[Git][security-tracker-team/security-tracker][master] dla: reference xapian-core work
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: c61590af by Sylvain Beucler at 2023-03-17T22:45:15+01:00 dla: reference xapian-core work - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -319,6 +319,11 @@ wordpress (guilhem) NOTE: 20230302: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/wordpress.html NOTE: 20230302: buster is 6 CVEs behind bullseye (Beuc/front-desk) -- +xapian-core (Olly Betts, maintainer) + NOTE: 20230317: Programming language: C/C++. + NOTE: 20230317: VCS: https://salsa.debian.org/olly/xapian-core + NOTE: 20230317: Olly is preparing an update fixing critical bug, referencing here for when we'll do the announcement. (Beuc) +-- xrdp (Dominik George) NOTE: 20221225: Programming language: C. NOTE: 20221225: VCS: https://salsa.debian.org/lts-team/packages/xrdp.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c61590af47553e3cb3598d1105211a09a3fe4493 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c61590af47553e3cb3598d1105211a09a3fe4493 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
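Review bot: the new xapian-core entry names a "critical bug" but records no CVE id or Debian bug number for it, so there is nothing in dla-needed.txt to cross-reference when the DLA is written; suggest adding a `NOTE:` with the bug number (or CVE once assigned) next to the 20230317 line, in the same form the neighbouring entries use.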
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2676{7,8,9}/liblouis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3507ae5f by Salvatore Bonaccorso at 2023-03-17T22:38:03+01:00 Add CVE-2023-2676{7,8,9}/liblouis - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -5140,11 +5140,22 @@ CVE-2023-26771 CVE-2023-26770 RESERVED CVE-2023-26769 (Buffer Overflow vulnerability found in Liblouis Lou_Trace v.3.24.0 all ...) - TODO: check + - liblouis + NOTE: https://github.com/liblouis/liblouis/pull/1300 + NOTE: https://github.com/liblouis/liblouis/commit/d45430431f8c75941f863328eb3f7fc09f902b2e (v3.25.0) + NOTE: https://github.com/liblouis/liblouis/commit/6f39e88745e8ec602ccc46042c305a6188f28b0a (v3.25.0) + NOTE: https://github.com/liblouis/liblouis/commit/9f6cec9b63c1d9396fcc32fed77267a2815b648f (v3.25.0) CVE-2023-26768 (Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remo ...) - TODO: check + - liblouis + NOTE: https://github.com/liblouis/liblouis/issues/1301 + NOTE: https://github.com/liblouis/liblouis/pull/1302 + NOTE: https://github.com/liblouis/liblouis/commit/565ac66ec0c187ffb442226487de3db376702958 (v3.25.0) + NOTE: https://github.com/liblouis/liblouis/commit/47822bb418fb77564c159469e3be79989b11aced (v3.25.0) CVE-2023-26767 (Buffer Overflow vulnerability found in Liblouis v.3.24.0 allows a remo ...) - TODO: check + - liblouis + NOTE: https://github.com/liblouis/liblouis/issues/1292 + NOTE: https://github.com/liblouis/liblouis/pull/1297 + NOTE: https://github.com/liblouis/liblouis/commit/f432de31058b5a94874d47405216d07910c18a9a (v3.25.0) CVE-2023-26766 RESERVED CVE-2023-26765 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3507ae5ffe58d1b3c0a47b727aa34181cc450854 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3507ae5ffe58d1b3c0a47b727aa34181cc450854 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
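Review bot: all three liblouis entries replace `TODO: check` with a bare `- liblouis` line plus upstream PR/commit NOTEs, but carry no Debian bug number and no fixed version, so the issues now show as open in unstable with no follow-up handle; suggest filing a bug against src:liblouis and recording it as `- liblouis (bug #NNNNNN)` (placeholder), and adding `[bullseye]`/`[buster]` annotations once the severity is triaged. The commit references helpfully note `(v3.25.0)` as the fixing upstream release; that is the version the fixed-version field should eventually point at.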
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4b04785e by Salvatore Bonaccorso at 2023-03-17T22:29:26+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -281,7 +281,7 @@ CVE-2023-1455 (A vulnerability classified as critical was found in SourceCodeste CVE-2023-1454 (A vulnerability classified as critical has been found in jeecg-boot 3. ...) TODO: check CVE-2023-1453 (A vulnerability was found in Watchdog Anti-Virus 1.4.214.0. It has bee ...) - TODO: check + NOT-FOR-US: Watchdog Anti-Virus CVE-2023-1452 (A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It ...) - gpac NOTE: https://github.com/gpac/gpac/issues/2386 
@@ -299,23 +299,23 @@ CVE-2023-1448 (A vulnerability, which was classified as problematic, was found i NOTE: https://github.com/gpac/gpac/issues/2388 NOTE: https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463 CVE-2023-1447 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: SourceCodester Medicine Tracker System CVE-2023-1446 (A vulnerability classified as problematic was found in Watchdog Anti-V ...) - TODO: check + NOT-FOR-US: Watchdog Anti-Virus CVE-2023-1445 (A vulnerability classified as problematic has been found in Filseclab ...) - TODO: check + NOT-FOR-US: Filseclab Twister Antivirus CVE-2023-1444 (A vulnerability was found in Filseclab Twister Antivirus 8. It has bee ...) - TODO: check + NOT-FOR-US: Filseclab Twister Antivirus CVE-2023-1443 (A vulnerability was found in Filseclab Twister Antivirus 8. It has bee ...) - TODO: check + NOT-FOR-US: Filseclab Twister Antivirus CVE-2023-1442 (A vulnerability was found in Meizhou Qingyunke QYKCMS 4.3.0. It has be ...) - TODO: check + NOT-FOR-US: Meizhou Qingyunke QYKCMS CVE-2023-1441 (A vulnerability has been found in SourceCodester Automatic Question Pa ...) - TODO: check + NOT-FOR-US: SourceCodester Automatic Question Paper Generator System CVE-2023-1440 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Automatic Question Paper Generator System CVE-2023-1439 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Medicine Tracker System CVE-2023-1438 RESERVED CVE-2023-1437 
@@ -327,15 +327,15 @@ CVE-2023-1435 CVE-2023-1434 RESERVED CVE-2023-1433 (A vulnerability was found in SourceCodester Gadget Works Online Orderi ...) - TODO: check + NOT-FOR-US: SourceCodester Gadget Works Online Ordering System CVE-2023-1432 (A vulnerability was found in SourceCodester Online Food Ordering Syste ...) - TODO: check + NOT-FOR-US: SourceCodester Online Food Ordering System CVE-2023-1431 (The WP Simple Shopping Cart plugin for WordPress is vulnerable to Sens ...) NOT-FOR-US: WP Simple Shopping Cart plugin for WordPress CVE-2023-1430 RESERVED CVE-2023-1429 (Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pi ...) - TODO: check + NOT-FOR-US: pimcore CVE-2023-1428 RESERVED CVE-2023-1427 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b04785e518bed3edac211c4f167cdf658dd6895 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4b04785e518bed3edac211c4f167cdf658dd6895 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process three gpac issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca6655c3 by Salvatore Bonaccorso at 2023-03-17T22:28:22+01:00 Process three gpac issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -283,15 +283,21 @@ CVE-2023-1454 (A vulnerability classified as critical has been found in jeecg-bo CVE-2023-1453 (A vulnerability was found in Watchdog Anti-Virus 1.4.214.0. It has bee ...) TODO: check CVE-2023-1452 (A vulnerability was found in GPAC 2.3-DEV-rev35-gbbca86917-master. It ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2386 + NOTE: https://github.com/gpac/gpac/commit/a5efec8187de02d1f0a412140b0bf030a6747d3f CVE-2023-1451 (A vulnerability was found in MP4v2 2.1.2. It has been classified as pr ...) TODO: check CVE-2023-1450 (A vulnerability was found in MP4v2 2.1.2 and classified as problematic ...) TODO: check CVE-2023-1449 (A vulnerability has been found in GPAC 2.3-DEV-rev35-gbbca86917-master ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2387 + NOTE: https://github.com/gpac/gpac/commit/8ebbfd61c73d61a2913721a492e5a81fb8d9f9a9 CVE-2023-1448 (A vulnerability, which was classified as problematic, was found in GPA ...) - TODO: check + - gpac + NOTE: https://github.com/gpac/gpac/issues/2388 + NOTE: https://github.com/gpac/gpac/commit/8db20cb634a546c536c31caac94e1f74b778b463 CVE-2023-1447 (A vulnerability, which was classified as problematic, has been found i ...) TODO: check CVE-2023-1446 (A vulnerability classified as problematic was found in Watchdog Anti-V ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca6655c395b0d9bc11f398d9dbe0f1acf71069ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca6655c395b0d9bc11f398d9dbe0f1acf71069ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
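Review bot: the three gpac entries get upstream issue and commit NOTEs but, unlike the liblouis entries in the sibling commit, no indication of which upstream release contains each fix and no Debian bug number; suggest appending the fixing release to each commit NOTE and a `(bug #NNNNNN)` (placeholder) reference on the `- gpac` lines so the open state in unstable is tracked.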
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-1463/teampass
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e7317a5 by Salvatore Bonaccorso at 2023-03-17T22:27:09+01:00 Add CVE-2023-1463/teampass - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -261,7 +261,7 @@ CVE-2023-1465 CVE-2023-1464 (A vulnerability, which was classified as critical, was found in Source ...) NOT-FOR-US: SourceCodester Medicine Tracker System CVE-2023-1463 (Improper Authorization in GitHub repository nilsteampassnet/teampass p ...) - TODO: check + - teampass (bug #730180) CVE-2023-1462 RESERVED CVE-2023-1461 (A vulnerability was found in SourceCodester Canteen Management System ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e7317a594e2f21d8cecac92d3761711f0ec8db3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0e7317a594e2f21d8cecac92d3761711f0ec8db3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
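Review bot: `- teampass (bug #730180)` gives a bug number but no fixed version; if #730180 is the ITP/RFP bug for a package that is not in the archive, the entry should use the tracker's `<itp>` marker form (`- teampass <itp> (bug #730180)`) so the issue is not counted as an open vulnerability in unstable, and if it is a bug against an archived package the entry should say which version fixes it.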
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 13b173f9 by Salvatore Bonaccorso at 2023-03-17T21:56:22+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -237,9 +237,9 @@ CVE-2023-1477 CVE-2023-1476 RESERVED CVE-2023-1475 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Canteen Management System CVE-2023-1474 (A vulnerability classified as critical was found in SourceCodester Aut ...) - TODO: check + NOT-FOR-US: SourceCodester Automatic Question Paper Generator System CVE-2023-1473 RESERVED CVE-2023-1472 (The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnera ...) 
@@ -251,25 +251,25 @@ CVE-2023-1470 (The eCommerce Product Catalog plugin for WordPress is vulnerable CVE-2023-1469 (The WP Express Checkout plugin for WordPress is vulnerable to Stored C ...) NOT-FOR-US: WP Express Checkout plugin for WordPress CVE-2023-1468 (A vulnerability classified as critical was found in SourceCodester Stu ...) - TODO: check + NOT-FOR-US: SourceCodester Student Study Center Desk Management System CVE-2023-1467 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Student Study Center Desk Management System CVE-2023-1466 (A vulnerability was found in SourceCodester Student Study Center Desk ...) - TODO: check + NOT-FOR-US: SourceCodester Student Study Center Desk Management System CVE-2023-1465 RESERVED CVE-2023-1464 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Medicine Tracker System CVE-2023-1463 (Improper Authorization in GitHub repository nilsteampassnet/teampass p ...) TODO: check CVE-2023-1462 RESERVED CVE-2023-1461 (A vulnerability was found in SourceCodester Canteen Management System ...) - TODO: check + NOT-FOR-US: SourceCodester Canteen Management System CVE-2023-1460 (A vulnerability was found in SourceCodester Online Pizza Ordering Syst ...) - TODO: check + NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-1459 (A vulnerability was found in SourceCodester Canteen Management System ...) - TODO: check + NOT-FOR-US: SourceCodester Canteen Management System CVE-2023-1458 RESERVED CVE-2023-1457 
@@ -277,7 +277,7 @@ CVE-2023-1457 CVE-2023-1456 RESERVED CVE-2023-1455 (A vulnerability classified as critical was found in SourceCodester Onl ...) - TODO: check + NOT-FOR-US: SourceCodester Online Pizza Ordering System CVE-2023-1454 (A vulnerability classified as critical has been found in jeecg-boot 3. ...) TODO: check CVE-2023-1453 (A vulnerability was found in Watchdog Anti-Virus 1.4.214.0. It has bee ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13b173f9eb1ecb56ea356f231fdc601db589a0ec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13b173f9eb1ecb56ea356f231fdc601db589a0ec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-28531/openssh
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a2c64254 by Salvatore Bonaccorso at 2023-03-17T21:43:37+01:00 Add CVE-2023-28531/openssh - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -143,7 +143,9 @@ CVE-2023-28533 CVE-2023-28532 RESERVED CVE-2023-28531 (ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without ...) - TODO: check + - openssh + [bullseye] - openssh (Vulnerable code introduced later; per-hop desination constraints support added in OpenSSH 8.9) + [buster] - openssh (Vulnerable code introduced later; per-hop desination constraints support added in OpenSSH 8.9) CVE-2023-28530 RESERVED CVE-2023-28529 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2c6425490871be313f9c0348226c96e2bc00726 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2c6425490871be313f9c0348226c96e2bc00726 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
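Review bot: both the `[bullseye]` and `[buster]` annotations misspell "destination" as "desination" ("per-hop desination constraints support added in OpenSSH 8.9"); since these strings are shown on the public tracker pages, fix the spelling in both lines. The `- openssh` line also records no fixed version and the entry has no `NOTE:` pointing at the upstream fix, so adding the upstream reference next to the annotations would make the "vulnerable code introduced in 8.9" reasoning verifiable.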
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 412b6cf6 by Salvatore Bonaccorso at 2023-03-17T21:24:43+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -241,13 +241,13 @@ CVE-2023-1474 (A vulnerability classified as critical was found in SourceCodeste CVE-2023-1473 RESERVED CVE-2023-1472 (The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnera ...) - TODO: check + NOT-FOR-US: RapidLoad Power-Up for Autoptimize plugin for WordPress CVE-2023-1471 (The WP Popup Banners plugin for WordPress is vulnerable to SQL Injecti ...) - TODO: check + NOT-FOR-US: WP Popup Banners plugin for WordPress CVE-2023-1470 (The eCommerce Product Catalog plugin for WordPress is vulnerable to St ...) - TODO: check + NOT-FOR-US: eCommerce Product Catalog plugin for WordPress CVE-2023-1469 (The WP Express Checkout plugin for WordPress is vulnerable to Stored C ...) - TODO: check + NOT-FOR-US: WP Express Checkout plugin for WordPress CVE-2023-1468 (A vulnerability classified as critical was found in SourceCodester Stu ...) TODO: check CVE-2023-1467 (A vulnerability classified as critical has been found in SourceCodeste ...) @@ -323,7 +323,7 @@ CVE-2023-1433 (A vulnerability was found in SourceCodester Gadget Works Online O CVE-2023-1432 (A vulnerability was found in SourceCodester Online Food Ordering Syste ...) TODO: check CVE-2023-1431 (The WP Simple Shopping Cart plugin for WordPress is vulnerable to Sens ...) - TODO: check + NOT-FOR-US: WP Simple Shopping Cart plugin for WordPress CVE-2023-1430 RESERVED CVE-2023-1429 (Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pi ...) @@ -2282,7 +2282,7 @@ CVE-2023-27877 CVE-2023-27876 RESERVED CVE-2023-27875 (IBM Aspera Faspex 5.0.4 could allow an authenticated user to change ot ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-27874 RESERVED CVE-2023-27873 
@@ -3184,7 +3184,7 @@ CVE-2023-1174 CVE-2023-1173 REJECTED CVE-2023-1172 (The Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scr ...) - TODO: check + NOT-FOR-US: Bookly plugin for WordPress CVE-2023-1171 RESERVED CVE-2023-1170 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) @@ -165795,7 +165795,7 @@ CVE-2021-21550 (Dell EMC PowerScale OneFS 8.1.0-9.1.0 contain an improper neutra CVE-2021-21549 (Dell EMC XtremIO Versions prior to 6.3.3-8, contain a Cross-Site Reque ...) NOT-FOR-US: EMC CVE-2021-21548 (Dell EMC Unisphere for PowerMax versions before 9.1.0.27, Dell EMC Uni ...) - TODO: check + NOT-FOR-US: EMC CVE-2021-21547 (Dell EMC Unity, UnityVSA, and Unity XT versions prior to 5.0.7.0.5.008 ...) NOT-FOR-US: EMC CVE-2021-21546 (Dell EMC NetWorker versions 18.x,19.x prior to 19.3.0.4 and 19.4.0.0 c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/412b6cf608dc8fa9c9b03448513187e1ba6fca01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/412b6cf608dc8fa9c9b03448513187e1ba6fca01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c1bb365 by security tracker role at 2023-03-17T20:10:27+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,341 @@ +CVE-2023-28603 + RESERVED +CVE-2023-28602 + RESERVED +CVE-2023-28601 + RESERVED +CVE-2023-28600 + RESERVED +CVE-2023-28599 + RESERVED +CVE-2023-28598 + RESERVED +CVE-2023-28597 + RESERVED +CVE-2023-28596 + RESERVED +CVE-2023-28595 + RESERVED +CVE-2023-28594 + RESERVED +CVE-2023-28593 + RESERVED +CVE-2023-28592 + RESERVED +CVE-2023-28591 + RESERVED +CVE-2023-28590 + RESERVED +CVE-2023-28589 + RESERVED +CVE-2023-28588 + RESERVED +CVE-2023-28587 + RESERVED +CVE-2023-28586 + RESERVED +CVE-2023-28585 + RESERVED +CVE-2023-28584 + RESERVED +CVE-2023-28583 + RESERVED +CVE-2023-28582 + RESERVED +CVE-2023-28581 + RESERVED +CVE-2023-28580 + RESERVED +CVE-2023-28579 + RESERVED +CVE-2023-28578 + RESERVED +CVE-2023-28577 + RESERVED +CVE-2023-28576 + RESERVED +CVE-2023-28575 + RESERVED +CVE-2023-28574 + RESERVED +CVE-2023-28573 + RESERVED +CVE-2023-28572 + RESERVED +CVE-2023-28571 + RESERVED +CVE-2023-28570 + RESERVED +CVE-2023-28569 + RESERVED +CVE-2023-28568 + RESERVED +CVE-2023-28567 + RESERVED +CVE-2023-28566 + RESERVED +CVE-2023-28565 + RESERVED +CVE-2023-28564 + RESERVED +CVE-2023-28563 + RESERVED +CVE-2023-28562 + RESERVED +CVE-2023-28561 + RESERVED +CVE-2023-28560 + RESERVED +CVE-2023-28559 + RESERVED +CVE-2023-28558 + RESERVED +CVE-2023-28557 + RESERVED +CVE-2023-28556 + RESERVED +CVE-2023-28555 + RESERVED +CVE-2023-28554 + RESERVED +CVE-2023-28553 + RESERVED +CVE-2023-28552 + RESERVED +CVE-2023-28551 + RESERVED +CVE-2023-28550 + RESERVED +CVE-2023-28549 + RESERVED +CVE-2023-28548 + RESERVED +CVE-2023-28547 + RESERVED +CVE-2023-28546 + RESERVED +CVE-2023-28545 + RESERVED +CVE-2023-28544 + RESERVED +CVE-2023-28543 + RESERVED +CVE-2023-28542 + RESERVED +CVE-2023-28541 + RESERVED +CVE-2023-28540 + RESERVED +CVE-2023-28539 + RESERVED +CVE-2023-28538 + RESERVED +CVE-2023-28537 + RESERVED +CVE-2023-28536 + RESERVED +CVE-2023-28535 + RESERVED +CVE-2023-28534 + RESERVED +CVE-2023-28533 + RESERVED +CVE-2023-28532 + RESERVED +CVE-2023-28531 (ssh-add in OpenSSH 
before 9.3 adds smartcard keys to ssh-agent without ...) + TODO: check +CVE-2023-28530 + RESERVED +CVE-2023-28529 + RESERVED +CVE-2023-28528 + RESERVED +CVE-2023-28527 + RESERVED +CVE-2023-28526 + RESERVED +CVE-2023-28525 + RESERVED +CVE-2023-28524 + RESERVED +CVE-2023-28523 + RESERVED +CVE-2023-28522 + RESERVED +CVE-2023-28521 + RESERVED +CVE-2023-28520 + RESERVED +CVE-2023-28519 + RESERVED +CVE-2023-28518 + RESERVED +CVE-2023-28517 + RESERVED +CVE-2023-28516 + RESERVED +CVE-2023-28515 + RESERVED +CVE-2023-28514 + RESERVED +CVE-2023-28513 + RESERVED +CVE-2023-28512 + RESERVED +CVE-2023-28511 + RESERVED +CVE-2023-28510 + RESERVED +CVE-2023-28509 + RESERVED +CVE-2023-28508 + RESERVED +CVE-2023-28507 + RESERVED +CVE-2023-28506 + RESERVED +CVE-2023-28505 + RESERVED +CVE-2023-28504 + RESERVED +CVE-2023-28503 + RESERVED +CVE-2023-28502 + RESERVED +CVE-2023-28501 + RESERVED +CVE-2023-28500 + RESERVED +CVE-2023-28499 + RESERVED +CVE-2023-28498 + RESERVED +CVE-2023-28497 + RESERVED +CVE-2023-28496 + RESERVED +CVE-2023-28495 + RESERVED +CVE-2023-28494 + RESERVED +CVE-2023-28493 + RESERVED +CVE-2023-28492 + RESERVED +CVE-2023-28491 + RESERVED +CVE-2023-28490 + RESERVED +CVE-2023-28489 + RESERVED +CVE-2023-1478 + RESERVED +CVE-2023-1477 + RESERVED +CVE-2023-1476 + RESERVED +CVE-2023-1475 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2023-1474 (A vulnerability classified as critical was found in SourceCodester Aut ...) + TODO: check +CVE-2023-1473 + RESERVED +CVE-2023-1472 (The RapidLoad Power-Up for Autoptimize plugin for WordPress is vulnera ...) + TODO: check +CVE-2023-1471 (The WP Popup Banners plugin for WordPress is vulnerable to SQL Injecti ...) + TODO: check +CVE-2023-1470 (The eCommerce Product Catalog plugin for WordPress is vulnerable to St ...) + TODO: check +CVE-2023-1469 (The WP Express Checkout plugin for WordPress is vulnerable to
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for sox regression update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7dd92d31 by Salvatore Bonaccorso at 2023-03-17T20:19:59+01:00 Reserve DSA number for sox regression update - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,5 @@ +[17 Mar 2023] DSA-5356-2 sox - regression update + [bullseye] - sox 14.4.2+git20190427-2+deb11u2 [17 Mar 2023] DSA-5375-1 thunderbird - security update {CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 CVE-2023-28176} [bullseye] - thunderbird 1:102.9.0-1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd92d317571be562c161076c1ecafb961fa29db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7dd92d317571be562c161076c1ecafb961fa29db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track proposed update for intel-microcode via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7502612c by Salvatore Bonaccorso at 2023-03-17T20:15:43+01:00 Track proposed update for intel-microcode via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -148,3 +148,13 @@ CVE-2021-33587 [bullseye] - node-css-what 4.0.0-3+deb11u1 CVE-2023-28154 [bullseye] - node-webpack 4.43.0-6+deb11u1 +CVE-2022-21216 + [bullseye] - intel-microcode 3.20230214.1~deb11u1 +CVE-2022-21233 + [bullseye] - intel-microcode 3.20230214.1~deb11u1 +CVE-2022-33196 + [bullseye] - intel-microcode 3.20230214.1~deb11u1 +CVE-2022-33972 + [bullseye] - intel-microcode 3.20230214.1~deb11u1 +CVE-2022-38090 + [bullseye] - intel-microcode 3.20230214.1~deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7502612c3bccfadbc3492dfb041e77b3456c7267 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7502612c3bccfadbc3492dfb041e77b3456c7267 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Document progress on intel-microcode.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 95dfae46 by Tobias Frost at 2023-03-17T20:09:33+01:00 Document progress on intel-microcode. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -106,6 +106,7 @@ intel-microcode (tobi) NOTE: 20230219: VCS: https://salsa.debian.org/lts-team/packages/intel-microcode.git NOTE: 20230310: will first fix unstable and stable, then proceed with LTS and ELTS, using the same new upstream version. (tobi) NOTE: 20230312: uploaded to DELAYED/5 for unstable. + NOTE: 20230317: now in unstable. prepared SPU for bullseye (#1033079), prepared update for buster, stretch and jessie, available in LTS repo. (tobi) -- libmicrohttpd (Thorsten Alteholz) NOTE: 20230313: Programming language: C. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95dfae46bbda569342608fa92f99849b43ad602a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95dfae46bbda569342608fa92f99849b43ad602a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: aba57269 by Moritz Muehlenhoff at 2023-03-17T19:48:43+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -86,7 +86,7 @@ CVE-2023-1423 CVE-2023-1422 RESERVED CVE-2023-1421 (A reflected cross-site scripting vulnerability in the OAuth flow compl ...) - TODO: check + - mattermost-server (bug #823556) CVE-2019-25135 RESERVED CVE-2019-25134 @@ -450,9 +450,9 @@ CVE-2023-28339 (OpenDoas through 6.8.2, when TIOCSTI is available, allows privil NOTE: posted to kernel-hardening list, and can be mitigated with Linux 6.2, see option NOTE: CONFIG_LEGACY_TIOCSTI. CVE-2023-28338 (Any request send to a Netgear Nighthawk Wifi6 Router (RAX30)'s web ser ...) - TODO: check + NOT-FOR-US: Netgear CVE-2023-28337 (When uploading a firmware image to a Netgear Nighthawk Wifi6 Router (R ...) - TODO: check + NOT-FOR-US: Netgear CVE-2023-28336 RESERVED CVE-2023-28335 @@ -517,7 +517,7 @@ CVE-2023-1390 [buster] - linux 4.19.171-1 NOTE: https://git.kernel.org/linus/b77413446408fdd256599daf00d5be72b5f3e7c6 (5.11-rc4) CVE-2023-1389 (TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 2023 ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2023-1388 RESERVED CVE-2023-1387 
@@ -1263,15 +1263,15 @@ CVE-2023-28100 [bullseye] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp CVE-2023-28099 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-28098 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-28097 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-28096 (OpenSIPS, a Session Initiation Protocol (SIP) server implementation, h ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-28095 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-28094 RESERVED CVE-2023-28093 @@ -2745,17 +2745,17 @@ CVE-2014-125092 (A vulnerability was found in MaxButtons Plugin up to 1.26.0 and CVE-2006-10001 (A vulnerability, which was classified as problematic, was found in Sub ...) NOT-FOR-US: WordPress plugin CVE-2023-27601 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-27600 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-27599 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-27598 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-27597 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-27596 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) - TODO: check + NOT-FOR-US: OpenSIPS CVE-2023-27595 RESERVED CVE-2023-27594 
@@ -2767,7 +2767,7 @@ CVE-2023-27592 CVE-2023-27591 RESERVED CVE-2023-27590 (Rizin is a UNIX-like reverse engineering framework and command-line to ...) - TODO: check + NOT-FOR-US: Rizin CVE-2023-27589 (Minio is a Multi-Cloud Object Storage framework. Starting with RELEASE ...) TODO: check CVE-2023-27588 (Hasura is an open-source product that provides users GraphQL or REST A ...) @@ -4167,7 +4167,7 @@ CVE-2023-27086 CVE-2023-27085 RESERVED CVE-2023-27084 (Permissions vulnerability found in isoftforce Dreamer CMS v.4.0.1 allo ...) - TODO: check + NOT-FOR-US: Dreamer CMS CVE-2023-27083 RESERVED CVE-2023-27082 @@ -4433,7 +4433,7 @@ CVE-2023-26953 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site CVE-2023-26952 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) NOT-FOR-US: onekeyadmin CVE-2023-26951 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) - TODO: check + NOT-FOR-US: onekeyadmin CVE-2023-26950 (onekeyadmin v1.3.9 was discovered to contain a stored cross-site scrip ...) NOT-FOR-US: onekeyadmin CVE-2023-26949 (An arbitrary file upload vulnerability in the component /admin1/config ...) @@ -4511,7 +4511,7 @@ CVE-2023-26914 CVE-2023-26913 RESERVED CVE-2023-26912 (Cross site scripting (XSS) vulnerability in
[Git][security-tracker-team/security-tracker][master] Add tracking bug for now explicitly on CVE-2023-24808
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 661acf7e by Salvatore Bonaccorso at 2023-03-17T17:57:41+01:00 Add tracking bug for now explicitly on CVE-2023-24808 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10379,7 +10379,8 @@ CVE-2023-24809 (NetHack is a single player dungeon exploration game. Starting wi NOTE: https://github.com/NetHack/NetHack/security/advisories/GHSA-2cqv-5w4v-mgch NOTE: https://nethack.org/security/CVE-2023-24809.html CVE-2023-24808 (PDFio is a C library for reading and writing PDF files. In versions pr ...) - TODO: check, might affect src:ippsample + - ippsample (bug #1033104) + TODO: check, might affect src:ippsample, will be determined via query to maintainers in #1033104 CVE-2023-24807 (Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the ...) - node-undici 5.19.1+dfsg1+~cs20.10.9.5-1 (bug #1031418) NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/661acf7e6c1eb821b029d80dd0dbf2ddad15bc24
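Review bot: the new `- ippsample (bug #1033104)` line and the retained TODO say two different things: the package line asserts ippsample is affected and unfixed, while the TODO says that is still to be determined via #1033104. If the intent is to track the open question rather than claim affectedness, `- ippsample <undetermined> (bug #1033104)` expresses that state directly; either way the TODO should be dropped once the maintainers answer, and a NOTE with the PDFio advisory or fixing commit would help whoever resolves it.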
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-2810{0,1}/flatpak as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ee53265 by Salvatore Bonaccorso at 2023-03-17T17:55:28+01:00 Mark CVE-2023-2810{0,1}/flatpak as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1255,10 +1255,12 @@ CVE-2023-28102 CVE-2023-28101 RESERVED - flatpak 1.14.4-1 (bug #1033098) + [bullseye] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 CVE-2023-28100 RESERVED - flatpak 1.14.4-1 (bug #1033099) + [bullseye] - flatpak (Minor issue) NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp CVE-2023-28099 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee5326563a26e9e66fd1e70255b0d663dcb49ee
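Review bot: the two `[bullseye] - flatpak (Minor issue)` lines are consistent with each other, but there is no bookworm handling: bookworm is in freeze, so 1.14.4-1 in unstable does not migrate on its own and the tracker will keep showing bookworm as affected until the package migrates (which may need an unblock) or a `[bookworm]` annotation is added. The advisory links are the only references; a one-line NOTE on why the issues are minor for bullseye would let a later reader understand the no-dsa decision without re-reading both GHSAs.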
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 69103dca by Moritz Muehlenhoff at 2023-03-17T15:37:04+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7119,7 +7119,7 @@ CVE-2023-0868 (Reflected cross-site scripting in graph results in multiple versi CVE-2023-0867 (Multiple stored and reflected cross-site scripting vulnerabilities in ...) NOT-FOR-US: OpenNMS CVE-2023-0866 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/7d3c5792-d20b-4cb6-9c6d-bb14f3430d7f @@ -7542,19 +7542,19 @@ CVE-2023-0821 (HashiCorp Nomad and Nomad Enterprise 1.2.15 up to 1.3.8, and 1.4. CVE-2023-0820 RESERVED CVE-2023-0819 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to v2. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/35793610-dccc-46c8-9f55-6a24c621e4ef NOTE: https://github.com/gpac/gpac/commit/d067ab3ccdeaa340e8c045a0fd5bcfc22b809e8f CVE-2023-0818 (Off-by-one Error in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/038e7472-f3e9-46c2-9aea-d6dafb62a18a NOTE: https://github.com/gpac/gpac/commit/377ab25f3e502db2934a9cf4b54739e1c89a02ff CVE-2023-0817 (Buffer Over-read in GitHub repository gpac/gpac prior to v2.3.0-DEV. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Vulnerable code not present) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/cb730bc5-d79c-4de6-9e57-10e8c3ce2cf3 
@@ -8112,7 +8112,7 @@ CVE-2023-25642 CVE-2023-0771 (SQL Injection in GitHub repository ampache/ampache prior to 5.5.7,deve ...) - ampache CVE-2023-0770 (Stack-based Buffer Overflow in GitHub repository gpac/gpac prior to 2. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/e0fdeee5-7909-446e-9bd0-db80fd80e8dd @@ -8203,7 +8203,7 @@ CVE-2023-0762 CVE-2023-0761 RESERVED CVE-2023-0760 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to V2. ...) - - gpac + - gpac (bug #1033116) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/d06223df-a473-4c82-96d0-23726b844b21 @@ -13327,7 +13327,7 @@ CVE-2023-0360 (The Location Weather WordPress plugin before 1.3.4 does not valid CVE-2023-0359 RESERVED CVE-2023-0358 (Use After Free in GitHub repository gpac/gpac prior to 2.3.0-DEV. ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/93e128ed-253f-4c42-81ff-fbac7fd8f355 NOTE: https://github.com/gpac/gpac/commit/9971fb125cf91cefd081a080c417b90bbe4a467b @@ -15086,15 +15086,15 @@ CVE-2023-23147 CVE-2023-23146 RESERVED CVE-2023-23145 (GPAC version 2.2-rev0-gab012bbfb-master was discovered to contain a me ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4ade98128cbc41d5115b97a41ca2e59529c8dd5f CVE-2023-23144 (Integer overflow vulnerability in function Q_DecCoordOnUnitSphere file ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/3a2458a49b3e6399709d456d7b35e7a6f50cfb86 CVE-2023-23143 (Buffer overflow vulnerability in function avc_parse_slice in file medi ...) - - gpac + - gpac (bug #1033116) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/af6a5e7a96ee01a139cce6c9e4edfc069aad17a6 CVE-2023-23142 
@@ -17521,7 +17521,7 @@ CVE-2020-36638 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chr CVE-2020-36637 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de ...) NOT-FOR-US: Chris92de AdminServ CVE-2018-25060 (A vulnerability was found in Macaron csrf and classified as problemati ...) - - golang-github-go-macaron-csrf + - golang-github-go-macaron-csrf (bug #1033115) [bullseye] - golang-github-go-macaron-csrf (Minor issue) [buster] - golang-github-go-macaron-csrf (Limited support, minor issue, follow bullseye DSAs/point-releases) NOTE:
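Review bot: CVE-2023-0358 and CVE-2023-23143/23144/23145 get the shared bug #1033116 but, unlike the other gpac entries in this batch, have no `[bullseye]` line, so they stay listed as open in bullseye with no no-dsa decision recorded; if they are also minor, add `[bullseye] - gpac (Minor issue)` (or `(Vulnerable code not present)` as done for CVE-2023-0817) so the bullseye status is explicit. The golang-github-go-macaron-csrf hunk is cut off after `NOTE:` in this mail, so its reference line cannot be checked here.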
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4595f08a by Moritz Muehlenhoff at 2023-03-17T15:09:07+01:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -17590,22 +17590,30 @@ CVE-2023-22488 (Flarum is a forum software for building communities. Using the n CVE-2023-22487 (Flarum is a forum software for building communities. Using the mention ...) NOT-FOR-US: Flarum CVE-2023-22486 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p NOTE: https://github.com/github/cmark-gfm/commit/ece074cc3378f7a8dec0395f00123e9fa6981f7b (0.29.0.gfm.7) - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22485 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22484 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) - - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22483 (cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and renderin ...) 
- - cmark-gfm + - cmark-gfm (bug #1033110) + - python-cmarkgfm (bug #1033111) + - r-cran-commonmark (bug #1033112) + - ruby-commonmarker (bug #1033113) NOTE: https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c - TODO: check other codebase, python-cmarkgfm, ruby-commonmarker and r-cran-commonmark CVE-2023-22482 (Argo CD is a declarative, GitOps continuous delivery tool for Kubernet ...) NOT-FOR-US: Argo CD CVE-2023-22481 (FreshRSS is a self-hosted RSS feed aggregator. When using the greader ...) @@ -208078,7 +208086,7 @@ CVE-2020-16156 (CPAN 2.28 allows Signature Verification Bypass. ...) NOTE: https://github.com/andk/cpanpm/commit/7d4d5e32bcd9b75f7bf70a395938a48ca4a06d25 (2.33-TRIAL) NOTE: https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603 (2.33-TRIAL) CVE-2020-16155 (The CPAN::Checksums package 2.12 for Perl does not uniquely define sig ...) - - libcpan-checksums-perl + - libcpan-checksums-perl (bug #1033109) [bookworm] - libcpan-checksums-perl (Minor issue) [bullseye] - libcpan-checksums-perl (Minor issue) [buster] - libcpan-checksums-perl (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4595f08a6df8c918b41b3f829d65f8cd4606f0c6
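Review bot: CVE-2023-22483, CVE-2023-22484 and CVE-2023-22485 now list four source packages each but still carry only the advisory URL, whereas CVE-2023-22486 also records the fixing commit and the gfm release that contains it; the maintainers of the three embedded copies (python-cmarkgfm, r-cran-commonmark, ruby-commonmarker) will need the fix reference for each CVE to determine which bundled cmark-gfm version they ship, so adding the upstream commit NOTEs as on 22486 would save each of the four bugs a round-trip. The libcpan-checksums-perl hunk only adds the bug number to an otherwise unchanged Minor-issue entry and is fine.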
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 73660236 by Moritz Muehlenhoff at 2023-03-17T14:47:56+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -107719,7 +107719,7 @@ CVE-2021-43519 (Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5 NOTE: http://lua-users.org/lists/lua-l/2021-11/msg00015.html NOTE: Fixed by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868 CVE-2021-43518 (Teeworlds up to and including 0.7.5 is vulnerable to Buffer Overflow. ...) - - teeworlds (bug #1009070) + - teeworlds 0.7.5-2 (bug #1009070) [bullseye] - teeworlds (Minor issue) [buster] - teeworlds (Minor issue) NOTE: https://github.com/teeworlds/teeworlds/issues/2981 @@ -130466,6 +130466,7 @@ CVE-2021-3618 (ALPACA is an application layer protocol content confusion attack, [bullseye] - nginx 1.18.0-6.1+deb11u2 [stretch] - nginx (Minor issue) - vsftpd (bug #991329) + [bookworm] - vsftpd (Minor issue) [bullseye] - vsftpd (Minor issue) [buster] - vsftpd (Minor issue) [stretch] - vsftpd (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73660236b6341532d5411e2a26de9285f457e9cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73660236b6341532d5411e2a26de9285f457e9cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
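Review bot: the teeworlds line changes from unfixed to fixed in 0.7.5-2 without a NOTE pointing at the patch that 0.7.5-2 carries, so the only reference on the entry remains the upstream issue; recording the Debian changelog entry or the applied upstream commit makes the fixed-version claim checkable. The `[bookworm] - vsftpd (Minor issue)` line matches the existing bullseye, buster and stretch lines for CVE-2021-3618.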
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3364-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f148c358 by Emilio Pozuelo Monfort at 2023-03-17T14:23:31+01:00 Reserve DLA-3364-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Mar 2023] DLA-3364-1 firefox-esr - security update + {CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 CVE-2023-28176} + [buster] - firefox-esr 102.9.0esr-1~deb10u1 [16 Mar 2023] DLA-3363-1 pcre2 - security update {CVE-2019-20454 CVE-2022-1586 CVE-2022-1587} [buster] - pcre2 10.32-5+deb10u1 = data/dla-needed.txt = @@ -58,8 +58,6 @@ erlang NOTE: 20230111: VCS: https://salsa.debian.org/erlang-team/packages/erlang NOTE: 20230111: Maintainer notes: Coordinate with maintainer, whether their VCS can be used. -- -firefox-esr (Emilio) --- firmware-nonfree (tobi) NOTE: 20220906: Consider to check the severity of the issues again and judge whether a correction is worth it. NOTE: 20221204: Coming soon in the first week of December. (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f148c35823e8200527e0bf70c141b83af1703d11
[Git][security-tracker-team/security-tracker][master] remove duplicated entry
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: aea14a3c by Moritz Muehlenhoff at 2023-03-17T12:46:40+01:00 remove duplicated entry - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -148,5 +148,3 @@ CVE-2021-33587 [bullseye] - node-css-what 4.0.0-3+deb11u1 CVE-2023-28154 [bullseye] - node-webpack 4.43.0-6+deb11u1 -CVE-2022-3650 - [bullseye] - ceph 14.2.21-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aea14a3c7fd4507c932b8dabc69eadeb62f6bd13
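Review bot: the removed CVE-2022-3650 / ceph 14.2.21-1+deb11u1 pair is the one appended by 3d90a5d1 earlier in this digest, but the entry it duplicates lies outside this hunk's context, so the diff alone does not show that the surviving entry names the same bullseye version; worth a quick check that the two were not recording different target versions before one of them is dropped.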
[Git][security-tracker-team/security-tracker][master] ceph spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3d90a5d1 by Moritz Mühlenhoff at 2023-03-17T11:45:17+01:00 ceph spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -148,3 +148,5 @@ CVE-2021-33587 [bullseye] - node-css-what 4.0.0-3+deb11u1 CVE-2023-28154 [bullseye] - node-webpack 4.43.0-6+deb11u1 +CVE-2022-3650 + [bullseye] - ceph 14.2.21-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3d90a5d1a9665fd609d3020190ff0bec4df6f377
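Review bot: this appends CVE-2022-3650 at the end of next-point-update.txt, but the file already had an entry for it, which is why the follow-up commit aea14a3c in this digest removes this one as a duplicate; a `grep CVE-2022-3650 data/next-point-update.txt` before appending would have caught it, and the same check belongs in whatever pre-commit hook or script is used for stable point-update entries.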
[Git][security-tracker-team/security-tracker][master] Add two new flatpak issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f080812 by Salvatore Bonaccorso at 2023-03-17T11:40:56+01:00 Add two new flatpak issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1254,8 +1254,12 @@ CVE-2023-28102 RESERVED CVE-2023-28101 RESERVED + - flatpak 1.14.4-1 (bug #1033098) + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-h43h-fwqx-mpp8 CVE-2023-28100 RESERVED + - flatpak 1.14.4-1 (bug #1033099) + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp CVE-2023-28099 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) TODO: check CVE-2023-28098 (OpenSIPS is a Session Initiation Protocol (SIP) server implementation. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f08081242a2cbf45b0f8894c1fa6b8ec280fb64
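Review bot: both entries record 1.14.4-1 as the fix in unstable with a bug each but carry no suite annotations, so bullseye and bookworm show as affected with no triage decision until a follow-up lands (7ee53265 in this digest adds the `[bullseye]` no-dsa lines). The GHSA links are the only references; a `NOTE:` with the upstream fixing commits would let a stable or LTS update be prepared from the entry alone rather than by re-reading the advisories.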
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: fd95911a by Moritz Muehlenhoff at 2023-03-17T11:26:51+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -44832,8 +44832,8 @@ CVE-2022-38457 (A use-after-free(UAF) vulnerability was found in function 'vmw_c [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2074 CVE-2022-38096 (A NULL pointer dereference vulnerability was found in vmwgfx driver in ...) - - linux - NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073 + NOTE: PoC has been removed, original reporter is unresponsive and not reproducible + NOTE: It's unclear whether this was a really issue in the first place CVE-2022-36402 (An integer overflow vulnerability was found in vmwgfx driver in driver ...) - linux NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2072 @@ -217650,6 +217650,7 @@ CVE-2020-12695 (The Open Connectivity Foundation UPnP specification before 2020- [buster] - gupnp 1.0.5-0+deb10u1 - minidlna 1.2.1+dfsg-3 (bug #976594) - pupnp-1.8 (bug #983206) + [bookworm] - pupnp-1.8 (Minor issue) [bullseye] - pupnp-1.8 (Minor issue) [buster] - pupnp-1.8 (Minor issue) - libupnp 
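Review bot: the CVE-2022-38096 hunk drops both the `- linux` line and the openanolis bugzilla reference, leaving the entry with no package and no recorded disposition (neither NOT-FOR-US nor `<not-affected>`), and the one pointer a future reader would need to re-evaluate the report is gone; keep `NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2073` alongside the two new NOTEs, and consider `- linux <not-affected> (...)` or `<undetermined>` so the kernel association survives. Minor: 'a really issue' should read 'a real issue'.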
@@ -229842,6 +229843,7 @@ CVE-2020-8555 (The Kubernetes kube-controller-manager in versions v1.0-1.14, ver NOTE: https://github.com/kubernetes/kubernetes/issues/91542 CVE-2020-8554 (Kubernetes API server in all versions allow an attacker who is able to ...) - kubernetes (bug #990793) + [bookworm] - kubernetes (Kubernetes in Bullseye only ships the client) [bullseye] - kubernetes (Kubernetes in Bullseye only ships the client) NOTE: https://www.openwall.com/lists/oss-security/2020/12/07/5 NOTE: https://github.com/kubernetes/kubernetes/issues/97076 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fd95911a49076f04baa4c3156d90fdbcebe2bab3
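Review bot: the added `[bookworm]` line reuses the bullseye rationale verbatim, so a bookworm annotation now reads 'Kubernetes in Bullseye only ships the client'; if bookworm's kubernetes likewise ships only the client the text should say bookworm, and if that has not been re-checked for the bookworm package the line should not simply be copied over, since the rationale is what justifies leaving CVE-2020-8554 open there.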
[Git][security-tracker-team/security-tracker][master] thunderbird DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d6a9465e by Moritz Mühlenhoff at 2023-03-17T10:23:02+01:00 thunderbird DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[17 Mar 2023] DSA-5375-1 thunderbird - security update + {CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 CVE-2023-28176} + [bullseye] - thunderbird 1:102.9.0-1~deb11u1 [15 Mar 2023] DSA-5374-1 firefox-esr - security update {CVE-2023-25751 CVE-2023-25752 CVE-2023-28162 CVE-2023-28164 CVE-2023-28176} [bullseye] - firefox-esr 102.9.0esr-1~deb11u1 = data/dsa-needed.txt = @@ -55,8 +55,6 @@ samba sofia-sip Maintainer proposed debdiff for review with additional question and sent a followup -- -thunderbird (jmm) --- xrdp needs some additional clarification, tentatively DSA worthy maybe upgrade to 0.9.21 within bullseye? View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d6a9465e91a5487cd5547432149bce0714f61533
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c72e0539 by Moritz Muehlenhoff at 2023-03-17T09:23:29+01:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25692,6 +25692,7 @@ CVE-2022-4171 (The demon image annotation plugin for WordPress is vulnerable to NOT-FOR-US: demon image annotation plugin for WordPress CVE-2022-4170 (The rxvt-unicode package is vulnerable to a remote code execution, in ...) - rxvt-unicode (bug #1025489) + [bookworm] - rxvt-unicode (Minor issue) [bullseye] - rxvt-unicode (Vulnerable code introduced later) [buster] - rxvt-unicode (Vulnerable code introduced later) NOTE: https://www.openwall.com/lists/oss-security/2022/12/05/1 @@ -178130,6 +178131,7 @@ CVE-2020-28492 REJECTED CVE-2020-28491 (This affects the package com.fasterxml.jackson.dataformat:jackson-data ...) - jackson-dataformat-cbor (bug #983664) + [bookworm] - jackson-dataformat-cbor (Minor issue) [bullseye] - jackson-dataformat-cbor (Minor issue) [buster] - jackson-dataformat-cbor (Minor issue) [stretch] - jackson-dataformat-cbor (Minor issue; https://people.debian.org/~abhijith/CVE-2020-28491.txt) @@ -185158,7 +185160,8 @@ CVE-2020-26556 (Mesh Provisioning in the Bluetooth Mesh profile 1.0 and 1.0.1 ma NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/malleable/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1960012 CVE-2020-26555 (Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specificati ...) - - linux + NOT-FOR-US: Bluetooth + NOTE: There's no indication that any Bluetooth software in Debian is affected NOTE: https://kb.cert.org/vuls/id/799380 NOTE: https://www.bluetooth.com/learn-about-bluetooth/key-attributes/bluetooth-security/impersonation-pin-pairing/ NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1918601 
@@ -209120,9 +209123,7 @@ CVE-2020-15803 (Zabbix before 3.0.32rc1, 4.x before 4.0.22rc1, 4.1.x through 4.4 [buster] - zabbix (Minor issue) NOTE: https://support.zabbix.com/browse/ZBX-18057 CVE-2020-15802 (Devices supporting Bluetooth before 5.1 may allow man-in-the-middle at ...) - - linux - [bullseye] - linux (Minor issue, revisit when/if fixed upstream) - [buster] - linux (Minor issue, revisit when/if fixed upstream) + NOTE: Bluetooth protocol issue NOTE: https://www.kb.cert.org/vuls/id/589825/ CVE-2020-15801 (In Python 3.8.4, sys.path restrictions specified in a python38._pth fi ...) - python3.9 (Windows-specific) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c72e05398d71b26af09299b3f90b540b44af3bb8
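Review bot: CVE-2020-26555 and CVE-2020-15802 both lose their `- linux` entries (and, for 15802, the bullseye and buster 'revisit when/if fixed upstream' lines) in favour of NOT-FOR-US or a bare NOTE; the NOTE text for 26555 says only that there is 'no indication' of affected Debian software, which is weaker than a not-affected finding, and once the linux association is removed a later kernel-side mitigation for either ID will not show up against these entries. `- linux <not-affected> (Bluetooth specification issue, no kernel change)` or `<undetermined>` keeps the package link while recording the same conclusion, and preserves the 'revisit' intent that 15802 previously carried.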
[Git][security-tracker-team/security-tracker][master] 5 commits: Track fixed version for CVE-2021-38371/exim4 via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68739287 by Salvatore Bonaccorso at 2023-03-17T09:09:41+01:00 Track fixed version for CVE-2021-38371/exim4 via unstable - - - - - b5e42675 by Salvatore Bonaccorso at 2023-03-17T09:09:43+01:00 Add CVE-2023-24278 as NFU - - - - - d58f7830 by Salvatore Bonaccorso at 2023-03-17T09:09:44+01:00 Update information for CVE-2022-38457 and CVE-2022-40133 - - - - - e0021e06 by Salvatore Bonaccorso at 2023-03-17T09:09:46+01:00 Track fixed version for CVE-2020-25016/rust-rgb via unstable - - - - - b55d4864 by Salvatore Bonaccorso at 2023-03-17T09:09:47+01:00 Update information for CVE-2022-43995/sudo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11928,6 +11928,7 @@ CVE-2023-24279 (A cross-site scripting (XSS) vulnerability in Open Networking Fo NOT-FOR-US: Open Networking Foundation ONOS CVE-2023-24278 RESERVED + NOT-FOR-US: Squidex CVE-2023-24277 RESERVED CVE-2023-24276 (TOTOlink A7100RU(V7.4cu.2313_B20191024) was discovered to contain a co ...) @@ -32644,8 +32645,8 @@ CVE-2022-43997 (Incorrect access control in Aternity agent in Riverbed Aternity CVE-2022-43996 (The csaf_provider package before 0.8.2 allows XSS via a crafted CSAF d ...) NOT-FOR-US: csaf_provider CVE-2022-43995 (Sudo 1.8.0 through 1.9.12, with the crypt() password backend, contains ...) - - sudo (unimportant) - NOTE: Fixed by: https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050 + - sudo 1.9.12p1-1 (unimportant) + NOTE: Fixed by: https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050 (SUDO_1_9_12p1) NOTE: Binary packages compiled with PAM support not enabling the plugins/sudoers/auth/passwd.c code CVE-2022-43994 RESERVED 
@@ -44822,11 +44823,11 @@ CVE-2022-40139 (Improper validation of some components used by the rollback mech CVE-2022-40138 (An integer conversion error in Hermes bytecode generation, prior to co ...) NOT-FOR-US: Facebook Hermes CVE-2022-40133 (A use-after-free(UAF) vulnerability was found in function 'vmw_execbuf ...) - - linux + - linux 6.1.7-1 [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2075 CVE-2022-38457 (A use-after-free(UAF) vulnerability was found in function 'vmw_cmd_res ...) - - linux + - linux 6.1.7-1 [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.openanolis.cn/show_bug.cgi?id=2074 CVE-2022-38096 (A NULL pointer dereference vulnerability was found in vmwgfx driver in ...) @@ -123091,7 +123092,7 @@ CVE-2021-38373 (In KDE KMail 19.12.3 (aka 5.13.3), the SMTP STARTTLS option is n CVE-2021-38372 (In KDE Trojita 0.7, man-in-the-middle attackers can create new folders ...) - trojita (bug #795701) CVE-2021-38371 (The STARTTLS feature in Exim through 4.94.2 allows response injection ...) - - exim4 (bug #992172) + - exim4 4.95~RC2-1 (bug #992172) [bullseye] - exim4 (Minor issue) [buster] - exim4 (Minor issue) [stretch] - exim4 (Minor issue, revisit when fixed upstream) 
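Review bot: CVE-2022-40133 and CVE-2022-38457 now carry `linux 6.1.7-1` as fixed and `[buster] - linux (Vulnerable code not present)`, but no `[bullseye]` line, so bullseye is shown as affected and unfixed with no decision; if the vmwgfx code in bullseye's kernel has the same pattern, a `[bullseye]` annotation or a fixed deb11u version is needed, and if it does not, the same `(Vulnerable code not present)` marking as buster. The only references are the openanolis bugzilla links, so the upstream commits that went into 6.1.7 would be worth recording alongside them. The exim4 hunk records 4.95~RC2-1 as the fixed version; a NOTE naming the upstream change would let the stretch 'revisit when fixed upstream' line be closed out consistently.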
@@ -189377,7 +189378,7 @@ CVE-2020-24863 (A memory corruption vulnerability was found in the kernel functi CVE-2020-24862 (The catID parameter in Pharmacy Medical Store and Sale Point v1.0 has ...) NOT-FOR-US: Pharmacy Medical Store and Sale Point CVE-2020-25016 (A safety violation was discovered in the rgb crate before 0.8.20 for R ...) - - rust-rgb (bug #969213) + - rust-rgb 0.8.36-1 (bug #969213) [bullseye] - rust-rgb (Minor issue) [buster] - rust-rgb (Minor issue) NOTE: https://rustsec.org/advisories/RUSTSEC-2020-0029.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f6c41193d4b7bda16ec132f26a43e82407c068cc...b55d48649620832d1fb35d332fe14a7dbc4dbe7e