[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium via unstable

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
53c24e00 by Salvatore Bonaccorso at 2023-05-17T06:40:13+02:00
Track fixed version for chromium via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,22 +21,22 @@ CVE-2023-2738 (A vulnerability classified as critical has 
been found in Tongda O
 CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/pimco ...)
NOT-FOR-US: pimcore
 CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google 
Chrome prior ...)
-   - chromium 
+   - chromium 113.0.5672.126-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 
113.0.5672.126  ...)
-   - chromium 
+   - chromium 113.0.5672.126-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-2724 (Type confusion in V8 in Google Chrome prior to 113.0.5672.126 
allowed  ...)
-   - chromium 
+   - chromium 113.0.5672.126-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-2723 (Use after free in DevTools in Google Chrome prior to 
113.0.5672.126 al ...)
-   - chromium 
+   - chromium 113.0.5672.126-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior 
to 113 ...)
-   - chromium 
+   - chromium 113.0.5672.126-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 
113.0.5672.126  ...)
-   - chromium 
+   - chromium 113.0.5672.126-1
[buster] - chromium  (see DSA 5046)
 CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to 
Insecure D ...)
NOT-FOR-US: RegistrationMagic plugin for WordPress
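
Review bot: the fixed version 113.0.5672.126-1 is applied uniformly to all six entries, but for CVE-2023-2726 ("Chrome prior ...") and CVE-2023-2722 ("prior to 113 ...") the truncated description shown here does not carry the full upstream version, so those two cannot be confirmed from this hunk alone. Worth checking both against the upstream release notes before relying on the version comparison for unstable.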



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c24e0028999e61a8cfc3d77bd5499103c2b678

-- 
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reserve DLA-3426-1 for netatalk

2023-05-16 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8009518b by Markus Koschany at 2023-05-17T00:20:16+02:00
Reserve DLA-3426-1 for netatalk

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[17 May 2023] DLA-3426-1 netatalk - security update
+   {CVE-2021-31439 CVE-2022-0194 CVE-2022-23121 CVE-2022-23122 
CVE-2022-23123 CVE-2022-23124 CVE-2022-23125 CVE-2022-43634 CVE-2022-45188}
+   [buster] - netatalk 3.1.12~ds-3+deb10u1
 [16 May 2023] DLA-3425-1 sqlparse - security update
{CVE-2023-30608}
[buster] - sqlparse 0.2.4-1+deb10u1


=
data/dla-needed.txt
=
@@ -75,12 +75,6 @@ nbconvert
   NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To 
consider if this require
   NOTE: 20230423: more work on user side and that require further analysis.
 --
-netatalk (Markus Koschany)
-  NOTE: 20220816: Programming language: C.
-  NOTE: 20220912: We get errors in the log, not present on bookworm. Needs 
more investigation. (stefanor)
-  NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk
-  NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. 
(gladk)
---
 node-got
   NOTE: 2022: Programming language: JavaScript.
   NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk)
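
Review bot: the removed 20221212 note says "CVE-2022-0194 is probably too intrusive", but the DLA-3426-1 entry added to data/DLA/list in this same commit lists CVE-2022-0194 among the fixed CVEs. Please confirm that fix really is in 3.1.12~ds-3+deb10u1. The removed 20220912 note about log errors not present on bookworm also disappears here with no record of how it was resolved, so a line in the commit message or the advisory would help.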



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8009518bc9d84d315e331f3d7c45aec371d440c1



[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b2594cd by Salvatore Bonaccorso at 2023-05-16T22:54:02+02:00
Add chromium to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it.
 
 If needed, specify the release by adding a slash after the name of the source 
package.
 
+--
+chromium
 --
 gpac (aron)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b2594cdf88af5a8ba2eaf883a792e2f1d31da58



[Git][security-tracker-team/security-tracker][master] Add new chromium issues

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2550a788 by Salvatore Bonaccorso at 2023-05-16T22:44:39+02:00
Add new chromium issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,17 +21,23 @@ CVE-2023-2738 (A vulnerability classified as critical has 
been found in Tongda O
 CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/pimco ...)
NOT-FOR-US: pimcore
 CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google 
Chrome prior ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 
113.0.5672.126  ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-2724 (Type confusion in V8 in Google Chrome prior to 113.0.5672.126 
allowed  ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-2723 (Use after free in DevTools in Google Chrome prior to 
113.0.5672.126 al ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior 
to 113 ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 
113.0.5672.126  ...)
-   TODO: check
+   - chromium 
+   [buster] - chromium  (see DSA 5046)
 CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to 
Insecure D ...)
NOT-FOR-US: RegistrationMagic plugin for WordPress
 CVE-2023-2499 (The RegistrationMagic plugin for WordPress is vulnerable to 
authentica ...)
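
Review bot: CVE-2023-2722 is described as "Use after free in Autofill UI in Google Chrome on Android", yet it receives the same chromium entries as the desktop issues around it. If the affected code is Android-only, a not-affected marking with a short reason would be more accurate than tracking it as an open chromium issue; otherwise a NOTE saying why the Debian package is affected would help.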



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2550a78893824560fc1d2905f7aadd417fbf3704



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7ec7a8c9 by Salvatore Bonaccorso at 2023-05-16T22:42:46+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,7 +1,7 @@
 CVE-2023-31890 (An XML Deserialization vulnerability in glazedlists v1.11.0 
allows an  ...)
TODO: check
 CVE-2023-31857 (Sourcecodester Online Computer and Laptop Store 1.0 allows 
unrestricte ...)
-   TODO: check
+   NOT-FOR-US: Sourcecodester Online Computer and Laptop Store
 CVE-2023-31856 (A command injection vulnerability in the hostTime parameter in 
the fun ...)
NOT-FOR-US: TOTOLINK
 CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a 
remote code  ...)
@@ -9,17 +9,17 @@ CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered 
to contain a remote
 CVE-2023-31576 (An arbitrary file upload vulnerability in Serendipity 
2.4-beta1 allows ...)
TODO: check
 CVE-2023-31572 (An issue in Bludit 4.0.0-rc-2 allows authenticated attackers 
to change ...)
-   TODO: check
+   NOT-FOR-US: Bludit
 CVE-2023-31519 (Pharmacy Management System v1.0 was discovered to contain a 
SQL inject ...)
-   TODO: check
+   NOT-FOR-US: Pharmacy Management System
 CVE-2023-2740 (A vulnerability, which was classified as problematic, has been 
found i ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Guest Management System
 CVE-2023-2739 (A vulnerability classified as problematic was found in Gira 
HomeServer ...)
-   TODO: check
+   NOT-FOR-US: Gira HomeServer
 CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda 
OA 11. ...)
TODO: check
 CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/pimco ...)
-   TODO: check
+   NOT-FOR-US: pimcore
 CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google 
Chrome prior ...)
TODO: check
 CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 
113.0.5672.126  ...)
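
Review bot: vendor casing is inconsistent within this commit: CVE-2023-2740 gets "SourceCodester Guest Management System" while CVE-2023-31857 in the previous hunk gets "Sourcecodester Online Computer and Laptop Store". Pick one spelling so a text search over NOT-FOR-US entries finds both. "NOT-FOR-US: Pharmacy Management System" for CVE-2023-31519 is also generic enough that adding the vendor name, if known, would make the entry easier to match later.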



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ec7a8c95efbe5ca01c26c1d6c821c5bb667794e



[Git][security-tracker-team/security-tracker][master] LTS: add libpcap to dla-needed.txt

2023-05-16 Thread Anton Gladky (@gladk)


Anton Gladky pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5b2bcfaa by Anton Gladky at 2023-05-16T22:39:34+02:00
LTS: add libpcap to dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -63,6 +63,10 @@ libfastjson (Thorsten Alteholz)
   NOTE: 20230507: Programming language: C.
   NOTE: 20230507: the CVE was fixed in json-c already
 --
+libpcap
+  NOTE: 20230516: Programming language: C.
+  NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git
+--
 linux (Ben Hutchings)
   NOTE: 20230111: Programming language: C
 --
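
Review bot: the new libpcap entry records the language and VCS but not the CVE or reason that put it on the list, unlike the libfastjson entry above it, which notes the state of the CVE. A NOTE naming the CVE id(s) would let whoever claims the package start without searching data/CVE/list.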



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab



[Git][security-tracker-team/security-tracker][master] Process NFUs

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0a948e57 by Salvatore Bonaccorso at 2023-05-16T22:18:39+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,9 +3,9 @@ CVE-2023-31890 (An XML Deserialization vulnerability in 
glazedlists v1.11.0 allo
 CVE-2023-31857 (Sourcecodester Online Computer and Laptop Store 1.0 allows 
unrestricte ...)
TODO: check
 CVE-2023-31856 (A command injection vulnerability in the hostTime parameter in 
the fun ...)
-   TODO: check
+   NOT-FOR-US: TOTOLINK
 CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a 
remote code  ...)
-   TODO: check
+   NOT-FOR-US: Tenda
 CVE-2023-31576 (An arbitrary file upload vulnerability in Serendipity 
2.4-beta1 allows ...)
TODO: check
 CVE-2023-31572 (An issue in Bludit 4.0.0-rc-2 allows authenticated attackers 
to change ...)
@@ -33,9 +33,9 @@ CVE-2023-2722 (Use after free in Autofill UI in Google Chrome 
on Android prior t
 CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 
113.0.5672.126  ...)
TODO: check
 CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to 
Insecure D ...)
-   TODO: check
+   NOT-FOR-US: RegistrationMagic plugin for WordPress
 CVE-2023-2499 (The RegistrationMagic plugin for WordPress is vulnerable to 
authentica ...)
-   TODO: check
+   NOT-FOR-US: RegistrationMagic plugin for WordPress
 CVE-2023-2633 (Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx 
server  ...)
NOT-FOR-US: Jenkins plugin
 CVE-2023-2632 (Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server 
API key ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a948e570ea07d279fed8a3f2f940357809fad9a



[Git][security-tracker-team/security-tracker][master] automatic update

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ca6da290 by security tracker role at 2023-05-16T20:12:12+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,70 +1,108 @@
-CVE-2023-2633
+CVE-2023-31890 (An XML Deserialization vulnerability in glazedlists v1.11.0 
allows an  ...)
+   TODO: check
+CVE-2023-31857 (Sourcecodester Online Computer and Laptop Store 1.0 allows 
unrestricte ...)
+   TODO: check
+CVE-2023-31856 (A command injection vulnerability in the hostTime parameter in 
the fun ...)
+   TODO: check
+CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a 
remote code  ...)
+   TODO: check
+CVE-2023-31576 (An arbitrary file upload vulnerability in Serendipity 
2.4-beta1 allows ...)
+   TODO: check
+CVE-2023-31572 (An issue in Bludit 4.0.0-rc-2 allows authenticated attackers 
to change ...)
+   TODO: check
+CVE-2023-31519 (Pharmacy Management System v1.0 was discovered to contain a 
SQL inject ...)
+   TODO: check
+CVE-2023-2740 (A vulnerability, which was classified as problematic, has been 
found i ...)
+   TODO: check
+CVE-2023-2739 (A vulnerability classified as problematic was found in Gira 
HomeServer ...)
+   TODO: check
+CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda 
OA 11. ...)
+   TODO: check
+CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository 
pimcore/pimco ...)
+   TODO: check
+CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google 
Chrome prior ...)
+   TODO: check
+CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 
113.0.5672.126  ...)
+   TODO: check
+CVE-2023-2724 (Type confusion in V8 in Google Chrome prior to 113.0.5672.126 
allowed  ...)
+   TODO: check
+CVE-2023-2723 (Use after free in DevTools in Google Chrome prior to 
113.0.5672.126 al ...)
+   TODO: check
+CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior 
to 113 ...)
+   TODO: check
+CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 
113.0.5672.126  ...)
+   TODO: check
+CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to 
Insecure D ...)
+   TODO: check
+CVE-2023-2499 (The RegistrationMagic plugin for WordPress is vulnerable to 
authentica ...)
+   TODO: check
+CVE-2023-2633 (Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx 
server  ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-2632
+CVE-2023-2632 (Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server 
API key ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-2631
+CVE-2023-2631 (A missing permission check in Jenkins Code Dx Plugin 3.1.0 and 
earlier ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33007
+CVE-2023-33007 (Jenkins LoadComplete support Plugin 1.0 and earlier does not 
escape th ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33006
+CVE-2023-33006 (A cross-site request forgery (CSRF) vulnerability in Jenkins 
WSO2 Oaut ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33005
+CVE-2023-33005 (Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate 
the prev ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33004
+CVE-2023-33004 (A missing permission check in Jenkins Tag Profiler Plugin 0.2 
and earl ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33003
+CVE-2023-33003 (A cross-site request forgery (CSRF) vulnerability in Jenkins 
Tag Profi ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33002
+CVE-2023-33002 (Jenkins TestComplete support Plugin 2.8.1 and earlier does not 
escape  ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33001
+CVE-2023-33001 (Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier 
does not ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-33000
+CVE-2023-33000 (Jenkins NS-ND Integration Performance Publisher Plugin 
4.8.0.149 and e ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32999
+CVE-2023-32999 (A missing permission check in Jenkins AppSpider Plugin 1.0.15 
and earl ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32998
+CVE-2023-32998 (A cross-site request forgery (CSRF) vulnerability in Jenkins 
AppSpider ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32997
+CVE-2023-32997 (Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the 
previous  ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32996
+CVE-2023-32996 (A missing permission check in Jenkins SAML Single Sign On(SSO) 
Plugin  ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32995
+CVE-2023-32995 (A cross-site request forgery (CSRF) vulnerability in Jenkins 
SAML Sing ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32994
+CVE-2023-32994 (Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier 
unconditiona ...)
NOT-FOR-US: Jenkins plugin
-CVE-2023-32993
+CVE-2023-32993 

[Git][security-tracker-team/security-tracker][master] Add new virtuoso-opensource CVEs

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe0eff82 by Salvatore Bonaccorso at 2023-05-16T22:05:27+02:00
Add new virtuoso-opensource CVEs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -97,55 +97,80 @@ CVE-2023-31843 (Sourcecodester Faculty Evaluation System 
v1.0 is vulnerable to S
 CVE-2023-31842 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to 
SQL Inj ...)
NOT-FOR-US: Sourcecodester Faculty Evaluation System
 CVE-2023-31631 (An issue in the sqlo_preds_contradiction component of openlink 
virtuos ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1137
 CVE-2023-31630 (An issue in the sqlo_query_spec component of openlink 
virtuoso-opensou ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1138
 CVE-2023-31629 (An issue in the sqlo_union_scope component of openlink 
virtuoso-openso ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1139
 CVE-2023-31628 (An issue in the stricmp component of openlink 
virtuoso-opensource v7.2 ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1141
 CVE-2023-31627 (An issue in the strhash component of openlink 
virtuoso-opensource v7.2 ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1140
 CVE-2023-31626 (An issue in the gpf_notice component of openlink 
virtuoso-opensource v ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1129
 CVE-2023-31625 (An issue in the psiginfo component of openlink 
virtuoso-opensource v7. ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1132
 CVE-2023-31624 (An issue in the sinv_check_exp component of openlink 
virtuoso-opensour ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1134
 CVE-2023-31623 (An issue in the mp_box_copy component of openlink 
virtuoso-opensource  ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1131
 CVE-2023-31622 (An issue in the sqlc_make_policy_trig component of openlink 
virtuoso-o ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1135
 CVE-2023-31621 (An issue in the kc_var_col component of openlink 
virtuoso-opensource v ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1130
 CVE-2023-31620 (An issue in the dv_compare component of openlink 
virtuoso-opensource v ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1128
 CVE-2023-31619 (An issue in the sch_name_to_object component of openlink 
virtuoso-open ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1133
 CVE-2023-31618 (An issue in the sqlc_union_dt_wrap component of openlink 
virtuoso-open ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1136
 CVE-2023-31617 (An issue in the dk_set_delete component of openlink 
virtuoso-opensourc ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1127
 CVE-2023-31616 (An issue in the bif_mod component of openlink 
virtuoso-opensource v7.2 ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1122
 CVE-2023-31615 (An issue in the chash_array component of openlink 
virtuoso-opensource  ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1124
 CVE-2023-31614 (An issue in the mp_box_deserialize_string function in openlink 
virtuos ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1117
 CVE-2023-31613 (An issue in the __nss_database_lookup component of openlink 
virtuoso-o ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1121
 CVE-2023-31612 (An issue in the dfe_qexp_list component of openlink 
virtuoso-opensourc ...)
-   TODO: check
+   - virtuoso-opensource 
+   NOTE: https://github.com/openlink/virtuoso-opensource/issues/1125
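
Review bot: some of the "components" named in these descriptions are C library symbols rather than virtuoso code, for example __nss_database_lookup (CVE-2023-31613) and psiginfo (CVE-2023-31625), which suggests the names were taken from crash backtraces. The NOTE lines linking the upstream issues are useful; an extra NOTE on those entries saying the affected virtuoso code path is still to be identified would keep later triage from searching the package for those symbols.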
 

[Git][security-tracker-team/security-tracker][master] Process two NFUs

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c74e77ed by Salvatore Bonaccorso at 2023-05-16T21:12:28+02:00
Process two NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -73,7 +73,7 @@ CVE-2023-32955 (Improper neutralization of special elements 
used in an OS comman
 CVE-2023-32309 (PyMdown Extensions is a set of extensions for the 
`Python-Markdown` ma ...)
TODO: check
 CVE-2023-32308 (anuko timetracker is an open source time tracking system. 
Boolean-base ...)
-   TODO: check
+   NOT-FOR-US: Anuko Time Tracker
 CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime 
services fo ...)
NOT-FOR-US: XWiki
 CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is 
vulner ...)
@@ -81,7 +81,7 @@ CVE-2023-2710 (The video carousel slider with lightbox plugin 
for WordPress is v
 CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to 
Reflected Cros ...)
NOT-FOR-US: Video Gallery plugin for WordPress
 CVE-2023-32787 (The OPC UA Legacy Java Stack before 6f176f2 enables an 
attacker to blo ...)
-   TODO: check
+   NOT-FOR-US: OPC UA Legacy Java Stack
 CVE-2023-32314 (vm2 is a sandbox that can run untrusted code with Node's 
built-in modu ...)
NOT-FOR-US: Node vm2
 CVE-2023-32313 (vm2 is a sandbox that can run untrusted code with Node's 
built-in modu ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c74e77ed6c3553bad74952d9adf43cb2664b631b



[Git][security-tracker-team/security-tracker][master] Add CVE-2022-42336/xen

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d9e1fe94 by Salvatore Bonaccorso at 2023-05-16T17:57:17+02:00
Add CVE-2022-42336/xen

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49374,6 +49374,11 @@ CVE-2022-42337
RESERVED
 CVE-2022-42336
RESERVED
+   - xen 
+   [bullseye] - xen  (Vulnerable code not present)
+   [buster] - xen  (Vulnerable code not present)
+   NOTE: https://www.openwall.com/lists/oss-security/2023/05/16/5
+   NOTE: https://xenbits.xen.org/xsa/advisory-431.html
 CVE-2022-42335 (x86 shadow paging arbitrary pointer dereference In 
environments where  ...)
- xen  (bug #1034842)
[bullseye] - xen  (Vulnerable code not present)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9e1fe947e7f9c2b559e5345468887f219e8460c



[Git][security-tracker-team/security-tracker][master] NFUs

2023-05-16 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6991857d by Moritz Muehlenhoff at 2023-05-16T17:12:20+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,71 @@
+CVE-2023-2633
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-2632
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-2631
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33007
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33006
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33005
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33004
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33003
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33002
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33001
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-33000
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32999
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32998
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32997
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32996
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32995
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32994
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32993
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32992
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32991
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32990
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32989
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32988
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32987
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32986
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32985
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32984
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32983
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32982
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32981
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32980
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32979
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32978
+   NOT-FOR-US: Jenkins plugin
+CVE-2023-32977
+   NOT-FOR-US: Jenkins plugin
 CVE-2023-32956 (Improper neutralization of special elements used in an OS 
command ('OS ...)
NOT-FOR-US: Synology
 CVE-2023-32955 (Improper neutralization of special elements used in an OS 
command ('OS ...)
@@ -2052,8 +2120,10 @@ CVE-2023-2197 (HashiCorp Vault Enterprise 1.13.0 up to 
1.13.1 is vulnerable to a
NOT-FOR-US: HashiCorp Vault
 CVE-2023-2196
RESERVED
+   NOT-FOR-US: Jenkins plugin
 CVE-2023-2195
RESERVED
+   NOT-FOR-US: Jenkins plugin
 CVE-2023-2194 (An out-of-bounds write vulnerability was found in the Linux 
kernel's S ...)
{DLA-3404-1 DLA-3403-1}
- linux 6.1.25-1
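
Review bot: CVE-2023-2196 and CVE-2023-2195 are still shown as RESERVED with no description, so the "NOT-FOR-US: Jenkins plugin" classification added here cannot be checked from the list itself. A NOTE with the advisory that assigns these ids to a Jenkins plugin, or the plugin name in the NOT-FOR-US text, would make the decision verifiable.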



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6991857dd01cfff515b609731dfbb189983184f7



[Git][security-tracker-team/security-tracker][master] Proccess NFUs

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60e9d688 by Salvatore Bonaccorso at 2023-05-16T16:13:25+02:00
Proccess NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,13 +1,13 @@
 CVE-2023-32956 (Improper neutralization of special elements used in an OS 
command ('OS ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2023-32955 (Improper neutralization of special elements used in an OS 
command ('OS ...)
-   TODO: check
+   NOT-FOR-US: Synology
 CVE-2023-32309 (PyMdown Extensions is a set of extensions for the 
`Python-Markdown` ma ...)
TODO: check
 CVE-2023-32308 (anuko timetracker is an open source time tracking system. 
Boolean-base ...)
TODO: check
 CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime 
services fo ...)
-   TODO: check
+   NOT-FOR-US: XWiki
 CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is 
vulner ...)
NOT-FOR-US: video carousel slider with lightbox plugin for WordPress
 CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to 
Reflected Cros ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60e9d688deab525bb9c9636bd90981b1bb966f44



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3425-1 for sqlparse

2023-05-16 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5171a771 by Guilhem Moulin at 2023-05-16T13:29:38+02:00
Reserve DLA-3425-1 for sqlparse

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[16 May 2023] DLA-3425-1 sqlparse - security update
+   {CVE-2023-30608}
+   [buster] - sqlparse 0.2.4-1+deb10u1
 [16 May 2023] DLA-3424-1 python-ipaddress - security update
{CVE-2020-14422}
[buster] - python-ipaddress 1.0.17-1+deb10u1


=
data/dla-needed.txt
=
@@ -203,9 +203,6 @@ samba
   NOTE: 20220904: Many postponed or open CVE in general. (apo)
   NOTE: 20230323: Still working on the long list of CVEs, will likely release 
an intermittent package first (lee)
 --
-sqlparse (guilhem)
-  NOTE: 20230507: Programming language: Python.
---
 sssd (gladk)
   NOTE: 20230131: Programming language: C.
   NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git
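
Review bot: the commit subject mentions only the DLA reservation, while this hunk also releases the "sqlparse (guilhem)" claim in data/dla-needed.txt; naming both in the message would make the release of the claim findable from the log. The removal itself takes the entry, its NOTE and the trailing "--" together, so samba and sssd stay separated by a single "--".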



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5171a7715fb5de279baedd755699b5b40c628565



[Git][security-tracker-team/security-tracker][master] Process NFUs

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
499e028f by Salvatore Bonaccorso at 2023-05-16T11:00:49+02:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -9,9 +9,9 @@ CVE-2023-32308 (anuko timetracker is an open source time 
tracking system. Boolea
 CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime 
services fo ...)
TODO: check
 CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is 
vulner ...)
-   TODO: check
+   NOT-FOR-US: video carousel slider with lightbox plugin for WordPress
 CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to 
Reflected Cros ...)
-   TODO: check
+   NOT-FOR-US: Video Gallery plugin for WordPress
 CVE-2023-32787 (The OPC UA Legacy Java Stack before 6f176f2 enables an 
attacker to blo ...)
TODO: check
 CVE-2023-32314 (vm2 is a sandbox that can run untrusted code with Node's 
built-in modu ...)
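
Review bot: the two tags added here spell out the whole plugin name ("NOT-FOR-US: Video Gallery plugin for WordPress"), whereas CVE-2023-1730 in the same file is tagged with the generic "NOT-FOR-US: WordPress plugin". Settling on one form would keep a search for a given product name reliable across data/CVE/list.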



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/499e028ffd69b545019fa61b54f58bd79a4618bb



[Git][security-tracker-team/security-tracker][master] automatic update

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b2823b55 by security tracker role at 2023-05-16T08:11:59+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,17 @@
+CVE-2023-32956 (Improper neutralization of special elements used in an OS 
command ('OS ...)
+   TODO: check
+CVE-2023-32955 (Improper neutralization of special elements used in an OS 
command ('OS ...)
+   TODO: check
+CVE-2023-32309 (PyMdown Extensions is a set of extensions for the 
`Python-Markdown` ma ...)
+   TODO: check
+CVE-2023-32308 (anuko timetracker is an open source time tracking system. 
Boolean-base ...)
+   TODO: check
+CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime 
services fo ...)
+   TODO: check
+CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is 
vulner ...)
+   TODO: check
+CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to 
Reflected Cros ...)
+   TODO: check
 CVE-2023-32787 (The OPC UA Legacy Java Stack before 6f176f2 enables an 
attacker to blo ...)
TODO: check
 CVE-2023-32314 (vm2 is a sandbox that can run untrusted code with Node's 
built-in modu ...)
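
Review bot: the list text for CVE-2023-32956 and CVE-2023-32955 is identical after truncation ("Improper neutralization of special elements used in an OS command ('OS ...") and names no vendor or product, so neither entry can be triaged from this file alone. Whoever resolves these "TODO: check" lines has to read the full CVE records, and the two entries cannot be told apart by their description in a later search either.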
@@ -74,7 +88,7 @@ CVE-2023-32784 (In KeePass 2.x before 2.54, it is possible to 
recover the cleart
NOTE: 
https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/
 CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in 
Semgrep thro ...)
NOT-FOR-US: git-url-parse
-CVE-2023-2700 [Memory leak in virPCIVirtualFunctionList cleanup]
+CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw 
ouccers due t ...)
[experimental] - libvirt 9.3.0-1
- libvirt 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653
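
Review bot: the imported description on the CVE-2023-2700 line carries the misspelling "ouccers" and, in its truncated form, drops the function name that the bracketed summary it replaces gave (virPCIVirtualFunctionList). Because this text is rewritten by the automatic update, the spelling is better left alone in this file; adding a NOTE that names the function would keep the entry searchable by it.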
@@ -1320,8 +1334,8 @@ CVE-2023-31147
RESERVED
 CVE-2023-31146 (Vyper is a Pythonic smart contract language for the Ethereum 
virtual m ...)
NOT-FOR-US: Vyper
-CVE-2023-31145
-   RESERVED
+CVE-2023-31145 (Collabora Online is a collaborative online office suite based 
on Libre ...)
+   TODO: check
 CVE-2023-31144 (Craft CMS is a content management system. Starting in version 
3.0.0 an ...)
NOT-FOR-US: Craft CMS
 CVE-2023-31143 (mage-ai is an open-source data pipeline tool for transforming 
and inte ...)
@@ -1350,8 +1364,8 @@ CVE-2023-31133 (Ghost is an app for new-media creators 
with tools to build a web
NOT-FOR-US: Ghost CMS
 CVE-2023-31132
RESERVED
-CVE-2023-31131
-   RESERVED
+CVE-2023-31131 (Greenplum Database (GPDB) is an open source data warehouse 
based on Po ...)
+   TODO: check
 CVE-2023-31130
RESERVED
 CVE-2023-31129 (The Contiki-NG operating system versions 4.8 and prior can be 
triggere ...)
@@ -2342,8 +2356,8 @@ CVE-2023-2162 (A use-after-free vulnerability was found 
in iscsi_sw_tcp_session_
- linux 6.1.11-1
[bullseye] - linux 5.10.178-1
NOTE: 
https://git.kernel.org/linus/f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 (6.2-rc6)
-CVE-2023-2161
-   RESERVED
+CVE-2023-2161 (A CWE-611: Improper Restriction of XML External Entity 
Reference vulne ...)
+   TODO: check
 CVE-2023-2160 (Weak Password Requirements in GitHub repository modoboa/modoboa 
prior  ...)
NOT-FOR-US: modoboa
 CVE-2023-2159
@@ -2484,8 +2498,7 @@ CVE-2023-2126
RESERVED
 CVE-2023-2125
RESERVED
-CVE-2023-2124 [OOB access in the Linux kernel's XFS subsystem]
-   RESERVED
+CVE-2023-2124 (An out-of-bounds memory access flaw was found in the Linux 
kernel\u201 ...)
- linux 
NOTE: https://www.openwall.com/lists/oss-security/2023/04/19/2
NOTE: 
https://lore.kernel.org/linux-xfs/20230412214034.gl3223...@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d
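
Review bot: the new CVE-2023-2124 description ends in "kernel\u201 ...", which looks like a unicode escape that was neither decoded nor kept whole before the text was cut to length. The import should decode escapes before truncating so that the list does not carry a partial escape sequence; the entry's package line and NOTEs are unaffected.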
@@ -4694,8 +4707,8 @@ CVE-2023-29963 (S-CMS v5.0 was discovered to contain an 
authenticated remote cod
NOT-FOR-US: S-CMS
 CVE-2023-29962
RESERVED
-CVE-2023-29961
-   RESERVED
+CVE-2023-29961 (D-Link DIR-605L firmware version 1.17B01 BETA is vulnerable to 
stack o ...)
+   TODO: check
 CVE-2023-29960
RESERVED
 CVE-2023-29959
@@ -7347,8 +7360,7 @@ CVE-2023-1731 (In LTOS versions prior to V7.06.013, the 
configuration file uploa
NOT-FOR-US: LTOS
 CVE-2023-1730 (The SupportCandy WordPress plugin before 3.1.5 does not 
validate and e ...)
NOT-FOR-US: WordPress plugin
-CVE-2023-1729
-   RESERVED
+CVE-2023-1729 (A flaw was found in LibRaw. A heap-buffer-overflow in 
raw2image_ex() c ...)
- libraw 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2188240
NOTE: https://github.com/LibRaw/LibRaw/issues/557
@@ -40547,14 +40559,11 @@ CVE-2023-21120
RESERVED
 CVE-2023-21119
RESERVED
-CVE-2023-21118
-   RESERVED
+CVE-2023-21118 (In 

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2700/libvirt

2023-05-16 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
64f91d14 by Salvatore Bonaccorso at 2023-05-16T08:41:16+02:00
Add CVE-2023-2700/libvirt

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -74,6 +74,11 @@ CVE-2023-32784 (In KeePass 2.x before 2.54, it is possible 
to recover the cleart
NOTE: 
https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/
 CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in 
Semgrep thro ...)
NOT-FOR-US: git-url-parse
+CVE-2023-2700 [Memory leak in virPCIVirtualFunctionList cleanup]
+   [experimental] - libvirt 9.3.0-1
+   - libvirt 
+   NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653
+   NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585
 (v9.3.0)
 CVE-2023-2699 (A vulnerability, which was classified as critical, has been 
found in S ...)
NOT-FOR-US: SourceCodester Lost and Found Information System
 CVE-2023-2698 (A vulnerability classified as critical was found in 
SourceCodester Los ...)
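
Review bot: the entry records where the leak was fixed (the "Fixed by:" NOTE, v9.3.0) but not which commit or release introduced it, so it gives no basis for deciding whether the libvirt versions in the stable releases are affected. An "Introduced by:" NOTE, or per-release lines once that has been checked, would close the gap; the bracketed summary is fine as a placeholder until the official description arrives.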



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64f91d143aed3ac5b422f093e0a8edbf9baa7215
