f [buster] - linux (Vulnerable code not present) NOTE: https://android.googlesource.com/kernel/common/+/201d5f4a3ec1 NOTE: https://source.android.com/docs/security/bulletin/2023-01-01 + NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2374 CVE-2023-20927 RESERVED CVE-2023-20926 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/728807db9973785b162da56180841e0f4e19c94b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/728807db9973785b162da56180841e0f4e19c94b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-42330/xen via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a81045a9 by Salvatore Bonaccorso at 2023-02-06T22:28:50+01:00 Track fixed version for CVE-2022-42330/xen via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -29991,7 +29991,7 @@ CVE-2022-42332 CVE-2022-42331 RESERVED CVE-2022-42330 (Guests can cause Xenstore crash via soft reset When a guest issues a " ...) - - xen (bug #1029830) + - xen 4.17.0+24-g2f8851c37f-2 (bug #1029830) [bullseye] - xen (Only affects 4.17) [buster] - xen (Only affects 4.17) NOTE: https://xenbits.xen.org/xsa/advisory-425.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81045a97f6c22c9fe14a807513f8769cef5eda0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81045a97f6c22c9fe14a807513f8769cef5eda0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for three fava issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a7c1252c by Salvatore Bonaccorso at 2023-02-06T22:25:38+01:00 Track fixed version for three fava issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44167,7 +44167,7 @@ CVE-2022-2590 (A race condition was found in the way the Linux kernel's memory s NOTE: https://lore.kernel.org/all/b314c287-5fc2-9f61-53f6-33282a2be...@redhat.com/ NOTE: https://www.openwall.com/lists/oss-security/2022/08/08/1 CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...) - - fava (bug #1016971) + - fava 1.23.1-1 (bug #1016971) [bullseye] - fava (Minor issue) [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/ @@ -45694,7 +45694,7 @@ CVE-2022-34859 CVE-2022-33963 RESERVED CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository beancount/ ...) - - fava (bug #1016971) + - fava 1.23.1-1 (bug #1016971) [bullseye] - fava (Minor issue) [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f 
@@ -45851,7 +45851,7 @@ CVE-2022-33142 (Authenticated (subscriber+) Denial Of Service (DoS) vulnerabilit CVE-2022-2515 (The Simple Banner plugin for WordPress is vulnerable to Stored Cross-S ...) NOT-FOR-US: Simple Banner plugin for WordPress CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are vulnerable t ...) - - fava (bug #1016971) + - fava 1.23.1-1 (bug #1016971) [bullseye] - fava (Minor issue) [buster] - fava (Minor issue) NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7c1252c4de476d60d3550e5f807a99369ebdfde -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7c1252c4de476d60d3550e5f807a99369ebdfde You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: Add meta-information
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dcbc257 by Anton Gladky at 2023-02-06T22:15:14+01:00 LTS: Add meta-information - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -94,6 +94,9 @@ golang-yaml.v2 NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- heimdal (Helmut Grohne) + NOTE: 20230206: Programming language: C + NOTE: 20230206: Special attention: Do review patches, even those, coming from upstream. + NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/heimdal/ -- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. @@ -312,6 +315,8 @@ sox (Helmut Grohne) -- spip NOTE: 20230206: Programming language: PHP. + NOTE: 20230206: Special attention: Please contact maintainer regarding VCS usage + NOTE: 20230206: VCS: https://salsa.debian.org/debian/spip.git -- sssd NOTE: 20230131: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dcbc2571082ea43963d86a583445ef8abf6a1c6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dcbc2571082ea43963d86a583445ef8abf6a1c6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3309-1 for graphite-web
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c40a689c by Chris Lamb at 2023-02-06T13:05:52-08:00 Reserve DLA-3309-1 for graphite-web - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Feb 2023] DLA-3309-1 graphite-web - security update + {CVE-2022-4728 CVE-2022-4729 CVE-2022-4730} + [buster] - graphite-web 1.1.4-3+deb10u2 [06 Feb 2023] DLA-3308-1 webkit2gtk - security update {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518} [buster] - webkit2gtk 2.38.4-2~deb10u1 = data/dla-needed.txt = @@ -93,10 +93,6 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- -graphite-web (Chris Lamb) - NOTE: 20221229: Programming language: Python. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/graphite-web.git --- heimdal (Helmut Grohne) -- imagemagick (Roberto C. Sánchez) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c40a689c4ef584c73fe2830210335380f3da112a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c40a689c4ef584c73fe2830210335380f3da112a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add three new CVEs for zammad: CVE-2022-4802{1,2,3}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 316b7987 by Salvatore Bonaccorso at 2023-02-06T22:02:06+01:00 Add three new CVEs for zammad: CVE-2022-4802{1,2,3} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9167,11 +9167,11 @@ CVE-2022-48025 CVE-2022-48024 RESERVED CVE-2022-48023 (Insufficient privilege verification in Zammad v5.3.0 allows an authent ...) - TODO: check + - zammad (bug #841355) CVE-2022-48022 (An issue in the component /api/v1/mentions of Zammad v5.3.0 allows aut ...) - TODO: check + - zammad (bug #841355) CVE-2022-48021 (A vulnerability in Zammad v5.3.0 allows attackers to execute arbitrary ...) - TODO: check + - zammad (bug #841355) CVE-2022-48020 RESERVED CVE-2022-48019 (The components wfshbr64.sys and wfshbr32.sys in Another Eden before v3 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/316b7987acd4c4b6460709a9586b74b18d4638a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/316b7987acd4c4b6460709a9586b74b18d4638a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
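Review bot: all three entries become "- zammad (bug #841355)", i.e. affected in every suite with no fixed version and one shared bug. If zammad is not in the archive and #841355 is the packaging request, the entries should carry the tracker's ITP status so they do not appear as open issues in a shipped package; if it is in the archive, the affected and fixed version range for v5.3.0 named in the descriptions should be added.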
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 005711b1 by Salvatore Bonaccorso at 2023-02-06T22:01:26+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -604,7 +604,7 @@ CVE-2023-0687 (A vulnerability was found in GNU C Library 2.38. It has been decl NOTE: https://patchwork.sourceware.org/project/glibc/patch/20230204114138.5436-1-...@yuriev.ru/ TODO: check CVE-2023-0686 (A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. I ...) - TODO: check + NOT-FOR-US: SourceCodester Online Eyewear Shop CVE-2023-0685 RESERVED CVE-2023-0684 @@ -618,7 +618,7 @@ CVE-2023-0681 CVE-2023-0680 RESERVED CVE-2023-0679 (A vulnerability was found in SourceCodester Canteen Management System ...) - TODO: check + NOT-FOR-US: SourceCodester Canteen Management System CVE-2022-48316 RESERVED CVE-2022-48315 @@ -648,7 +648,7 @@ CVE-2023-25194 CVE-2022-4902 (A vulnerability classified as problematic has been found in eXo Chat A ...) TODO: check CVE-2020-36660 (A vulnerability was found in paxswill EVE Ship Replacement Program 0.1 ...) - TODO: check + NOT-FOR-US: paxswill EVE Ship Replacement Program CVE-2017-20177 RESERVED CVE-2015-10073 
@@ -3295,29 +3295,29 @@ CVE-2023-24204 CVE-2023-24203 RESERVED CVE-2023-24202 (Raffle Draw System v1.0 was discovered to contain a local file inclusi ...) - TODO: check + NOT-FOR-US: Raffle Draw System CVE-2023-24201 (Raffle Draw System v1.0 was discovered to contain a SQL injection vuln ...) - TODO: check + NOT-FOR-US: Raffle Draw System CVE-2023-24200 (Raffle Draw System v1.0 was discovered to contain a SQL injection vuln ...) - TODO: check + NOT-FOR-US: Raffle Draw System CVE-2023-24199 (Raffle Draw System v1.0 was discovered to contain a SQL injection vuln ...) - TODO: check + NOT-FOR-US: Raffle Draw System CVE-2023-24198 (Raffle Draw System v1.0 was discovered to contain multiple SQL injecti ...) - TODO: check + NOT-FOR-US: Raffle Draw System CVE-2023-24197 (Online Food Ordering System v2 was discovered to contain a SQL injecti ...) - TODO: check + NOT-FOR-US: Online Food Ordering System CVE-2023-24196 RESERVED CVE-2023-24195 (Online Food Ordering System v2 was discovered to contain a cross-site ...) - TODO: check + NOT-FOR-US: Online Food Ordering System CVE-2023-24194 (Online Food Ordering System v2 was discovered to contain a cross-site ...) - TODO: check + NOT-FOR-US: Online Food Ordering System CVE-2023-24193 RESERVED CVE-2023-24192 (Online Food Ordering System v2 was discovered to contain a cross-site ...) - TODO: check + NOT-FOR-US: Online Food Ordering System CVE-2023-24191 (Online Food Ordering System v2 was discovered to contain a cross-site ...) - TODO: check + NOT-FOR-US: Online Food Ordering System CVE-2023-24190 RESERVED CVE-2023-24189 @@ -4110,7 +4110,7 @@ CVE-2023-0402 (The Social Warfare plugin for WordPress is vulnerable to authoriz CVE-2023-0401 RESERVED CVE-2023-0400 (The protection bypass vulnerability in DLP for Windows 11.9.x is addre ...) - TODO: check + NOT-FOR-US: DLP for Windows CVE-2023-0399 RESERVED CVE-2023-0398 (Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa ...) 
@@ -7057,9 +7057,9 @@ CVE-2023-0126 (Pre-authentication path traversal vulnerability in SMA1000 firmwa CVE-2023-0125 (A vulnerability was found in Control iD Panel. It has been declared as ...) NOT-FOR-US: Control iD Panel CVE-2023-0124 (Delta Electronics DOPSoft versions 4.00.16.22 and prior are vulnerable ...) - TODO: check + NOT-FOR-US: Delta Electronics DOPSoft CVE-2023-0123 (Delta Electronics DOPSoft versions 4.00.16.22 and prior are vulnerable ...) - TODO: check + NOT-FOR-US: Delta Electronics DOPSoft CVE-2022-48251 (** DISPUTED ** The AES instructions on the ARMv8 platform do not have ...) NOT-FOR-US: ARM hardware design issue CVE-2021-46871 (tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 allows ...) @@ -8883,9 +8883,9 @@ CVE-2022-48167 CVE-2022-48166 RESERVED CVE-2022-48165 (An access control issue in the component /cgi-bin/ExportLogs.sh of Wav ...) - TODO: check + NOT-FOR-US: Wavlink CVE-2022-48164 (An access control issue in the component /cgi-bin/ExportLogs.sh of Wav ...) - TODO: check + NOT-FOR-US: Wavlink CVE-2022-48163 RESERVED CVE-2022-48162 @@ -8933,7 +8933,7 @@ CVE-2022-48142 CVE-2022-48141 RESERVED CVE-2022-48140 (DedeCMS v5.7.97 was discovered to contain a cross-site scripting (XSS) ...) - TODO: check + NOT-FOR-US: D
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-0687/glibc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56ed23ae by Salvatore Bonaccorso at 2023-02-06T21:56:29+01:00 Add CVE-2023-0687/glibc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -599,6 +599,9 @@ CVE-2023-25200 CVE-2023-25199 RESERVED CVE-2023-0687 (A vulnerability was found in GNU C Library 2.38. It has been declared ...) + - glibc + NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29444 + NOTE: https://patchwork.sourceware.org/project/glibc/patch/20230204114138.5436-1-...@yuriev.ru/ TODO: check CVE-2023-0686 (A vulnerability was found in SourceCodester Online Eyewear Shop 1.0. I ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56ed23ae38153415465ca78e72cb9ca4a7fab99b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56ed23ae38153415465ca78e72cb9ca4a7fab99b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
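Review bot: the hunk adds "- glibc", marking every suite affected, while keeping the "TODO: check" line, so the affected state is recorded before triage is done. The description names only "GNU C Library 2.38", so whether the shipped glibc versions contain the affected code is exactly what the retained TODO has to resolve via the bugzilla 29444 and patchwork references; until then the bare "- glibc" without a severity or suite notes overstates what is known.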
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c5fc4428 by Salvatore Bonaccorso at 2023-02-06T21:35:47+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3144,7 +3144,7 @@ CVE-2023-24278 CVE-2023-24277 RESERVED CVE-2023-24276 (TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a co ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-24275 RESERVED CVE-2023-24274 @@ -39718,7 +39718,7 @@ CVE-2022-2935 (The Image Hover Effects Ultimate plugin for WordPress is vulnerab CVE-2022-2934 (The Beaver Builder – WordPress Page Builder for WordPress is vul ...) NOT-FOR-US: WordPress Page Builder CVE-2022-2933 (The 0mk Shortener plugin for WordPress is vulnerable to Cross-Site Req ...) - TODO: check + NOT-FOR-US: 0mk Shortener plugin for WordPress CVE-2022-2932 (Cross-site Scripting (XSS) - Reflected in GitHub repository bustle/mob ...) NOT-FOR-US: Mobiledoc Kit CVE-2022-2931 (A potential DOS vulnerability was discovered in GitLab CE/EE affecting ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fc4428de2ffc4a2bf1119d94d0300e03cc1bf9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fc4428de2ffc4a2bf1119d94d0300e03cc1bf9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a4a6839 by security tracker role at 2023-02-06T20:10:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,631 @@ +CVE-2023-25498 + RESERVED +CVE-2023-25497 + RESERVED +CVE-2023-25496 + RESERVED +CVE-2023-25495 + RESERVED +CVE-2023-25494 + RESERVED +CVE-2023-25493 + RESERVED +CVE-2023-25492 + RESERVED +CVE-2023-25491 + RESERVED +CVE-2023-25490 + RESERVED +CVE-2023-25489 + RESERVED +CVE-2023-25488 + RESERVED +CVE-2023-25487 + RESERVED +CVE-2023-25486 + RESERVED +CVE-2023-25485 + RESERVED +CVE-2023-25484 + RESERVED +CVE-2023-25483 + RESERVED +CVE-2023-25482 + RESERVED +CVE-2023-25481 + RESERVED +CVE-2023-25480 + RESERVED +CVE-2023-25479 + RESERVED +CVE-2023-25478 + RESERVED +CVE-2023-25477 + RESERVED +CVE-2023-25476 + RESERVED +CVE-2023-25475 + RESERVED +CVE-2023-25474 + RESERVED +CVE-2023-25473 + RESERVED +CVE-2023-25472 + RESERVED +CVE-2023-25471 + RESERVED +CVE-2023-25470 + RESERVED +CVE-2023-25469 + RESERVED +CVE-2023-25468 + RESERVED +CVE-2023-25467 + RESERVED +CVE-2023-25466 + RESERVED +CVE-2023-25465 + RESERVED +CVE-2023-25464 + RESERVED +CVE-2023-25463 + RESERVED +CVE-2023-25462 + RESERVED +CVE-2023-25461 + RESERVED +CVE-2023-25460 + RESERVED +CVE-2023-25459 + RESERVED +CVE-2023-25458 + RESERVED +CVE-2023-25457 + RESERVED +CVE-2023-25456 + RESERVED +CVE-2023-25455 + RESERVED +CVE-2023-25454 + RESERVED +CVE-2023-25453 + RESERVED +CVE-2023-25452 + RESERVED +CVE-2023-25451 + RESERVED +CVE-2023-25450 + RESERVED +CVE-2023-25449 + RESERVED +CVE-2023-25448 + RESERVED +CVE-2023-25447 + RESERVED +CVE-2023-25446 + RESERVED +CVE-2023-25445 + RESERVED +CVE-2023-25444 + RESERVED +CVE-2023-25443 + RESERVED +CVE-2023-25442 + RESERVED +CVE-2023-25441 + RESERVED +CVE-2023-25440 + RESERVED +CVE-2023-25439 + RESERVED +CVE-2023-25438 + RESERVED +CVE-2023-25437 + RESERVED +CVE-2023-25436 + RESERVED +CVE-2023-25435 + RESERVED +CVE-2023-25434 + RESERVED +CVE-2023-25433 + RESERVED +CVE-2023-25432 + RESERVED +CVE-2023-25431 + RESERVED +CVE-2023-25430 + RESERVED +CVE-2023-25429 + RESERVED +CVE-2023-25428 + RESERVED +CVE-2023-25427 + RESERVED +CVE-2023-25426 + RESERVED 
+CVE-2023-25425 + RESERVED +CVE-2023-25424 + RESERVED +CVE-2023-25423 + RESERVED +CVE-2023-25422 + RESERVED +CVE-2023-25421 + RESERVED +CVE-2023-25420 + RESERVED +CVE-2023-25419 + RESERVED +CVE-2023-25418 + RESERVED +CVE-2023-25417 + RESERVED +CVE-2023-25416 + RESERVED +CVE-2023-25415 + RESERVED +CVE-2023-25414 + RESERVED +CVE-2023-25413 + RESERVED +CVE-2023-25412 + RESERVED +CVE-2023-25411 + RESERVED +CVE-2023-25410 + RESERVED +CVE-2023-25409 + RESERVED +CVE-2023-25408 + RESERVED +CVE-2023-25407 + RESERVED +CVE-2023-25406 + RESERVED +CVE-2023-25405 + RESERVED +CVE-2023-25404 + RESERVED +CVE-2023-25403 + RESERVED +CVE-2023-25402 + RESERVED +CVE-2023-25401 + RESERVED +CVE-2023-25400 + RESERVED +CVE-2023-25399 + RESERVED +CVE-2023-25398 + RESERVED +CVE-2023-25397 + RESERVED +CVE-2023-25396 + RESERVED +CVE-2023-25395 + RESERVED +CVE-2023-25394 + RESERVED +CVE-2023-25393 + RESERVED +CVE-2023-25392 + RESERVED +CVE-2023-25391 + RESERVED +CVE-2023-25390 + RESERVED +CVE-2023-25389 + RESERVED +CVE-2023-25388 + RESERVED +CVE-2023-25387 + RESERVED +CVE-2023-25386 + RESERVED +CVE-2023-25385 + RESERVED +CVE-2023-25384 + RESERVED +CVE-2023-25383 + RESERVED +CVE-2023-25382 + RESERVED +CVE-2023-25381 + RESERVED +CVE-2023-25380 + RESERVED +CVE-2023-25379 + RESERVED +CVE-2023-25378 + RESERVED +CVE-2023-25377 + RESERVED +CVE-2023-25376 + RESERVED +CVE-2023-25375 + RESERVED +CVE-2023-25374 + RESERVED +CVE-2023-25373 + RESERVED +CVE-2023-25372 + RESERVED +CVE-2023-25371 + RESERVED +CVE-2023-25370 + RESERVED +CVE-2023-25369 + RESERVED +CVE-2023-25368 + RESERVED +CVE-2023-25367 + RESERVED +CVE-2023-25366 + RESERVED +CVE-2023-25365 + RESERVED +CVE-2023-25364 + RESERVED +CVE-2023-25363 + RESERVED +CVE-2023-25362 + RESERVED +CVE-2023-25361 + RESERVED +CVE-2023-25360 + RESERVED +CVE-2023-25359 + RESERVED +CVE-2023-25358 + RESE
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-23385/flask-security
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a37aca57 by Salvatore Bonaccorso at 2023-02-06T21:05:47+01:00 Update information for CVE-2021-23385/flask-security - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -151069,10 +151069,14 @@ CVE-2021-23387 (The package trailing-slash before 2.0.1 are vulnerable to Open R CVE-2021-23386 (This affects the package dns-packet before 5.2.2. It creates buffers w ...) NOT-FOR-US: Node dns-packet CVE-2021-23385 (This affects all versions of package Flask-Security. When using the ge ...) - - flask-security (bug #1021279) + - flask-security 5.0.2-1 (bug #1021279) [bullseye] - flask-security (Minor issue) [buster] - flask-security (Minor issue) NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234 + NOTE: https://github.com/Flask-Middleware/flask-security/issues/724 + NOTE: https://github.com/Flask-Middleware/flask-security/issues/486 + NOTE: https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c + NOTE: https://github.com/Flask-Middleware/flask-security/commit/e39bb04615050448c1b8ba4caa7dacc0edd3e405 (4.1.0) CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to ...) NOT-FOR-US: Node koa-remove-trailing-slashes before CVE-2021-23383 (The package handlebars before 4.7.7 are vulnerable to Prototype Pollut ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a37aca57c89ce1033a4e44d326b20e27bd2fa72b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a37aca57c89ce1033a4e44d326b20e27bd2fa72b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
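Review bot: the fixed version moves to `flask-security 5.0.2-1` while the upstream fix commit added in the same hunk is tagged `(4.1.0)`; a NOTE explaining why the first fixed Debian upload is 5.0.2-1 (for example, if no 4.1.x upload ever reached the archive) would save the next reader a trip through the changelog when verifying the bullseye and buster "Minor issue" annotations.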
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3308-1 for webkit2gtk
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 38ec7eba by Emilio Pozuelo Monfort at 2023-02-06T20:02:38+01:00 Reserve DLA-3308-1 for webkit2gtk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Feb 2023] DLA-3308-1 webkit2gtk - security update + {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518} + [buster] - webkit2gtk 2.38.4-2~deb10u1 [06 Feb 2023] DLA-3307-1 openjdk-11 - security update {CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843} [buster] - openjdk-11 11.0.18+10-1~deb10u1 = data/dla-needed.txt = @@ -339,10 +339,6 @@ trafficserver NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/trafficserver.git -- -webkit2gtk (Emilio) - NOTE: 20230203: Programming language: C++. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/webkit2gtk.git --- wireshark (tobi) NOTE: 20230123: Programming language: C. NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them pile up like last time. (utkarsh). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38ec7eba5eca04d3be2a64ab6cd76909f1e860c9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38ec7eba5eca04d3be2a64ab6cd76909f1e860c9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
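Review bot: only data/DLA/list and data/dla-needed.txt change here; the entries for CVE-2022-42826, CVE-2023-23517 and CVE-2023-23518 in data/CVE/list are not touched, so any `[buster]` postponement annotation they carry stays behind after the DLA is reserved. Compare the openjdk-11 reservation in this batch, which drops the `[buster] - openjdk-11 (Minor issue, fix along with next CPU)` lines alongside the new DLA/list entry.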
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 00d88108 by Moritz Muehlenhoff at 2023-02-06T17:52:59+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,11 +27,11 @@ CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attack [bullseye] - harfbuzz (Minor issue) NOTE: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc CVE-2014-125086 (A vulnerability has been found in Gimmie Plugin 1.2.2 and classified a ...) - TODO: check + NOT-FOR-US: Gimmie CVE-2014-125085 (A vulnerability, which was classified as critical, was found in Gimmie ...) - TODO: check + NOT-FOR-US: Gimmie CVE-2014-125084 (A vulnerability, which was classified as critical, has been found in G ...) - TODO: check + NOT-FOR-US: Gimmie CVE-2023-25192 RESERVED CVE-2023-25191 @@ -51,9 +51,9 @@ CVE-2023-0674 (A vulnerability, which was classified as problematic, has been fo CVE-2023-0673 (A vulnerability classified as critical was found in SourceCodester Onl ...) NOT-FOR-US: SourceCodester Online Eyewear Shop CVE-2017-20176 (A vulnerability classified as problematic was found in ciubotaru share ...) - TODO: check + NOT-FOR-US: share-on-diaspora CVE-2017-20175 (A vulnerability classified as problematic has been found in DaSchTour ...) - TODO: check + NOT-FOR-US: Mamoto extension for MediaWiki CVE-2023-25189 RESERVED CVE-2023-25188 
@@ -324,9 +324,9 @@ CVE-2019-25101 (A vulnerability classified as critical has been found in OnShift CVE-2018-25080 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: MobileDetect CVE-2018-25079 (A vulnerability was found in Segmentio is-url up to 1.2.2. It has been ...) - TODO: check + NOT-FOR-US: Node is-url CVE-2015-10072 (A vulnerability classified as problematic was found in NREL api-umbrel ...) - TODO: check + NOT-FOR-US: api-umbrella-web CVE-2013-10018 (A vulnerability was found in fanzila WebFinance 0.5. It has been decla ...) NOT-FOR-US: fanzila WebFinance CVE-2013-10017 (A vulnerability was found in fanzila WebFinance 0.5. It has been class ...) @@ -1467,7 +1467,7 @@ CVE-2023-24612 (The PdfBook extension through 2.0.5 before b07b6a64 for MediaWik CVE-2023-24611 RESERVED CVE-2023-24610 (NOSH 4a5cfdb allows remote authenticated users to execute PHP arbitrar ...) - TODO: check + NOT-FOR-US: NOSH CVE-2023-24609 RESERVED CVE-2023-24608 @@ -3312,7 +3312,7 @@ CVE-2023-23942 CVE-2023-23941 (SwagPayPal is a PayPal integration for shopware/platform. If JavaScrip ...) NOT-FOR-US: SwagPayPal CVE-2023-23940 (OpenZeppelin Contracts for Cairo is a library for secure smart contrac ...) - TODO: check + NOT-FOR-US: OpenZeppelin Contracts CVE-2023-23939 RESERVED CVE-2023-23938 @@ -3328,7 +3328,7 @@ CVE-2023-23934 CVE-2023-23933 (OpenSearch Anomaly Detection identifies atypical data and receives aut ...) NOT-FOR-US: OpenSearch Anomaly Detection CVE-2023-23932 (OpenDDS is an open source C++ implementation of the Object Management ...) - TODO: check + NOT-FOR-US: OpenDDS CVE-2023-23931 RESERVED CVE-2023-23930 
@@ -3342,7 +3342,7 @@ CVE-2023-23927 CVE-2023-23926 RESERVED CVE-2023-23925 (Switcher Client is a JavaScript SDK to work with Switcher API which is ...) - TODO: check + NOT-FOR-US: Switcher CVE-2023-23924 (Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 ...) - php-dompdf (Vulnerable code not in any Debian released version) NOTE: https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg @@ -5639,9 +5639,9 @@ CVE-2023-23122 CVE-2023-23121 RESERVED CVE-2023-23120 (The use of the cyclic redundancy check (CRC) algorithm for integrity c ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2023-23119 (The use of the cyclic redundancy check (CRC) algorithm for integrity c ...) - TODO: check + NOT-FOR-US: TRENDnet CVE-2023-23118 RESERVED CVE-2023-23117 @@ -5659,7 +5659,7 @@ CVE-2023-23112 CVE-2023-23111 RESERVED CVE-2023-23110 (An exploitable firmware modification vulnerability was discovered in c ...) - TODO: check + NOT-FOR-US: Netgear CVE-2023-23109 RESERVED CVE-2023-23108 @@ -5756,9 +5756,9 @@ CVE-2013-10010 (A vulnerability classified as problematic has been found in zero CVE-2023-23088 (Buffer OverFlow Vulnerability in Barenboim json-parser master and v1.1 ...) TODO: check CVE-2023-23087 (An issue was found in MojoJson v1.2.3 allows attackers to execute arbi ...) - TODO: check + NOT-FOR-US: MojoJson CVE-2023-23086 (Buffer OverFlow
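Review bot: in the `@@ -51,9 +51,9 @@` hunk the replacement `NOT-FOR-US: Mamoto extension for MediaWiki` for CVE-2017-20175 appears to misspell the extension name; the DaSchTour MediaWiki extension is Matomo (the analytics tool), so `NOT-FOR-US: Matomo extension for MediaWiki` would keep the label searchable.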
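Review bot: in the `@@ -5756,9 +5756,9 @@` hunk CVE-2023-23088 (Barenboim json-parser) is left at `TODO: check` while the neighbouring MojoJson entry is resolved as NOT-FOR-US; if json-parser was looked at in the same pass, settle it here too, otherwise leaving it open is correct and nothing further is needed.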
[Git][security-tracker-team/security-tracker][master] CVE-2023-0414 (wireshark) is not affecting buster.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: d895a354 by Tobias Frost at 2023-02-06T17:23:27+01:00 CVE-2023-0414 (wireshark) is not affecting buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2995,8 +2995,10 @@ CVE-2023-0417 (Memory leak in the NFS dissector in Wireshark 4.0.0 to 4.0.2 and CVE-2023-0414 (Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows denial o ...) - wireshark 4.0.3-1 [bullseye] - wireshark (Minor issue, fix along in future update) + [buster] - wireshark (Vulnerable code introduced later) NOTE: https://www.wireshark.org/security/wnpa-sec-2023-01.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18622 + NOTE: introduced by https://gitlab.com/wireshark/wireshark/-/merge_requests/6838 CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial remote c ...) NOT-FOR-US: Grand Theft Auto V for PC CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create and schedu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d895a3545db0922eb4b1706de2f1a5a204973c55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d895a3545db0922eb4b1706de2f1a5a204973c55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 891d9dab by Moritz Muehlenhoff at 2023-02-06T16:53:15+01:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -526,10 +526,11 @@ CVE-2023-25002 CVE-2023-25001 RESERVED CVE-2023-0634 (An uncontrolled process operation was found in the newgrp command prov ...) - - shadow + - shadow (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166544 NOTE: https://github.com/shadow-maint/shadow/pull/642 NOTE: https://github.com/shadow-maint/shadow/commit/62172f6fb51519a8cf56e35e4ce2b76cc301a7fc + NOTE: Crash in CLI tool, no security impact CVE-2023-0633 RESERVED CVE-2023-0632 @@ -27436,6 +27437,7 @@ CVE-2022-3561 (Cross-site Scripting (XSS) - Generic in GitHub repository librenm NOT-FOR-US: LibreNMS CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a systemd serv ...) - pesign (bug #1030168) + [bullseye] - pesign (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2023/01/31/6 NOTE: https://www.openwall.com/lists/oss-security/2023/02/01/2 NOTE: https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998 (116) 
@@ -78149,10 +78151,12 @@ CVE-2022-24896 (Tuleap is a Free & Open Source Suite to manage software deve NOT-FOR-US: Tuleap CVE-2022-24895 (Symfony is a PHP framework for web and console applications and a set ...) - symfony 5.4.20+dfsg-1 + [bullseye] - symfony (Minor issue) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m NOTE: https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4 CVE-2022-24894 (Symfony is a PHP framework for web and console applications and a set ...) - symfony 5.4.20+dfsg-1 + [bullseye] - symfony (Minor issue) NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv NOTE: https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb CVE-2022-24893 (ESP-IDF is the official development framework for Espressif SoCs. In E ...) = data/dsa-needed.txt = @@ -11,9 +11,15 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +apr-util +-- +apr -- frr -- +haproxy +-- jupyter-core Maintainer asked for availability to prepare updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891d9dab823803c5fa72786a7d4f30558b57b1de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891d9dab823803c5fa72786a7d4f30558b57b1de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
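Review bot: the two symfony entries (CVE-2022-24895 and CVE-2022-24894) gain `[bullseye] - symfony (Minor issue)` with no stated reason, whereas the shadow entry in the same commit gets `NOTE: Crash in CLI tool, no security impact`; a one-line NOTE on why the two symfony advisories are minor for bullseye would make the postponement reviewable when the next symfony update is prepared.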
[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5340-1 and wpewebkit DSA-5341-1
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: 1634dc77 by Alberto Garcia at 2023-02-06T16:32:30+01:00 webkit2gtk DSA-5340-1 and wpewebkit DSA-5341-1 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,9 @@ +[06 Feb 2023] DSA-5341-1 wpewebkit - security update + {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518} + [bullseye] - wpewebkit 2.38.4-1~deb11u1 +[06 Feb 2023] DSA-5340-1 webkit2gtk - security update + {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518} + [bullseye] - webkit2gtk 2.38.4-2~deb11u1 [05 Feb 2023] DSA-5339-1 libhtml-stripscripts-perl - security update {CVE-2023-24038} [bullseye] - libhtml-stripscripts-perl 1.06-1+deb11u1 = data/dsa-needed.txt = @@ -57,10 +57,6 @@ thunderbird (jmm) -- tiff (aron) -- -webkit2gtk (berto) --- -wpewebkit (berto) --- xrdp needs some additional clarification, tentatively DSA worthy maybe upgrade to 0.9.21 within bullseye? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1634dc77e8c0db4afcda97317740f1174f3434a8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1634dc77e8c0db4afcda97317740f1174f3434a8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: CVE-2023-23456/upx-ucl no-dsa on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a60123f by Emilio Pozuelo Monfort at 2023-02-06T16:13:06+01:00 lts: CVE-2023-23456/upx-ucl no-dsa on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4870,6 +4870,7 @@ CVE-2023-23457 (A Segmentation fault was found in UPX in PackLinuxElf64::invert_ NOTE: https://github.com/upx/upx/issues/631 CVE-2023-23456 (A heap-based buffer overflow issue was discovered in UPX in PackTmt::p ...) - upx-ucl + [buster] - upx-ucl (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160381 NOTE: https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4 NOTE: https://github.com/upx/upx/issues/632 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a60123fe610935441a5deff6325b05f2b23b893 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a60123fe610935441a5deff6325b05f2b23b893 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3307-1 for openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 05217da4 by Emilio Pozuelo Monfort at 2023-02-06T15:57:55+01:00 Reserve DLA-3307-1 for openjdk-11 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -36748,7 +36748,6 @@ CVE-2022-39400 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2022-39399 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5335-1 DSA-5331-1} - openjdk-11 11.0.17+8-1 - [buster] - openjdk-11 (Minor issue, fix along with next CPU) - openjdk-17 17.0.5+8-1 CVE-2022-39398 (tasklists is a tasklists plugin for GLPI (Kanban). Versions prior to 2 ...) NOT-FOR-US: GLPI plugin @@ -96102,7 +96101,6 @@ CVE-2022-21628 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E {DSA-5335-1 DSA-5331-1} - openjdk-8 8u352-ga-1 - openjdk-11 11.0.17+8-1 - [buster] - openjdk-11 (Minor issue, fix along with next CPU) - openjdk-17 17.0.5+8-1 CVE-2022-21627 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 6.1.40-dfsg-1 @@ -96111,14 +96109,12 @@ CVE-2022-21626 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E {DSA-5331-1} - openjdk-8 8u352-ga-1 - openjdk-11 11.0.17+8-1 - [buster] - openjdk-11 (Minor issue, fix along with next CPU) CVE-2022-21625 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 8.0.31-1 (bug #1024016) CVE-2022-21624 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5335-1 DSA-5331-1} - openjdk-8 8u352-ga-1 - openjdk-11 11.0.17+8-1 - [buster] - openjdk-11 (Minor issue, fix along with next CPU) - openjdk-17 17.0.5+8-1 CVE-2022-21623 (Vulnerability in the Enterprise Manager Base Platform product of Oracl ...) NOT-FOR-US: Oracle 
@@ -96134,7 +96130,6 @@ CVE-2022-21619 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise E {DSA-5335-1 DSA-5331-1} - openjdk-8 8u352-ga-1 - openjdk-11 11.0.17+8-1 - [buster] - openjdk-11 (Minor issue, fix along with next CPU) - openjdk-17 17.0.5+8-1 CVE-2022-21618 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition ...) {DSA-5335-1} = data/DLA/list = @@ -1,3 +1,6 @@ +[06 Feb 2023] DLA-3307-1 openjdk-11 - security update + {CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843} + [buster] - openjdk-11 11.0.18+10-1~deb10u1 [01 Feb 2023] DLA-3306-1 python-django - security update {CVE-2023-23969} [buster] - python-django 1:1.11.29-1+deb10u6 = data/dla-needed.txt = @@ -196,10 +196,6 @@ openimageio NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- -openjdk-11 (Emilio) - NOTE: 20230123: Programming language: Java. - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git --- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05217da4e2f52e14a0191946f22bc24d9a54ecd2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05217da4e2f52e14a0191946f22bc24d9a54ecd2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: add spip to dla-needed.txt
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: daeeb120 by Emilio Pozuelo Monfort at 2023-02-06T15:55:58+01:00 LTS: add spip to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -318,6 +318,9 @@ sox (Helmut Grohne) NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut) -- +spip + NOTE: 20230206: Programming language: PHP. +-- sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daeeb120b4dda0e218fd4eb7b5830cfd46d7572a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daeeb120b4dda0e218fd4eb7b5830cfd46d7572a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] LTS: claim heimdal
Helmut Grohne pushed to branch master at Debian Security Tracker / security-tracker Commits: ead49fad by Helmut Grohne at 2023-02-06T13:41:16+01:00 LTS: claim heimdal - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -97,6 +97,8 @@ graphite-web (Chris Lamb) NOTE: 20221229: Programming language: Python. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/graphite-web.git -- +heimdal (Helmut Grohne) +-- imagemagick (Roberto C. Sánchez) NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead49fad3b3df5e559b3de0486e85473ac1d7cdc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead49fad3b3df5e559b3de0486e85473ac1d7cdc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] zabbix fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c2f6127 by Moritz Muehlenhoff at 2023-02-06T12:47:49+01:00 zabbix fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13979,7 +13979,7 @@ CVE-2022-4342 (An issue has been discovered in GitLab CE/EE affecting all versio CVE-2022-4341 (A vulnerability has been found in csliuwy coder-chain_gdut and classif ...) NOT-FOR-US: csliuwy coder-chain_gdut CVE-2022-46768 (Arbitrary file read vulnerability exists in Zabbix Web Service Report ...) - - zabbix (bug #1026847) + - zabbix 1:6.0.13+dfsg-1 (bug #1026847) [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22087 CVE-2022-46767 @@ -25990,7 +25990,7 @@ CVE-2022-43517 (A vulnerability has been identified in Simcenter STAR-CCM+ (All CVE-2022-43516 (A Firewall Rule which allows all incoming TCP connections to all progr ...) - zabbix (Specific to Windows) CVE-2022-43515 (Zabbix Frontend provides a feature that allows admins to maintain the ...) - - zabbix (bug #1026847) + - zabbix 1:6.0.13+dfsg-1 (bug #1026847) [bullseye] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-22050 CVE-2022-43514 (A vulnerability has been identified in Automation License Manager V5 ( ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c2f612734f89626224fb7346e2fdfdaef7cce07 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c2f612734f89626224fb7346e2fdfdaef7cce07 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 725c1659 by Moritz Muehlenhoff at 2023-02-06T12:46:49+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16945,7 +16945,7 @@ CVE-2022-45788 (A CWE-754: Improper Check for Unusual or Exceptional Conditions CVE-2022-45787 (Unproper laxist permissions on the temporary files used by MIME4J Temp ...) NOT-FOR-US: Apache James CVE-2022-45786 (There are issues with the AGE drivers for Golang and Python that enabl ...) - TODO: check + NOT-FOR-US: Apache AGE CVE-2022-4121 (In libetpan a null pointer dereference in mailimap_mailbox_data_status ...) {DLA-3261-1} - libetpan 1.9.4-3.1 (bug #1025120) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/725c1659c3cc3e5930cc981db23575fd50367ac5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/725c1659c3cc3e5930cc981db23575fd50367ac5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: take webkit2gtk
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f1b5cd3b by Emilio Pozuelo Monfort at 2023-02-06T09:38:03+01:00 lts: take webkit2gtk - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -338,8 +338,8 @@ trafficserver NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/trafficserver.git -- -webkit2gtk - NOTE: 20230203: Programming language: C+ +webkit2gtk (Emilio) + NOTE: 20230203: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/webkit2gtk.git -- wireshark (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1b5cd3b0dc015e80e8269885f30467fb954761b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1b5cd3b0dc015e80e8269885f30467fb954761b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d9ddbc94 by Moritz Muehlenhoff at 2023-02-06T09:36:15+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75360,7 +75360,7 @@ CVE-2022-21195 (All versions of package url-regex are vulnerable to Regular Expr CVE-2022-21192 (All versions of the package serve-lite are vulnerable to Directory Tra ...) TODO: check CVE-2022-21191 (Versions of the package global-modules-path before 3.0.0 are vulnerabl ...) - TODO: check + NOT-FOR-US: Node global-modules-path CVE-2022-21190 (This affects the package convict before 6.2.3. This is a bypass of [CV ...) NOT-FOR-US: Node convict CVE-2022-21189 (The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 4.0.0-al ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9ddbc94fb37c34efedcf9cc64bbd17c3f47e2d0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9ddbc94fb37c34efedcf9cc64bbd17c3f47e2d0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] puppet-module-puppetlabs-apt fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 93ad7f8c by Moritz Muehlenhoff at 2023-02-06T09:34:48+01:00 puppet-module-puppetlabs-apt fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -32186,7 +32186,7 @@ CVE-2022-3276 (Command injection is possible in the puppetlabs-mysql module prio NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/6f531ad85c22ceeb5076347e6998e1d25b056dfd (v13.0.0) NOTE: https://github.com/puppetlabs/puppetlabs-mysql/commit/e70e7fd130aaa2fe1cefe4ccb628b304ad3c180a (v13.0.0) CVE-2022-3275 (Command injection is possible in the puppetlabs-apt module prior to ve ...) - - puppet-module-puppetlabs-apt (bug #1023625) + - puppet-module-puppetlabs-apt 9.0.1-1 (bug #1023625) [bullseye] - puppet-module-puppetlabs-apt (Minor issue) [buster] - puppet-module-puppetlabs-apt (Minor issue, rare condition, follow buster status) NOTE: https://puppet.com/security/cve/CVE-2022-3275 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93ad7f8c0c8cb100e04dde798ea9891140397c63
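Review bot: the buster annotation kept in context, "[buster] - puppet-module-puppetlabs-apt (Minor issue, rare condition, follow buster status)", tells the buster entry to follow its own status, which is circular; if the intent was to defer to the bullseye decision on the line above it should read "follow bullseye status", and this commit is a convenient place to correct it since the entry is being touched anyway. The sid change itself is fine: the version 9.0.1-1 is added while the existing "(bug #1023625)" reference is preserved.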
[Git][security-tracker-team/security-tracker][master] ruby-rails-html-sanitizer fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 30285ea2 by Moritz Muehlenhoff at 2023-02-06T09:34:03+01:00 ruby-rails-html-sanitizer fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -83115,19 +83115,19 @@ CVE-2022-23521 (Git is distributed revision control system. gitattributes are a NOTE: https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579 NOTE: https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf CVE-2022-23520 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer (bug #1027153) + - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153) [buster] - ruby-rails-html-sanitizer (Minor issue) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8 CVE-2022-23519 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer (bug #1027153) + - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153) [buster] - ruby-rails-html-sanitizer (Minor issue can be fixed later) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h CVE-2022-23518 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) - - ruby-rails-html-sanitizer (bug #1027153) + - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153) NOTE: https://github.com/rails/rails-html-sanitizer/issues/135 NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML fragments in R ...) 
- - ruby-rails-html-sanitizer (bug #1027153) + - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153) [buster] - ruby-rails-html-sanitizer (Minor issue) NOTE: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w NOTE: https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30285ea217facef06892cd4e3ed6ec2b29be2f69
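Review bot: CVE-2022-23518 is the only one of the four entries updated to "ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)" that has no "[buster] - ruby-rails-html-sanitizer (...)" line, while CVE-2022-23520, CVE-2022-23519 and CVE-2022-23517 each carry one; if buster's package is affected by CVE-2022-23518 as well, add the matching buster annotation, otherwise a short note on why it is exempt would stop the next reader from asking the same question. Minor: the buster annotation on CVE-2022-23519, "(Minor issue can be fixed later)", reads better as "(Minor issue, can be fixed later)", matching the comma-separated style used for the other entries in the file (e.g. "Minor issue, rare condition").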
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 272931f4 by security tracker role at 2023-02-06T08:10:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2023-25198 + RESERVED +CVE-2023-25197 + RESERVED +CVE-2023-25196 + RESERVED +CVE-2023-25195 + RESERVED +CVE-2022-48314 + RESERVED +CVE-2022-48313 + RESERVED +CVE-2022-48312 + RESERVED CVE-2023-25194 RESERVED CVE-2022-4902 @@ -12,12 +26,12 @@ CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attack - harfbuzz (bug #1030612) [bullseye] - harfbuzz (Minor issue) NOTE: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc -CVE-2014-125086 - RESERVED -CVE-2014-125085 - RESERVED -CVE-2014-125084 - RESERVED +CVE-2014-125086 (A vulnerability has been found in Gimmie Plugin 1.2.2 and classified a ...) + TODO: check +CVE-2014-125085 (A vulnerability, which was classified as critical, was found in Gimmie ...) + TODO: check +CVE-2014-125084 (A vulnerability, which was classified as critical, has been found in G ...) + TODO: check CVE-2023-25192 RESERVED CVE-2023-25191 @@ -36,10 +50,10 @@ CVE-2023-0674 (A vulnerability, which was classified as problematic, has been fo NOT-FOR-US: XXL-JOB CVE-2023-0673 (A vulnerability classified as critical was found in SourceCodester Onl ...) NOT-FOR-US: SourceCodester Online Eyewear Shop -CVE-2017-20176 - RESERVED -CVE-2017-20175 - RESERVED +CVE-2017-20176 (A vulnerability classified as problematic was found in ciubotaru share ...) + TODO: check +CVE-2017-20175 (A vulnerability classified as problematic has been found in DaSchTour ...) + TODO: check CVE-2023-25189 RESERVED CVE-2023-25188 
@@ -11851,12 +11865,12 @@ CVE-2022-47454 RESERVED CVE-2022-47453 RESERVED -CVE-2022-47452 - RESERVED -CVE-2022-47451 - RESERVED -CVE-2022-47450 - RESERVED +CVE-2022-47452 (In gnss driver, there is a possible out of bounds write due to a missi ...) + TODO: check +CVE-2022-47451 (In wlan driver, there is a possible missing params check. This could l ...) + TODO: check +CVE-2022-47450 (In wlan driver, there is a possible missing permission check. This cou ...) + TODO: check CVE-2022-46732 (Even if the authentication fails for local service authentication, the ...) NOT-FOR-US: GE Digital CVE-2022-46660 (An unauthorized user could alter or write files with full control over ...) 
@@ -12389,42 +12403,42 @@ CVE-2019-25078 (A vulnerability classified as problematic was found in pacparser [buster] - pacparser (Minor issue) NOTE: https://github.com/manugarg/pacparser/issues/99 NOTE: https://github.com/manugarg/pacparser/commit/853e8f45607cb07b877ffd270c63dbcdd5201ad9 (v1.4.0) -CVE-2022-47371 - RESERVED -CVE-2022-47370 - RESERVED -CVE-2022-47369 - RESERVED -CVE-2022-47368 - RESERVED -CVE-2022-47367 - RESERVED -CVE-2022-47366 - RESERVED -CVE-2022-47365 - RESERVED -CVE-2022-47364 - RESERVED -CVE-2022-47363 - RESERVED +CVE-2022-47371 (In bt driver, there is a thread competition leads to early release of ...) + TODO: check +CVE-2022-47370 (In wlan driver, there is a possible missing params check. This could l ...) + TODO: check +CVE-2022-47369 (In wlan driver, there is a possible missing params check. This could l ...) + TODO: check +CVE-2022-47368 (In wlan driver, there is a possible missing params check. This could l ...) + TODO: check +CVE-2022-47367 (In bluetooth driver, there is a missing permission check. This could l ...) + TODO: check +CVE-2022-47366 (In wlan driver, there is a possible out of bounds write due to a missi ...) + TODO: check +CVE-2022-47365 (In wlan driver, there is a possible out of bounds write due to a missi ...) + TODO: check +CVE-2022-47364 (In wlan driver, there is a possible out of bounds write due to a missi ...) + TODO: check +CVE-2022-47363 (In wlan driver, there is a possible out of bounds read due to a missin ...) + TODO: check CVE-2022-47362 RESERVED -CVE-2022-47361 - RESERVED -CVE-2022-47360 - RESERVED -CVE-2022-47359 - RESERVED -CVE-2022-47358 - RESERVED -CVE-2022-47357 - RESERVED -CVE-2022-47356 - RESERVED -CVE-2022-47355 - RESERVED -CVE-2022-47354 - RESERVED +CVE-2022-47361 (In firewall service, there is a missing permission check. This could l ...) + TODO: check +CVE-2022-47360 (In log service, there is a missing permission check. This could lead t ...) 
+ TODO: check +CVE-2022-47359 (In log service, there is a mis
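Review bot: in the first hunk (@@ -1,3 +1,17 @@ and the following -12,12 and -36,10 ranges), the decade-old identifiers CVE-2014-125084, CVE-2014-125085 and CVE-2014-125086 ("Gimmie Plugin 1.2.2") and CVE-2017-20175 and CVE-2017-20176 ("DaSchTour ...", "ciubotaru share ...") only now received descriptions and were auto-marked "TODO: check"; they are one batch of late-assigned historical CVEs and should be triaged together in a single follow-up commit rather than left as five separate TODOs among the fresh 2023 RESERVED entries. The newly added RESERVED lines (CVE-2023-25195 through CVE-2023-25198, CVE-2022-48312 through CVE-2022-48314) need no action yet.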
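Review bot: the entries promoted from RESERVED to "TODO: check" in the @@ -11851,12 +11865,12 @@ and @@ -12389,42 +12403,42 @@ hunks (CVE-2022-47450 through CVE-2022-47452, and CVE-2022-47359 through CVE-2022-47371 except CVE-2022-47362, which stays RESERVED) all read "In gnss driver", "In wlan driver", "In bt driver", "In bluetooth driver", "In firewall service" or "In log service" with a missing params check, missing permission check or out-of-bounds read/write, i.e. one vendor batch; triage them as a group and, if they concern a vendor's own drivers and services with nothing shipped in Debian, mark them NOT-FOR-US in one commit instead of leaving more than a dozen individual TODO lines to be revisited one at a time.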