[Git][security-tracker-team/security-tracker][master] 2 commits: semi-automatic unclaim after 2 weeks of inactivity
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 53f57d61 by Anton Gladky at 2023-02-20T08:26:17+01:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Anton Gladky gl...@debian.org - - - - - d2693455 by Anton Gladky at 2023-02-20T08:33:49+01:00 LTS: assign libgit2 to Tobias - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -23,7 +23,7 @@ amanda NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git NOTE: 20230219: Special attention: Privilege escalation. -- -apache2 (Lee Garrett) +apache2 NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. @@ -32,7 +32,7 @@ apr-util (Adrian Bunk) NOTE: 20230207: Programming language: C. NOTE: 20230208: VCS: https://salsa.debian.org/lts-team/packages/apr-util.git -- -asterisk (Lee Garrett) +asterisk NOTE: 20221211: Programming language: C. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/asterisk.git -- @@ -117,7 +117,7 @@ golang-yaml.v2 NOTE: 20230125: VCS: https://salsa.debian.org/lts-team/packages/golang-yaml.v2.git NOTE: 20230125: Special attention: limited support; requires rebuilding reverse build dependencies (though recent bullseye updates didn't). -- -imagemagick (Roberto C. Sánchez) +imagemagick NOTE: 20220904: Programming language: C. NOTE: 20220904: VCS: https://salsa.debian.org/lts-team/packages/imagemagick.git NOTE: 20220904: Should be synced with Stretch. (apo) 
@@ -138,7 +138,7 @@ libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git NOTE: 20230220: upload prepped, testing remains. (utkarsh) -- -libgit2 (gladk) +libgit2 (tobi) NOTE: 20230126: Programming language: C. NOTE: 20230126: VCS: https://salsa.debian.org/debian/libgit2.git NOTE: 20230126: Please fix also CVE-2020* (gladk). @@ -167,7 +167,7 @@ nextcloud-desktop NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop NOTE: 20221128: Please coordinate with maintainer the usage of their git-repo (gladk). -- -nheko (Abhijith PA) +nheko NOTE: 20230101: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git -- @@ -188,7 +188,7 @@ node-nth-check NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-nth-check.git -- -node-url-parse (guilhem) +node-url-parse NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-url-parse.git @@ -355,7 +355,7 @@ sssd NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git -- -thunderbird (Emilio) +thunderbird NOTE: 20230123: Programming language: C++ NOTE: 20230205: VCS: https://salsa.debian.org/mozilla-team/thunderbird.git NOTE: 20230205: Maintainer notes: Coordinate with maintainer 
@@ -390,7 +390,7 @@ xrdp NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git NOTE: 20230117: Fixed 6 out 10 CVEs. Testing (abhijith) -- -zabbix (Adrian Bunk) +zabbix NOTE: 20220911: At least CVE-2022-23134 was fixed in stretch so it should be fixed in buster too. NOTE: 20221209: Programming language: C. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/zabbix.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393...d2693455f1a83e058d61de02116ba0d5ce94964a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/39aeedb1ddfe0c6bfd5efe0e459dbf900ccb0393...d2693455f1a83e058d61de02116ba0d5ce94964a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
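Review bot: the unclaim hunks (apache2, asterisk, imagemagick, nheko, node-url-parse, thunderbird, zabbix) drop the claimant name without recording the unclaim in the entry itself, whereas every other state change in dla-needed.txt is recorded as a dated line in the `NOTE: YYYYMMDD: ... (login)` form (see `NOTE: 20230220: upload prepped, testing remains. (utkarsh)` in the libapache2-mod-auth-mellon context). A line such as `NOTE: 20230220: unclaimed after 2 weeks of inactivity.` on each unclaimed entry would tell the next claimant that partial work may exist; this matters most for imagemagick, whose entry (visible in the freeradius push further down this digest) notes that patches for 31 CVEs were already integrated by roberto. Also, the libgit2 hunk assigns `(tobi)` while the same file uses both full names (`Lee Garrett`, `Adrian Bunk`) and salsa logins (`gladk`, `guilhem`) for claimants; settling on one form would make inactivity matching unambiguous.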
[Git][security-tracker-team/security-tracker][master] 11 commits: Triage gpac for Buster as EOL.
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 0efe7456 by Markus Koschany at 2023-02-20T00:28:43+01:00 Triage gpac for Buster as EOL. - - - - - 73e31c31 by Markus Koschany at 2023-02-20T00:28:43+01:00 LTS: add curl to dla-needed.txt - - - - - a035b7b9 by Markus Koschany at 2023-02-20T00:28:43+01:00 LTS: add sofia-sip to dla-needed.txt - - - - - ec9c34ea by Markus Koschany at 2023-02-20T00:28:43+01:00 LTS: add clamav to dla-needed.txt - - - - - e4b1027d by Markus Koschany at 2023-02-20T00:28:43+01:00 CVE-2023-23082,kodi: Buster is no-dsa Minor issue - - - - - 3c8575fd by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2022-3560,pesign: Buster is no-dsa Minor issue - - - - - 503c323b by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-22332,pgpool2: Buster is no-dsa Minor issue - - - - - c35ede04 by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-24607,qtbase-opensource-src: Buster is no-dsa Minor issue - - - - - 2cb655fd by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-22799,ruby-globalid: Buster is no-dsa Minor issue - - - - - 7824121b by Markus Koschany at 2023-02-20T00:28:44+01:00 CVE-2023-23627,ruby-sanitize: Buster is no-dsa Minor issue - - - - - 39aeedb1 by Markus Koschany at 2023-02-20T00:28:44+01:00 Triage symfony CVE as no-dsa for Buster Minor issues - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -431,6 +431,7 @@ CVE-2023-0867 CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f NOTE: https://github.com/gpac/gpac/commit/b964fe4226f1424cf676d5822ef898b6b01f5937 CVE-2023-0865 
@@ -844,16 +845,19 @@ CVE-2023-0820 CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - gpac [bullseye] - gpac (Vulnerable code not present) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3 NOTE: https://github.com/gpac/gpac/commit/be9f8d395bbd196e3812e9cd80708f06bcc206f7 CVE-2023-25754 @@ -1377,6 +1381,7 @@ CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7 CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd NOTE: https://github.com/gpac/gpac/commit/c31941822ee275a35bc148382bafef1c53ec1c26 CVE-2023-0769 @@ -1467,6 +1472,7 @@ CVE-2023-0761 CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2. ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21 NOTE: https://github.com/gpac/gpac/commit/ea7395f39f601a7750d48d606e9d10ea0b7beefe CVE-2023-0759 (Privilege Chaining in GitHub repository cockpit-hq/cockpit prior to 2. ...) 
@@ -4101,6 +4107,7 @@ CVE-2023-24607 [When using the Qt SQL ODBC driver plugin, then it is possible to RESERVED - qtbase-opensource-src [bullseye] - qtbase-opensource-src (Minor issue) + [buster] - qtbase-opensource-src (Minor issue) - qt6-base - qtbase-opensource-src-gles [bullseye] - qtbase-opensource-src-gles (Minor issue) @@ -6850,6 +6857,7 @@ CVE-2023-23628 (Metabase is an open source data analytics platform. Affected ver CVE-2023-23627 (Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 ...) - ruby-sanitize (bug #1030047) [bullseye] - ruby-sanitize (Minor issue) + [buster] - ruby-sanitize (Minor issue) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7 NOTE:
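Review bot: in the qtbase hunk (@@ -4101) the `[buster] - qtbase-opensource-src (Minor issue)` line is added only for the main source package; the adjacent `qtbase-opensource-src-gles` entry, which carries the identical `[bullseye] ... (Minor issue)` tag, gets no buster line, so it stays listed as open for buster. If the -gles source is in buster it should receive the same no-dsa tag in this commit. The gpac hunks are consistent with the commit message: every touched gpac CVE gets `[buster] - gpac (EOL in buster LTS)`, including CVE-2023-0817 where bullseye is marked `Vulnerable code not present`. The diff is cut off after the ruby-sanitize `NOTE:` line, so the remaining hunks (pesign, pgpool2, ruby-globalid, symfony, and the dla-needed.txt additions) could not be checked here.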
[Git][security-tracker-team/security-tracker][master] 2 commits: Drop tmux from dla-needed
Utkarsh Gupta pushed to branch master at Debian Security Tracker / security-tracker Commits: 85981430 by Utkarsh Gupta at 2023-02-20T03:07:03+05:30 Drop tmux from dla-needed even if the upload was already made, we've decided to ignore it completely; cf: #debian-lts. - - - - - b3e1ae1a by Utkarsh Gupta at 2023-02-20T03:10:53+05:30 Add notes for packages - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -125,6 +125,7 @@ libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230105: Programming language: C. NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git + NOTE: 20230220: upload prepped, testing remains. (utkarsh) -- libgit2 (gladk) NOTE: 20230126: Programming language: C. @@ -302,6 +303,7 @@ ruby-sidekiq (Utkarsh) NOTE: 20221231: Programming language: Ruby. NOTE: 20221231: CVE-2022-23837 was fixed in stretch so should be fixed in buster for consistency even though it is not that severe. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/ruby-sidekiq.git + NOTE: 20230220: almost done-ish. Will roll out the DLA this week. (utkarsh) -- runc (Sylvain Beucler) NOTE: 20220905: Programming language: Go.
@@ -352,10 +354,6 @@ tinymce NOTE: 20221227: Programming language: PHP. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/tinymce.git -- -tmux (Utkarsh) - NOTE: 20230129: Programming language: C. - NOTE: 20230129: VCS: https://salsa.debian.org/lts-team/packages/tmux.git --- trafficserver NOTE: 20230202: Programming language: C. NOTE: 20230202: Note recent DLA-3279-1 update. Removed notes (2d9f50586010) suggest CVE-2022-31779 may have already been investigated. (lamby) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/900565f6d1ee995b7b3dadb93769bd5cbf112254...b3e1ae1a031ccb1a8fa0dd6aab7e85fb75a6bc68
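Review bot: the tmux removal hunk (@@ -352) takes the entry out of dla-needed.txt, but the reason ("we've decided to ignore it completely; cf: #debian-lts") exists only in the commit message and an IRC channel. Nothing in this diff records the decision in the tracker data, so the tmux issue will still show as unaddressed for buster unless data/CVE/list carries a matching `[buster] - tmux (<reason>)` line, in the same style as the `[buster] - gpac (EOL in buster LTS)` lines elsewhere in this digest. Adding that tag in the same push, with the rationale, would let the decision survive the removal. The two added NOTE lines in the first two hunks follow the file's dated `NOTE: YYYYMMDD: ... (login)` convention.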
[Git][security-tracker-team/security-tracker][master] 11 commits: LTS: add freeradius to dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 92ad2370 by Markus Koschany at 2023-02-19T21:27:08+01:00 LTS: add freeradius to dla-needed.txt - - - - - 7a305a92 by Markus Koschany at 2023-02-19T21:27:09+01:00 CVE-2023-25193,harfbuzz: Buster is no-dsa Minor issue - - - - - aa8f8b08 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add intel-microcode to dla-needed.txt - - - - - 32e325e3 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add nss to dla-needed.txt - - - - - 6e4df0b7 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add python-cryptography to dla-needed.txt - - - - - b7273199 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add python-django to dla-needed.txt - - - - - f00ec304 by Markus Koschany at 2023-02-19T21:27:09+01:00 LTS: add python-werkzeug to dla-needed.txt - - - - - bdad6aed by Markus Koschany at 2023-02-19T21:27:10+01:00 CVE-2022-4254,sssd: Mark Buster as no-dsa Minor issue - - - - - 493b9372 by Markus Koschany at 2023-02-19T21:27:12+01:00 CVE-2022-4254,sssd: Remove superfluous Bullseye entry The issue was fixed in 2.3.1 and Bullseye has 2.4.1 - - - - - 45bb9012 by Markus Koschany at 2023-02-19T21:27:12+01:00 LTS: add amanda to dla-needed.txt - - - - - 900565f6 by Markus Koschany at 2023-02-19T21:27:23+01:00 Claim nss in dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2565,6 +2565,7 @@ CVE-2015-10073 (A vulnerability, which was classified as problematic, was found CVE-2023-25193 (hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to ...) - harfbuzz (bug #1030612) [bullseye] - harfbuzz (Minor issue) + [buster] - harfbuzz (Minor issue) NOTE: https://github.com/harfbuzz/harfbuzz/commit/85be877925ddbf34f74a1229f3ca1716bb6170dc CVE-2014-125086 (A vulnerability has been found in Gimmie Plugin 1.2.2 and classified a ...) NOT-FOR-US: Gimmie 
@@ -18036,7 +18037,7 @@ CVE-2022-4255 (An info leak issue was identified in all versions of GitLab EE fr - gitlab (Specific to EE) CVE-2022-4254 (sssd: libsss_certmap fails to sanitise certificate data used in LDAP f ...) - sssd 2.3.1-1 - [bullseye] - sssd (Minor issue) + [buster] - sssd (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2149894 NOTE: https://github.com/SSSD/sssd/issues/5135 NOTE: https://github.com/SSSD/sssd/commit/a2b9a84460429181f2a4fa7e2bb5ab49fd561274 = data/dla-needed.txt = @@ -18,6 +18,11 @@ rather than remove/replace existing ones. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git -- +amanda + NOTE: 20230219: Programming language: C. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/amanda.git + NOTE: 20230219: Special attention: Privilege escalation. +-- apache2 (Lee Garrett) NOTE: 20221227: Programming language: C. NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git @@ -57,6 +62,10 @@ firmware-nonfree NOTE: 20221211: Programming language: Binary blob NOTE: 20221211: VCS: https://salsa.debian.org/lts-team/packages/firmware-nonfree.git -- +freeradius + NOTE: 20230219: Programming language: C. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/freeradius.git +-- fusiondirectory NOTE: 20221203: Programming language: PHP. NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). @@ -103,6 +112,10 @@ imagemagick (Roberto C. Sánchez) NOTE: 20220904: Should be synced with Stretch. (apo) NOTE: 20221212: Integrated patches for 31 CVEs so far and continuing to work. (roberto) -- +intel-microcode + NOTE: 20230219: Programming language: Binary blob. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git +-- kopanocore NOTE: 20220801: Programming language: C++. NOTE: 20220811: Proposed a patch to CVE-2022-26562 (#1016973) (gusnan/retired) 
@@ -174,6 +187,10 @@ nodejs NOTE: 20221105: Source code not checked. It may be so that the vulnerability is not present in buster. NOTE: 20221209: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/nodejs.html -- +nss (Markus Koschany) + NOTE: 20230219: Programming language: C. + NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/nss.git +-- nvidia-graphics-drivers NOTE: 20221225: Programming language: binary blob. NOTE: 20230103: Cf. on-going discussion on nvidia support (Beuc/front-desk) @@ -216,10 +233,23 @@ puppet-module-puppetlabs-mysql NOTE: 20221107: Programming language: Puppet, Ruby. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/puppet-module-puppetlabs-mysql.git -- +python
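Review bot: the sssd hunk (@@ -18036) replaces the `[bullseye] - sssd (Minor issue)` line with a `[buster]` one; that matches the commit message (fixed upstream in 2.3.1, bullseye ships 2.4.1) and the entry's own fixed version `2.3.1-1`, so the bullseye line was indeed superfluous. In the dla-needed.txt hunks, the new `amanda` entry says `Special attention: Privilege escalation.` without naming the CVE that warrants it; putting the CVE id in that NOTE would save the claimant a lookup. Minor style: `intel-microcode` writes `Programming language: Binary blob.` with a trailing period while the firmware-nonfree context line directly above has none. The diff is cut off at `+python`, so the python-cryptography, python-django and python-werkzeug additions listed in the commit messages could not be reviewed here.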
[Git][security-tracker-team/security-tracker][master] Track proposed c-ares update via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 213baf8d by Salvatore Bonaccorso at 2023-02-19T21:18:20+01:00 Track proposed c-ares update via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -126,3 +126,5 @@ CVE-2023-25153 [bullseye] - containerd 1.4.13~ds1-1~deb11u4 CVE-2023-25173 [bullseye] - containerd 1.4.13~ds1-1~deb11u4 +CVE-2022-4904 + [bullseye] - c-ares 1.17.1-1+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/213baf8d1f9ad63cbb3f35165afe73e046c33918
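Review bot: this hunk adds the proposed bullseye-pu version for CVE-2022-4904 to next-point-update.txt only. The containerd commit 10c0b781 further down this digest paired the same kind of next-point-update.txt entry with a `[bullseye] - containerd (Minor issue; will be fixed via point release)` line in data/CVE/list; the c-ares entry should get the matching data/CVE/list tag so the bullseye status reads consistently in both files.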
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 870beef3 by Salvatore Bonaccorso at 2023-02-19T21:17:04+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-0919 (Missing Authentication for Critical Function in GitHub repository kare ...) TODO: check CVE-2023-0918 (A vulnerability has been found in codeprojects Pharmacy Management Sys ...) - TODO: check + NOT-FOR-US: codeprojects Pharmacy Management System CVE-2023-0917 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Customer Relationship Management System CVE-2023-0916 (A vulnerability classified as critical was found in SourceCodester Aut ...) - TODO: check + NOT-FOR-US: SourceCodester Auto Dealer Management System CVE-2023-0915 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Auto Dealer Management System CVE-2017-20178 RESERVED CVE-2016-15027 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/870beef37871e3a810af3becdc9a855e76d06e7c
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 74224966 by security tracker role at 2023-02-19T20:10:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2023-0919 (Missing Authentication for Critical Function in GitHub repository kare ...) + TODO: check +CVE-2023-0918 (A vulnerability has been found in codeprojects Pharmacy Management Sys ...) + TODO: check +CVE-2023-0917 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2023-0916 (A vulnerability classified as critical was found in SourceCodester Aut ...) + TODO: check +CVE-2023-0915 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2017-20178 + RESERVED +CVE-2016-15027 + RESERVED +CVE-2015-10082 + RESERVED +CVE-2015-10081 + RESERVED +CVE-2014-125089 + RESERVED CVE-2023-0914 (Improper Authorization in GitHub repository pixelfed/pixelfed prior to ...) NOT-FOR-US: pixelfed CVE-2023-0913 (A vulnerability classified as critical was found in SourceCodester Aut ...) 
@@ -38,12 +58,12 @@ CVE-2023-0903 (A vulnerability was found in SourceCodester Employee Task Managem NOT-FOR-US: SourceCodester Employee Task Management System CVE-2023-0902 (A vulnerability was found in SourceCodester Simple Food Ordering Syste ...) NOT-FOR-US: SourceCodester Simple Food Ordering System -CVE-2016-15024 - RESERVED -CVE-2014-125087 - RESERVED -CVE-2012-10007 - RESERVED +CVE-2016-15024 (A vulnerability was found in doomsider shadow. It has been classified ...) + TODO: check +CVE-2014-125087 (A vulnerability was found in java-xmlbuilder up to 1.1. It has been ra ...) + TODO: check +CVE-2012-10007 (A vulnerability was found in madgicweb BuddyStream Plugin up to 3.2.7. ...) + TODO: check CVE-2023-26056 RESERVED CVE-2023-26055 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/742249665f0342e6b29842f10991b2632c1b4541
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-25012/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8404e0cb by Salvatore Bonaccorso at 2023-02-19T21:04:07+01:00 Update information for CVE-2023-25012/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3032,6 +3032,7 @@ CVE-2023-25013 (An issue was discovered in the femanager extension before 5.5.3, NOT-FOR-US: TYPO3 extension CVE-2023-25012 (The Linux kernel through 6.1.9 has a Use-After-Free in bigben_remove i ...) - linux + [buster] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/all/20230125-hid-unregister-leds-v1-1-9a5192dce...@diag.uniroma1.it/ CVE-2023-25011 (PC settings tool Ver10.1.26.0 and earlier, PC settings tool Ver11.0.22 ...) NOT-FOR-US: PC settings tool View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8404e0cb80ff734f0c6d659e4b58990d0d777a85
[Git][security-tracker-team/security-tracker][master] Track fixed version for various tiff issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 919f8c7b by Salvatore Bonaccorso at 2023-02-19T20:57:11+01:00 Track fixed version for various tiff issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1092,43 +1092,43 @@ CVE-2023-25691 CVE-2023-0805 RESERVED CVE-2023-0804 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/497 CVE-2023-0803 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/501 CVE-2023-0802 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/500 CVE-2023-0801 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_un ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/498 CVE-2023-0800 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/496 CVE-2023-0799 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/494 CVE-2023-0798 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) 
- - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/492 CVE-2023-0797 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_uni ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/495 CVE-2023-0796 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/499 CVE-2023-0795 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) - - tiff (bug #1031632) + - tiff 4.5.0-5 (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/493 CVE-2022-4925 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/919f8c7bc3305adea4835ca0a7b24a48e592ec25
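Review bot: all ten tiff entries (CVE-2023-0795 through CVE-2023-0804) gain the unstable fixed version `4.5.0-5`, but none gets a `[bullseye]` or `[buster]` line, so both stable suites remain listed as vulnerable until triaged. The descriptions place every issue in the tiffcrop tool (out-of-bounds writes fixed by upstream commit 33aee127 and out-of-bounds reads fixed by afaabc3e), and the shared Debian bug #1031632 is already referenced, so the stable-suite triage is the natural follow-up to this commit; a single decision would apply to all ten entries.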
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-1471,snakeyaml: unimportant
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8b5ce926 by Markus Koschany at 2023-02-19T17:30:56+01:00 CVE-2022-1471,snakeyaml: unimportant Snakeyaml is not designed to process untrusted YAML input. This has been clarified for users in version 1.33-2 with a README.Debian.security file. See also Debian bug #1030046 - - - - - 823329f4 by Markus Koschany at 2023-02-19T17:33:20+01:00 CVE-2022-41854,snakeyaml: fixed in 1.33-1 According to the Google fuzzer this issue was fixed between 20220911 and 20220912. Version 1.32 was released back then. The first version in Debian was 1.33-1 and I assume this is fixed now. According to the CVE description the parser would crash by stack overflow. A limit to the nesting depth of YAML files has been already introduced with other CVE fixes, so that shouldn't be a problem anymore. - - - - - 8cada0ea by Markus Koschany at 2023-02-19T17:38:31+01:00 CVE-2022-41854,snakeyaml: Buster is not affected because this issue was addressed in version 1.23-1+deb10u1. Bullseye will be fixed with a point update in the near future. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33392,7 +33392,8 @@ CVE-2022-41856 CVE-2022-41855 REJECTED CVE-2022-41854 (Those using Snakeyaml to parse untrusted YAML files may be vulnerable ...) - - snakeyaml + - snakeyaml 1.33-1 + [buster] - snakeyaml 1.23-1+deb10u1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355 TODO: check details CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb ...)
@@ -66712,7 +66713,7 @@ CVE-2022-1473 (The OPENSSL_LH_flush() function, which empties a hash table, cont CVE-2022-1472 (The Better Find and Replace WordPress plugin before 1.3.6 does not pro ...) NOT-FOR-US: WordPress plugin CVE-2022-1471 (SnakeYaml's Constructor() class does not restrict types which can be i ...) - - snakeyaml + - snakeyaml (unimportant) NOTE: https://github.com/google/security-research/security/advisories/GHSA-mjmj-j48q-9wg2 CVE-2022-1470 (The Ultimate WooCommerce CSV Importer WordPress plugin through 2.0 doe ...) NOT-FOR-US: WordPress plugin View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7810985b3197b87328b0961c533dab1911a47e9d...8cada0ea4fb8132e0d35bae7b26fd955f3a1fc5f
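Review bot: for CVE-2022-41854 the fixed version `1.33-1` rests on the commit message's own inference ("I assume this is fixed now", from the oss-fuzz timeline), and `TODO: check details` is rightly kept; a NOTE carrying the 20220911/20220912 fuzzer dates, or the upstream commit once identified, would make that inference reproducible from the entry rather than only from git history. The commit message also says bullseye "will be fixed with a point update", yet the hunk adds no `[bullseye]` line and nothing in next-point-update.txt, unlike the containerd and c-ares commits in this digest; the bullseye tag and the next-point-update.txt entry belong in the same change. For CVE-2022-1471 the `(unimportant)` tag is added with no NOTE, while the justification (Snakeyaml is not designed for untrusted input; README.Debian.security since 1.33-2; Debian bug #1030046) exists only in the commit message. A line such as `NOTE: Debian bug #1030046, documented in README.Debian.security since 1.33-2` next to the existing GHSA link would keep the rationale with the data.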
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for tiff issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7810985b by Salvatore Bonaccorso at 2023-02-19T16:58:08+01:00 Add Debian bug references for tiff issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1092,43 +1092,43 @@ CVE-2023-25691 CVE-2023-0805 RESERVED CVE-2023-0804 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/497 CVE-2023-0803 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/501 CVE-2023-0802 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/500 CVE-2023-0801 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in libtiff/tif_un ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/498 CVE-2023-0800 (LibTIFF 4.4.0 has an out-of-bounds write in tiffcrop in tools/tiffcrop ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/33aee1275d9d1384791d2206776eb8152d397f00 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/496 CVE-2023-0799 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/494 CVE-2023-0798 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) 
- - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/492 CVE-2023-0797 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in libtiff/tif_uni ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/495 CVE-2023-0796 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/499 CVE-2023-0795 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcrop in tools/tiffcrop. ...) - - tiff + - tiff (bug #1031632) NOTE: https://gitlab.com/libtiff/libtiff/-/commit/afaabc3e50d4e5d80a94143f7e3c997e7e410f68 NOTE: https://gitlab.com/libtiff/libtiff/-/issues/493 CVE-2022-4925 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7810985b3197b87328b0961c533dab1911a47e9d
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-25744/thunderbird via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df19d3db by Salvatore Bonaccorso at 2023-02-19T16:25:07+01:00 Track fixed version for CVE-2023-25744/thunderbird via unstable It was addressed as well with the 1:102.8.0-1, but we missed tracking it with the initial commit to track the fixed version. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -868,7 +868,7 @@ CVE-2023-25744 {DSA-5355-1 DSA-5350-1 DLA-3319-1} - firefox 110.0-1 - firefox-esr 102.8.0esr-1 - - thunderbird + - thunderbird 1:102.8.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-05/#CVE-2023-25744 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-06/#CVE-2023-25744 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/#CVE-2023-25744 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df19d3db90a627e1f22c558e82090efd33f0ad57
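Review bot: the added fixed version `thunderbird 1:102.8.0-1` keeps the epoch that the commit message also gives, so it lines up with the `firefox-esr 102.8.0esr-1` entry just above it and with the mfsa2023-07 advisory already referenced in the NOTE lines. Since the thunderbird line previously had no version at all, it is worth confirming in the same pass that the advisory which shipped thunderbird is among those in the braces (`{DSA-5355-1 DSA-5350-1 DLA-3319-1}`); the hunk does not touch that list.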
[Git][security-tracker-team/security-tracker][master] Track proposed bullseye-pu update for containerd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 10c0b781 by Salvatore Bonaccorso at 2023-02-19T16:21:51+01:00 Track proposed bullseye-pu update for containerd - - - - - 2 changed files: - data/CVE/list - data/next-point-update.txt Changes: = data/CVE/list = @@ -2628,6 +2628,7 @@ CVE-2022-48311 (**UNSUPPORTED WHEN ASSIGNED** Cross Site Scripting (XSS) in HP D NOT-FOR-US: HP CVE-2023-25173 (containerd is an open source container runtime. A bug was found in con ...) - containerd 1.6.18~ds1-1 + [bullseye] - containerd (Minor issue; will be fixed via point release) NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p CVE-2023-25172 RESERVED @@ -2669,6 +2670,7 @@ CVE-2023-25154 RESERVED CVE-2023-25153 (containerd is an open source container runtime. Before versions 1.6.18 ...) - containerd 1.6.18~ds1-1 + [bullseye] - containerd (Minor issue; will be fixed via point release) NOTE: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2 CVE-2023-25152 (Wings is Pterodactyl's server control plane. Affected versions are sub ...) NOT-FOR-US: Wings = data/next-point-update.txt = @@ -122,3 +122,7 @@ CVE-2023-20032 [bullseye] - clamav 0.103.8+dfsg-0+deb11u1 CVE-2023-20052 [bullseye] - clamav 0.103.8+dfsg-0+deb11u1 +CVE-2023-25153 + [bullseye] - containerd 1.4.13~ds1-1~deb11u4 +CVE-2023-25173 + [bullseye] - containerd 1.4.13~ds1-1~deb11u4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/10c0b78108398e2a02403e765d246f341bfbbde0
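Review bot: in the first data/CVE/list hunk (CVE-2023-25173) the added line reads `[bullseye] - containerd (Minor issue; will be fixed via point release)` with nothing between the package name and the parenthesised reason; the tracker's release-status syntax expects a tag there, and for a fix deferred to a point release that would be `<no-dsa>`. Angle-bracket tokens are routinely swallowed when the commit mail is rendered, so this may only be a display artefact, but please confirm the tag is present in the committed file, since without it the bullseye status is not expressed as intended.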
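Review bot: the second data/CVE/list hunk (CVE-2023-25153) has the same shape as the first, `[bullseye] - containerd (Minor issue; will be fixed via point release)` with no visible status tag ahead of the reason; if `<no-dsa>` was stripped by the mail rendering only, nothing needs to change, otherwise the tag should be added so that this entry and the CVE-2023-25173 entry are annotated identically, as they are fixed together.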
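Review bot: in the data/next-point-update.txt hunk both CVE-2023-25153 and CVE-2023-25173 are recorded against the same target, `[bullseye] - containerd 1.4.13~ds1-1~deb11u4`, which matches the two issues being fixed in one bullseye-pu upload and follows the format of the clamav entries above them. Once that upload is accepted, the two `[bullseye] - containerd` lines in data/CVE/list should be updated to this same version so the two files do not drift apart.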
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f203b784 by Salvatore Bonaccorso at 2023-02-19T09:16:27+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-0914 (Improper Authorization in GitHub repository pixelfed/pixelfed prior to ...) - TODO: check + NOT-FOR-US: pixelfed CVE-2023-0913 (A vulnerability classified as critical was found in SourceCodester Aut ...) - TODO: check + NOT-FOR-US: SourceCodester Auto Dealer Management System CVE-2023-0912 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Auto Dealer Management System CVE-2019-25104 RESERVED CVE-2016-15026 @@ -97,7 +97,7 @@ CVE-2023-26032 CVE-2023-26031 RESERVED CVE-2023-0901 (Exposure of Sensitive Information to an Unauthorized Actor in GitHub r ...) - TODO: check + NOT-FOR-US: pixelfed CVE-2023-0900 RESERVED CVE-2023-0899 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f203b7848bc76b4bc3e7f60443bc8c2ece6c84ba
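Review bot: in the first hunk the product name for CVE-2023-0912 is written out as `NOT-FOR-US: SourceCodester Auto Dealer Management System` although the truncated description shown here ends at `SourceCodeste`, so the name must have been taken from the full description; it matches the string used for CVE-2023-0913 in the same hunk, which is the right call, since identical NFU strings keep the two entries greppable as one product. The `NOT-FOR-US: pixelfed` marker for CVE-2023-0914 is directly supported by its description (`GitHub repository pixelfed/pixelfed`).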
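Review bot: in the second hunk CVE-2023-0901 becomes `NOT-FOR-US: pixelfed`, but the description visible in the diff is cut off at `GitHub r ...`, so the repository name is not verifiable from this hunk alone; a quick check that the full description really names pixelfed/pixelfed (as CVE-2023-0914 does) would close that gap, since an NFU on the wrong product silently drops the id from triage.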
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 04ad2c97 by security tracker role at 2023-02-19T08:10:14+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2023-0914 (Improper Authorization in GitHub repository pixelfed/pixelfed prior to ...) + TODO: check +CVE-2023-0913 (A vulnerability classified as critical was found in SourceCodester Aut ...) + TODO: check +CVE-2023-0912 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2019-25104 + RESERVED +CVE-2016-15026 + RESERVED +CVE-2016-15025 + RESERVED +CVE-2015-10080 + RESERVED +CVE-2014-125088 + RESERVED +CVE-2013-10019 + RESERVED +CVE-2012-10008 + RESERVED CVE-2023-0911 RESERVED CVE-2023-0910 (A vulnerability has been found in SourceCodester Online Pizza Ordering ...) @@ -1437,6 +1457,7 @@ CVE-2023-0757 RESERVED CVE-2022-4904 RESERVED + {DLA-3323-1} - c-ares 1.18.1-2 (bug #1031525) [bullseye] - c-ares (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2168631 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/04ad2c978db354053d6da543676ca45395f85161
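Review bot: the first hunk imports seven ids with old years (CVE-2019-25104, CVE-2016-15026, CVE-2016-15025, CVE-2015-10080, CVE-2014-125088, CVE-2013-10019, CVE-2012-10008), all `RESERVED`, at the top of the file next to the 2023 ids; that placement is expected for the automatic importer, which inserts by time of assignment rather than by id, so nothing to fix, but it means only the three `TODO: check` entries (CVE-2023-0914, CVE-2023-0913, CVE-2023-0912) actually need triage from this run, and the reserved ones will be filled in by a later automatic update.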
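Review bot: the second hunk adds `{DLA-3323-1}` to CVE-2022-4904 while the entry is still `RESERVED` upstream and already carries `- c-ares 1.18.1-2 (bug #1031525)` and `[bullseye] - c-ares (Minor issue)`; recording the advisory before the description is published is fine and the automatic update will fill in the description later without touching the DLA reference, but note that the hunk context is the only place the RESERVED state is visible, so anyone reading the DLA line in isolation should not take it as a sign the id has been published.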