[Git][security-tracker-team/security-tracker][master] Free DLA-3355-1
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 47d63ba9 by Tobias Frost at 2023-03-09T22:30:38+01:00 Free DLA-3355-1 - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,7 +1,5 @@ [09 Mar 2023] DLA-3356-1 wireless-regdb - security update [buster] - wireless-regdb 2022.04.08-2~deb10u1 -[09 Mar 2023] DLA-3355-1 wireless-regdb - security update - [buster] - wireless-regdb 2022.04.08-2~deb10u1 [06 Mar 2023] DLA-3354-1 kopanocore - security update {CVE-2019-19907 CVE-2022-26562} [buster] - kopanocore 8.7.0-3+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47d63ba935d6ed95ddd5e20e1a0c865c65b57ce6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
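Review bot: deleting the DLA-3355-1 entry leaves that advisory number unused between DLA-3354-1 and DLA-3356-1 in data/DLA/list; the removal itself is right, since the deleted lines are byte-for-byte the same as the DLA-3356-1 entry kept above them (wireless-regdb 2022.04.08-2~deb10u1 for buster), but a freed number is meant to be picked up by the next buster advisory, so confirm nothing in data/CVE/list still carries a `{DLA-3355-1}` marker before it is reused.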
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21f11c9a by Salvatore Bonaccorso at 2023-03-09T21:15:13+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -41,23 +41,23 @@ CVE-2023-1296 CVE-2023-1295 RESERVED CVE-2023-1294 (A vulnerability was found in SourceCodester File Tracker Manager Syste ...) - TODO: check + NOT-FOR-US: SourceCodester File Tracker Manager System CVE-2023-1293 (A vulnerability was found in SourceCodester Online Graduate Tracer Sys ...) - TODO: check + NOT-FOR-US: SourceCodester Online Graduate Tracer System CVE-2023-1292 (A vulnerability has been found in SourceCodester Sales Tracker Managem ...) - TODO: check + NOT-FOR-US: SourceCodester Sales Tracker Management System CVE-2023-1291 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Sales Tracker Management System CVE-2023-1290 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Sales Tracker Management System CVE-2023-1289 RESERVED CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA Live Co ...) - TODO: check + NOT-FOR-US: ENOVIA Live Collaboration V6R2013xE CVE-2023-1287 (An XSL template vulnerability in ENOVIA Live Collaboration V6R2013xE a ...) - TODO: check + NOT-FOR-US: ENOVIA Live Collaboration V6R2013xE CVE-2023-1286 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) - TODO: check + NOT-FOR-US: pimcore CVE-2023-1285 RESERVED CVE-2023-27984 
@@ -342,7 +342,7 @@ CVE-2023-1252 [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9a254403760041528bc8f69fe2f5e1ef86950991 (5.16-rc1) CVE-2023-1251 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Akinsoft Wolvox CVE-2023-1250 RESERVED CVE-2023-1249 [coredump: Use the vma snapshot in fill_files_note] @@ -4744,9 +4744,9 @@ CVE-2023-26211 CVE-2023-26210 RESERVED CVE-2023-26209 (A improper restriction of excessive authentication attempts vulnerabil ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-26208 (A improper restriction of excessive authentication attempts vulnerabil ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-26207 RESERVED CVE-2023-26206 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21f11c9a0fbc8b5677f6a1d56e4976f4c1e5b4ae
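Review bot: in the `@@ -41,23 +41,23 @@` hunk the labels for CVE-2023-1288 and CVE-2023-1287 are `NOT-FOR-US: ENOVIA Live Collaboration V6R2013xE`, i.e. product plus release string, while every other label in the hunk names only the product (`pimcore`, `SourceCodester Online Graduate Tracer System`); dropping `V6R2013xE` keeps the label reusable for later ENOVIA CVEs that affect other releases.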
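Review bot: in the `@@ -4744,9 +4744,9 @@` hunk CVE-2023-26209 and CVE-2023-26208 are labelled `NOT-FOR-US: FortiGuard`; FortiGuard is the name of Fortinet's advisory and research arm rather than a product, so the label should name the affected Fortinet product from the full CVE text (cut off at `vulnerabil ...` here), or at least `Fortinet`, in line with the vendor-named entries elsewhere on this page (`Dell`, `HPE`, `Qualcomm`).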
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1efc0cd8 by security tracker role at 2023-03-09T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,65 @@ +CVE-2023-28004 + RESERVED +CVE-2023-28003 + RESERVED +CVE-2023-28002 + RESERVED +CVE-2023-28001 + RESERVED +CVE-2023-28000 + RESERVED +CVE-2023-27999 + RESERVED +CVE-2023-27998 + RESERVED +CVE-2023-27997 + RESERVED +CVE-2023-27996 + RESERVED +CVE-2023-27995 + RESERVED +CVE-2023-27994 + RESERVED +CVE-2023-27993 + RESERVED +CVE-2023-27992 + RESERVED +CVE-2023-27991 + RESERVED +CVE-2023-27990 + RESERVED +CVE-2023-27989 + RESERVED +CVE-2023-27988 + RESERVED +CVE-2023-27987 + RESERVED +CVE-2023-1297 + RESERVED +CVE-2023-1296 + RESERVED +CVE-2023-1295 + RESERVED +CVE-2023-1294 (A vulnerability was found in SourceCodester File Tracker Manager Syste ...) + TODO: check +CVE-2023-1293 (A vulnerability was found in SourceCodester Online Graduate Tracer Sys ...) + TODO: check +CVE-2023-1292 (A vulnerability has been found in SourceCodester Sales Tracker Managem ...) + TODO: check +CVE-2023-1291 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2023-1290 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2023-1289 + RESERVED +CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA Live Co ...) + TODO: check +CVE-2023-1287 (An XSL template vulnerability in ENOVIA Live Collaboration V6R2013xE a ...) + TODO: check +CVE-2023-1286 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) + TODO: check +CVE-2023-1285 + RESERVED CVE-2023-27984 RESERVED CVE-2023-27983 
@@ -279,8 +341,8 @@ CVE-2023-1252 [bullseye] - linux 5.10.84-1 [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/9a254403760041528bc8f69fe2f5e1ef86950991 (5.16-rc1) -CVE-2023-1251 - RESERVED +CVE-2023-1251 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check CVE-2023-1250 RESERVED CVE-2023-1249 [coredump: Use the vma snapshot in fill_files_note] 
@@ -395,75 +457,99 @@ CVE-2023-1238 (Cross-site Scripting (XSS) - Stored in GitHub repository answerde CVE-2023-1237 (Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/ans ...) NOT-FOR-US: Answer CVE-2023-1236 (Inappropriate implementation in Internals in Google Chrome prior to 11 ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1235 (Type confusion in DevTools in Google Chrome prior to 111.0.5563.64 all ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1234 (Inappropriate implementation in Intents in Google Chrome on Android pr ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1233 (Insufficient policy enforcement in Resource Timing in Google Chrome pr ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1232 (Insufficient policy enforcement in Resource Timing in Google Chrome pr ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1231 (Inappropriate implementation in Autofill in Google Chrome on Android p ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1230 (Inappropriate implementation in WebApp Installs in Google Chrome on An ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1229 (Inappropriate implementation in Permission prompts in Google Chrome pr ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1228 (Insufficient policy enforcement in Intents in Google Chrome on Android ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1227 (Use after free in Core in Google Chrome on Lacros prior to 111.0.5563. ...) + {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1226 (Insufficient policy enforcement in Web Payments API in Google Chrome p ...) 
+ {DSA-5371-1} - chromium 111.0.5563.64-1 [buster] - chromium (see DSA 5046) CVE-2023-1225 (Insufficient policy enforcement in Navigation in Google Chrome on iOS ...) + {DSA-5371-1} - chro
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3356-1 for wireless-regdb
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dd0c36f by Tobias Frost at 2023-03-09T20:22:09+01:00 Reserve DLA-3356-1 for wireless-regdb - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,7 @@ +[09 Mar 2023] DLA-3356-1 wireless-regdb - security update + [buster] - wireless-regdb 2022.04.08-2~deb10u1 +[09 Mar 2023] DLA-3355-1 wireless-regdb - security update + [buster] - wireless-regdb 2022.04.08-2~deb10u1 [06 Mar 2023] DLA-3354-1 kopanocore - security update {CVE-2019-19907 CVE-2022-26562} [buster] - kopanocore 8.7.0-3+deb10u1 = data/dla-needed.txt = @@ -318,11 +318,6 @@ trafficserver NOTE: 20230209: could find informatin for CVE-2022-31779, might be the same fix as CVE-2022-31778 (marked as to be ignored), but no proof on that… NOTE: 20230209: not sure, maybe the safest way would be to update to 8.1.6. -- -wireless-regdb (tobi) - NOTE: 20230306: Programming language: database. - NOTE: 20230306: VCS: https://salsa.debian.org/kernel-team/wireless-regdb - NOTE: 20230306: Maintainer notes: To be updated regularly; used by linux-image. --- wordpress (guilhem) NOTE: 20230302: Programming language: PHP. NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd0c36f0226230da4c4cec84de6d6bdf4dde915
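Review bot: the data/DLA/list hunk adds two advisory entries, DLA-3356-1 and DLA-3355-1, with identical bodies (`[buster] - wireless-regdb 2022.04.08-2~deb10u1`), although the commit message reserves only DLA-3356-1 and the dla-needed.txt hunk removes a single wireless-regdb item; one upload gets one DLA, so the DLA-3355-1 lines should be dropped from this change (or, if 3355 was the number actually meant, 3356 should not be consumed), otherwise the duplicate has to be freed again in a follow-up commit.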
[Git][security-tracker-team/security-tracker][master] chromium DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d834c14 by Moritz Mühlenhoff at 2023-03-09T20:15:59+01:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[09 Mar 2023] DSA-5371-1 chromium - security update + {CVE-2023-1213 CVE-2023-1214 CVE-2023-1215 CVE-2023-1216 CVE-2023-1217 CVE-2023-1218 CVE-2023-1219 CVE-2023-1220 CVE-2023-1221 CVE-2023-1222 CVE-2023-1223 CVE-2023-1224 CVE-2023-1225 CVE-2023-1226 CVE-2023-1227 CVE-2023-1228 CVE-2023-1229 CVE-2023-1230 CVE-2023-1231 CVE-2023-1232 CVE-2023-1233 CVE-2023-1234 CVE-2023-1235 CVE-2023-1236} + [bullseye] - chromium 111.0.5563.64-1~deb11u1 [07 Mar 2023] DSA-5370-1 apr - security update {CVE-2022-24963} [bullseye] - apr 1.7.0-6+deb11u2 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- apache2 (jmm) -- -chromium (jmm) --- jupyter-core Maintainer asked for availability to prepare updates -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1d834c148e9f2ab610e0fb390208d5a137e16dfd
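Review bot: the new DSA-5371-1 entry lists 24 ids (CVE-2023-1213 to CVE-2023-1236) against a single `[bullseye] - chromium 111.0.5563.64-1~deb11u1` line; before the advisory goes out, check that every id in the braces has a data/CVE/list entry carrying the unstable fix `chromium 111.0.5563.64-1`, because the automatic update on this page only shows `{DSA-5371-1}` markers being attached from CVE-2023-1236 down to CVE-2023-1225 and the lower ids are not visible. Nothing is needed for buster here: those entries already read `[buster] - chromium (see DSA 5046)`.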
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 932653e2 by Moritz Muehlenhoff at 2023-03-09T20:06:33+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2023-27976 CVE-2023-27975 RESERVED CVE-2023-27974 (** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill wh ...) - TODO: check + NOT-FOR-US: Bitwarden CVE-2023-27973 RESERVED CVE-2023-27972 @@ -29,7 +29,7 @@ CVE-2023-27971 CVE-2023-1284 RESERVED CVE-2023-1283 (Code Injection in GitHub repository builderio/qwik prior to 0.21.0. ...) - TODO: check + NOT-FOR-US: qwik CVE-2023-1282 RESERVED CVE-2023-1281 @@ -39,11 +39,11 @@ CVE-2023-1280 CVE-2023-1279 RESERVED CVE-2023-1278 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: IBOS CVE-2023-1277 (A vulnerability, which was classified as critical, was found in kylin- ...) - TODO: check + NOT-FOR-US: kylin-system-updater CVE-2018-25081 (** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill wi ...) - TODO: check + NOT-FOR-US: Bitwarden CVE-2017-20182 RESERVED CVE-2014-125093 @@ -1461,7 +1461,7 @@ CVE-2023-27488 CVE-2023-27487 RESERVED CVE-2023-27486 (xCAT is a toolkit for deployment and administration of computer cluste ...) - TODO: check + NOT-FOR-US: xCAT CVE-2023-27485 (thmmniii/fbs-core is an open source feedback system for students. In v ...) NOT-FOR-US: thmmniii/fbs-core CVE-2023-27484 @@ -1469,7 +1469,7 @@ CVE-2023-27484 CVE-2023-27483 RESERVED CVE-2023-27482 (homeassistant is an open source home automation tool. A remotely explo ...) - TODO: check + - homeassistant (bug #839786) CVE-2023-27481 (Directus is a real-time API and App dashboard for managing SQL databas ...) NOT-FOR-US: Directus CVE-2023-27480 (XWiki Platform is a generic wiki platform offering runtime services fo ...) 
@@ -1489,7 +1489,7 @@ CVE-2023-27476 (OWSLib is a Python package for client programming with Open Geos - owslib NOTE: https://github.com/geopython/OWSLib/commit/d91267303a695d69e73fa71efa100a035852a063 CVE-2023-27475 (Goutil is a collection of miscellaneous functionality for the go langu ...) - TODO: check + NOT-FOR-US: Goutil CVE-2023-27474 (Directus is a real-time API and App dashboard for managing SQL databas ...) NOT-FOR-US: Directus CVE-2023-27473 @@ -2826,7 +2826,7 @@ CVE-2023-26924 CVE-2023-26923 RESERVED CVE-2023-26922 (SQL injection vulnerability found in Varisicte matrix-gui v.2 allows a ...) - TODO: check + NOT-FOR-US: Varisicte CVE-2023-26921 RESERVED CVE-2023-26920 @@ -9507,7 +9507,7 @@ CVE-2023-24535 CVE-2023-24534 RESERVED CVE-2023-24533 (Multiplication of certain unreduced P-256 scalars produce incorrect re ...) - TODO: check + NOT-FOR-US: filippo.io/nistec (also included in golang, but tracked as CVE-2023-24533 for it) CVE-2023-24532 (The ScalarMult and ScalarBaseMult methods of the P256 Curve may return ...) - golang-1.20 1.20.2-1 [experimental] - golang-1.19 1.19.7-1 @@ -11600,7 +11600,7 @@ CVE-2023-23762 CVE-2023-23761 RESERVED CVE-2023-23760 (A path traversal vulnerability was identified in GitHub Enterprise Ser ...) - TODO: check + NOT-FOR-US: Github Enterprise Server CVE-2023-23759 RESERVED CVE-2023-23758 @@ -90933,7 +90933,6 @@ CVE-2022-23639 (crossbeam-utils provides atomics, synchronization primitives, sc - rust-crossbeam-utils-0.7 NOTE: https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926 NOTE: https://github.com/crossbeam-rs/crossbeam/pull/781 - TODO: check, crossbeam-utils are vendored in various other sources, in particular rustc to be checked CVE-2022-23638 (svg-sanitizer is a SVG/XML sanitizer written in PHP. A cross-site scri ...) NOT-FOR-US: darylldoyle svg-sanitizer CVE-2022-23637 (K-Box is a web-based application to manage documents, images, videos a ...) 
@@ -99373,7 +99372,7 @@ CVE-2022-21952 (An Uncontrolled Resource Consumption vulnerability in spacewalk- CVE-2022-21951 (A Missing Encryption of Sensitive Data vulnerability in SUSE Rancher, ...) NOT-FOR-US: Rancher CVE-2022-21950 (A Improper Access Control vulnerability in the systemd service of cana ...) - TODO: check + NOT-FOR-US: SuSE CVE-2022-21949 (A Improper Restriction of XML External Entity Reference vulnerability ...) - ruby-xmlhash (bug #1010667) [bullseye] - ruby-xmlhash (Minor issue) @@ -112797,7 +112796,6 @@ CVE-2021-3838 - php-dompdf 2.0.2+dfsg-1 NOTE: https://github.com/dompdf/dompdf/issues/
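Review bot: the `@@ -9507,7 +9507,7 @@` hunk's new line `NOT-FOR-US: filippo.io/nistec (also included in golang, but tracked as CVE-2023-24533 for it)` cites the entry's own id; the golang-tracked id is the next entry down, CVE-2023-24532 (`golang-1.20 1.20.2-1`, `golang-1.19 1.19.7-1`), so the note should read `tracked as CVE-2023-24532 for it`.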
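Review bot: the `@@ -90933,7 +90933,6 @@` hunk drops `TODO: check, crossbeam-utils are vendored in various other sources, in particular rustc to be checked` from CVE-2022-23639 without recording what the check found; if the vendored copies (rustc in particular) were examined, replace the TODO with a NOTE stating the result, otherwise the open question is silently lost.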
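Review bot: in the `@@ -1469,7 +1469,7 @@` hunk CVE-2023-27482 changes from `TODO: check` to `- homeassistant (bug #839786)` with no fixed version and no NOTE; the neighbouring entry tracked against a Debian source (CVE-2023-27476 / owslib) carries the upstream fix commit, so add the upstream reference here as well, and if #839786 is the packaging bug for a source that is not yet in the archive rather than a bug about this CVE, the entry should say so, as is done for other not-yet-packaged sources.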
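Review bot: `NOT-FOR-US: SuSE` in the `@@ -99373,7 +99372,7 @@` hunk (CVE-2022-21950) uses the old spelling; the context line directly above it writes `SUSE Rancher`, so use `SUSE`.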
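Review bot: `NOT-FOR-US: Github Enterprise Server` in the `@@ -11600,7 +11600,7 @@` hunk (CVE-2023-23760) should be `GitHub Enterprise Server`, matching the CVE text on the same line.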
[Git][security-tracker-team/security-tracker][master] qemu: quick recheck for recent pending patches
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 41cf69b6 by Sylvain Beucler at 2023-03-09T17:15:38+01:00 qemu: quick recheck for recent pending patches - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11960,6 +11960,7 @@ CVE-2023-0330 (A vulnerability in the lsi53c895a device affects the latest versi [bullseye] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2160151 NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-01/msg03411.html + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2023-0329 RESERVED CVE-2022-48261 (There is a misinterpretation of input vulnerability in BiSheng-WNM FW ...) @@ -27315,6 +27316,7 @@ CVE-2022-3872 (An off-by-one read/write issue was found in the SDHCI device of Q NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2140567 NOTE: patch proposal 1: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01068.html NOTE: patch proposal 2: https://lists.nongnu.org/archive/html/qemu-devel/2022-11/msg01161.html + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2022-45043 (Tenda AX12 V22.03.01.16_cn is vulnerable to command injection via gofo ...) NOT-FOR-US: Tenda CVE-2022-45042 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41cf69b657066985b5775bd986dbde637ec8b1ac
[Git][security-tracker-team/security-tracker][master] 2 commits: qemu: quick recheck for old pending patches
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 1a29c3f3 by Sylvain Beucler at 2023-03-09T16:55:53+01:00 qemu: quick recheck for old pending patches - - - - - 07076ab5 by Sylvain Beucler at 2023-03-09T16:55:55+01:00 CVE-2022-1050/qemu: referenced merged patch - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78376,9 +78376,8 @@ CVE-2022-1051 (The WPQA Builder Plugin WordPress plugin before 5.2, used as a co CVE-2022-1050 (A flaw was found in the QEMU implementation of VMWare's paravirtual RD ...) - qemu 1:7.1+dfsg-2 (bug #1014589) [bullseye] - qemu (Minor issue) - [buster] - qemu (Minor issue, waiting for sanctioned patch, patch included in unstable) [stretch] - qemu (rdma devices introduced in v2.12) - NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2022-04/msg00273.html + NOTE: https://gitlab.com/qemu-project/qemu/-/commit/31c4b6fb0293e359f9ef8a61892667e76eea4c99 (master, after v7.2.0) CVE-2022-1049 (A flaw was found in the Pacemaker configuration tool (pcs). The pcs da ...) {DSA-5226-1 DLA-3108-1} - pcs 0.11.3-1 @@ -117160,7 +117159,7 @@ CVE-2021-3735 (A deadlock issue was found in the AHCI controller device of QEMU. [bullseye] - qemu (Minor issue) [buster] - qemu (Minor issue, waiting for patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1997184 - NOTE: No upstream patch as of 2022-11-08 + NOTE: No upstream patch as of 2023-03-09 CVE-2021-40083 (Knot Resolver before 5.3.2 is prone to an assertion failure, triggerab ...) [experimental] - knot-resolver 5.4.1-1 - knot-resolver 5.4.1-2 (bug #991463) 
@@ -168425,7 +168424,7 @@ CVE-2021-20255 (A stack overflow via an infinite recursion vulnerability was fou [buster] - qemu (Minor issue, waiting for sanctioned patch, fixed in stretch-lts) NOTE: https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Feepro100_stackoverflow1 - NOTE: No sanctioned upstream patch as of 2022-11-08 + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2021-20254 (A flaw was found in samba. The Samba smbd file server must map Windows ...) {DLA-2668-1} - samba 2:4.13.5+dfsg-2 (bug #987811) @@ -169278,7 +169277,7 @@ CVE-2020-35503 (A NULL pointer dereference flaw was found in the megasas-gen2 SC [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1910346 NOTE: https://lists.gnu.org/archive/html/qemu-devel/2020-12/msg06065.html - NOTE: No sanctioned upstream patch as of 2022-11-08 + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2020-35502 (A flaw was found in Privoxy in versions before 3.0.29. Memory leaks wh ...) {DLA-2548-1} - privoxy 3.0.29-1 @@ -185305,7 +185304,7 @@ CVE-2020-25743 (hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer der [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg01568.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Fide_nullptr1 - NOTE: No sanctioned upstream patch as of 2022-11-08 + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL p ...) - qemu (bug #971390) [bookworm] - qemu (Minor issue, revisit when fixed upstream) 
@@ -185313,7 +185312,7 @@ CVE-2020-25742 (pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg05294.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Flsi_nullptr1 - NOTE: No sanctioned upstream patch as of 2022-11-08 + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer d ...) - qemu (bug #970939) [bookworm] - qemu (Minor issue, revisit when fixed upstream) @@ -185321,7 +185320,7 @@ CVE-2020-25741 (fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL poi [buster] - qemu (Minor issue, waiting for sanctioned patch) NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2020-09/msg07779.html NOTE: https://ruhr-uni-bochum.sciebo.de/s/NNWP2GfwzYKeKwE?path=%2Ffdc_nullptr1 - NOTE: No sanctioned upstream patch as of 2022-11-08 + NOTE: No sanctioned upstream patch as of 2023-03-09 CVE-2020-25740 RESERVED CVE-2020-25739 (An issue was discovered in the gon gem before gon-6.4.0 for Ruby. Mult ...)
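Review bot: the CVE-2022-1050 hunk (`@@ -78376,9 +78376,8 @@`) removes the `[buster] - qemu (Minor issue, waiting for sanctioned patch, patch included in unstable)` line in the same change that swaps the mailing-list NOTE for the merged gitlab commit; without a `[buster]` line the tracker treats buster as open and unfixed rather than postponed, which may be intended now that a sanctioned patch exists, but neither commit message (`qemu: quick recheck for old pending patches`, `CVE-2022-1050/qemu: referenced merged patch`) says so. If buster is meant to be fixed now, add qemu to dla-needed.txt for it; if not, keep a `[buster]` line with the updated reason.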
[Git][security-tracker-team/security-tracker][master] Add CVE-2021-37519/memcached
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e8636ece by Salvatore Bonaccorso at 2023-03-09T15:49:09+01:00 Add CVE-2021-37519/memcached - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -123757,7 +123757,10 @@ CVE-2021-37521 CVE-2021-37520 RESERVED CVE-2021-37519 (Buffer Overflow vulnerability in authfile.c memcached 1.6.9 allows att ...) - TODO: check + - memcached 1.6.10+dfsg-1 + [bullseye] - memcached (Minor issue) + NOTE: https://github.com/memcached/memcached/issues/805 + NOTE: https://github.com/memcached/memcached/commit/ddee3e27a031be22f5f28c160be18fd3cb9bc63d (1.6.10) CVE-2021-37518 (Universal Cross Site Scripting (UXSS) vulnerability in Vimium Extensio ...) NOT-FOR-US: Vivium CVE-2021-37517 (An Access Control vulnerability exists in Dolibarr ERP/CRM 13.0.2, fix ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8636ece86cad8f4007a6de747253f2e44c25f71
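Review bot: the new CVE-2021-37519 entry marks bullseye `(Minor issue)` with no NOTE giving the reason; the CVE text names a buffer overflow in authfile.c of memcached 1.6.9 and the referenced commit lands in 1.6.10, so a one-line NOTE on why it is minor (for instance, if the overflow is only reachable through the auth file the administrator supplies, should that be the case) would let the LTS team reuse the assessment for buster, which gets no `[buster]` line here. Drive-by on the context line below: `NOT-FOR-US: Vivium` for CVE-2021-37518 misspells Vimium, the name the CVE text itself uses.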
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8d955929 by Salvatore Bonaccorso at 2023-03-09T15:44:53+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14203,13 +14203,13 @@ CVE-2023-22894 CVE-2023-22893 RESERVED CVE-2023-22892 (There exists an information disclosure vulnerability in SmartBear Zeph ...) - TODO: check + NOT-FOR-US: SmartBear Zephyr Enterprise CVE-2023-22891 (There exists a privilege escalation vulnerability in SmartBear Zephyr ...) - TODO: check + NOT-FOR-US: SmartBear Zephyr Enterprise CVE-2023-22890 (SmartBear Zephyr Enterprise through 7.15.0 allows unauthenticated user ...) - TODO: check + NOT-FOR-US: SmartBear Zephyr Enterprise CVE-2023-22889 (SmartBear Zephyr Enterprise through 7.15.0 mishandles user-defined inp ...) - TODO: check + NOT-FOR-US: SmartBear Zephyr Enterprise CVE-2023-22888 RESERVED CVE-2023-22887 @@ -21914,7 +21914,7 @@ CVE-2022-46754 (Wyse Management Suite 3.8 and below contain an improper access c CVE-2022-46753 RESERVED CVE-2022-46752 (Dell BIOS contains an Improper Authorization vulnerability. An unauthe ...) - TODO: check + NOT-FOR-US: Dell CVE-2022-46751 RESERVED CVE-2022-4340 (The BookingPress WordPress plugin before 1.0.31 suffers from an Insecu ...) @@ -22917,7 +22917,7 @@ CVE-2022-46396 CVE-2022-46395 (An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privi ...) NOT-FOR-US: Arm Mali CVE-2022-46394 (An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privi ...) - TODO: check + NOT-FOR-US: Arm Mali CVE-2022-46393 (An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0 ...) - mbedtls 2.28.2-1 [bullseye] - mbedtls (The vulnerable code was introduced later) 
@@ -49234,7 +49234,7 @@ CVE-2022-37941 CVE-2022-37940 RESERVED CVE-2022-37939 (A potential security vulnerability has been identified in HPE Superdom ...) - TODO: check + NOT-FOR-US: HPE CVE-2022-37938 (Unauthenticated server side request forgery in HPE Serviceguard Manage ...) NOT-FOR-US: HPE CVE-2022-37937 (Pre-auth memory corruption in HPE Serviceguard ...) @@ -83846,7 +83846,7 @@ CVE-2022-25711 (Memory corruption in camera due to improper validation of array CVE-2022-25710 (Denial of service due to null pointer dereference when GATT is disconn ...) NOT-FOR-US: Snapdragon CVE-2022-25709 (Memory corruption in modem due to use of out of range pointer offset w ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2022-25708 (Memory corruption in WLAN due to buffer copy without checking size of ...) NOT-FOR-US: Qualcomm CVE-2022-25707 @@ -83854,7 +83854,7 @@ CVE-2022-25707 CVE-2022-25706 (Information disclosure in Bluetooth driver due to buffer over-read whi ...) NOT-FOR-US: Qualcomm CVE-2022-25705 (Memory corruption in modem due to integer overflow to buffer overflow ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2022-25704 RESERVED CVE-2022-25703 @@ -83876,7 +83876,7 @@ CVE-2022-25696 (Memory corruption in display due to time-of-check time-of-use ra CVE-2022-25695 (Memory corruption in MODEM due to Improper Validation of Array Index w ...) NOT-FOR-US: Snapdragon CVE-2022-25694 (Memory corruption in Modem due to usage of Out-of-range pointer offset ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2022-25693 (Memory corruption in graphics due to use-after-free while graphics pro ...) NOT-FOR-US: Qualcomm CVE-2022-25692 (Denial of service in Modem due to reachable assertion while processing ...) 
@@ -83954,7 +83954,7 @@ CVE-2022-25657 (Memory corruption due to buffer overflow occurs while processing CVE-2022-25656 (Possible integer overflow and memory corruption due to improper valida ...) NOT-FOR-US: Qualcomm CVE-2022-25655 (Memory corruption in WLAN HAL while arbitrary value is passed in WMI U ...) - TODO: check + NOT-FOR-US: Qualcomm CVE-2022-25654 (Memory corruption in kernel due to improper input validation while pro ...) NOT-FOR-US: Qualcomm CVE-2022-25653 (Information disclosure in video due to buffer over-read while processi ...) @@ -95664,7 +95664,7 @@ CVE-2022-22299 (A format string vulnerability [CWE-134] in the command line inte CVE-2022-22298 RESERVED CVE-2022-22297 (An incomplete filtering of one or more instances of special elements v ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2022-22296 (Sourcecodester Hospital's Patient Records Management System 1.0 is vul ...) NOT-FOR-US: Sourcecodester CVE-2022-22295 (Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability ...) @@ -97680,11 +97680,11 @@ CVE-2021-45480
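Review bot: in the `@@ -83846,7 +83846,7 @@` hunk CVE-2022-25709 gets `NOT-FOR-US: Qualcomm` while CVE-2022-25710 in the context two lines up reads `NOT-FOR-US: Snapdragon`, and the `@@ -83876,7 +83876,7 @@` hunk repeats the split (CVE-2022-25695 `Snapdragon`, CVE-2022-25694 `Qualcomm`); both refer to the same vendor's chipset advisories, so settle on one label for the whole block to keep the NOT-FOR-US lines greppable.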
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d2ebeb82 by Salvatore Bonaccorso at 2023-03-09T10:17:36+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1483,7 +1483,7 @@ CVE-2023-27478 (libmemcached-awesome is an open source C/C++ client library and NOTE: Introduced with: https://github.com/awesomized/libmemcached/commit/d7a0084bf99d618d1dc26a54fd413db7ae8b8e63 (1.1.0-beta1) NOTE: Fixed by: https://github.com/awesomized/libmemcached/commit/48dcc61a4919f6f3d5ee164630a843f2d8b8ade9 (1.1.4) CVE-2023-27477 (wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code ...) - TODO: check + NOT-FOR-US: wasmtime CVE-2023-27476 (OWSLib is a Python package for client programming with Open Geospatial ...) [experimental] - owslib 0.28.1-1~exp1 - owslib @@ -2494,7 +2494,7 @@ CVE-2023-27090 CVE-2023-27089 RESERVED CVE-2023-27088 (feiqu-opensource Background Vertical authorization vulnerability exist ...) - TODO: check + NOT-FOR-US: feiqu-opensource Background Vertical CVE-2023-27087 RESERVED CVE-2023-27086 @@ -2758,7 +2758,7 @@ CVE-2023-26958 CVE-2023-26957 RESERVED CVE-2023-26956 (onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vu ...) - TODO: check + NOT-FOR-US: onekeyadmin CVE-2023-26955 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) NOT-FOR-US: onekeyadmin CVE-2023-26954 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) 
@@ -2766,15 +2766,15 @@ CVE-2023-26954 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site CVE-2023-26953 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) NOT-FOR-US: onekeyadmin CVE-2023-26952 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) - TODO: check + NOT-FOR-US: onekeyadmin CVE-2023-26951 RESERVED CVE-2023-26950 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) - TODO: check + NOT-FOR-US: onekeyadmin CVE-2023-26949 (An arbitrary file upload vulnerability in the component /admin1/config ...) NOT-FOR-US: onekeyadmin CVE-2023-26948 (onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vu ...) - TODO: check + NOT-FOR-US: onekeyadmin CVE-2023-26947 RESERVED CVE-2023-26946 @@ -3843,7 +3843,7 @@ CVE-2023-26491 (RSSHub is an open source and extensible RSS feed generator. When CVE-2023-26490 (mailcow is a dockerized email package, with multiple containers linked ...) NOT-FOR-US: mailcow CVE-2023-26489 (wasmtime is a fast and secure runtime for WebAssembly. In affected ver ...) - TODO: check + NOT-FOR-US: wasmtime CVE-2023-26488 (OpenZeppelin Contracts is a library for secure smart contract developm ...) NOT-FOR-US: OpenZeppelin CVE-2023-26487 (Vega is a visualization grammar, a declarative format for creating, sa ...) @@ -8771,7 +8771,7 @@ CVE-2023-24784 CVE-2023-24783 RESERVED CVE-2023-24782 (Funadmin v3.2.0 was discovered to contain a SQL injection vulnerabilit ...) - TODO: check + NOT-FOR-US: Funadmin CVE-2023-24781 (Funadmin v3.2.0 was discovered to contain a SQL injection vulnerabilit ...) NOT-FOR-US: Funadmin CVE-2023-24780 (Funadmin v3.2.0 was discovered to contain a SQL injection vulnerabilit ...) 
@@ -8781,7 +8781,7 @@ CVE-2023-24779 CVE-2023-24778 RESERVED CVE-2023-24777 (Funadmin v3.2.0 was discovered to contain a SQL injection vulnerabilit ...) - TODO: check + NOT-FOR-US: Funadmin CVE-2023-24776 (Funadmin v3.2.0 was discovered to contain a remote code execution (RCE ...) NOT-FOR-US: Funadmin CVE-2023-24775 (Funadmin v3.2.0 was discovered to contain a SQL injection vulnerabilit ...) @@ -10234,7 +10234,7 @@ CVE-2023-24284 CVE-2023-24283 RESERVED CVE-2023-24282 (An arbitrary file upload vulnerability in Poly Trio 8800 7.2.2.1094 al ...) - TODO: check + NOT-FOR-US: Poly Trio 8800 CVE-2023-24281 RESERVED CVE-2023-24280 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d2ebeb826bbe84b865e402c53ce99fe2d2d28a43
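Review bot: the product field in the @@ -2494,7 +2494,7 @@ hunk, `+ NOT-FOR-US: feiqu-opensource Background Vertical`, has picked up words from the CVE description ("Background Vertical authorization vulnerability ...") rather than naming only the upstream project; `NOT-FOR-US: feiqu-opensource` would match the convention used by every other NFU line in this patch (wasmtime, onekeyadmin, Funadmin, Poly Trio 8800), which record just the project or product name.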
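Review bot: the @@ -1483,7 +1483,7 @@ hunk closes CVE-2023-27477 with `+ NOT-FOR-US: wasmtime`, and the @@ -3843,7 +3843,7 @@ hunk does the same for CVE-2023-26489; since NOT-FOR-US drops both from the TODO queue permanently, a quick check that no source package or embedded copy of wasmtime exists in the archive is worth recording before both are closed, and whatever the outcome the two entries should carry the same annotation, as they do here.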
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f0edc4ba by security tracker role at 2023-03-09T08:10:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,55 @@ +CVE-2023-27984 + RESERVED +CVE-2023-27983 + RESERVED +CVE-2023-27982 + RESERVED +CVE-2023-27981 + RESERVED +CVE-2023-27980 + RESERVED +CVE-2023-27979 + RESERVED +CVE-2023-27978 + RESERVED +CVE-2023-27977 + RESERVED +CVE-2023-27976 + RESERVED +CVE-2023-27975 + RESERVED +CVE-2023-27974 (** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill wh ...) + TODO: check +CVE-2023-27973 + RESERVED +CVE-2023-27972 + RESERVED +CVE-2023-27971 + RESERVED +CVE-2023-1284 + RESERVED +CVE-2023-1283 (Code Injection in GitHub repository builderio/qwik prior to 0.21.0. ...) + TODO: check +CVE-2023-1282 + RESERVED +CVE-2023-1281 + RESERVED +CVE-2023-1280 + RESERVED +CVE-2023-1279 + RESERVED +CVE-2023-1278 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-1277 (A vulnerability, which was classified as critical, was found in kylin- ...) + TODO: check +CVE-2018-25081 (** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill wi ...) + TODO: check +CVE-2017-20182 + RESERVED +CVE-2014-125093 + RESERVED +CVE-2013-10020 + RESERVED CVE-2023-27970 RESERVED CVE-2023-27969 
@@ -104,14 +156,14 @@ CVE-2023-1268 RESERVED CVE-2023-1267 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Ulkem Company PtteM Kart -CVE-2023-27986 [emacsclient-mail.desktop Emacs Lisp code injection] +CVE-2023-27986 (emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to E ...) - emacs (bug #1032538) [bullseye] - emacs (Vulnerable code not present, introduced in 28.1) [buster] - emacs (Vulnerable code not present, introduced in 28.1) NOTE: https://www.openwall.com/lists/oss-security/2023/03/08/2 NOTE: Introduced by: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=b1b05c828d67930bb3b897fe98e1992db42cf23c (emacs-28.0.90) NOTE: Fixed by: http://git.savannah.gnu.org/cgit/emacs.git/commit/?h=emacs-29&id=3c1693d08b0a71d40a77e7b40c0ebc42dca2d2cc -CVE-2023-27985 [emacsclient-mail.desktop shell command injection] +CVE-2023-27985 (emacsclient-mail.desktop in Emacs 28.1 through 28.2 is vulnerable to s ...) - emacs (bug #1032538) [bullseye] - emacs (Vulnerable code not present, introduced in 28.1) [buster] - emacs (Vulnerable code not present, introduced in 28.1) @@ -1408,8 +1460,8 @@ CVE-2023-27488 RESERVED CVE-2023-27487 RESERVED -CVE-2023-27486 - RESERVED +CVE-2023-27486 (xCAT is a toolkit for deployment and administration of computer cluste ...) + TODO: check CVE-2023-27485 (thmmniii/fbs-core is an open source feedback system for students. In v ...) NOT-FOR-US: thmmniii/fbs-core CVE-2023-27484 
@@ -1430,8 +1482,8 @@ CVE-2023-27478 (libmemcached-awesome is an open source C/C++ client library and [buster] - libmemcached (Vulnerable code introduced later) NOTE: Introduced with: https://github.com/awesomized/libmemcached/commit/d7a0084bf99d618d1dc26a54fd413db7ae8b8e63 (1.1.0-beta1) NOTE: Fixed by: https://github.com/awesomized/libmemcached/commit/48dcc61a4919f6f3d5ee164630a843f2d8b8ade9 (1.1.4) -CVE-2023-27477 - RESERVED +CVE-2023-27477 (wasmtime is a fast and secure runtime for WebAssembly. Wasmtime's code ...) + TODO: check CVE-2023-27476 (OWSLib is a Python package for client programming with Open Geospatial ...) [experimental] - owslib 0.28.1-1~exp1 - owslib @@ -2705,8 +2757,8 @@ CVE-2023-26958 RESERVED CVE-2023-26957 RESERVED -CVE-2023-26956 - RESERVED +CVE-2023-26956 (onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vu ...) + TODO: check CVE-2023-26955 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) NOT-FOR-US: onekeyadmin CVE-2023-26954 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) @@ -2721,8 +2773,8 @@ CVE-2023-26950 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site TODO: check CVE-2023-26949 (An arbitrary file upload vulnerability in the component /admin1/config ...) NOT-FOR-US: onekeyadmin -CVE-2023-26948 - RESERVED +CVE-2023-26948 (onekeyadmin v1.3.9 was discovered to contain an arbitrary file read vu ...) + TODO: check CVE-2023-26947 RESERVED CVE-2023-26946 @@ -3790,8 +3842,8 @@ CVE-2023-26491 (RSSHub is an open source and extensible
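Review bot: in the @@ -1,3 +1,55 @@ hunk, CVE-2023-27974 and CVE-2018-25081 are imported with near-identical descriptions (both "** DISPUTED ** Bitwarden through 2023.2.1 offers password auto-fill w..."), so they should be triaged together and cross-referenced in a NOTE line once one of them is checked; a 2018-year identifier describing a 2023 product version also deserves a second look before either TODO: check is resolved.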
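Review bot: the @@ -104,14 +156,14 @@ hunk replaces the hand-written summaries `[emacsclient-mail.desktop Emacs Lisp code injection]` and `[emacsclient-mail.desktop shell command injection]` with the truncated MITRE text ("... vulnerable to E ..." and "... vulnerable to s ..."), which is the expected effect of the automatic import but leaves the difference between the two CVEs visible only in a one-letter prefix; adding a NOTE line to each entry that names the vector (Lisp code injection versus shell command injection) would keep that distinction readable alongside the shared bug #1032538 and the oss-security link, without touching the bullseye/buster "Vulnerable code not present, introduced in 28.1" annotations, which agree with the Introduced-by NOTE (emacs-28.0.90 is a 28.1 pretest).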