[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2260{4,5,6,7,8,9}/binutils

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e6b916e8 by Salvatore Bonaccorso at 2023-02-07T08:53:53+01:00
Add CVE-2023-2260{4,5,6,7,8,9}/binutils

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8122,16 +8122,40 @@ CVE-2023-22610 (A CWE-285: Improper Authorization 
vulnerability exists that coul
NOT-FOR-US: EcoStruxure Geo SCADA Expert
 CVE-2023-22609
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29948
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=a984f112b015b7d33c3c91230eb4c35695926539
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-22608
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29936
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=8af23b30edbaedf009bc9b243cd4dfa10ae1ac09
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-22607
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29914
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=42f39fdedcf3321cab9964945d3f5bca58967b80
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-22606
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29908
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=fa501b69309ccb03ec957101f24109ed7f737733
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-22605
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29893
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=956bc7a29fd952d709db29667b38f98cdd3db4c9
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-22604
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29872
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f58a399cf3f946983398cdfe52d0eaa72bf877
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-22603
RESERVED
- binutils 2.40-1 (unimportant)
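Review bot: the CVE-2023-22604 block cites upstream commit f2f58a399cf3f946983398cdfe52d0eaa72bf877 (binutils-2_40), which is the same commit recorded for CVE-2023-22603 in commit 3a219cd6 further down this page, while the bugzilla pointers differ (29872 here, 29870 there). Worth confirming against both bug reports that one commit really closes both issues, or correcting whichever NOTE is off. The rest of the hunk is internally consistent: 24 added lines for six four-line entries, and the unimportant rating plus the "binutils not covered by security support" NOTE matches the existing CVE-2023-22603 context line at the bottom.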



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b916e8744c9a84498e77ee54bfe1c43b8791dc

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b916e8744c9a84498e77ee54bfe1c43b8791dc
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2023-22603/binutils

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3a219cd6 by Salvatore Bonaccorso at 2023-02-07T08:47:16+01:00
Add CVE-2023-22603/binutils

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8134,6 +8134,10 @@ CVE-2023-22604
RESERVED
 CVE-2023-22603
RESERVED
+   - binutils 2.40-1 (unimportant)
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29870
+   NOTE: 
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=f2f58a399cf3f946983398cdfe52d0eaa72bf877
 (binutils-2_40)
+   NOTE: binutils not covered by security support
 CVE-2023-0054 (Out-of-bounds Write in GitHub repository vim/vim prior to 
9.0.1145. ...)
- vim 
[bullseye] - vim  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a219cd637b65b9c0b616e1f0e8c5a40b3f65b6e



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-23498/grafana

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5c9b4374 by Salvatore Bonaccorso at 2023-02-07T08:40:58+01:00
Add CVE-2022-23498/grafana

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -83823,7 +83823,7 @@ CVE-2022-23500 (TYPO3 is an open source PHP based web 
content management system.
 CVE-2022-23499 (HTML sanitizer is written in PHP, aiming to provide XSS-safe 
markup ba ...)
TODO: check
 CVE-2022-23498 (Grafana is an open-source platform for monitoring and 
observability. W ...)
-   TODO: check
+   - grafana 
 CVE-2022-23497 (FreshRSS is a free, self-hostable RSS aggregator. User 
configuration f ...)
NOT-FOR-US: FreshRSS
 CVE-2022-23496 (Yet Another UserAgent Analyzer (Yauaa) is a java library that 
tries to ...)
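Review bot: the added line "- grafana " carries neither a fixed version nor a status marker; in data/CVE/list an open issue is written with a version or the <unfixed> token, and the trailing space suggests the angle-bracket token was dropped when this mail was rendered (the same happens to "- vim " and "[bullseye] - vim  (Minor issue)" elsewhere on this page), so the committed line is probably correct but should be checked in the file itself. Separately, the entry now records only the unstable status; a [bullseye] line (no-dsa or a version) would close the triage for stable.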



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c9b437464133f82e90c80502a65ecbdef8560d2



[Git][security-tracker-team/security-tracker][master] CVE-2023-0415 (wireshark) is not affecting buster.

2023-02-06 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
97153541 by Tobias Frost at 2023-02-07T08:38:00+01:00
CVE-2023-0415 (wireshark) is not affecting buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3614,8 +3614,11 @@ CVE-2023-0415 (iSCSI dissector crash in Wireshark 4.0.0 
to 4.0.2 and 3.6.0 to 3.
 CVE-2023-0416 (GNW dissector crash in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 
3.6.10 an ...)
- wireshark 4.0.3-1
[bullseye] - wireshark  (Minor issue, fix along in future 
update)
+   [buster] - wireshark  (Vulnerable code introduced later)
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-04.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18779
+   NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/9322
+   NOTE: Vulnerable dissector introduced with 
https://gitlab.com/wireshark/wireshark/-/commit/a87e56aa79f62ba8967e63da9d408e464596cd85
 (first released with version 3.0.0)
 CVE-2023-0413 (Dissection engine bug in Wireshark 4.0.0 to 4.0.2 and 3.6.0 to 
3.6.10  ...)
- wireshark 4.0.3-1
[bullseye] - wireshark  (Minor issue, fix along in future 
update)
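Review bot: the commit message names CVE-2023-0415, but every added line sits under the CVE-2023-0416 (GNW dissector crash) entry; the iSCSI entry named in the message appears only as the hunk's function context. Either the message should read CVE-2023-0416, or the buster "Vulnerable code introduced later" line and the "first released with version 3.0.0" NOTE landed under the wrong CVE. The not-affected claim itself is well supported, since it names the commit a87e56aa79f62ba8967e63da9d408e464596cd85 that introduced the dissector, which is the right kind of evidence for excluding buster.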



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97153541089719fdacc65039d98517e310edf8f3



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3310-1 for xorg-server

2023-02-06 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5d05f77f by Thorsten Alteholz at 2023-02-07T08:19:59+01:00
Reserve DLA-3310-1 for xorg-server

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[07 Feb 2023] DLA-3310-1 xorg-server - security update
+   {CVE-2023-0494}
+   [buster] - xorg-server 2:1.20.4-1+deb10u8
 [06 Feb 2023] DLA-3309-1 graphite-web - security update
{CVE-2022-4728 CVE-2022-4729 CVE-2022-4730}
[buster] - graphite-web 1.1.4-3+deb10u2


=
data/dla-needed.txt
=
@@ -350,8 +350,6 @@ xfig (gladk)
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git
 --
-xorg-server (Thorsten Alteholz)
---
 xrdp
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d05f77f13519504677a83e87e99e0a2007bd2a6



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-20938/linux

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a21e4ab4 by Salvatore Bonaccorso at 2023-02-07T07:55:08+01:00
Add CVE-2023-20938/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21710,6 +21710,9 @@ CVE-2023-20939
RESERVED
 CVE-2023-20938
RESERVED
+   - linux 5.17.6-1
+   [bullseye] - linux 5.10.158-1
+   NOTE: https://source.android.com/docs/security/bulletin/2023-02-01
 CVE-2023-20937
RESERVED
 CVE-2023-20936
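Review bot: the entry states fixed versions (5.17.6-1 for unstable, 5.10.158-1 for bullseye) but its only reference is the Android security bulletin, so a reader cannot tell from the entry which upstream commit those versions carry. A NOTE pointing at the upstream fix, as the CVE-2023-20928 entry in commit 728807db does with its android.googlesource.com and project-zero links, would make the version claim checkable. There is also no [buster] line, so the status of the buster kernel is left open.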



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a21e4ab44ec8ec887e0ad8bbd38c84be79bfd6a6



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-0494/xorg-server

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e51b47c1 by Salvatore Bonaccorso at 2023-02-07T07:17:44+01:00
Add CVE-2023-0494/xorg-server

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2525,8 +2525,11 @@ CVE-2023-0496
RESERVED
 CVE-2023-0495
RESERVED
-CVE-2023-0494
+CVE-2023-0494 [Xi: fix potential use-after-free in DeepCopyPointerClasses]
RESERVED
+   - xorg-server 
+   NOTE: https://www.openwall.com/lists/oss-security/2023/02/07/1
+   NOTE: 
https://gitlab.freedesktop.org/xorg/xserver/commit/0ba6d8c37071131a49790243cdac55392ecf71ec
 CVE-2022-4897
RESERVED
 CVE-2023-24513
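Review bot: the entry records only "- xorg-server " (status token most likely stripped in rendering) together with the oss-security post and the upstream commit; there is no [bullseye] or [buster] line, so the stable and LTS decisions are not yet in the file. Commit 5d05f77f on this page reserves DLA-3310-1 (buster 2:1.20.4-1+deb10u8) for it, which settles buster; a bullseye line (DSA pending or no-dsa) is still missing. Keeping RESERVED as the description while adding the bracketed upstream commit subject is the usual placeholder until the CVE text is published.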



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e51b47c166500f6e13a8b11c750af166754be334



[Git][security-tracker-team/security-tracker][master] claim xorg-server

2023-02-06 Thread Thorsten Alteholz (@alteholz)


Thorsten Alteholz pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
280d8a2f by Thorsten Alteholz at 2023-02-07T07:02:19+01:00
claim xorg-server

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -350,6 +350,8 @@ xfig (gladk)
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/xfig.git
 --
+xorg-server (Thorsten Alteholz)
+--
 xrdp
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/280d8a2fbda2cb368dd83033dbfa72515edda5a6



[Git][security-tracker-team/security-tracker][master] Tentatively take apr-util and apr from dsa-needed list

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5957612b by Salvatore Bonaccorso at 2023-02-07T06:29:23+01:00
Tentatively take apr-util and apr from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -12,9 +12,9 @@ To pick an issue, simply add your uid behind it.
 If needed, specify the release by adding a slash after the name of the source 
package.
 
 --
-apr-util
+apr-util (carnil)
 --
-apr
+apr (carnil)
 --
 frr
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5957612bdb76428392dd24625b1a5b5ea42e54f4



[Git][security-tracker-team/security-tracker][master] Take haproxy from dsa-needed list

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7dfdeffe by Salvatore Bonaccorso at 2023-02-07T06:24:35+01:00
Take haproxy from dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -18,7 +18,7 @@ apr
 --
 frr
 --
-haproxy
+haproxy (carnil)
 --
 jupyter-core
   Maintainer asked for availability to prepare updates



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dfdeffea8a7234c2bb53e459659e9ad6eb688c3



[Git][security-tracker-team/security-tracker][master] add p0 reference

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
728807db by Moritz Muehlenhoff at 2023-02-06T22:58:48+01:00
add p0 reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21731,6 +21731,7 @@ CVE-2023-20928 (In binder_vma_close of binder.c, there 
is a possible use after f
[buster] - linux  (Vulnerable code not present)
NOTE: https://android.googlesource.com/kernel/common/+/201d5f4a3ec1
NOTE: https://source.android.com/docs/security/bulletin/2023-01-01
+   NOTE: https://bugs.chromium.org/p/project-zero/issues/detail?id=2374
 CVE-2023-20927
RESERVED
 CVE-2023-20926



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/728807db9973785b162da56180841e0f4e19c94b



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2022-42330/xen via unstable

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a81045a9 by Salvatore Bonaccorso at 2023-02-06T22:28:50+01:00
Track fixed version for CVE-2022-42330/xen via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29991,7 +29991,7 @@ CVE-2022-42332
 CVE-2022-42331
RESERVED
 CVE-2022-42330 (Guests can cause Xenstore crash via soft reset When a guest 
issues a " ...)
-   - xen  (bug #1029830)
+   - xen 4.17.0+24-g2f8851c37f-2 (bug #1029830)
[bullseye] - xen  (Only affects 4.17)
[buster] - xen  (Only affects 4.17)
NOTE: https://xenbits.xen.org/xsa/advisory-425.html



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81045a97f6c22c9fe14a807513f8769cef5eda0



[Git][security-tracker-team/security-tracker][master] Track fixed version for three fava issues fixed via unstable

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7c1252c by Salvatore Bonaccorso at 2023-02-06T22:25:38+01:00
Track fixed version for three fava issues fixed via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -44167,7 +44167,7 @@ CVE-2022-2590 (A race condition was found in the way 
the Linux kernel's memory s
NOTE: 
https://lore.kernel.org/all/b314c287-5fc2-9f61-53f6-33282a2be...@redhat.com/
NOTE: https://www.openwall.com/lists/oss-security/2022/08/08/1
 CVE-2022-2589 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
beancount/ ...)
-   - fava  (bug #1016971)
+   - fava 1.23.1-1 (bug #1016971)
[bullseye] - fava  (Minor issue)
[buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/8705800d-cf2f-433d-9c3e-dbef6a3f7e08/
@@ -45694,7 +45694,7 @@ CVE-2022-34859
 CVE-2022-33963
RESERVED
 CVE-2022-2523 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
beancount/ ...)
-   - fava  (bug #1016971)
+   - fava 1.23.1-1 (bug #1016971)
[bullseye] - fava  (Minor issue)
[buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/2a1802d8-1c2e-4919-96a7-d4dcf7ffcf8f
@@ -45851,7 +45851,7 @@ CVE-2022-33142 (Authenticated (subscriber+) Denial Of 
Service (DoS) vulnerabilit
 CVE-2022-2515 (The Simple Banner plugin for WordPress is vulnerable to Stored 
Cross-S ...)
NOT-FOR-US: Simple Banner plugin for WordPress
 CVE-2022-2514 (The time and filter parameters in Fava prior to v1.22 are 
vulnerable t ...)
-   - fava  (bug #1016971)
+   - fava 1.23.1-1 (bug #1016971)
[bullseye] - fava  (Minor issue)
[buster] - fava  (Minor issue)
NOTE: https://huntr.dev/bounties/dbf77139-4384-4dc5-9994-45a5e0747429



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7c1252c4de476d60d3550e5f807a99369ebdfde



[Git][security-tracker-team/security-tracker][master] LTS: Add meta-information

2023-02-06 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dcbc257 by Anton Gladky at 2023-02-06T22:15:14+01:00
LTS: Add meta-information

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -94,6 +94,9 @@ golang-yaml.v2
   NOTE: 20230125: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't).
 --
 heimdal (Helmut Grohne)
+  NOTE: 20230206: Programming language: C
+  NOTE: 20230206: Special attention: Do review patches, even those, coming 
from upstream.
+  NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/heimdal/
 --
 imagemagick (Roberto C. Sánchez)
   NOTE: 20220904: Programming language: C.
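Review bot: style nits in the added heimdal NOTE lines: "Programming language: C" lacks the trailing period used by the neighbouring entries ("Programming language: C." for imagemagick, "PHP." for spip), the VCS URL ends in a bare "/" where every other VCS note on this page ends in ".git", and "Do review patches, even those, coming from upstream." has a stray comma (read: "even those coming from upstream"). The special-attention note is useful and should stay.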
@@ -312,6 +315,8 @@ sox (Helmut Grohne)
 --
 spip
   NOTE: 20230206: Programming language: PHP.
+  NOTE: 20230206: Special attention: Please contact maintainer regarding VCS 
usage
+  NOTE: 20230206: VCS: https://salsa.debian.org/debian/spip.git
 --
 sssd
   NOTE: 20230131: Programming language: C.



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3dcbc2571082ea43963d86a583445ef8abf6a1c6



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3309-1 for graphite-web

2023-02-06 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c40a689c by Chris Lamb at 2023-02-06T13:05:52-08:00
Reserve DLA-3309-1 for graphite-web

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Feb 2023] DLA-3309-1 graphite-web - security update
+   {CVE-2022-4728 CVE-2022-4729 CVE-2022-4730}
+   [buster] - graphite-web 1.1.4-3+deb10u2
 [06 Feb 2023] DLA-3308-1 webkit2gtk - security update
{CVE-2022-42826 CVE-2023-23517 CVE-2023-23518}
[buster] - webkit2gtk 2.38.4-2~deb10u1


=
data/dla-needed.txt
=
@@ -93,10 +93,6 @@ golang-yaml.v2
   NOTE: 20230125: VCS: 
https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git
   NOTE: 20230125: Special attention: limited support; requires rebuilding 
reverse build dependencies (though recent bullseye updates didn't).
 --
-graphite-web (Chris Lamb)
-  NOTE: 20221229: Programming language: Python.
-  NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/graphite-web.git
---
 heimdal (Helmut Grohne)
 --
 imagemagick (Roberto C. Sánchez)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c40a689c4ef584c73fe2830210335380f3da112a



[Git][security-tracker-team/security-tracker][master] Add three new CVEs for zammad: CVE-2022-4802{1,2,3}

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
316b7987 by Salvatore Bonaccorso at 2023-02-06T22:02:06+01:00
Add three new CVEs for zammad: CVE-2022-4802{1,2,3}

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9167,11 +9167,11 @@ CVE-2022-48025
 CVE-2022-48024
RESERVED
 CVE-2022-48023 (Insufficient privilege verification in Zammad v5.3.0 allows an 
authent ...)
-   TODO: check
+   - zammad  (bug #841355)
 CVE-2022-48022 (An issue in the component /api/v1/mentions of Zammad v5.3.0 
allows aut ...)
-   TODO: check
+   - zammad  (bug #841355)
 CVE-2022-48021 (A vulnerability in Zammad v5.3.0 allows attackers to execute 
arbitrary ...)
-   TODO: check
+   - zammad  (bug #841355)
 CVE-2022-48020
RESERVED
 CVE-2022-48019 (The components wfshbr64.sys and wfshbr32.sys in Another Eden 
before v3 ...)
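Review bot: all three entries point at bug #841355; a Debian bug number in that range was filed in 2016, years before these 2022 CVEs, so it reads like the zammad ITP/RFP rather than a bug against a packaged version. If so, the tracker's ITP form ("- zammad <itp> (bug #841355)") is what is wanted; the double space before "(bug" suggests the angle-bracket token was simply stripped when this mail was rendered, so this is a check of the committed file rather than a required change.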



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/316b7987acd4c4b6460709a9586b74b18d4638a5



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
005711b1 by Salvatore Bonaccorso at 2023-02-06T22:01:26+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -604,7 +604,7 @@ CVE-2023-0687 (A vulnerability was found in GNU C Library 
2.38. It has been decl
NOTE: 
https://patchwork.sourceware.org/project/glibc/patch/20230204114138.5436-1-...@yuriev.ru/
TODO: check
 CVE-2023-0686 (A vulnerability was found in SourceCodester Online Eyewear Shop 
1.0. I ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Eyewear Shop
 CVE-2023-0685
RESERVED
 CVE-2023-0684
@@ -618,7 +618,7 @@ CVE-2023-0681
 CVE-2023-0680
RESERVED
 CVE-2023-0679 (A vulnerability was found in SourceCodester Canteen Management 
System  ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Canteen Management System
 CVE-2022-48316
RESERVED
 CVE-2022-48315
@@ -648,7 +648,7 @@ CVE-2023-25194
 CVE-2022-4902 (A vulnerability classified as problematic has been found in eXo 
Chat A ...)
TODO: check
 CVE-2020-36660 (A vulnerability was found in paxswill EVE Ship Replacement 
Program 0.1 ...)
-   TODO: check
+   NOT-FOR-US: paxswill EVE Ship Replacement Program
 CVE-2017-20177
RESERVED
 CVE-2015-10073
@@ -3295,29 +3295,29 @@ CVE-2023-24204
 CVE-2023-24203
RESERVED
 CVE-2023-24202 (Raffle Draw System v1.0 was discovered to contain a local file 
inclusi ...)
-   TODO: check
+   NOT-FOR-US: Raffle Draw System
 CVE-2023-24201 (Raffle Draw System v1.0 was discovered to contain a SQL 
injection vuln ...)
-   TODO: check
+   NOT-FOR-US: Raffle Draw System
 CVE-2023-24200 (Raffle Draw System v1.0 was discovered to contain a SQL 
injection vuln ...)
-   TODO: check
+   NOT-FOR-US: Raffle Draw System
 CVE-2023-24199 (Raffle Draw System v1.0 was discovered to contain a SQL 
injection vuln ...)
-   TODO: check
+   NOT-FOR-US: Raffle Draw System
 CVE-2023-24198 (Raffle Draw System v1.0 was discovered to contain multiple SQL 
injecti ...)
-   TODO: check
+   NOT-FOR-US: Raffle Draw System
 CVE-2023-24197 (Online Food Ordering System v2 was discovered to contain a SQL 
injecti ...)
-   TODO: check
+   NOT-FOR-US: Online Food Ordering System
 CVE-2023-24196
RESERVED
 CVE-2023-24195 (Online Food Ordering System v2 was discovered to contain a 
cross-site  ...)
-   TODO: check
+   NOT-FOR-US: Online Food Ordering System
 CVE-2023-24194 (Online Food Ordering System v2 was discovered to contain a 
cross-site  ...)
-   TODO: check
+   NOT-FOR-US: Online Food Ordering System
 CVE-2023-24193
RESERVED
 CVE-2023-24192 (Online Food Ordering System v2 was discovered to contain a 
cross-site  ...)
-   TODO: check
+   NOT-FOR-US: Online Food Ordering System
 CVE-2023-24191 (Online Food Ordering System v2 was discovered to contain a 
cross-site  ...)
-   TODO: check
+   NOT-FOR-US: Online Food Ordering System
 CVE-2023-24190
RESERVED
 CVE-2023-24189
@@ -4110,7 +4110,7 @@ CVE-2023-0402 (The Social Warfare plugin for WordPress is 
vulnerable to authoriz
 CVE-2023-0401
RESERVED
 CVE-2023-0400 (The protection bypass vulnerability in DLP for Windows 11.9.x 
is addre ...)
-   TODO: check
+   NOT-FOR-US: DLP for Windows
 CVE-2023-0399
RESERVED
 CVE-2023-0398 (Cross-Site Request Forgery (CSRF) in GitHub repository 
modoboa/modoboa ...)
@@ -7057,9 +7057,9 @@ CVE-2023-0126 (Pre-authentication path traversal 
vulnerability in SMA1000 firmwa
 CVE-2023-0125 (A vulnerability was found in Control iD Panel. It has been 
declared as ...)
NOT-FOR-US: Control iD Panel
 CVE-2023-0124 (Delta Electronics DOPSoft versions 4.00.16.22 and prior are 
vulnerable ...)
-   TODO: check
+   NOT-FOR-US: Delta Electronics DOPSoft
 CVE-2023-0123 (Delta Electronics DOPSoft versions 4.00.16.22 and prior are 
vulnerable ...)
-   TODO: check
+   NOT-FOR-US: Delta Electronics DOPSoft
 CVE-2022-48251 (** DISPUTED ** The AES instructions on the ARMv8 platform do 
not have  ...)
NOT-FOR-US: ARM hardware design issue
 CVE-2021-46871 (tag.ex in Phoenix Phoenix.HTML (aka phoenix_html) before 3.0.4 
allows  ...)
@@ -8883,9 +8883,9 @@ CVE-2022-48167
 CVE-2022-48166
RESERVED
 CVE-2022-48165 (An access control issue in the component 
/cgi-bin/ExportLogs.sh of Wav ...)
-   TODO: check
+   NOT-FOR-US: Wavlink
 CVE-2022-48164 (An access control issue in the component 
/cgi-bin/ExportLogs.sh of Wav ...)
-   TODO: check
+   NOT-FOR-US: Wavlink
 CVE-2022-48163
RESERVED
 CVE-2022-48162
@@ -8933,7 +8933,7 @@ CVE-2022-48142
 CVE-2022-48141
RESERVED
 CVE-2022-48140 (DedeCMS v5.7.97 was discovered to contain a cross-site 
scripting (XSS) ...)
-   TODO: check
+   NOT-FOR-US: D

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-0687/glibc

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56ed23ae by Salvatore Bonaccorso at 2023-02-06T21:56:29+01:00
Add CVE-2023-0687/glibc

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -599,6 +599,9 @@ CVE-2023-25200
 CVE-2023-25199
RESERVED
 CVE-2023-0687 (A vulnerability was found in GNU C Library 2.38. It has been 
declared  ...)
+   - glibc 
+   NOTE: https://sourceware.org/bugzilla/show_bug.cgi?id=29444
+   NOTE: 
https://patchwork.sourceware.org/project/glibc/patch/20230204114138.5436-1-...@yuriev.ru/
TODO: check
 CVE-2023-0686 (A vulnerability was found in SourceCodester Online Eyewear Shop 
1.0. I ...)
TODO: check
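Review bot: the entry gains "- glibc " (status token likely stripped in rendering) plus the bugzilla and patchwork references while "TODO: check" is kept, so severity and the bullseye/buster decision remain open; that is fine as an interim state, but the TODO should be resolved once the patchwork submission has been reviewed. The CVE text says "GNU C Library 2.38", which at the time of this commit was the unreleased development branch, so the affected-version claim needs checking against sourceware bug 29444 before any stable triage.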



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56ed23ae38153415465ca78e72cb9ca4a7fab99b



[Git][security-tracker-team/security-tracker][master] Process two NFUs

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c5fc4428 by Salvatore Bonaccorso at 2023-02-06T21:35:47+01:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3144,7 +3144,7 @@ CVE-2023-24278
 CVE-2023-24277
RESERVED
 CVE-2023-24276 (TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to 
contain a co ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-24275
RESERVED
 CVE-2023-24274
@@ -39718,7 +39718,7 @@ CVE-2022-2935 (The Image Hover Effects Ultimate plugin 
for WordPress is vulnerab
 CVE-2022-2934 (The Beaver Builder – WordPress Page Builder for WordPress 
is vul ...)
NOT-FOR-US: WordPress Page Builder
 CVE-2022-2933 (The 0mk Shortener plugin for WordPress is vulnerable to 
Cross-Site Req ...)
-   TODO: check
+   NOT-FOR-US: 0mk Shortener plugin for WordPress
 CVE-2022-2932 (Cross-site Scripting (XSS) - Reflected in GitHub repository 
bustle/mob ...)
NOT-FOR-US: Mobiledoc Kit
 CVE-2022-2931 (A potential DOS vulnerability was discovered in GitLab CE/EE 
affecting ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c5fc4428de2ffc4a2bf1119d94d0300e03cc1bf9



[Git][security-tracker-team/security-tracker][master] automatic update

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0a4a6839 by security tracker role at 2023-02-06T20:10:25+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,631 @@
+CVE-2023-25498
+   RESERVED
+CVE-2023-25497
+   RESERVED
+CVE-2023-25496
+   RESERVED
+CVE-2023-25495
+   RESERVED
+CVE-2023-25494
+   RESERVED
+CVE-2023-25493
+   RESERVED
+CVE-2023-25492
+   RESERVED
+CVE-2023-25491
+   RESERVED
+CVE-2023-25490
+   RESERVED
+CVE-2023-25489
+   RESERVED
+CVE-2023-25488
+   RESERVED
+CVE-2023-25487
+   RESERVED
+CVE-2023-25486
+   RESERVED
+CVE-2023-25485
+   RESERVED
+CVE-2023-25484
+   RESERVED
+CVE-2023-25483
+   RESERVED
+CVE-2023-25482
+   RESERVED
+CVE-2023-25481
+   RESERVED
+CVE-2023-25480
+   RESERVED
+CVE-2023-25479
+   RESERVED
+CVE-2023-25478
+   RESERVED
+CVE-2023-25477
+   RESERVED
+CVE-2023-25476
+   RESERVED
+CVE-2023-25475
+   RESERVED
+CVE-2023-25474
+   RESERVED
+CVE-2023-25473
+   RESERVED
+CVE-2023-25472
+   RESERVED
+CVE-2023-25471
+   RESERVED
+CVE-2023-25470
+   RESERVED
+CVE-2023-25469
+   RESERVED
+CVE-2023-25468
+   RESERVED
+CVE-2023-25467
+   RESERVED
+CVE-2023-25466
+   RESERVED
+CVE-2023-25465
+   RESERVED
+CVE-2023-25464
+   RESERVED
+CVE-2023-25463
+   RESERVED
+CVE-2023-25462
+   RESERVED
+CVE-2023-25461
+   RESERVED
+CVE-2023-25460
+   RESERVED
+CVE-2023-25459
+   RESERVED
+CVE-2023-25458
+   RESERVED
+CVE-2023-25457
+   RESERVED
+CVE-2023-25456
+   RESERVED
+CVE-2023-25455
+   RESERVED
+CVE-2023-25454
+   RESERVED
+CVE-2023-25453
+   RESERVED
+CVE-2023-25452
+   RESERVED
+CVE-2023-25451
+   RESERVED
+CVE-2023-25450
+   RESERVED
+CVE-2023-25449
+   RESERVED
+CVE-2023-25448
+   RESERVED
+CVE-2023-25447
+   RESERVED
+CVE-2023-25446
+   RESERVED
+CVE-2023-25445
+   RESERVED
+CVE-2023-25444
+   RESERVED
+CVE-2023-25443
+   RESERVED
+CVE-2023-25442
+   RESERVED
+CVE-2023-25441
+   RESERVED
+CVE-2023-25440
+   RESERVED
+CVE-2023-25439
+   RESERVED
+CVE-2023-25438
+   RESERVED
+CVE-2023-25437
+   RESERVED
+CVE-2023-25436
+   RESERVED
+CVE-2023-25435
+   RESERVED
+CVE-2023-25434
+   RESERVED
+CVE-2023-25433
+   RESERVED
+CVE-2023-25432
+   RESERVED
+CVE-2023-25431
+   RESERVED
+CVE-2023-25430
+   RESERVED
+CVE-2023-25429
+   RESERVED
+CVE-2023-25428
+   RESERVED
+CVE-2023-25427
+   RESERVED
+CVE-2023-25426
+   RESERVED
+CVE-2023-25425
+   RESERVED
+CVE-2023-25424
+   RESERVED
+CVE-2023-25423
+   RESERVED
+CVE-2023-25422
+   RESERVED
+CVE-2023-25421
+   RESERVED
+CVE-2023-25420
+   RESERVED
+CVE-2023-25419
+   RESERVED
+CVE-2023-25418
+   RESERVED
+CVE-2023-25417
+   RESERVED
+CVE-2023-25416
+   RESERVED
+CVE-2023-25415
+   RESERVED
+CVE-2023-25414
+   RESERVED
+CVE-2023-25413
+   RESERVED
+CVE-2023-25412
+   RESERVED
+CVE-2023-25411
+   RESERVED
+CVE-2023-25410
+   RESERVED
+CVE-2023-25409
+   RESERVED
+CVE-2023-25408
+   RESERVED
+CVE-2023-25407
+   RESERVED
+CVE-2023-25406
+   RESERVED
+CVE-2023-25405
+   RESERVED
+CVE-2023-25404
+   RESERVED
+CVE-2023-25403
+   RESERVED
+CVE-2023-25402
+   RESERVED
+CVE-2023-25401
+   RESERVED
+CVE-2023-25400
+   RESERVED
+CVE-2023-25399
+   RESERVED
+CVE-2023-25398
+   RESERVED
+CVE-2023-25397
+   RESERVED
+CVE-2023-25396
+   RESERVED
+CVE-2023-25395
+   RESERVED
+CVE-2023-25394
+   RESERVED
+CVE-2023-25393
+   RESERVED
+CVE-2023-25392
+   RESERVED
+CVE-2023-25391
+   RESERVED
+CVE-2023-25390
+   RESERVED
+CVE-2023-25389
+   RESERVED
+CVE-2023-25388
+   RESERVED
+CVE-2023-25387
+   RESERVED
+CVE-2023-25386
+   RESERVED
+CVE-2023-25385
+   RESERVED
+CVE-2023-25384
+   RESERVED
+CVE-2023-25383
+   RESERVED
+CVE-2023-25382
+   RESERVED
+CVE-2023-25381
+   RESERVED
+CVE-2023-25380
+   RESERVED
+CVE-2023-25379
+   RESERVED
+CVE-2023-25378
+   RESERVED
+CVE-2023-25377
+   RESERVED
+CVE-2023-25376
+   RESERVED
+CVE-2023-25375
+   RESERVED
+CVE-2023-25374
+   RESERVED
+CVE-2023-25373
+   RESERVED
+CVE-2023-25372
+   RESERVED
+CVE-2023-25371
+   RESERVED
+CVE-2023-25370
+   RESERVED
+CVE-2023-25369
+   RESERVED
+CVE-2023-25368
+   RESERVED
+CVE-2023-25367
+   RESERVED
+CVE-2023-25366
+   RESERVED
+CVE-2023-25365
+   RESERVED
+CVE-2023-25364
+   RESERVED
+CVE-2023-25363
+   RESERVED
+CVE-2023-25362
+   RESERVED
+CVE-2023-25361
+   RESERVED
+CVE-2023-25360
+   RESERVED
+CVE-2023-25359
+   RESERVED
+CVE-2023-25358
+   RESE

[Git][security-tracker-team/security-tracker][master] Update information for CVE-2021-23385/flask-security

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a37aca57 by Salvatore Bonaccorso at 2023-02-06T21:05:47+01:00
Update information for CVE-2021-23385/flask-security

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -151069,10 +151069,14 @@ CVE-2021-23387 (The package trailing-slash before 
2.0.1 are vulnerable to Open R
 CVE-2021-23386 (This affects the package dns-packet before 5.2.2. It creates 
buffers w ...)
NOT-FOR-US: Node dns-packet
 CVE-2021-23385 (This affects all versions of package Flask-Security. When 
using the ge ...)
-   - flask-security  (bug #1021279)
+   - flask-security 5.0.2-1 (bug #1021279)
[bullseye] - flask-security  (Minor issue)
[buster] - flask-security  (Minor issue)
NOTE: https://security.snyk.io/vuln/SNYK-PYTHON-FLASKSECURITY-1293234
+   NOTE: https://github.com/Flask-Middleware/flask-security/issues/724
+   NOTE: https://github.com/Flask-Middleware/flask-security/issues/486
+   NOTE: 
https://github.com/Flask-Middleware/flask-security/security/advisories/GHSA-6qmf-fj6m-686c
+   NOTE: 
https://github.com/Flask-Middleware/flask-security/commit/e39bb04615050448c1b8ba4caa7dacc0edd3e405
 (4.1.0)
 CVE-2021-23384 (The package koa-remove-trailing-slashes before 2.0.2 are 
vulnerable to ...)
NOT-FOR-US: Node koa-remove-trailing-slashes before
 CVE-2021-23383 (The package handlebars before 4.7.7 are vulnerable to 
Prototype Pollut ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a37aca57c89ce1033a4e44d326b20e27bd2fa72b



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3308-1 for webkit2gtk

2023-02-06 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
38ec7eba by Emilio Pozuelo Monfort at 2023-02-06T20:02:38+01:00
Reserve DLA-3308-1 for webkit2gtk

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Feb 2023] DLA-3308-1 webkit2gtk - security update
+   {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518}
+   [buster] - webkit2gtk 2.38.4-2~deb10u1
 [06 Feb 2023] DLA-3307-1 openjdk-11 - security update
{CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 
CVE-2022-39399 CVE-2023-21835 CVE-2023-21843}
[buster] - openjdk-11 11.0.18+10-1~deb10u1


=
data/dla-needed.txt
=
@@ -339,10 +339,6 @@ trafficserver
NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) 
suggest CVE-2022-31779 may have already been investigated. (lamby)
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/trafficserver.git
 --
-webkit2gtk (Emilio)
-  NOTE: 20230203: Programming language: C++.
-  NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/webkit2gtk.git
---
 wireshark (tobi)
   NOTE: 20230123: Programming language: C.
   NOTE: 20230123: 7 new CVEs + 3 postponed ones. Would be good to not let them 
pile up like last time. (utkarsh).



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/38ec7eba5eca04d3be2a64ab6cd76909f1e860c9



[Git][security-tracker-team/security-tracker][master] NFUs

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
00d88108 by Moritz Muehlenhoff at 2023-02-06T17:52:59+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -27,11 +27,11 @@ CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz 
through 6.0.0 allows attack
[bullseye] - harfbuzz  (Minor issue)
NOTE: 
https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc
 CVE-2014-125086 (A vulnerability has been found in Gimmie Plugin 1.2.2 and 
classified a ...)
-   TODO: check
+   NOT-FOR-US: Gimmie
 CVE-2014-125085 (A vulnerability, which was classified as critical, was found 
in Gimmie ...)
-   TODO: check
+   NOT-FOR-US: Gimmie
 CVE-2014-125084 (A vulnerability, which was classified as critical, has been 
found in G ...)
-   TODO: check
+   NOT-FOR-US: Gimmie
 CVE-2023-25192
RESERVED
 CVE-2023-25191
@@ -51,9 +51,9 @@ CVE-2023-0674 (A vulnerability, which was classified as 
problematic, has been fo
 CVE-2023-0673 (A vulnerability classified as critical was found in 
SourceCodester Onl ...)
NOT-FOR-US: SourceCodester Online Eyewear Shop
 CVE-2017-20176 (A vulnerability classified as problematic was found in 
ciubotaru share ...)
-   TODO: check
+   NOT-FOR-US: share-on-diaspora
 CVE-2017-20175 (A vulnerability classified as problematic has been found in 
DaSchTour  ...)
-   TODO: check
+   NOT-FOR-US: Mamoto extension for MediaWiki
 CVE-2023-25189
RESERVED
 CVE-2023-25188
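Review bot: `NOT-FOR-US: Mamoto extension for MediaWiki` for CVE-2017-20175 looks like a typo; the DaSchTour project named in the truncated description is the Matomo extension for MediaWiki, so the marker should read `NOT-FOR-US: Matomo extension for MediaWiki`. Keeping the upstream name spelled consistently matters here because NOT-FOR-US markers are what later triage greps against when the same upstream gets another CVE.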
@@ -324,9 +324,9 @@ CVE-2019-25101 (A vulnerability classified as critical has 
been found in OnShift
 CVE-2018-25080 (A vulnerability, which was classified as problematic, has been 
found i ...)
NOT-FOR-US: MobileDetect
 CVE-2018-25079 (A vulnerability was found in Segmentio is-url up to 1.2.2. It 
has been ...)
-   TODO: check
+   NOT-FOR-US: Node is-url
 CVE-2015-10072 (A vulnerability classified as problematic was found in NREL 
api-umbrel ...)
-   TODO: check
+   NOT-FOR-US: api-umbrella-web
 CVE-2013-10018 (A vulnerability was found in fanzila WebFinance 0.5. It has 
been decla ...)
NOT-FOR-US: fanzila WebFinance
 CVE-2013-10017 (A vulnerability was found in fanzila WebFinance 0.5. It has 
been class ...)
@@ -1467,7 +1467,7 @@ CVE-2023-24612 (The PdfBook extension through 2.0.5 
before b07b6a64 for MediaWik
 CVE-2023-24611
RESERVED
 CVE-2023-24610 (NOSH 4a5cfdb allows remote authenticated users to execute PHP 
arbitrar ...)
-   TODO: check
+   NOT-FOR-US: NOSH
 CVE-2023-24609
RESERVED
 CVE-2023-24608
@@ -3312,7 +3312,7 @@ CVE-2023-23942
 CVE-2023-23941 (SwagPayPal is a PayPal integration for shopware/platform. If 
JavaScrip ...)
NOT-FOR-US: SwagPayPal
 CVE-2023-23940 (OpenZeppelin Contracts for Cairo is a library for secure smart 
contrac ...)
-   TODO: check
+   NOT-FOR-US: OpenZeppelin Contracts
 CVE-2023-23939
RESERVED
 CVE-2023-23938
@@ -3328,7 +3328,7 @@ CVE-2023-23934
 CVE-2023-23933 (OpenSearch Anomaly Detection identifies atypical data and 
receives aut ...)
NOT-FOR-US: OpenSearch Anomaly Detection
 CVE-2023-23932 (OpenDDS is an open source C++ implementation of the Object 
Management  ...)
-   TODO: check
+   NOT-FOR-US: OpenDDS
 CVE-2023-23931
RESERVED
 CVE-2023-23930
@@ -3342,7 +3342,7 @@ CVE-2023-23927
 CVE-2023-23926
RESERVED
 CVE-2023-23925 (Switcher Client is a JavaScript SDK to work with Switcher API 
which is ...)
-   TODO: check
+   NOT-FOR-US: Switcher
 CVE-2023-23924 (Dompdf is an HTML to PDF converter. The URI validation on 
dompdf 2.0.1 ...)
- php-dompdf  (Vulnerable code not in any Debian released 
version)
NOTE: 
https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
@@ -5639,9 +5639,9 @@ CVE-2023-23122
 CVE-2023-23121
RESERVED
 CVE-2023-23120 (The use of the cyclic redundancy check (CRC) algorithm for 
integrity c ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2023-23119 (The use of the cyclic redundancy check (CRC) algorithm for 
integrity c ...)
-   TODO: check
+   NOT-FOR-US: TRENDnet
 CVE-2023-23118
RESERVED
 CVE-2023-23117
@@ -5659,7 +5659,7 @@ CVE-2023-23112
 CVE-2023-23111
RESERVED
 CVE-2023-23110 (An exploitable firmware modification vulnerability was 
discovered in c ...)
-   TODO: check
+   NOT-FOR-US: Netgear
 CVE-2023-23109
RESERVED
 CVE-2023-23108
@@ -5756,9 +5756,9 @@ CVE-2013-10010 (A vulnerability classified as problematic 
has been found in zero
 CVE-2023-23088 (Buffer OverFlow Vulnerability in Barenboim json-parser master 
and v1.1 ...)
TODO: check
 CVE-2023-23087 (An issue was found in MojoJson v1.2.3 allows attackers to 
execute arbi ...)
-   TODO: check
+   NOT-FOR-US: MojoJson
 CVE-2023-23086 (Buffer OverFlow

[Git][security-tracker-team/security-tracker][master] CVE-2023-0414 (wireshark) is not affecting buster.

2023-02-06 Thread Tobias Frost (@tobi)


Tobias Frost pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d895a354 by Tobias Frost at 2023-02-06T17:23:27+01:00
CVE-2023-0414 (wireshark) is not affecting buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2995,8 +2995,10 @@ CVE-2023-0417 (Memory leak in the NFS dissector in 
Wireshark 4.0.0 to 4.0.2 and
 CVE-2023-0414 (Crash in the EAP dissector in Wireshark 4.0.0 to 4.0.2 allows 
denial o ...)
- wireshark 4.0.3-1
[bullseye] - wireshark  (Minor issue, fix along in future 
update)
+   [buster] - wireshark  (Vulnerable code introduced later)
NOTE: https://www.wireshark.org/security/wnpa-sec-2023-01.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/18622
+   NOTE: introduced by 
https://gitlab.com/wireshark/wireshark/-/merge_requests/6838
 CVE-2023-24059 (Grand Theft Auto V for PC allows attackers to achieve partial 
remote c ...)
NOT-FOR-US: Grand Theft Auto V for PC
 CVE-2023-24058 (Booked Scheduler 2.5.5 allows authenticated users to create 
and schedu ...)
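Review bot: the added `[buster] - wireshark  (Vulnerable code introduced later)` line shows a blank where the release status token belongs; verify that it is `<not-affected>` in the repository, since the parenthetical reason alone does not set the buster status. The accompanying `NOTE: introduced by https://gitlab.com/wireshark/wireshark/-/merge_requests/6838` is the right kind of evidence for that claim and matches the commit message, so the only thing to double-check is the token.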



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d895a3545db0922eb4b1706de2f1a5a204973c55



[Git][security-tracker-team/security-tracker][master] bullseye triage

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
891d9dab by Moritz Muehlenhoff at 2023-02-06T16:53:15+01:00
bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -526,10 +526,11 @@ CVE-2023-25002
 CVE-2023-25001
RESERVED
 CVE-2023-0634 (An uncontrolled process operation was found in the newgrp 
command prov ...)
-   - shadow 
+   - shadow  (unimportant)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2166544
NOTE: https://github.com/shadow-maint/shadow/pull/642
NOTE: 
https://github.com/shadow-maint/shadow/commit/62172f6fb51519a8cf56e35e4ce2b76cc301a7fc
+   NOTE: Crash in CLI tool, no security impact
 CVE-2023-0633
RESERVED
 CVE-2023-0632
@@ -27436,6 +27437,7 @@ CVE-2022-3561 (Cross-site Scripting (XSS) - Generic in 
GitHub repository librenm
NOT-FOR-US: LibreNMS
 CVE-2022-3560 (A flaw was found in pesign. The pesign package provides a 
systemd serv ...)
- pesign  (bug #1030168)
+   [bullseye] - pesign  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/01/31/6
NOTE: https://www.openwall.com/lists/oss-security/2023/02/01/2
NOTE: 
https://github.com/rhboot/pesign/commit/d8a8c259994d0278c59b30b41758a8dd0abff998
 (116)
@@ -78149,10 +78151,12 @@ CVE-2022-24896 (Tuleap is a Free & Open Source 
Suite to manage software deve
NOT-FOR-US: Tuleap
 CVE-2022-24895 (Symfony is a PHP framework for web and console applications 
and a set  ...)
- symfony 5.4.20+dfsg-1
+   [bullseye] - symfony  (Minor issue)
NOTE: 
https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m
NOTE: 
https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4
 CVE-2022-24894 (Symfony is a PHP framework for web and console applications 
and a set  ...)
- symfony 5.4.20+dfsg-1
+   [bullseye] - symfony  (Minor issue)
NOTE: 
https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
NOTE: 
https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
 CVE-2022-24893 (ESP-IDF is the official development framework for Espressif 
SoCs. In E ...)


=
data/dsa-needed.txt
=
@@ -11,9 +11,15 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+apr-util
+--
+apr
 --
 frr
 --
+haproxy
+--
 jupyter-core
   Maintainer asked for availability to prepare updates
 --
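Review bot: `apr-util`, `apr` and `haproxy` are added to dsa-needed.txt as bare entries with no note line, whereas the neighbouring `jupyter-core` entry records why it is waiting. A one-line note under each new entry naming the CVE(s) that make it DSA-worthy, and whether an upstream fix is already available, would let whoever picks the entry up start from the triage already done instead of repeating it.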



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/891d9dab823803c5fa72786a7d4f30558b57b1de



[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5340-1 and wpewebkit DSA-5341-1

2023-02-06 Thread Alberto Garcia (@berto)


Alberto Garcia pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1634dc77 by Alberto Garcia at 2023-02-06T16:32:30+01:00
webkit2gtk DSA-5340-1 and wpewebkit DSA-5341-1

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,9 @@
+[06 Feb 2023] DSA-5341-1 wpewebkit - security update
+   {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518}
+   [bullseye] - wpewebkit 2.38.4-1~deb11u1
+[06 Feb 2023] DSA-5340-1 webkit2gtk - security update
+   {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518}
+   [bullseye] - webkit2gtk 2.38.4-2~deb11u1
 [05 Feb 2023] DSA-5339-1 libhtml-stripscripts-perl - security update
{CVE-2023-24038}
[bullseye] - libhtml-stripscripts-perl 1.06-1+deb11u1


=
data/dsa-needed.txt
=
@@ -57,10 +57,6 @@ thunderbird (jmm)
 --
 tiff (aron)
 --
-webkit2gtk (berto)
---
-wpewebkit (berto)
---
 xrdp
   needs some additional clarification, tentatively DSA worthy
   maybe upgrade to 0.9.21 within bullseye?



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1634dc77e8c0db4afcda97317740f1174f3434a8



[Git][security-tracker-team/security-tracker][master] lts: CVE-2023-23456/upx-ucl no-dsa on buster

2023-02-06 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8a60123f by Emilio Pozuelo Monfort at 2023-02-06T16:13:06+01:00
lts: CVE-2023-23456/upx-ucl no-dsa on buster

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4870,6 +4870,7 @@ CVE-2023-23457 (A Segmentation fault was found in UPX in 
PackLinuxElf64::invert_
NOTE: https://github.com/upx/upx/issues/631
 CVE-2023-23456 (A heap-based buffer overflow issue was discovered in UPX in 
PackTmt::p ...)
- upx-ucl 
+   [buster] - upx-ucl  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160381
NOTE: 
https://github.com/upx/upx/commit/510505a85cbe45e51fbd470f1aa8b02157c429d4
NOTE: https://github.com/upx/upx/issues/632



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a60123fe610935441a5deff6325b05f2b23b893



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3307-1 for openjdk-11

2023-02-06 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
05217da4 by Emilio Pozuelo Monfort at 2023-02-06T15:57:55+01:00
Reserve DLA-3307-1 for openjdk-11

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -36748,7 +36748,6 @@ CVE-2022-39400 (Vulnerability in the MySQL Server 
product of Oracle MySQL (compo
 CVE-2022-39399 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
{DSA-5335-1 DSA-5331-1}
- openjdk-11 11.0.17+8-1
-   [buster] - openjdk-11  (Minor issue, fix along with next CPU)
- openjdk-17 17.0.5+8-1
 CVE-2022-39398 (tasklists is a tasklists plugin for GLPI (Kanban). Versions 
prior to 2 ...)
NOT-FOR-US: GLPI plugin
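Review bot: this hunk, and the three that follow it for CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619, drops the `[buster] - openjdk-11  (Minor issue, fix along with next CPU)` line while leaving the `{DSA-5335-1 DSA-5331-1}` reference set unchanged. That is correct only if the buster fixed version 11.0.18+10-1~deb10u1 is taken from the new DLA-3307-1 entry in data/DLA/list; after pushing, check that the tracker reports buster as fixed for these five CVEs rather than as unfixed, and confirm that CVE-2023-21835 and CVE-2023-21843, which the DLA also lists, need no matching cleanup in data/CVE/list.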
@@ -96102,7 +96101,6 @@ CVE-2022-21628 (Vulnerability in the Oracle Java SE, 
Oracle GraalVM Enterprise E
{DSA-5335-1 DSA-5331-1}
- openjdk-8 8u352-ga-1
- openjdk-11 11.0.17+8-1
-   [buster] - openjdk-11  (Minor issue, fix along with next CPU)
- openjdk-17 17.0.5+8-1
 CVE-2022-21627 (Vulnerability in the Oracle VM VirtualBox product of Oracle 
Virtualiza ...)
- virtualbox 6.1.40-dfsg-1
@@ -96111,14 +96109,12 @@ CVE-2022-21626 (Vulnerability in the Oracle Java SE, 
Oracle GraalVM Enterprise E
{DSA-5331-1}
- openjdk-8 8u352-ga-1
- openjdk-11 11.0.17+8-1
-   [buster] - openjdk-11  (Minor issue, fix along with next CPU)
 CVE-2022-21625 (Vulnerability in the MySQL Server product of Oracle MySQL 
(component:  ...)
- mysql-8.0 8.0.31-1 (bug #1024016)
 CVE-2022-21624 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
{DSA-5335-1 DSA-5331-1}
- openjdk-8 8u352-ga-1
- openjdk-11 11.0.17+8-1
-   [buster] - openjdk-11  (Minor issue, fix along with next CPU)
- openjdk-17 17.0.5+8-1
 CVE-2022-21623 (Vulnerability in the Enterprise Manager Base Platform product 
of Oracl ...)
NOT-FOR-US: Oracle
@@ -96134,7 +96130,6 @@ CVE-2022-21619 (Vulnerability in the Oracle Java SE, 
Oracle GraalVM Enterprise E
{DSA-5335-1 DSA-5331-1}
- openjdk-8 8u352-ga-1
- openjdk-11 11.0.17+8-1
-   [buster] - openjdk-11  (Minor issue, fix along with next CPU)
- openjdk-17 17.0.5+8-1
 CVE-2022-21618 (Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise 
Edition ...)
{DSA-5335-1}


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[06 Feb 2023] DLA-3307-1 openjdk-11 - security update
+   {CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 
CVE-2022-39399 CVE-2023-21835 CVE-2023-21843}
+   [buster] - openjdk-11 11.0.18+10-1~deb10u1
 [01 Feb 2023] DLA-3306-1 python-django - security update
{CVE-2023-23969}
[buster] - python-django 1:1.11.29-1+deb10u6


=
data/dla-needed.txt
=
@@ -196,10 +196,6 @@ openimageio
   NOTE: 20221225: Programming language: C.
   NOTE: 20221225: VCS: 
https://salsa.debian.org/lts-team/packages/openimageio.git
 --
-openjdk-11 (Emilio)
-  NOTE: 20230123: Programming language: Java.
-  NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/openjdk-11.git
---
 php-cas
   NOTE: 20221105: Programming language: PHP.
   NOTE: 20221105: The fix is not backwards compatible. Should be investigated 
further whether this issue should be solved or ignored.. (ola)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/05217da4e2f52e14a0191946f22bc24d9a54ecd2



[Git][security-tracker-team/security-tracker][master] LTS: add spip to dla-needed.txt

2023-02-06 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
daeeb120 by Emilio Pozuelo Monfort at 2023-02-06T15:55:58+01:00
LTS: add spip to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -318,6 +318,9 @@ sox (Helmut Grohne)
   NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/sox.git
   NOTE: 20230127: There is no point in dealing with sox. No upstream commit in 
1.5 years. No answer to Enrico's upstream ticket. RedHat issued notabug. 
Unfixed in stable and unstable. Don't run sox on untrusted input. (Helmut)
 --
+spip
+  NOTE: 20230206: Programming language: PHP.
+--
 sssd
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daeeb120b4dda0e218fd4eb7b5830cfd46d7572a



[Git][security-tracker-team/security-tracker][master] LTS: claim heimdal

2023-02-06 Thread Helmut Grohne (@helmutg)


Helmut Grohne pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ead49fad by Helmut Grohne at 2023-02-06T13:41:16+01:00
LTS: claim heimdal

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -97,6 +97,8 @@ graphite-web (Chris Lamb)
   NOTE: 20221229: Programming language: Python.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/graphite-web.git
 --
+heimdal (Helmut Grohne)
+--
 imagemagick (Roberto C. Sánchez)
   NOTE: 20220904: Programming language: C.
   NOTE: 20220904: VCS: 
https://salsa.debian.org/lts-team/packages/imagemagick.git



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ead49fad3b3df5e559b3de0486e85473ac1d7cdc



[Git][security-tracker-team/security-tracker][master] zabbix fixed in sid

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9c2f6127 by Moritz Muehlenhoff at 2023-02-06T12:47:49+01:00
zabbix fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13979,7 +13979,7 @@ CVE-2022-4342 (An issue has been discovered in GitLab 
CE/EE affecting all versio
 CVE-2022-4341 (A vulnerability has been found in csliuwy coder-chain_gdut and 
classif ...)
NOT-FOR-US: csliuwy coder-chain_gdut
 CVE-2022-46768 (Arbitrary file read vulnerability exists in Zabbix Web Service 
Report  ...)
-   - zabbix  (bug #1026847)
+   - zabbix 1:6.0.13+dfsg-1 (bug #1026847)
[bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22087
 CVE-2022-46767
@@ -25990,7 +25990,7 @@ CVE-2022-43517 (A vulnerability has been identified in 
Simcenter STAR-CCM+ (All
 CVE-2022-43516 (A Firewall Rule which allows all incoming TCP connections to 
all progr ...)
- zabbix  (Specific to Windows)
 CVE-2022-43515 (Zabbix Frontend provides a feature that allows admins to 
maintain the  ...)
-   - zabbix  (bug #1026847)
+   - zabbix 1:6.0.13+dfsg-1 (bug #1026847)
[bullseye] - zabbix  (Minor issue)
NOTE: https://support.zabbix.com/browse/ZBX-22050
 CVE-2022-43514 (A vulnerability has been identified in Automation License 
Manager V5 ( ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c2f612734f89626224fb7346e2fdfdaef7cce07



[Git][security-tracker-team/security-tracker][master] NFU

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
725c1659 by Moritz Muehlenhoff at 2023-02-06T12:46:49+01:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16945,7 +16945,7 @@ CVE-2022-45788 (A CWE-754: Improper Check for Unusual 
or Exceptional Conditions
 CVE-2022-45787 (Unproper laxist permissions on the temporary files used by 
MIME4J Temp ...)
NOT-FOR-US: Apache James
 CVE-2022-45786 (There are issues with the AGE drivers for Golang and Python 
that enabl ...)
-   TODO: check
+   NOT-FOR-US: Apache AGE
 CVE-2022-4121 (In libetpan a null pointer dereference in 
mailimap_mailbox_data_status ...)
{DLA-3261-1}
- libetpan 1.9.4-3.1 (bug #1025120)
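Review bot: the NOT-FOR-US label on CVE-2022-45786 names the whole project ("Apache AGE"), while the description places the issue in the AGE drivers for Golang and Python; naming the component (e.g. "Apache AGE Golang/Python drivers") would make it clear that the drivers, not the graph extension itself, were what was checked against the archive.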



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/725c1659c3cc3e5930cc981db23575fd50367ac5



[Git][security-tracker-team/security-tracker][master] lts: take webkit2gtk

2023-02-06 Thread Emilio Pozuelo Monfort (@pochu)


Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f1b5cd3b by Emilio Pozuelo Monfort at 2023-02-06T09:38:03+01:00
lts: take webkit2gtk

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -338,8 +338,8 @@ trafficserver
NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) 
suggest CVE-2022-31779 may have already been investigated. (lamby)
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/trafficserver.git
 --
-webkit2gtk
-   NOTE: 20230203: Programming language: C+
+webkit2gtk (Emilio)
+  NOTE: 20230203: Programming language: C++.
   NOTE: 20230206: VCS: 
https://salsa.debian.org/lts-team/packages/webkit2gtk.git
 --
 wireshark (tobi)
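Review bot: the replacement NOTE line is indented with two spaces ("+  NOTE: 20230203: Programming language: C++."), while the removed line and the neighbouring VCS NOTE use the deeper indent seen on the unchanged context lines; check that the whitespace matches the file's convention so the line is still read as part of the webkit2gtk entry. The "C+" to "C++." typo fix and the "(Emilio)" claim marker on the package line are fine.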



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1b5cd3b0dc015e80e8269885f30467fb954761b



[Git][security-tracker-team/security-tracker][master] NFU

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9ddbc94 by Moritz Muehlenhoff at 2023-02-06T09:36:15+01:00
NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -75360,7 +75360,7 @@ CVE-2022-21195 (All versions of package url-regex are 
vulnerable to Regular Expr
 CVE-2022-21192 (All versions of the package serve-lite are vulnerable to 
Directory Tra ...)
TODO: check
 CVE-2022-21191 (Versions of the package global-modules-path before 3.0.0 are 
vulnerabl ...)
-   TODO: check
+   NOT-FOR-US: Node global-modules-path
 CVE-2022-21190 (This affects the package convict before 6.2.3. This is a 
bypass of [CV ...)
NOT-FOR-US: Node convict
 CVE-2022-21189 (The package dexie before 3.2.2, from 4.0.0-alpha.1 and before 
4.0.0-al ...)
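Review bot: the adjacent CVE-2022-21192 (package serve-lite) in this same hunk is left at "TODO: check" while CVE-2022-21191 is resolved to "NOT-FOR-US: Node global-modules-path"; since the surrounding entries (global-modules-path, convict, dexie) are all being triaged as Node packages, serve-lite could be settled in the same pass rather than left as a lone TODO in the middle of the block.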



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9ddbc94fb37c34efedcf9cc64bbd17c3f47e2d0



[Git][security-tracker-team/security-tracker][master] puppet-module-puppetlabs-apt fixed in sid

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
93ad7f8c by Moritz Muehlenhoff at 2023-02-06T09:34:48+01:00
puppet-module-puppetlabs-apt fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -32186,7 +32186,7 @@ CVE-2022-3276 (Command injection is possible in the 
puppetlabs-mysql module prio
NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/6f531ad85c22ceeb5076347e6998e1d25b056dfd
 (v13.0.0)
NOTE: 
https://github.com/puppetlabs/puppetlabs-mysql/commit/e70e7fd130aaa2fe1cefe4ccb628b304ad3c180a
 (v13.0.0)
 CVE-2022-3275 (Command injection is possible in the puppetlabs-apt module 
prior to ve ...)
-   - puppet-module-puppetlabs-apt  (bug #1023625)
+   - puppet-module-puppetlabs-apt 9.0.1-1 (bug #1023625)
[bullseye] - puppet-module-puppetlabs-apt  (Minor issue)
[buster] - puppet-module-puppetlabs-apt  (Minor issue, rare 
condition, follow buster status)
NOTE: https://puppet.com/security/cve/CVE-2022-3275
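Review bot: the buster annotation on CVE-2022-3275 reads "(Minor issue, rare condition, follow buster status)", which is self-referential; given that the bullseye line directly above is tagged "(Minor issue)", this was presumably meant to say "follow bullseye status", and it is worth correcting while this entry is being touched for the 9.0.1-1 fix.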



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/93ad7f8c0c8cb100e04dde798ea9891140397c63



[Git][security-tracker-team/security-tracker][master] ruby-rails-html-sanitizer fixed in sid

2023-02-06 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
30285ea2 by Moritz Muehlenhoff at 2023-02-06T09:34:03+01:00
ruby-rails-html-sanitizer fixed in sid

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -83115,19 +83115,19 @@ CVE-2022-23521 (Git is distributed revision control 
system. gitattributes are a
NOTE: 
https://github.com/git/git/commit/3c50032ff5289cc45659f21949c8d09e52164579
NOTE: 
https://github.com/git/git/files/10430260/X41-OSTIF-Gitlab-Git-Security-Audit-20230117-public.pdf
 CVE-2022-23520 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
-   - ruby-rails-html-sanitizer  (bug #1027153)
+   - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
[buster] - ruby-rails-html-sanitizer  (Minor issue)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
 CVE-2022-23519 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
-   - ruby-rails-html-sanitizer  (bug #1027153)
+   - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
[buster] - ruby-rails-html-sanitizer  (Minor issue can be 
fixed later)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
 CVE-2022-23518 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
-   - ruby-rails-html-sanitizer  (bug #1027153)
+   - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
NOTE: https://github.com/rails/rails-html-sanitizer/issues/135
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
 CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML 
fragments in R ...)
-   - ruby-rails-html-sanitizer  (bug #1027153)
+   - ruby-rails-html-sanitizer 1.4.4-1 (bug #1027153)
[buster] - ruby-rails-html-sanitizer  (Minor issue)
NOTE: 
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
NOTE: 
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979
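Review bot: CVE-2022-23518 has no [buster] line, while the other three CVEs closed by ruby-rails-html-sanitizer 1.4.4-1 in this hunk (CVE-2022-23520, CVE-2022-23519, CVE-2022-23517) each carry one; if buster is affected it should get a matching tag, and if it is not, an explicit not-affected entry would make that visible instead of leaving the distribution status implicit. Also, the buster tag on CVE-2022-23519 says "Minor issue can be fixed later" where the others say "Minor issue"; harmonising the wording keeps the entries greppable.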



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30285ea217facef06892cd4e3ed6ec2b29be2f69



[Git][security-tracker-team/security-tracker][master] automatic update

2023-02-06 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
272931f4 by security tracker role at 2023-02-06T08:10:13+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2023-25198
+   RESERVED
+CVE-2023-25197
+   RESERVED
+CVE-2023-25196
+   RESERVED
+CVE-2023-25195
+   RESERVED
+CVE-2022-48314
+   RESERVED
+CVE-2022-48313
+   RESERVED
+CVE-2022-48312
+   RESERVED
 CVE-2023-25194
RESERVED
 CVE-2022-4902
@@ -12,12 +26,12 @@ CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz 
through 6.0.0 allows attack
- harfbuzz  (bug #1030612)
[bullseye] - harfbuzz  (Minor issue)
NOTE: 
https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc
-CVE-2014-125086
-   RESERVED
-CVE-2014-125085
-   RESERVED
-CVE-2014-125084
-   RESERVED
+CVE-2014-125086 (A vulnerability has been found in Gimmie Plugin 1.2.2 and 
classified a ...)
+   TODO: check
+CVE-2014-125085 (A vulnerability, which was classified as critical, was found 
in Gimmie ...)
+   TODO: check
+CVE-2014-125084 (A vulnerability, which was classified as critical, has been 
found in G ...)
+   TODO: check
 CVE-2023-25192
RESERVED
 CVE-2023-25191
@@ -36,10 +50,10 @@ CVE-2023-0674 (A vulnerability, which was classified as 
problematic, has been fo
NOT-FOR-US: XXL-JOB
 CVE-2023-0673 (A vulnerability classified as critical was found in 
SourceCodester Onl ...)
NOT-FOR-US: SourceCodester Online Eyewear Shop
-CVE-2017-20176
-   RESERVED
-CVE-2017-20175
-   RESERVED
+CVE-2017-20176 (A vulnerability classified as problematic was found in 
ciubotaru share ...)
+   TODO: check
+CVE-2017-20175 (A vulnerability classified as problematic has been found in 
DaSchTour  ...)
+   TODO: check
 CVE-2023-25189
RESERVED
 CVE-2023-25188
@@ -11851,12 +11865,12 @@ CVE-2022-47454
RESERVED
 CVE-2022-47453
RESERVED
-CVE-2022-47452
-   RESERVED
-CVE-2022-47451
-   RESERVED
-CVE-2022-47450
-   RESERVED
+CVE-2022-47452 (In gnss driver, there is a possible out of bounds write due to 
a missi ...)
+   TODO: check
+CVE-2022-47451 (In wlan driver, there is a possible missing params check. This 
could l ...)
+   TODO: check
+CVE-2022-47450 (In wlan driver, there is a possible missing permission check. 
This cou ...)
+   TODO: check
 CVE-2022-46732 (Even if the authentication fails for local service 
authentication, the ...)
NOT-FOR-US: GE Digital
 CVE-2022-46660 (An unauthorized user could alter or write files with full 
control over ...)
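Review bot: the three entries that replaced RESERVED placeholders here (CVE-2022-47452 "gnss driver", CVE-2022-47451 and CVE-2022-47450 "wlan driver") describe out-of-bounds writes and missing parameter/permission checks in drivers, but the truncated descriptions do not name the vendor or kernel tree; when these "TODO: check" items are triaged, confirm whether they concern an out-of-tree vendor driver before evaluating them against the Debian linux package, as the same wording recurs in the following hunk for the CVE-2022-473xx range.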
@@ -12389,42 +12403,42 @@ CVE-2019-25078 (A vulnerability classified as 
problematic was found in pacparser
[buster] - pacparser  (Minor issue)
NOTE: https://github.com/manugarg/pacparser/issues/99
NOTE: 
https://github.com/manugarg/pacparser/commit/853e8f45607cb07b877ffd270c63dbcdd5201ad9
 (v1.4.0)
-CVE-2022-47371
-   RESERVED
-CVE-2022-47370
-   RESERVED
-CVE-2022-47369
-   RESERVED
-CVE-2022-47368
-   RESERVED
-CVE-2022-47367
-   RESERVED
-CVE-2022-47366
-   RESERVED
-CVE-2022-47365
-   RESERVED
-CVE-2022-47364
-   RESERVED
-CVE-2022-47363
-   RESERVED
+CVE-2022-47371 (In bt driver, there is a thread competition leads to early 
release of  ...)
+   TODO: check
+CVE-2022-47370 (In wlan driver, there is a possible missing params check. This 
could l ...)
+   TODO: check
+CVE-2022-47369 (In wlan driver, there is a possible missing params check. This 
could l ...)
+   TODO: check
+CVE-2022-47368 (In wlan driver, there is a possible missing params check. This 
could l ...)
+   TODO: check
+CVE-2022-47367 (In bluetooth driver, there is a missing permission check. This 
could l ...)
+   TODO: check
+CVE-2022-47366 (In wlan driver, there is a possible out of bounds write due to 
a missi ...)
+   TODO: check
+CVE-2022-47365 (In wlan driver, there is a possible out of bounds write due to 
a missi ...)
+   TODO: check
+CVE-2022-47364 (In wlan driver, there is a possible out of bounds write due to 
a missi ...)
+   TODO: check
+CVE-2022-47363 (In wlan driver, there is a possible out of bounds read due to 
a missin ...)
+   TODO: check
 CVE-2022-47362
RESERVED
-CVE-2022-47361
-   RESERVED
-CVE-2022-47360
-   RESERVED
-CVE-2022-47359
-   RESERVED
-CVE-2022-47358
-   RESERVED
-CVE-2022-47357
-   RESERVED
-CVE-2022-47356
-   RESERVED
-CVE-2022-47355
-   RESERVED
-CVE-2022-47354
-   RESERVED
+CVE-2022-47361 (In firewall service, there is a missing permission check. This 
could l ...)
+   TODO: check
+CVE-2022-47360 (In log service, there is a missing permission check. This 
could lead t ...)
+   TODO: check
+CVE-2022-47359 (In log service, there is a mis