[Git][security-tracker-team/security-tracker][master] LTS: claim libde265 in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c0529747 by Tobias Frost at 2023-03-04T08:25:01+01:00 LTS: claim libde265 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -119,7 +119,7 @@ libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git NOTE: 20230220: upload prepped, testing remains. (utkarsh) -- -libde265 +libde265 (tobi) NOTE: 20230303: Programming language: C++. NOTE: 20230303: VCS: https://salsa.debian.org/lts-team/packages/libde265.git NOTE: 20230303: Cf. DSA-5346-1 (by tobi); maybe consider bumping minor upstream version too (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0529747e573e368ad700ae276b2106fafc7ec48 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0529747e573e368ad700ae276b2106fafc7ec48 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
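Review bot: the claim adds only the "(tobi)" owner tag and no dated progress NOTE, unlike the entries around it (the libapache2-mod-auth-mellon context line reads "NOTE: 20230220: upload prepped, testing remains. (utkarsh)"); since the front-desk NOTE already raises the question "maybe consider bumping minor upstream version too", a "NOTE: 20230304:" line recording whether the buster update will backport the individual fixes or follow the new upstream release would save the next front-desk pass from re-deriving the decision.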
[Git][security-tracker-team/security-tracker][master] Document progress on firmware-nonfree.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: ec9ad475 by Tobias Frost at 2023-03-04T08:04:20+01:00 Document progress on firmware-nonfree. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -53,6 +53,8 @@ firmware-nonfree (tobi) NOTE: 20221204: Coming soon in the first week of December. (apo) NOTE: 20221211: Programming language: Binary blob NOTE: 20221211: VCS: https://salsa.debian.org/lts-team/packages/firmware-nonfree.git + NOTE: 20230302: Prepared new upstream version 20220913, with all firmwarefiles + NOTE: 20230302: re-added which had been dropped since buster-version and asked Ben for feedback. -- fusiondirectory NOTE: 20221203: Programming language: PHP. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec9ad47590d5607e8e7cc0a5f93c5e1a0418db76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec9ad47590d5607e8e7cc0a5f93c5e1a0418db76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
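Review bot: the added NOTE has a typo ("firmwarefiles" for "firmware files") and is broken mid-sentence across two dated NOTE lines, which the file format tolerates but reads awkwardly; more importantly the older "NOTE: 20221204: Coming soon in the first week of December. (apo)" context line is now stale and contradicted by the 20230302 progress, so it should be removed or marked superseded in the same entry. The note also records that feedback was requested from Ben; a follow-up NOTE with the outcome, and with whether the re-added blobs are required for the security fixes or only restore hardware coverage dropped since the buster version, would make the entry self-explanatory.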
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3347-2 for spip
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 28f9bc33 by Guilhem Moulin at 2023-03-03T23:38:10+01:00 Reserve DLA-3347-2 for spip - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[03 Mar 2023] DLA-3347-2 spip - regression update + [buster] - spip 3.2.4-1+deb10u11 [03 Mar 2023] DLA-3351-1 apache2 - security update {CVE-2006-20001 CVE-2019-0215 CVE-2020-1927 CVE-2021-33193 CVE-2022-36760 CVE-2022-37436} [buster] - apache2 2.4.38-3+deb10u9 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f9bc333742873381954728426a7458ac4a02b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28f9bc333742873381954728426a7458ac4a02b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
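Review bot: the DLA-3347-2 entry correctly carries no CVE set, since a regression update fixes no new issue, but nothing in the entry says what regressed; a short parenthetical reason on the "[buster] - spip 3.2.4-1+deb10u11" line, as other entries in this file do, would let a reader tell this apart from a forgotten CVE list. Placement above DLA-3351-1 keeps the reverse-chronological order of data/DLA/list.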
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46f18d6e by Salvatore Bonaccorso at 2023-03-03T22:41:02+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3819,9 +3819,9 @@ CVE-2014-125087 (A vulnerability was found in java-xmlbuilder up to 1.1. It has CVE-2012-10007 (A vulnerability was found in madgicweb BuddyStream Plugin up to 3.2.7. ...) NOT-FOR-US: madgicweb BuddyStream Plugin CVE-2023-26056 (XWiki Platform is a generic wiki platform. Starting in version 3.0-mil ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26055 (XWiki Commons are technical libraries common to several other top leve ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26054 RESERVED CVE-2023-26053 (Gradle is a build tool with a focus on build automation and support fo ...) @@ -6807,7 +6807,7 @@ CVE-2023-25019 CVE-2023-0657 RESERVED CVE-2023-0656 (A Stack-based buffer overflow vulnerability in the SonicOS allows a re ...) - TODO: check + NOT-FOR-US: SonicOS CVE-2023-0655 (SonicWall Email Security contains a vulnerability that could permit a ...) NOT-FOR-US: SonicWall CVE-2023-0654 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46f18d6e15ee3015c858831f9b04c4c612165842 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46f18d6e15ee3015c858831f9b04c4c612165842 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
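Review bot: the third hunk records "NOT-FOR-US: SonicOS" while the adjacent CVE-2023-0655 entry uses "NOT-FOR-US: SonicWall"; the NFU string is what groups these entries, so one spelling (the vendor, with the product left in the CVE text) keeps them together. In the first hunk, the CVE-2023-26055 description calls XWiki Commons "technical libraries common to several other" projects, so "NOT-FOR-US: XWiki" is only right if no Debian package embeds those libraries; a quick look at data/embedded-code-copies before closing both XWiki entries as NFU is warranted.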
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-27560/php-phpseclib3
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9d85004 by Salvatore Bonaccorso at 2023-03-03T21:50:50+01:00 Add CVE-2023-27560/php-phpseclib3 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,9 @@ CVE-2008-10003 CVE-2008-10002 RESERVED CVE-2023-27560 (Math/PrimeField.php in phpseclib through 2.0.41 has an infinite loop w ...) - TODO: check + - php-phpseclib3 + NOTE: Introduced by: https://github.com/phpseclib/phpseclib/commit/0398f7a81550a487170edca0ed39f360d4509e83 (3.0.0) + NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/6298d1cd55c3ffa44533bd41906caec246b60440 CVE-2023-27559 RESERVED CVE-2023-27558 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9d85004cdb371fc787bc55371033c8284c7991f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9d85004cdb371fc787bc55371033c8284c7991f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
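Review bot: the new "- php-phpseclib3" line carries no fixed version, and the "Fixed by" NOTE lacks the release tag that the "Introduced by" NOTE has ("(3.0.0)"); when the fix lands in a tagged upstream release, record it there so the fixed Debian version can be derived. The CVE text says "phpseclib through 2.0.41" but the NOTEs place the introducing commit in 3.0.0, which implies the 2.x series is not affected despite the CVE wording; if Debian ships a separate 2.x source package it should get an explicit not-affected line with that reasoning rather than being left unmentioned.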
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-4645/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 52bfc79e by Salvatore Bonaccorso at 2023-03-03T21:37:27+01:00 Add CVE-2022-4645/tiff - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -16029,7 +16029,9 @@ CVE-2022-4647 (Cross-site Scripting (XSS) - Stored in GitHub repository microweb CVE-2022-4646 (Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffwe ...) - rdiffweb (bug #969974) CVE-2022-4645 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:94 ...) - TODO: check + - tiff 4.4.0-5 + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/277 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/e813112545942107551433d61afd16ac094ff246 CVE-2022-4644 (Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.4. ...) - rdiffweb (bug #969974) CVE-2022-4643 (A vulnerability was found in docconv up to 1.2.0. It has been declared ...) = data/DSA/list = 
@@ -104,7 +104,7 @@ {CVE-2022-45060} [bullseye] - varnish 6.5.1-1+deb11u3 [29 Jan 2023] DSA-5333-1 tiff - security update - {CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3636 CVE-2022-3970 CVE-2022-34526 CVE-2022-48281} + {CVE-2022-1354 CVE-2022-1355 CVE-2022-1622 CVE-2022-1623 CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 CVE-2022-2519 CVE-2022-2520 CVE-2022-2521 CVE-2022-2867 CVE-2022-2868 CVE-2022-2869 CVE-2022-2953 CVE-2022-3570 CVE-2022-3597 CVE-2022-3598 CVE-2022-3599 CVE-2022-3626 CVE-2022-3627 CVE-2022-3636 CVE-2022-3970 CVE-2022-4645 CVE-2022-34526 CVE-2022-48281} [bullseye] - tiff 4.2.0-1+deb11u3 [29 Jan 2023] DSA-5332-1 git - security update {CVE-2022-23521 CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 CVE-2022-41903} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52bfc79e0d4c7963c72964e1e46e1fe2eb835246 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/52bfc79e0d4c7963c72964e1e46e1fe2eb835246 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
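Review bot: the data/DSA/list hunk amends the CVE set of DSA-5333-1, published on 29 Jan 2023, by adding CVE-2022-4645 after the fact. That is correct only if the upstream fix commit e813112545942107551433d61afd16ac094ff246 cited in the data/CVE/list hunk was actually part of tiff 4.2.0-1+deb11u3; the unstable fixed version recorded is 4.4.0-5, so a NOTE naming the bullseye changelog entry or patch that carries the fix would let a reader verify the retroactive attribution instead of taking it on trust. The CVE description also limits the bug to the tiffcp tool (tools/tiffcp.c), so the exposed surface is command-line use rather than library consumers, which is worth stating if severity is ever revisited.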
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-26604/systemd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4885d3b8 by Salvatore Bonaccorso at 2023-03-03T21:23:57+01:00 Add CVE-2023-26604/systemd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2229,7 +2229,10 @@ CVE-2023-26605 (In the Linux kernel 6.0.8, there is a use-after-free in inode_cg - linux NOTE: https://lkml.org/lkml/2023/2/22/3 CVE-2023-26604 (systemd before 247 does not adequately block local privilege escalatio ...) - TODO: check + - systemd 247.1-2 + NOTE: https://medium.com/%40zenmoviefornotification/saidov-maxim-cve-2023-26604-c1232a526ba7 + NOTE: https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340 + NOTE: https://blog.compass-security.com/2012/10/dangerous-sudoers-entries-part-2-insecure-functionality/ CVE-2023-26603 RESERVED CVE-2022-48363 (In MPD before 0.23.8, as used on Automotive Grade Linux and other plat ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4885d3b8d52956cbc47e473841a03d2bf53b13b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4885d3b8d52956cbc47e473841a03d2bf53b13b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
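Review bot: the second NOTE links https://github.com/systemd/systemd/blob/main/NEWS#L4335-L4340, a line-range anchor on the moving main branch; those line numbers drift every time NEWS grows, so pin the link to a tag or commit (the v247 section, given the CVE text "systemd before 247"). The third NOTE is a write-up on dangerous sudoers entries, which suggests the issue is only reachable where sudo grants systemctl or similar; if that is the triage conclusion, record it in a NOTE and consider whether a severity qualifier belongs on the "- systemd 247.1-2" line.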
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1892e4f9 by security tracker role at 2023-03-03T20:10:37+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2023-1168 + RESERVED +CVE-2023-1167 + RESERVED +CVE-2023-1166 + RESERVED +CVE-2022-4929 + RESERVED +CVE-2022-4928 + RESERVED +CVE-2022-4927 + RESERVED +CVE-2021-4329 + RESERVED +CVE-2015-10088 + RESERVED +CVE-2014-125091 + RESERVED +CVE-2014-125090 + RESERVED +CVE-2008-10003 + RESERVED +CVE-2008-10002 + RESERVED CVE-2023-27560 (Math/PrimeField.php in phpseclib through 2.0.41 has an infinite loop w ...) TODO: check CVE-2023-27559 @@ -42,7 +66,7 @@ CVE-2023-27540 RESERVED CVE-2023-1165 (A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has been ...) NOT-FOR-US: Zhong Bang CRMEB Java -CVE-2023-1164 (A vulnerability was found in kylin-activation and classified as critic ...) +CVE-2023-1164 (A vulnerability was found in KylinSoft kylin-activation and classified ...) TODO: check CVE-2023-1163 (A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4 and class ...) NOT-FOR-US: DrayTek Vigor 2960 @@ -2204,8 +2228,8 @@ CVE-2023-26606 (In the Linux kernel 6.0.8, there is a use-after-free in ntfs_tri CVE-2023-26605 (In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_mov ...) - linux NOTE: https://lkml.org/lkml/2023/2/22/3 -CVE-2023-26604 - RESERVED +CVE-2023-26604 (systemd before 247 does not adequately block local privilege escalatio ...) + TODO: check CVE-2023-26603 RESERVED CVE-2022-48363 (In MPD before 0.23.8, as used on Automotive Grade Linux and other plat ...) 
@@ -6240,6 +6264,7 @@ CVE-2023-25223 CVE-2023-25222 (A heap-based buffer overflow vulnerability exits in GNU LibreDWG v0.12 ...) - libredwg (bug #595191) CVE-2023-25221 (Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vuln ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/388 NOTE: https://github.com/strukturag/libde265/commit/857290982330e82d9e25d9d39527c6737021aa7d (v1.0.11) 
@@ -7523,32 +7548,39 @@ CVE-2023-24760 CVE-2023-24759 RESERVED CVE-2023-24758 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/383 NOTE: https://github.com/strukturag/libde265/commit/bfb6de155f9fb015d2904cb4ef07809f17995276 (v1.0.11) CVE-2023-24757 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/385 NOTE: https://github.com/strukturag/libde265/commit/48eb7dafe204b825b4a62948ed171a0cd3f1bda2 (v1.0.11) CVE-2023-24756 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/380 NOTE: https://github.com/strukturag/libde265/commit/48eb7dafe204b825b4a62948ed171a0cd3f1bda2 (v1.0.11) CVE-2023-24755 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/384 NOTE: https://github.com/strukturag/libde265/commit/48eb7dafe204b825b4a62948ed171a0cd3f1bda2 (v1.0.11) CVE-2023-24754 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/382 NOTE: https://github.com/strukturag/libde265/commit/bfb6de155f9fb015d2904cb4ef07809f17995276 (v1.0.11) CVE-2023-24753 RESERVED CVE-2023-24752 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) + {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/378 NOTE: https://github.com/strukturag/libde265/commit/052bacb2535cf0024042eefde58e48df2c778f7c (v1.0.11) CVE-2023-24751 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference ...) 
+ {DSA-5346-1} - libde265 1.0.11-1 NOTE: https://github.com/strukturag/libde265/issues/379 NOTE: https://github.com/strukturag/libde265/commit/7ea8e3cbb010bc02fa38419e87ed2281d7933850 (v1.0.11) @@ -12436,6 +12468,7 @@ CVE-2023-23011 (Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via CVE-2023-23010 (Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Boot ...) NOT-FOR-US: Ecommerce-CodeIgni
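Review bot: in the hunk that rewrites the CVE-2023-1164 description, the text now names "KylinSoft kylin-activation" yet the entry stays at "TODO: check"; that product is not something Debian ships, so the line can likely be resolved as NOT-FOR-US on the next NFU pass. The libde265 hunks add {DSA-5346-1} to CVE-2023-25221 and to each listed CVE-2023-2475x entry with the same fixed version 1.0.11-1, which is consistent; three of them (CVE-2023-24755, CVE-2023-24756, CVE-2023-24757) cite the same upstream commit 48eb7dafe204b825b4a62948ed171a0cd3f1bda2, so the advisory should be checked to carry that patch once, not once per CVE. The CVE-2023-26604 hunk moves the entry from RESERVED to "TODO: check", which is expected from the automatic update and leaves the package attribution to a manual commit.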
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libreswan update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22478f42 by Salvatore Bonaccorso at 2023-03-03T20:49:07+01:00 Reserve DSA number for libreswan update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[03 Mar 2023] DSA-5368-1 libreswan - security update + {CVE-2023-23009} + [bullseye] - libreswan 4.3-1+deb11u3 [02 Mar 2023] DSA-5367-1 spip - security update {CVE-2023-27372} [bullseye] - spip 3.2.11-3+deb11u7 = data/dsa-needed.txt = @@ -17,9 +17,6 @@ apr (carnil) jupyter-core Maintainer asked for availability to prepare updates -- -libreswan - Maintainer preparing updates --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22478f426f52a2400fcdaeb3b2f54bfa392d2300 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22478f426f52a2400fcdaeb3b2f54bfa392d2300 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e27f195 by Moritz Muehlenhoff at 2023-03-03T20:18:19+01:00 bookworm triage - - - - - 2 changed files: - data/CVE/list - data/embedded-code-copies Changes: = data/CVE/list = @@ -29488,9 +29488,10 @@ CVE-2022-44036 (** DISPUTED ** In b2evolution 7.2.5, if configured with admins_c CVE-2022-44035 RESERVED CVE-2022-44034 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - - linux + - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20220916050333.GA188358@ubuntu/ NOTE: https://lore.kernel.org/lkml/20220919101825.GA313940@ubuntu/ + NOTE: Negligible security impact, would need physical access to "exploit" CVE-2022-44033 (An issue was discovered in the Linux kernel through 6.0.6. drivers/cha ...) - linux (unimportant) NOTE: https://lore.kernel.org/lkml/20220915020834.GA110086@ubuntu/ @@ -56854,7 +56855,7 @@ CVE-2022-34668 (NVFLARE, versions prior to 2.1.4, contains a vulnerability that NOT-FOR-US: NVFLARE CVE-2022-34667 (NVIDIA CUDA Toolkit SDK contains a stack-based buffer overflow vulnera ...) [experimental] - nvidia-cuda-toolkit 11.8.0-1 - - nvidia-cuda-toolkit (bug #1021625) + - nvidia-cuda-toolkit 11.8.0-2 (bug #1021625) [bullseye] - nvidia-cuda-toolkit (Non-free not supported) [buster] - nvidia-cuda-toolkit (Minor issue) NOTE: https://nvidia.custhelp.com/app/answers/detail/a_id/5373 @@ -69827,9 +69828,7 @@ CVE-2022-30046 RESERVED CVE-2022-30045 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) - mapcache (unimportant; bug #1014389) - - scilab (bug #1014391) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #1014391) - netcdf 1:4.9.0-1 [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) 
@@ -137211,9 +137210,7 @@ CVE-2021-31598 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi {DLA-2705-1} - mapcache (unimportant; bug #989363) [stretch] - mapcache (Minor issue) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -137856,9 +137853,7 @@ CVE-2021-31349 (The usage of an internal HTTP header created an authentication b CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -137871,9 +137866,7 @@ CVE-2021-31348 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi CVE-2021-31347 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -138172,9 +138165,7 @@ CVE-2021-31230 CVE-2021-31229 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) 
@@ -140292,9 +140283,7 @@ CVE-2021-30486 (SysAid 20.3.64 b14 is affected by Blind and Stacker SQL injectio CVE-2021-30485 (An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezx ...) {DLA-2705-1} - mapcache (unimportant; bug #989363) - - scilab (bug #989364) - [bullseye] - scilab (Minor issue) - [buster] - scilab (Minor issue) + - scilab (unimportant; bug #989364) - netcdf 1:4.9.0-1 (bug #989360) [bullseye] - netcdf (Minor issue) [buster] - netcdf (Minor issue) @@ -151056,10 +151045,7 @@ CVE-2021-26223 (SQL injection vulnerability in SourceCodester CASAP Automated En NOT-FOR-US: SourceCodester CASAP Automated Enrollment System CVE-2021-26222 (The ezxml_new function in
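Review bot: the scilab hunks replace the per-release "(Minor issue)" lines with "(unimportant; bug #...)", but no NOTE records why the ezXML copy embedded in scilab is considered unimportant; mapcache carries the same tag in the same entries, also without rationale, so one NOTE on the first such entry (or an annotation in data/embedded-code-copies, which this commit touches but whose hunk is not shown here) would justify dropping release coverage. The CVE-2022-44034 hunk does it right, pairing "(unimportant)" with "NOTE: Negligible security impact, would need physical access to "exploit"", and that is the pattern to follow for scilab.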
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 9501e698 by Moritz Muehlenhoff at 2023-03-03T19:43:39+01:00 bullseye triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2651,6 +2651,7 @@ CVE-2023-0992 RESERVED CVE-2022-48345 (sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via ...) - node-mermaid (bug #1032313) + [bullseye] - node-mermaid (Minor issue) NOTE: https://github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c CVE-2023-26464 RESERVED @@ -2687,6 +2688,7 @@ CVE-2022-48342 (In JetBrains TeamCity before 2022.10.2 jVMTI was enabled by defa CVE-2023-26463 RESERVED - strongswan 5.9.8-4 + [bullseye] - strongswan (Vulnerable code not present) NOTE: https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-2023-26463).html CVE-2023-26462 (ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privi ...) NOT-FOR-US: ThingsBoard @@ -45603,8 +45605,9 @@ CVE-2022-2962 (A DMA reentrancy issue was found in the Tulip device emulation in NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1171 NOTE: https://gitlab.com/qemu-project/qemu/-/commit/36a894aeb64a2e02871016da1c37d4a4ca109182 CVE-2022-2961 (A use-after-free flaw was found in the Linux kernel’s PLP Rose f ...) - - linux + - linux (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2120595 + NOTE: Mitigated by hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch CVE-2022-2960 RESERVED CVE-2022-2959 (A race condition was found in the Linux kernel's watch queue due to a ...) 
@@ -73897,8 +73900,9 @@ CVE-2022-1250 (The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanit CVE-2022-1248 (A vulnerability was found in SAP Information System 1.0 which has been ...) NOT-FOR-US: SAP CVE-2022-1247 (An issue found in linux-kernel that leads to a race condition in rose_ ...) - - linux + - linux (unimportant) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2066799 + NOTE: Mitigated by hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch CVE-2022-1246 REJECTED CVE-2022-1245 (A privilege escalation flaw was found in the token exchange feature of ...) @@ -81746,6 +81750,7 @@ CVE-2022-25928 RESERVED CVE-2022-25927 (Versions of the package ua-parser-js from 0.7.30 and before 0.7.33, fr ...) - node-ua-parser-js + [bullseye] - node-ua-parser-js (Minor issue) NOTE: https://github.com/faisalman/ua-parser-js/commit/a6140a17dd0300a35cfc9cff999545f267889411 NOTE: https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450 NOTE: https://github.com/faisalman/ua-parser-js/security/advisories/GHSA-fhg7-m89q-25r3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9501e698ef0205aff58f2d2f92aabaa73856ca72 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9501e698ef0205aff58f2d2f92aabaa73856ca72 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
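Review bot: the hunks marking CVE-2022-2961 and CVE-2022-1247 "(unimportant)" justify it with hamradio-disable-auto-loading-as-mitigation-against-local-exploits.patch; by its name that patch only stops unprivileged auto-loading of the ROSE module, so a host where an administrator loads it explicitly is still exposed. Extending the NOTE to say "unimportant because the module is not auto-loadable; still affected if loaded" makes the caveat explicit. For CVE-2023-26463 the bullseye line "Vulnerable code not present" is supported only by the strongswan blog NOTE while the entry body is still RESERVED; citing the upstream commit or the affected version range once it is public would make that claim checkable.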
[Git][security-tracker-team/security-tracker][master] LTS: claim pcre2 in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 76425fc6 by Guilhem Moulin at 2023-03-03T19:37:51+01:00 LTS: claim pcre2 in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -194,7 +194,7 @@ openimageio (Markus Koschany) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- -pcre2 +pcre2 (guilhem) NOTE: 20230303: Programming language: C. NOTE: 20230303: Follow fixes from bullseye 11.5 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76425fc63bb85f288f87835466056feee1ba4e26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/76425fc63bb85f288f87835466056feee1ba4e26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add pcre2
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: a0633596 by Sylvain Beucler at 2023-03-03T17:20:33+01:00 dla: add pcre2 - - - - - b9124777 by Sylvain Beucler at 2023-03-03T17:26:12+01:00 dla: add docker.io - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -32,6 +32,10 @@ consul NOTE: 20221031: Concluded that the package should be fixed by the CVE description. Source code not analyzed in detail. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/consul.git -- +docker.io + NOTE: 20230303: Programming language: Go. + NOTE: 20230303: Follow fixes from bullseye 11.2 (Beuc/front-desk) +-- emacs (Adrian Bunk) NOTE: 20230223: Programming language: Lisp. NOTE: 20230223: VCS: https://salsa.debian.org/lts-team/packages/emacs.git @@ -190,6 +194,10 @@ openimageio (Markus Koschany) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/openimageio.git -- +pcre2 + NOTE: 20230303: Programming language: C. + NOTE: 20230303: Follow fixes from bullseye 11.5 (Beuc/front-desk) +-- php-cas NOTE: 20221105: Programming language: PHP. NOTE: 20221105: The fix is not backwards compatible. Should be investigated further whether this issue should be solved or ignored.. (ola) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b44551f87972d3cfb608a147869d72452f3e7a67...b912477729a056428a2ac361a55920c1e3658965 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b44551f87972d3cfb608a147869d72452f3e7a67...b912477729a056428a2ac361a55920c1e3658965 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
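Review bot: both new entries say "Follow fixes from bullseye 11.x" but list no CVE identifiers, so whoever claims docker.io or pcre2 has to reconstruct which issues the point release fixed; naming the CVEs, or linking the bullseye changelog, in the NOTE makes the entry actionable and lets it be cross-checked against data/CVE/list. The php-cas context line has a doubled period ("ignored..") that could be fixed in passing.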
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-25824/mod-gnutls: buster postponed
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f2612ab by Sylvain Beucler at 2023-03-03T17:06:30+01:00 CVE-2023-25824/mod-gnutls: buster postponed - - - - - b44551f8 by Sylvain Beucler at 2023-03-03T17:06:32+01:00 CVE-2019-25072/tendermint-go-common: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4404,6 +4404,7 @@ CVE-2023-25825 (ZoneMinder is a free, open source Closed-circuit television soft NOTE: https://github.com/ZoneMinder/zoneminder/commit/e1028c1d7f23cc1e0941b7b37bb6ae5a04364308 CVE-2023-25824 (Mod_gnutls is a TLS module for Apache HTTPD based on GnuTLS. Versions ...) - mod-gnutls (bug #942737) + [buster] - mod-gnutls (Minor issue, DoS) NOTE: https://github.com/airtower-luna/mod_gnutls/security/advisories/GHSA-6cfv-fvgm-7pc8 NOTE: https://github.com/airtower-luna/mod_gnutls/commit/d7eec4e598158ab6a98bf505354e84352f9715ec (mod_gnutls/0.12.1) CVE-2023-25823 (Gradio is an open-source Python library to build machine learning and ...) 
@@ -50415,6 +50416,7 @@ CVE-2020-36559 (Due to improper santization of user input, HTTPEngine.Handle all NOT-FOR-US: aah framework CVE-2019-25072 (Due to support of Gzip compression in request bodies, as well as a lac ...) - tendermint-go-common + [buster] - tendermint-go-common (Limited support, minor issue, DoS) CVE-2018-25046 (Due to improper path santization, archives containing relative file pa ...) NOT-FOR-US: GO code.cloudfoundry.org/archiver CVE-2017-20146 (Usage of the CORS handler may apply improper CORS headers, allowing th ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b235067f561ecba94443a9f842d31dc8f0f8284...b44551f87972d3cfb608a147869d72452f3e7a67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/9b235067f561ecba94443a9f842d31dc8f0f8284...b44551f87972d3cfb608a147869d72452f3e7a67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
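Review bot: annotation casing differs between the two hunks, "(Minor issue, DoS)" for mod-gnutls and "(Limited support, minor issue, DoS)" for tendermint-go-common; anything that greps for "Minor issue" will miss the second, so capitalize consistently. Both commit messages say "postponed" but neither line shows a <postponed> tag, only the free-text reason; if the angle-bracket tag was present and stripped by this rendering, ignore this, otherwise add it so the buster status is computed as postponed rather than open.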
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2022-48345/node-mermaid
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b235067 by Salvatore Bonaccorso at 2023-03-03T16:58:25+01:00 Add Debian bug reference for CVE-2022-48345/node-mermaid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2650,7 +2650,7 @@ CVE-2023-0993 CVE-2023-0992 RESERVED CVE-2022-48345 (sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via ...) - - node-mermaid + - node-mermaid (bug #1032313) NOTE: https://github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c CVE-2023-26464 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b235067f561ecba94443a9f842d31dc8f0f8284 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b235067f561ecba94443a9f842d31dc8f0f8284 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2019-25104/iortcw: buster end-of-life
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: bd644ef8 by Sylvain Beucler at 2023-03-03T16:48:06+01:00 CVE-2019-25104/iortcw: buster end-of-life - - - - - cc047d3e by Sylvain Beucler at 2023-03-03T16:52:26+01:00 CVE-2022-25901/node-cookiejar: buster postponed - - - - - d6725b60 by Sylvain Beucler at 2023-03-03T16:52:59+01:00 CVE-2023-25155/redis: buster postponed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3746,6 +3746,7 @@ CVE-2023-0912 (A vulnerability classified as critical has been found in SourceCo CVE-2019-25104 (A vulnerability has been found in rtcwcoop 1.0.2 and classified as pro ...) - iortcw (bug #1031732) [bullseye] - iortcw (Minor issue) + [buster] - iortcw (games are not supported in LTS) NOTE: https://github.com/rtcwcoop/rtcwcoop/pull/45 NOTE: Reported against a version based on iortcw, but seems missing in iortcw CVE-2016-15026 (A vulnerability was found in 3breadt dd-plist 1.17 and classified as p ...) @@ -6466,6 +6467,7 @@ CVE-2023-25156 (Kiwi TCMS, an open source test management system, does not impos CVE-2023-25155 (Redis is an in-memory database that persists on disk. Authenticated us ...) - redis (bug #1032279) [bullseye] - redis (Minor issue) + [buster] - redis (Minor issue, DoS) NOTE: https://github.com/redis/redis/security/advisories/GHSA-x2r7-j9vw-3w83 NOTE: https://github.com/redis/redis/commit/2a2a582e7cd99ba3b531336b8bd41df2b566e619 (7.0.9) CVE-2023-25154 (Misskey is an open source, decentralized social media platform. In ver ...) 
@@ -81787,6 +81789,7 @@ CVE-2022-25902 CVE-2022-25901 (Versions of the package cookiejar before 2.1.4 are vulnerable to Regul ...) - node-cookiejar 2.1.4+~2.1.2-1 [bullseye] - node-cookiejar (Minor issue) + [buster] - node-cookiejar (Minor issue, ReDoS) NOTE: https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984 NOTE: https://github.com/bmeck/node-cookiejar/pull/39 NOTE: https://github.com/bmeck/node-cookiejar/commit/eaa00021caf6ae09449dde826108153b578348e5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d9c2cc69cbac3ef5d0cf41c9bd355a435c015ce7...d6725b60ee87a5077c039c334aab49ab4b1ca580 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d9c2cc69cbac3ef5d0cf41c9bd355a435c015ce7...d6725b60ee87a5077c039c334aab49ab4b1ca580 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
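Review bot: the iortcw hunk's buster line shows no end-of-life marker (`[buster] - iortcw (games are not supported in LTS)`) although the commit message says "buster end-of-life"; a versionless release line with only a parenthesised reason is the same form this file uses for plain no-dsa entries (compare `[bullseye] - redis (Minor issue)` in the bullseye triage commit further down), so confirm the committed line carries the `<end-of-life>` tag. The same check applies to the two "postponed" commits: `[buster] - redis (Minor issue, DoS)` and `[buster] - node-cookiejar (Minor issue, ReDoS)` show no `<postponed>` tag and would otherwise be read as ordinary no-dsa entries.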
[Git][security-tracker-team/security-tracker][master] dla: add libde265
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: d9c2cc69 by Sylvain Beucler at 2023-03-03T16:33:34+01:00 dla: add libde265 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -113,6 +113,11 @@ libapache2-mod-auth-mellon (Utkarsh) NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/libapache2-mod-auth-mellon.git NOTE: 20230220: upload prepped, testing remains. (utkarsh) -- +libde265 + NOTE: 20230303: Programming language: C++. + NOTE: 20230303: VCS: https://salsa.debian.org/lts-team/packages/libde265.git + NOTE: 20230303: Cf. DSA-5346-1 (by tobi); maybe consider bumping minor upstream version too (Beuc/front-desk) +-- libreoffice NOTE: 20221012: Programming language: C++. NOTE: 20230111: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c2cc69cbac3ef5d0cf41c9bd355a435c015ce7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9c2cc69cbac3ef5d0cf41c9bd355a435c015ce7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
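Review bot: the new dla-needed.txt entry points at DSA-5346-1, but that DSA's CVE list is extended later the same day (commit b5138ac3 below adds CVE-2023-25221 and CVE-2023-24751 through CVE-2023-24758); whoever claims libde265 should work from the updated DSA entry, and a NOTE naming those extra CVEs here would save them a lookup. The note `maybe consider bumping minor upstream version too` would be more actionable with the target spelled out, since DSA-5346-1 shipped 1.0.11-0+deb11u1 for bullseye.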
[Git][security-tracker-team/security-tracker][master] golang* buster triage/harmonization
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e5eda01 by Sylvain Beucler at 2023-03-03T16:16:00+01:00 golang* buster triage/harmonization - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8419,6 +8419,7 @@ CVE-2023-0476 (A LDAP injection vulnerability exists in Tenable.sc due to improp NOT-FOR-US: Tenable CVE-2023-0475 (HashiCorp go-getter up to 1.6.2 and 2.1.1 is vulnerable to decompressi ...) - golang-github-hashicorp-go-getter (bug #1032100) + [buster] - golang-github-hashicorp-go-getter (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE: https://discuss.hashicorp.com/t/hcsec-2023-4-go-getter-vulnerable-to-denial-of-service-via-malicious-compressed-archive/50125 CVE-2023-0474 (Use after free in GuestView in Google Chrome prior to 109.0.5414.119 a ...) {DSA-5328-1} @@ -37702,6 +37703,7 @@ CVE-2022-41728 RESERVED CVE-2022-41727 (An attacker can craft a malformed TIFF image which will consume a sign ...) - golang-golang-x-image 0.5.0-1 + [buster] - golang-golang-x-image (Limited support, minor issue, DoS) CVE-2022-41726 RESERVED CVE-2022-41725 (A denial of service is possible from excessive resource consumption in ...) @@ -50332,7 +50334,7 @@ CVE-2021-4236 (Web Sockets do not execute any AuthenticateMethod methods which m NOT-FOR-US: ecnepsnai/web CVE-2021-4235 (Due to unbounded alias chasing, a maliciously crafted YAML file can ca ...) - golang-yaml.v2 2.2.8-1 - [buster] - golang-yaml.v2 (Limited support, minor issue, DoS, follow bullseye DSAs/point-releases) + [buster] - golang-yaml.v2 (Limited support, minor issue, DoS) NOTE: https://github.com/go-yaml/yaml/commit/bb4e33bf68bf89cad44d386192cbed201f35b241 (v2.2.3) NOTE: https://github.com/go-yaml/yaml/pull/375 NOTE: https://pkg.go.dev/vuln/GO-2021-0061 
@@ -50340,13 +50342,14 @@ CVE-2020-36569 (Authentication is globally bypassed in github.com/nanobox-io/gol NOT-FOR-US: golang-nanoauth CVE-2020-36568 (Unsanitized input in the query parser in github.com/revel/revel before ...) - golang-github-revel-revel 1.0.0-1 + [buster] - golang-github-revel-revel (Limited support, minor issue, DoS) NOTE: https://github.com/revel/revel/pull/1427 NOTE: https://github.com/revel/revel/commit/d160ecb72207824005b19778594cbdc272e8a605 (v1.0.0) NOTE: https://github.com/revel/revel/issues/1424 NOTE: https://pkg.go.dev/vuln/GO-2020-0003 CVE-2020-36567 (Unsanitized input in the default logger in github.com/gin-gonic/gin be ...) - golang-github-gin-gonic-gin 1.6.3-1 - [buster] - golang-github-gin-gonic-gin (Limited support, minor issue, follow bullseye DSAs/point-releases) + [buster] - golang-github-gin-gonic-gin (Limited support, minor issue) NOTE: https://github.com/gin-gonic/gin/pull/2237 NOTE: https://github.com/gin-gonic/gin/commit/a71af9c144f9579f6dbe945341c1df37aaf09c0d (v1.6.0) CVE-2020-36566 (Due to improper path santization, archives containing relative file pa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5eda018f4e1f8cfcfda4ea33c7c7b28bfe5131 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e5eda018f4e1f8cfcfda4ea33c7c7b28bfe5131 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
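Review bot: the go-getter hunk keeps the wording `follow bullseye DSAs/point-releases` that this same commit strips from golang-yaml.v2 and golang-github-gin-gonic-gin, so the harmonization is incomplete; either drop it from `[buster] - golang-github-hashicorp-go-getter (Limited support, minor issue, follow bullseye DSAs/point-releases)` as well, or keep it on all three so the buster policy for these Go packages reads the same everywhere.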
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2023-0215
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 466c9304 by Salvatore Bonaccorso at 2023-03-03T16:14:04+01:00 Add reference for CVE-2023-0215 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12228,6 +12228,7 @@ CVE-2023-0215 (The public API function BIO_new_NDEF is a helper function used fo NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f040f2577891d2bdb7610566c172233844cf673a (OpenSSL_1_1_1t) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=8818064ce3c3c0f1b740a5aaba2a987e75bfbafd (openssl-3.0.8) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=f596ec8a6f9f5fcfa8e46a73b60f78a609725294 (openssl-3.0.8) + NOTE: https://www.openwall.com/lists/oss-security/2023/03/03/1 CVE-2023-0214 (A cross-site scripting vulnerability in Skyhigh SWG in main releases 1 ...) NOT-FOR-US: Skyhigh SWG CVE-2023-0213 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/466c9304e4e1d0624ee6f6544fc28a2787be9711 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/466c9304e4e1d0624ee6f6544fc28a2787be9711 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] fuse-exfat fixed in experimental
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 835c6c91 by Moritz Muehlenhoff at 2023-03-03T16:13:20+01:00 fuse-exfat fixed in experimental - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -69982,6 +69982,7 @@ CVE-2022-29975 (An Authenticated Reflected Cross-site scripting at CC Parameter CVE-2022-29974 RESERVED CVE-2022-29973 (relan exFAT 1.3.0 allows local users to obtain sensitive information ( ...) + [experimental] - fuse-exfat 1.4.0-1 - fuse-exfat (bug #1014538) [bookworm] - fuse-exfat (Minor issue) [bullseye] - fuse-exfat (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/835c6c91b1cb4a2f4d2b452a71b7c5190b1d94ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/835c6c91b1cb4a2f4d2b452a71b7c5190b1d94ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] libmicrohttpd fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: ad594cdc by Moritz Muehlenhoff at 2023-03-03T16:12:15+01:00 libmicrohttpd fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -526,7 +526,7 @@ CVE-2023-1100 (A vulnerability classified as critical has been found in SourceCo CVE-2023-1099 (A vulnerability was found in SourceCodester Online Student Management ...) NOT-FOR-US: SourceCodester Online Student Management System CVE-2023-27371 (GNU libmicrohttpd before 0.9.76 allows remote DoS (Denial of Service) ...) - - libmicrohttpd + - libmicrohttpd 0.9.75-6 NOTE: https://git.gnunet.org/libmicrohttpd.git/commit/?id=e0754d1638c602382384f1eface30854b1defeec (v0.9.76) NOTE: https://lists.gnu.org/archive/html/libmicrohttpd/2023-02/msg0.html CVE-2023-27370 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad594cdc1fe4bf9ee598d974771403a367fdad96 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ad594cdc1fe4bf9ee598d974771403a367fdad96 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
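Review bot: the second NOTE URL, `https://lists.gnu.org/archive/html/libmicrohttpd/2023-02/msg0.html`, looks truncated (message pages in that archive are numbered msg000NN.html), so verify it resolves. Since the sid fix is `libmicrohttpd 0.9.75-6` while the upstream commit is tagged v0.9.76, a short NOTE that the fix was cherry-picked rather than a new upstream release would tell the stable maintainers what to backport.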
HIMSS 2023 leads
Hello, We have the complete contact information of the updated Visitor email list from The Healthcare Information & Management Systems - HIMSS - 2023. Attendees are: CXO, Healthcare Emerging Leaders, International Attendee - APAC Region, International Attendee - EMEA Region, International Attendee - Latin American Region, Investor/Entrepreneur, Nurses, Physician and More. If you're interested, I'll send you an email with all of the numbers and pricing information. Thank you, Samantha Cane Event Marketing ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3351-1 for apache2
Lee Garrett pushed to branch master at Debian Security Tracker / security-tracker Commits: f2f77ff7 by Lee Garrett at 2023-03-03T15:45:45+01:00 Reserve DLA-3351-1 for apache2 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -132879,7 +132879,6 @@ CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allow CVE-2021-33193 (A crafted method sent through HTTP/2 will bypass validation and be for ...) - apache2 2.4.48-4 [bullseye] - apache2 2.4.48-3.1+deb11u1 - [buster] - apache2 (Fix along with next DLA) [stretch] - apache2 (Revisit when a suitable backport is available for 2.4.25) NOTE: https://portswigger.net/research/http2 NOTE: https://github.com/apache/httpd/commit/ecebcc035ccd8d0e2984fe41420d9e944f456b3c (2.4.49) = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Mar 2023] DLA-3351-1 apache2 - security update + {CVE-2006-20001 CVE-2019-0215 CVE-2020-1927 CVE-2021-33193 CVE-2022-36760 CVE-2022-37436} + [buster] - apache2 2.4.38-3+deb10u9 [03 Mar 2023] DLA-3350-1 node-css-what - security update {CVE-2021-33587 CVE-2022-21222} [buster] - node-css-what 2.1.0-1+deb10u1 = data/dla-needed.txt = 
@@ -18,12 +18,6 @@ rather than remove/replace existing ones. NOTE: 20221231: Few users. Low prio. (opal). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/389-ds-base.git -- -apache2 (Lee Garrett) - NOTE: 20221227: Programming language: C. - NOTE: 20221227: VCS: https://salsa.debian.org/lts-team/packages/apache2.git - NOTE: 20221227: Special attention: Double check an update! Package is used by many customers and users!. - NOTE: 20230222: CVE-2019-17567 requires 1000+ LoC patch, too intrusive (lee) --- ceph NOTE: 20221031: Programming language: C++. NOTE: 20221031: To be checked further. Not clear whether the vulnerability can be exploited in a Debian system. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2f77ff74b00362432d4aa36f3a23c9251fadbe2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f2f77ff74b00362432d4aa36f3a23c9251fadbe2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
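Review bot: the dla-needed.txt hunk deletes the note `CVE-2019-17567 requires 1000+ LoC patch, too intrusive (lee)` without recording that decision anywhere else in this commit, and DLA-3351-1 does not list CVE-2019-17567, so the reasoning is lost once the entry goes. Record it on the CVE-2019-17567 entry in data/CVE/list as a `[buster]` line (ignored or postponed, with this reason) so the next triage round does not re-evaluate it from scratch. Removing `[buster] - apache2 (Fix along with next DLA)` from CVE-2021-33193 is consistent with that CVE being in the DLA's list.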
[Git][security-tracker-team/security-tracker][master] record additional CVEs fixed in libde265 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b5138ac3 by Moritz Muehlenhoff at 2023-03-03T13:57:30+01:00 record additional CVEs fixed in libde265 DSA - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = 
@@ -62,7 +62,7 @@ {CVE-2022-44267 CVE-2022-44268} [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u1 [10 Feb 2023] DSA-5346-1 libde265 - security update - {CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2020-21599 CVE-2020-21600 CVE-2020-21601 CVE-2020-21602 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411 CVE-2022-1253 CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655} + {CVE-2020-21594 CVE-2020-21595 CVE-2020-21596 CVE-2020-21597 CVE-2020-21598 CVE-2020-21599 CVE-2020-21600 CVE-2020-21601 CVE-2020-21602 CVE-2020-21603 CVE-2020-21604 CVE-2020-21605 CVE-2020-21606 CVE-2021-35452 CVE-2021-36408 CVE-2021-36409 CVE-2021-36410 CVE-2021-36411 CVE-2022-1253 CVE-2022-43235 CVE-2022-43236 CVE-2022-43237 CVE-2022-43238 CVE-2022-43239 CVE-2022-43240 CVE-2022-43241 CVE-2022-43242 CVE-2022-43243 CVE-2022-43244 CVE-2022-43245 CVE-2022-43248 CVE-2022-43249 CVE-2022-43250 CVE-2022-43252 CVE-2022-43253 CVE-2022-47655 CVE-2023-25221 CVE-2023-24758 CVE-2023-24757 CVE-2023-24756 CVE-2023-24755 CVE-2023-24754 CVE-2023-24752 CVE-2023-24751} [bullseye] - libde265 1.0.11-0+deb11u1 [08 Feb 2023] DSA-5345-1 chromium - security update {CVE-2023-0696 CVE-2023-0697 CVE-2023-0698 CVE-2023-0699 CVE-2023-0700 CVE-2023-0701 CVE-2023-0702 CVE-2023-0703 CVE-2023-0704 CVE-2023-0705} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5138ac30e8d0b6cbf275b11ba9c45c5f8f21c85 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5138ac30e8d0b6cbf275b11ba9c45c5f8f21c85 You're receiving this email because of your account on salsa.debian.org. 
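Review bot: the eight CVEs appended to DSA-5346-1 are in descending order (CVE-2023-25221 CVE-2023-24758 ... CVE-2023-24751) while the rest of the list is ascending; reorder for consistency. More importantly, CVE-2023-24753 is missing from the otherwise contiguous CVE-2023-24751..CVE-2023-24758 run: if 1.0.11-0+deb11u1 fixes it too it belongs in this list, and if it does not, a NOTE in data/CVE/list saying so will stop someone "fixing" the gap later.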
[Git][security-tracker-team/security-tracker][master] LTS: claim wordpress in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: d53d9714 by Guilhem Moulin at 2023-03-03T13:35:50+01:00 LTS: claim wordpress in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -317,7 +317,7 @@ trafficserver NOTE: 20230209: could find informatin for CVE-2022-31779, might be the same fix as CVE-2022-31778 (marked as to be ignored), but no proof on that… NOTE: 20230209: not sure, maybe the safest way would be to update to 8.1.6. -- -wordpress +wordpress (guilhem) NOTE: 20230302: Programming language: PHP. NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53d9714c8cd401dea05844b3aa452334bd2ccb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d53d9714c8cd401dea05844b3aa452334bd2ccb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] gradle n/a
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 37162791 by Moritz Muehlenhoff at 2023-03-03T13:00:06+01:00 gradle n/a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3793,9 +3793,8 @@ CVE-2023-26055 (XWiki Commons are technical libraries common to several other to CVE-2023-26054 RESERVED CVE-2023-26053 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (The version of Gradle in Debian doesn't support dependency verification yet) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2174854 - TODO: check, said that only 6.2 to 7.6 are impacted (upstream reference?) CVE-2023-26052 (Saleor is a headless, GraphQL commerce platform delivering personalize ...) TODO: check CVE-2023-26051 (Saleor is a headless, GraphQL commerce platform delivering personalize ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3716279184e32f34be6620ebcb0e07d0b9668739 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3716279184e32f34be6620ebcb0e07d0b9668739 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
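Review bot: the commit says "gradle n/a", but the committed line as shown, `- gradle (The version of Gradle in Debian doesn't support dependency verification yet)`, is an unfixed entry with a reason rather than a not-affected one; confirm it carries the `<not-affected>` tag, otherwise the tracker keeps CVE-2023-26053 open for gradle. Dropping `TODO: check, said that only 6.2 to 7.6 are impacted (upstream reference?)` also drops the only version-range hint; a NOTE giving the Debian gradle version would document why dependency verification is absent.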
[Git][security-tracker-team/security-tracker][master] bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7fdc140f by Moritz Muehlenhoff at 2023-03-03T11:24:22+01:00 bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -6466,6 +6466,7 @@ CVE-2023-25156 (Kiwi TCMS, an open source test management system, does not impos NOT-FOR-US: Kiwi TCMS CVE-2023-25155 (Redis is an in-memory database that persists on disk. Authenticated us ...) - redis (bug #1032279) + [bullseye] - redis (Minor issue) NOTE: https://github.com/redis/redis/security/advisories/GHSA-x2r7-j9vw-3w83 NOTE: https://github.com/redis/redis/commit/2a2a582e7cd99ba3b531336b8bd41df2b566e619 (7.0.9) CVE-2023-25154 (Misskey is an open source, decentralized social media platform. In ver ...) @@ -37296,8 +37297,8 @@ CVE-2022-41860 (In freeradius, when an EAP-SIM supplicant sends an unknown SIM o CVE-2022-41859 (In freeradius, the EAP-PWD function compute_password_element() leaks i ...) {DLA-3342-1} - freeradius 3.2.0+dfsg-1 + [bullseye] - freeradius (Minor issue) NOTE: https://github.com/FreeRADIUS/freeradius-server/commit/9e5e8f2f912ad2da8ac6e176ac3a606333469937 (release_3_0_26) - TODO: check details on fix CVE-2022-41858 (A flaw was found in the Linux kernel. A NULL pointer dereference may o ...) - linux 5.17.6-1 [bullseye] - linux 5.10.113-1 @@ -37310,10 +37311,10 @@ CVE-2022-41856 CVE-2022-41855 REJECTED CVE-2022-41854 (Those using Snakeyaml to parse untrusted YAML files may be vulnerable ...) - - snakeyaml 1.33-1 + - snakeyaml 1.33-1 (unimportant) [buster] - snakeyaml 1.23-1+deb10u1 NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50355 - TODO: check details + NOTE: No suitable for parsing untrusted YAML, see README.Debian.security CVE-2022-41853 (Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb ...) {DSA-5313-1 DLA-3234-1} - hsqldb 2.7.1-1 (bug #1023573) = data/dsa-needed.txt = 
@@ -38,6 +38,8 @@ php-horde-mime-viewer -- php-horde-turba -- +py7zr +-- rails (aron) -- ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fdc140f1370c83b3d3418e2815f1c65aff48fe1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7fdc140f1370c83b3d3418e2815f1c65aff48fe1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
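Review bot: typo in the snakeyaml hunk: `NOTE: No suitable for parsing untrusted YAML, see README.Debian.security` should read `Not suitable`. The freeradius hunk replaces `TODO: check details on fix` with `[bullseye] - freeradius (Minor issue)` without recording what the check found; a one-line NOTE on why the EAP-PWD compute_password_element() leak is minor for bullseye would back the no-dsa decision.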
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-33587 to DLA-3350-1
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 62bc18bc by Bastien Roucariès at 2023-03-03T10:03:57+00:00 Add CVE-2021-33587 to DLA-3350-1 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,5 +1,5 @@ [03 Mar 2023] DLA-3350-1 node-css-what - security update - {CVE-2022-21222} + {CVE-2021-33587 CVE-2022-21222} [buster] - node-css-what 2.1.0-1+deb10u1 [02 Mar 2023] DLA-3349-1 linux-5.10 - security update {CVE-2022-2873 CVE-2022-3545 CVE-2022-3623 CVE-2022-4696 CVE-2022-36280 CVE-2022-41218 CVE-2022-45934 CVE-2022-47929 CVE-2023-0179 CVE-2023-0240 CVE-2023-0266 CVE-2023-0394 CVE-2023-23454 CVE-2023-23455 CVE-2023-23586} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62bc18bc0c6a70007261183d17acb7deef3db7e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62bc18bc0c6a70007261183d17acb7deef3db7e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix version for DLA-3350-1
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: f149409a by Bastien Roucariès at 2023-03-03T09:55:16+00:00 Fix version for DLA-3350-1 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,6 +1,6 @@ [03 Mar 2023] DLA-3350-1 node-css-what - security update {CVE-2022-21222} - [buster] - node-css-what 2.1.0-1 + [buster] - node-css-what 2.1.0-1+deb10u1 [02 Mar 2023] DLA-3349-1 linux-5.10 - security update {CVE-2022-2873 CVE-2022-3545 CVE-2022-3623 CVE-2022-4696 CVE-2022-36280 CVE-2022-41218 CVE-2022-45934 CVE-2022-47929 CVE-2023-0179 CVE-2023-0240 CVE-2023-0266 CVE-2023-0394 CVE-2023-23454 CVE-2023-23455 CVE-2023-23586} [buster] - linux-5.10 5.10.162-1~deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f149409aca5f0e229cd929e8c6bb80a09dd9e11c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f149409aca5f0e229cd929e8c6bb80a09dd9e11c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3350-1 for node-css-what
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: 02536be7 by Bastien Roucariès at 2023-03-03T09:52:53+00:00 Reserve DLA-3350-1 for node-css-what - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[03 Mar 2023] DLA-3350-1 node-css-what - security update + {CVE-2022-21222} + [buster] - node-css-what 2.1.0-1 [02 Mar 2023] DLA-3349-1 linux-5.10 - security update {CVE-2022-2873 CVE-2022-3545 CVE-2022-3623 CVE-2022-4696 CVE-2022-36280 CVE-2022-41218 CVE-2022-45934 CVE-2022-47929 CVE-2023-0179 CVE-2023-0240 CVE-2023-0266 CVE-2023-0394 CVE-2023-23454 CVE-2023-23455 CVE-2023-23586} [buster] - linux-5.10 5.10.162-1~deb10u1 = data/dla-needed.txt = @@ -150,11 +150,6 @@ nheko (Dominik George) NOTE: 20230101: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git -- -node-css-what (rouca) - NOTE: 20221031: Programming language: Javascript. - NOTE: 20230130: Module has been rewritten in Typescript since Buster released (guilhem). - NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-css-what.git --- node-got NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02536be783d894abad40be239c1de71c0fa47f86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02536be783d894abad40be239c1de71c0fa47f86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
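Review bot: the version in `[buster] - node-css-what 2.1.0-1` is the original buster package version, not the update; a DLA entry must name the security revision (2.1.0-1+deb10u1), otherwise the tracker treats the unpatched package as fixed. The dla-needed.txt entry being removed also notes that the module was rewritten in TypeScript since buster; carrying that remark over as a NOTE on the CVE entries would help whoever reviews the backported patch.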
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5c665ac7 by Salvatore Bonaccorso at 2023-03-03T09:18:40+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,13 +41,13 @@ CVE-2023-27541 CVE-2023-27540 RESERVED CVE-2023-1165 (A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has been ...) - TODO: check + NOT-FOR-US: Zhong Bang CRMEB Java CVE-2023-1164 (A vulnerability was found in kylin-activation and classified as critic ...) TODO: check CVE-2023-1163 (A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4 and class ...) - TODO: check + NOT-FOR-US: DrayTek Vigor 2960 CVE-2023-1162 (A vulnerability, which was classified as critical, was found in DrayTe ...) - TODO: check + NOT-FOR-US: DrayTek Vigor 2960 CVE-2023-1161 RESERVED CVE-2023-1160 (Use of Platform-Dependent Third Party Components in GitHub repository ...) @@ -59,7 +59,7 @@ CVE-2023-1158 CVE-2023-1157 (A vulnerability, which was classified as problematic, was found in fin ...) TODO: check CVE-2023-1156 (A vulnerability classified as problematic was found in SourceCodester ...) - TODO: check + NOT-FOR-US: SourceCodester Health Center Patient Record Management System CVE-2021-4328 (A vulnerability has been found in 狮子鱼CMS and clas ...) TODO: check CVE-2020-36665 @@ -520,7 +520,7 @@ CVE-2023-1103 (Cross-site Scripting (XSS) - Stored in GitHub repository flatpres CVE-2023-1102 RESERVED CVE-2023-1101 (SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerab ...) - TODO: check + NOT-FOR-US: SonicOS SSLVPN CVE-2023-1100 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester Online Catering Reservation System CVE-2023-1099 (A vulnerability was found in SourceCodester Online Student Management ...) 
@@ -2596,17 +2596,17 @@ CVE-2023-26477 (XWiki Platform is a generic wiki platform. Starting in versions CVE-2023-26476 (XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, ...) NOT-FOR-US: XWiki CVE-2023-26475 (XWiki Platform is a generic wiki platform. Starting in version 2.3-mil ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26474 (XWiki Platform is a generic wiki platform. Starting in version 13.10, ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26473 (XWiki Platform is a generic wiki platform. Starting in version 1.3-rc- ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26472 (XWiki Platform is a generic wiki platform. Starting in version 6.2-mil ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26471 (XWiki Platform is a generic wiki platform. Starting in version 11.6-rc ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26470 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-26469 RESERVED CVE-2023-26468 (Cerebrate 1.12 does not properly consider organisation_id during creat ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c665ac783f2e2341642085509fc457cc5eb58c7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5c665ac783f2e2341642085509fc457cc5eb58c7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab84b5a8 by Salvatore Bonaccorso at 2023-03-03T09:16:00+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13846,7 +13846,7 @@ CVE-2023-0086 (The JetWidgets for Elementor plugin for WordPress is vulnerable t CVE-2023-0085 (The Metform Elementor Contact Form Builder plugin for WordPress is vul ...) NOT-FOR-US: Metform Elementor Contact Form Builder plugin for WordPress CVE-2023-0084 (The Metform Elementor Contact Form Builder plugin for WordPress is vul ...) - TODO: check + NOT-FOR-US: Metform Elementor Contact Form Builder plugin for WordPress CVE-2023-0083 RESERVED CVE-2023-0082 (The ExactMetrics WordPress plugin before 7.12.1 does not validate and ...) @@ -53894,7 +53894,7 @@ CVE-2022-35647 CVE-2022-35646 (IBM Security Verify Governance, Identity Manager 10.0.1 software compo ...) NOT-FOR-US: IBM CVE-2022-35645 (IBM Maximo Asset Management 7.6.1.1, 7.6.1.2, 7.6.1.3 and IBM Maximo A ...) - TODO: check + NOT-FOR-US: IBM CVE-2022-35644 RESERVED CVE-2022-35643 (IBM PowerVM VIOS 3.1 could allow a remote attacker to tamper with syst ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab84b5a8b2ef119052f04612f0f5f0a94c85b0b3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab84b5a8b2ef119052f04612f0f5f0a94c85b0b3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ba343b5 by security tracker role at 2023-03-03T08:10:18+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,73 @@ +CVE-2023-27560 (Math/PrimeField.php in phpseclib through 2.0.41 has an infinite loop w ...) + TODO: check +CVE-2023-27559 + RESERVED +CVE-2023-27558 + RESERVED +CVE-2023-27557 + RESERVED +CVE-2023-27556 + RESERVED +CVE-2023-27555 + RESERVED +CVE-2023-27554 + RESERVED +CVE-2023-27553 + RESERVED +CVE-2023-27552 + RESERVED +CVE-2023-27551 + RESERVED +CVE-2023-27550 + RESERVED +CVE-2023-27549 + RESERVED +CVE-2023-27548 + RESERVED +CVE-2023-27547 + RESERVED +CVE-2023-27546 + RESERVED +CVE-2023-27545 + RESERVED +CVE-2023-27544 + RESERVED +CVE-2023-27543 + RESERVED +CVE-2023-27542 + RESERVED +CVE-2023-27541 + RESERVED +CVE-2023-27540 + RESERVED +CVE-2023-1165 (A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has been ...) + TODO: check +CVE-2023-1164 (A vulnerability was found in kylin-activation and classified as critic ...) + TODO: check +CVE-2023-1163 (A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4 and class ...) + TODO: check +CVE-2023-1162 (A vulnerability, which was classified as critical, was found in DrayTe ...) + TODO: check +CVE-2023-1161 + RESERVED +CVE-2023-1160 (Use of Platform-Dependent Third Party Components in GitHub repository ...) + TODO: check +CVE-2023-1159 + RESERVED +CVE-2023-1158 + RESERVED +CVE-2023-1157 (A vulnerability, which was classified as problematic, was found in fin ...) + TODO: check +CVE-2023-1156 (A vulnerability classified as problematic was found in SourceCodester ...) + TODO: check +CVE-2021-4328 (A vulnerability has been found in 狮子鱼CMS and clas ...) + TODO: check +CVE-2020-36665 + RESERVED +CVE-2020-36664 + RESERVED +CVE-2020-36663 + RESERVED CVE-2023-27539 RESERVED CVE-2023-27538 
@@ -449,8 +519,8 @@ CVE-2023-1103 (Cross-site Scripting (XSS) - Stored in GitHub repository flatpres NOT-FOR-US: flatpressblog CVE-2023-1102 RESERVED -CVE-2023-1101 - RESERVED +CVE-2023-1101 (SonicOS SSLVPN improper restriction of excessive MFA attempts vulnerab ...) + TODO: check CVE-2023-1100 (A vulnerability classified as critical has been found in SourceCodeste ...) NOT-FOR-US: SourceCodester Online Catering Reservation System CVE-2023-1099 (A vulnerability was found in SourceCodester Online Student Management ...) @@ -2525,18 +2595,18 @@ CVE-2023-26477 (XWiki Platform is a generic wiki platform. Starting in versions NOT-FOR-US: XWiki CVE-2023-26476 (XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, ...) NOT-FOR-US: XWiki -CVE-2023-26475 - RESERVED -CVE-2023-26474 - RESERVED -CVE-2023-26473 - RESERVED -CVE-2023-26472 - RESERVED -CVE-2023-26471 - RESERVED -CVE-2023-26470 - RESERVED +CVE-2023-26475 (XWiki Platform is a generic wiki platform. Starting in version 2.3-mil ...) + TODO: check +CVE-2023-26474 (XWiki Platform is a generic wiki platform. Starting in version 13.10, ...) + TODO: check +CVE-2023-26473 (XWiki Platform is a generic wiki platform. Starting in version 1.3-rc- ...) + TODO: check +CVE-2023-26472 (XWiki Platform is a generic wiki platform. Starting in version 6.2-mil ...) + TODO: check +CVE-2023-26471 (XWiki Platform is a generic wiki platform. Starting in version 11.6-rc ...) + TODO: check +CVE-2023-26470 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check CVE-2023-26469 RESERVED CVE-2023-26468 (Cerebrate 1.12 does not properly consider organisation_id during creat ...) @@ -2958,8 +3028,8 @@ CVE-2023-0959 RESERVED CVE-2023-0958 RESERVED -CVE-2023-0957 - RESERVED +CVE-2023-0957 (An issue was discovered in Gitpod versions prior to release-2022.11.2. ...) + TODO: check CVE-2023-0956 RESERVED CVE-2023-0955 
@@ -3716,20 +3786,20 @@ CVE-2014-125087 (A vulnerability was found in java-xmlbuilder up to 1.1. It has NOT-FOR-US: java-xmlbuilder CVE-2012-10007 (A vulnerability was found in madgicweb BuddyStream Plugin up to 3.2.7. ...) NOT-FOR-US: madgicweb BuddyStream Plugin -CVE-2023-26056 - RESERVED -CVE-2023-26055 - RESERVED +CVE-2023-26056 (XWiki Platform is a generic wiki platform. Starting in version 3.0-mil ...) + TODO: check +CVE-2023-26055 (XWiki Commons are technical libraries common to several other top leve ...) + TODO: check CVE-2023-26054 RESERVED CVE-2023-26053 (Gradle is a bu
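Review bot: the imported descriptions in every hunk of this patch are cut at a fixed width and end in " ...", so the affected-version boundary is lost for several entries that are left as TODO: check, e.g. `+CVE-2023-27560 (Math/PrimeField.php in phpseclib through 2.0.41 has an infinite loop w ...)` and `+CVE-2023-26475 (XWiki Platform is a generic wiki platform. Starting in version 2.3-mil ...)`; whoever resolves these TODOs should take the version range from the full CVE text rather than the truncated line, and the entries that flip from RESERVED to a description in the same hunk (CVE-2023-1101, CVE-2023-0957, CVE-2023-26470 through CVE-2023-26475, CVE-2023-26055 and CVE-2023-26056) are the ones where that range is most likely to have changed since the placeholder was created.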
