[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53c24e00 by Salvatore Bonaccorso at 2023-05-17T06:40:13+02:00 Track fixed version for chromium via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -21,22 +21,22 @@ CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda O CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) NOT-FOR-US: pimcore CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google Chrome prior ...) - - chromium + - chromium 113.0.5672.126-1 [buster] - chromium (see DSA 5046) CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 113.0.5672.126 ...) - - chromium + - chromium 113.0.5672.126-1 [buster] - chromium (see DSA 5046) CVE-2023-2724 (Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed ...) - - chromium + - chromium 113.0.5672.126-1 [buster] - chromium (see DSA 5046) CVE-2023-2723 (Use after free in DevTools in Google Chrome prior to 113.0.5672.126 al ...) - - chromium + - chromium 113.0.5672.126-1 [buster] - chromium (see DSA 5046) CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior to 113 ...) - - chromium + - chromium 113.0.5672.126-1 [buster] - chromium (see DSA 5046) CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 113.0.5672.126 ...) - - chromium + - chromium 113.0.5672.126-1 [buster] - chromium (see DSA 5046) CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to Insecure D ...) NOT-FOR-US: RegistrationMagic plugin for WordPress View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c24e0028999e61a8cfc3d77bd5499103c2b678 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53c24e0028999e61a8cfc3d77bd5499103c2b678 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
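Review bot: The six chromium entries now carry the unstable fixed version 113.0.5672.126-1, which matches the upstream fixed release named in each CVE description, but no bullseye line is added, so bullseye remains tracked as vulnerable until a DSA is issued; that is consistent with chromium having just been added to data/dsa-needed.txt (commit 3b2594cd), and the "[buster] - chromium (see DSA 5046)" lines are left untouched as they should be.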
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3426-1 for netatalk
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8009518b by Markus Koschany at 2023-05-17T00:20:16+02:00 Reserve DLA-3426-1 for netatalk - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[17 May 2023] DLA-3426-1 netatalk - security update + {CVE-2021-31439 CVE-2022-0194 CVE-2022-23121 CVE-2022-23122 CVE-2022-23123 CVE-2022-23124 CVE-2022-23125 CVE-2022-43634 CVE-2022-45188} + [buster] - netatalk 3.1.12~ds-3+deb10u1 [16 May 2023] DLA-3425-1 sqlparse - security update {CVE-2023-30608} [buster] - sqlparse 0.2.4-1+deb10u1 = data/dla-needed.txt = @@ -75,12 +75,6 @@ nbconvert NOTE: 20230423: XSS may be worth fixing and this was a lot of them. To consider if this require NOTE: 20230423: more work on user side and that require further analysis. -- -netatalk (Markus Koschany) - NOTE: 20220816: Programming language: C. - NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor) - NOTE: 20221212: VCS: https://salsa.debian.org/lts-team/packages/netatalk - NOTE: 20221212: Work is ongoing. CVE-2022-0194 is probably too intrusive. (gladk) --- node-got NOTE: 2022: Programming language: JavaScript. NOTE: 2022: Follow fixes from bullseye 11.4 (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8009518bc9d84d315e331f3d7c45aec371d440c1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8009518bc9d84d315e331f3d7c45aec371d440c1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
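Review bot: The DLA-3426-1 entry in data/DLA/list lists CVE-2022-0194 among the nine CVEs fixed in netatalk 3.1.12~ds-3+deb10u1, while the dla-needed.txt note removed in the same commit recorded "CVE-2022-0194 is probably too intrusive. (gladk)"; please confirm the backport really includes that fix, otherwise the id should be dropped from the curly-brace list and given its own buster line in data/CVE/list so the tracker does not report it as fixed.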
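Review bot: Removing the netatalk block from data/dla-needed.txt also discards the unresolved 20220912 note ("We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)"); if that was settled while preparing the update, a sentence in the DLA text or the commit message would preserve the outcome, since the removal itself leaves no trace of it.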
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3b2594cd by Salvatore Bonaccorso at 2023-05-16T22:54:02+02:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +chromium -- gpac (aron) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b2594cdf88af5a8ba2eaf883a792e2f1d31da58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b2594cdf88af5a8ba2eaf883a792e2f1d31da58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
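Review bot: The new chromium entry in data/dsa-needed.txt is unclaimed (no uid after the name, as the file header describes) and carries no NOTE pointing at the six CVE-2023-2721 to CVE-2023-2726 entries it covers (added in commit 2550a788); a NOTE naming those ids and the upstream fixed version 113.0.5672.126 would spare whoever picks it up a lookup in data/CVE/list.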
[Git][security-tracker-team/security-tracker][master] Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2550a788 by Salvatore Bonaccorso at 2023-05-16T22:44:39+02:00 Add new chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -21,17 +21,23 @@ CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda O CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) NOT-FOR-US: pimcore CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google Chrome prior ...) - TODO: check + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 113.0.5672.126 ...) - TODO: check + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-2724 (Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed ...) - TODO: check + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-2723 (Use after free in DevTools in Google Chrome prior to 113.0.5672.126 al ...) - TODO: check + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior to 113 ...) - TODO: check + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 113.0.5672.126 ...) - TODO: check + - chromium + [buster] - chromium (see DSA 5046) CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to Insecure D ...) NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2023-2499 (The RegistrationMagic plugin for WordPress is vulnerable to authentica ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2550a78893824560fc1d2905f7aadd417fbf3704 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2550a78893824560fc1d2905f7aadd417fbf3704 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
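Review bot: The six entries move from TODO: check to a bare "- chromium" line, which tracks unstable as vulnerable until a fixed version is recorded (done in the later commit 53c24e00), and the added "[buster] - chromium (see DSA 5046)" lines follow the existing convention. One of them deserves a second look before the DSA text is written: CVE-2023-2722 is described as "Use after free in Autofill UI in Google Chrome on Android"; if that code path is Android-only, the Debian package may not be affected and the entry could say so instead of inheriting the generic chromium line.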
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ec7a8c9 by Salvatore Bonaccorso at 2023-05-16T22:42:46+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2023-31890 (An XML Deserialization vulnerability in glazedlists v1.11.0 allows an ...) TODO: check CVE-2023-31857 (Sourcecodester Online Computer and Laptop Store 1.0 allows unrestricte ...) - TODO: check + NOT-FOR-US: Sourcecodester Online Computer and Laptop Store CVE-2023-31856 (A command injection vulnerability in the hostTime parameter in the fun ...) NOT-FOR-US: TOTOLINK CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a remote code ...) 
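Review bot: CVE-2023-31890 (glazedlists) is the one id in this hunk still left at TODO: check while the Sourcecodester and TOTOLINK entries around it are resolved; glazedlists is, to my knowledge, packaged in Debian (src:glazedlists, binary libglazedlists-java), so it needs a real triage with an affected and fixed version line rather than the NOT-FOR-US treatment applied to the rest of the batch.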
@@ -9,17 +9,17 @@ CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a remote CVE-2023-31576 (An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows ...) TODO: check CVE-2023-31572 (An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change ...) - TODO: check + NOT-FOR-US: Bludit CVE-2023-31519 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...) - TODO: check + NOT-FOR-US: Pharmacy Management System CVE-2023-2740 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: SourceCodester Guest Management System CVE-2023-2739 (A vulnerability classified as problematic was found in Gira HomeServer ...) - TODO: check + NOT-FOR-US: Gira HomeServer CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda OA 11. ...) TODO: check CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) - TODO: check + NOT-FOR-US: pimcore CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google Chrome prior ...) TODO: check CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 113.0.5672.126 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ec7a8c95efbe5ca01c26c1d6c821c5bb667794e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ec7a8c95efbe5ca01c26c1d6c821c5bb667794e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
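Review bot: The product names in the NOT-FOR-US annotations are spelled inconsistently within one commit: "SourceCodester Guest Management System" here against "Sourcecodester Online Computer and Laptop Store" in the previous hunk and "Sourcecodester Faculty Evaluation System" elsewhere in the file; settling on one spelling keeps grep-based searches over data/CVE/list reliable.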
[Git][security-tracker-team/security-tracker][master] LTS: add libpcap to dla-needed.txt
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b2bcfaa by Anton Gladky at 2023-05-16T22:39:34+02:00 LTS: add libpcap to dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -63,6 +63,10 @@ libfastjson (Thorsten Alteholz) NOTE: 20230507: Programming language: C. NOTE: 20230507: the CVE was fixed in json-c already -- +libpcap + NOTE: 20230516: Programming language: C. + NOTE: 20230516: VCS: https://salsa.debian.org/lts-team/packages/libpcap.git +-- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b2bcfaa20e12d0c90eb3999fba8b6e942e201ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
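Review bot: The new libpcap block records the language and the VCS URL but not which CVE(s) prompted adding it to dla-needed.txt, whereas the libfastjson entry just above at least notes the status of its CVE; a NOTE naming the open issue(s) would let the person who claims it scope the work without re-deriving it from data/CVE/list.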
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a948e57 by Salvatore Bonaccorso at 2023-05-16T22:18:39+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,9 +3,9 @@ CVE-2023-31890 (An XML Deserialization vulnerability in glazedlists v1.11.0 allo CVE-2023-31857 (Sourcecodester Online Computer and Laptop Store 1.0 allows unrestricte ...) TODO: check CVE-2023-31856 (A command injection vulnerability in the hostTime parameter in the fun ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a remote code ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-31576 (An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows ...) TODO: check CVE-2023-31572 (An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change ...) 
@@ -33,9 +33,9 @@ CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior t CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 113.0.5672.126 ...) TODO: check CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to Insecure D ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2023-2499 (The RegistrationMagic plugin for WordPress is vulnerable to authentica ...) - TODO: check + NOT-FOR-US: RegistrationMagic plugin for WordPress CVE-2023-2633 (Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server ...) NOT-FOR-US: Jenkins plugin CVE-2023-2632 (Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API key ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a948e570ea07d279fed8a3f2f940357809fad9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a948e570ea07d279fed8a3f2f940357809fad9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca6da290 by security tracker role at 2023-05-16T20:12:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,70 +1,108 @@ -CVE-2023-2633 +CVE-2023-31890 (An XML Deserialization vulnerability in glazedlists v1.11.0 allows an ...) + TODO: check +CVE-2023-31857 (Sourcecodester Online Computer and Laptop Store 1.0 allows unrestricte ...) + TODO: check +CVE-2023-31856 (A command injection vulnerability in the hostTime parameter in the fun ...) + TODO: check +CVE-2023-31587 (Tenda AC5 router V15.03.06.28 was discovered to contain a remote code ...) + TODO: check +CVE-2023-31576 (An arbitrary file upload vulnerability in Serendipity 2.4-beta1 allows ...) + TODO: check +CVE-2023-31572 (An issue in Bludit 4.0.0-rc-2 allows authenticated attackers to change ...) + TODO: check +CVE-2023-31519 (Pharmacy Management System v1.0 was discovered to contain a SQL inject ...) + TODO: check +CVE-2023-2740 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2023-2739 (A vulnerability classified as problematic was found in Gira HomeServer ...) + TODO: check +CVE-2023-2738 (A vulnerability classified as critical has been found in Tongda OA 11. ...) + TODO: check +CVE-2023-2730 (Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimco ...) + TODO: check +CVE-2023-2726 (Inappropriate implementation in WebApp Installs in Google Chrome prior ...) + TODO: check +CVE-2023-2725 (Use after free in Guest View in Google Chrome prior to 113.0.5672.126 ...) + TODO: check +CVE-2023-2724 (Type confusion in V8 in Google Chrome prior to 113.0.5672.126 allowed ...) + TODO: check +CVE-2023-2723 (Use after free in DevTools in Google Chrome prior to 113.0.5672.126 al ...) + TODO: check +CVE-2023-2722 (Use after free in Autofill UI in Google Chrome on Android prior to 113 ...) + TODO: check +CVE-2023-2721 (Use after free in Navigation in Google Chrome prior to 113.0.5672.126 ...) + TODO: check +CVE-2023-2548 (The RegistrationMagic plugin for WordPress is vulnerable to Insecure D ...) 
+ TODO: check +CVE-2023-2499 (The RegistrationMagic plugin for WordPress is vulnerable to authentica ...) + TODO: check +CVE-2023-2633 (Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server ...) NOT-FOR-US: Jenkins plugin -CVE-2023-2632 +CVE-2023-2632 (Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API key ...) NOT-FOR-US: Jenkins plugin -CVE-2023-2631 +CVE-2023-2631 (A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33007 +CVE-2023-33007 (Jenkins LoadComplete support Plugin 1.0 and earlier does not escape th ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33006 +CVE-2023-33006 (A cross-site request forgery (CSRF) vulnerability in Jenkins WSO2 Oaut ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33005 +CVE-2023-33005 (Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the prev ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33004 +CVE-2023-33004 (A missing permission check in Jenkins Tag Profiler Plugin 0.2 and earl ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33003 +CVE-2023-33003 (A cross-site request forgery (CSRF) vulnerability in Jenkins Tag Profi ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33002 +CVE-2023-33002 (Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33001 +CVE-2023-33001 (Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not ...) NOT-FOR-US: Jenkins plugin -CVE-2023-33000 +CVE-2023-33000 (Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and e ...) NOT-FOR-US: Jenkins plugin -CVE-2023-32999 +CVE-2023-32999 (A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earl ...) NOT-FOR-US: Jenkins plugin -CVE-2023-32998 +CVE-2023-32998 (A cross-site request forgery (CSRF) vulnerability in Jenkins AppSpider ...) NOT-FOR-US: Jenkins plugin -CVE-2023-32997 +CVE-2023-32997 (Jenkins CAS Plugin 1.6.2 and earlier does not invalidate the previous ...) 
NOT-FOR-US: Jenkins plugin -CVE-2023-32996 +CVE-2023-32996 (A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin ...) NOT-FOR-US: Jenkins plugin -CVE-2023-32995 +CVE-2023-32995 (A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Sing ...) NOT-FOR-US: Jenkins plugin -CVE-2023-32994 +CVE-2023-32994 (Jenkins SAML Single Sign On(SSO) Plugin 2.1.0 and earlier unconditiona ...) NOT-FOR-US: Jenkins plugin -CVE-2023-32993 +CVE-2023-32993
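Review bot: This automatic update replaces the bare ids that commit 6991857d had added by hand (for example "-CVE-2023-2633" becomes "+CVE-2023-2633 (Jenkins Code Dx Plugin 3.1.0 and earlier does not mask Code Dx server ...)") while keeping their "NOT-FOR-US: Jenkins plugin" lines, so the manual pre-annotation merged cleanly. The nineteen entries added at the top are all left at TODO: check, including the six chromium ids CVE-2023-2721 through CVE-2023-2726, which do concern a Debian package and need human triage first; the hunk as shown here is cut off after "+CVE-2023-32993", so the remaining Jenkins entries cannot be checked from this excerpt.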
[Git][security-tracker-team/security-tracker][master] Add new virtuoso-opensource CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe0eff82 by Salvatore Bonaccorso at 2023-05-16T22:05:27+02:00 Add new virtuoso-opensource CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -97,55 +97,80 @@ CVE-2023-31843 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to S CVE-2023-31842 (Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Inj ...) NOT-FOR-US: Sourcecodester Faculty Evaluation System CVE-2023-31631 (An issue in the sqlo_preds_contradiction component of openlink virtuos ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1137 CVE-2023-31630 (An issue in the sqlo_query_spec component of openlink virtuoso-opensou ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1138 CVE-2023-31629 (An issue in the sqlo_union_scope component of openlink virtuoso-openso ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1139 CVE-2023-31628 (An issue in the stricmp component of openlink virtuoso-opensource v7.2 ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1141 CVE-2023-31627 (An issue in the strhash component of openlink virtuoso-opensource v7.2 ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1140 CVE-2023-31626 (An issue in the gpf_notice component of openlink virtuoso-opensource v ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1129 CVE-2023-31625 (An issue in the psiginfo component of openlink virtuoso-opensource v7. ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1132 CVE-2023-31624 (An issue in the sinv_check_exp component of openlink virtuoso-opensour ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1134 CVE-2023-31623 (An issue in the mp_box_copy component of openlink virtuoso-opensource ...) 
- TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1131 CVE-2023-31622 (An issue in the sqlc_make_policy_trig component of openlink virtuoso-o ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1135 CVE-2023-31621 (An issue in the kc_var_col component of openlink virtuoso-opensource v ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1130 CVE-2023-31620 (An issue in the dv_compare component of openlink virtuoso-opensource v ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1128 CVE-2023-31619 (An issue in the sch_name_to_object component of openlink virtuoso-open ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1133 CVE-2023-31618 (An issue in the sqlc_union_dt_wrap component of openlink virtuoso-open ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1136 CVE-2023-31617 (An issue in the dk_set_delete component of openlink virtuoso-opensourc ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1127 CVE-2023-31616 (An issue in the bif_mod component of openlink virtuoso-opensource v7.2 ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1122 CVE-2023-31615 (An issue in the chash_array component of openlink virtuoso-opensource ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1124 CVE-2023-31614 (An issue in the mp_box_deserialize_string function in openlink virtuos ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1117 CVE-2023-31613 (An issue in the __nss_database_lookup component of openlink virtuoso-o ...) 
- TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1121 CVE-2023-31612 (An issue in the dfe_qexp_list component of openlink virtuoso-opensourc ...) - TODO: check + - virtuoso-opensource + NOTE: https://github.com/openlink/virtuoso-opensource/issues/1125
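Review bot: Each of the twenty virtuoso-opensource entries gets a package line and an upstream issue link but no fixed version and no per-release annotation, so bullseye and buster are now tracked as vulnerable for all of them; since the descriptions all follow the same pattern ("An issue in the X component of openlink virtuoso-opensource v7.2 ..."), a severity tag and, where appropriate, <no-dsa> markers for the stable suites would be the usual follow-up once it is known whether upstream has fixes for the linked issues. The hunk shown here also ends at CVE-2023-31612 without its closing context, so the remaining entries cannot be reviewed from this excerpt.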
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c74e77ed by Salvatore Bonaccorso at 2023-05-16T21:12:28+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73,7 +73,7 @@ CVE-2023-32955 (Improper neutralization of special elements used in an OS comman CVE-2023-32309 (PyMdown Extensions is a set of extensions for the `Python-Markdown` ma ...) TODO: check CVE-2023-32308 (anuko timetracker is an open source time tracking system. Boolean-base ...) - TODO: check + NOT-FOR-US: Anuko Time Tracker CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime services fo ...) NOT-FOR-US: XWiki CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is vulner ...) @@ -81,7 +81,7 @@ CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is v CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to Reflected Cros ...) NOT-FOR-US: Video Gallery plugin for WordPress CVE-2023-32787 (The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to blo ...) - TODO: check + NOT-FOR-US: OPC UA Legacy Java Stack CVE-2023-32314 (vm2 is a sandbox that can run untrusted code with Node's built-in modu ...) NOT-FOR-US: Node vm2 CVE-2023-32313 (vm2 is a sandbox that can run untrusted code with Node's built-in modu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c74e77ed6c3553bad74952d9adf43cb2664b631b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c74e77ed6c3553bad74952d9adf43cb2664b631b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
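Review bot: CVE-2023-32309 (PyMdown Extensions) is the one entry in the first hunk left at TODO: check, and rightly so: unlike anuko timetracker it corresponds, to my knowledge, to a Debian source package (pymdown-extensions), so it needs an affected and fixed version line rather than a NOT-FOR-US; the OPC UA Legacy Java Stack annotation in the second hunk is consistent with the vm2 entries beneath it.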
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-42336/xen
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9e1fe94 by Salvatore Bonaccorso at 2023-05-16T17:57:17+02:00 Add CVE-2022-42336/xen - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49374,6 +49374,11 @@ CVE-2022-42337 RESERVED CVE-2022-42336 RESERVED + - xen + [bullseye] - xen (Vulnerable code not present) + [buster] - xen (Vulnerable code not present) + NOTE: https://www.openwall.com/lists/oss-security/2023/05/16/5 + NOTE: https://xenbits.xen.org/xsa/advisory-431.html CVE-2022-42335 (x86 shadow paging arbitrary pointer dereference In environments where ...) - xen (bug #1034842) [bullseye] - xen (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9e1fe947e7f9c2b559e5345468887f219e8460c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9e1fe947e7f9c2b559e5345468887f219e8460c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
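Review bot: The new CVE-2022-42336 block marks bullseye and buster as "Vulnerable code not present" and cites XSA-431 and the oss-security post, but its "- xen" line has neither a fixed version nor a bug reference, whereas the neighbouring CVE-2022-42335 entry carries "(bug #1034842)"; adding the fixed unstable version or a BTS bug once filed would let the unstable state be tracked instead of showing as open indefinitely.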
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6991857d by Moritz Muehlenhoff at 2023-05-16T17:12:20+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,71 @@ +CVE-2023-2633 + NOT-FOR-US: Jenkins plugin +CVE-2023-2632 + NOT-FOR-US: Jenkins plugin +CVE-2023-2631 + NOT-FOR-US: Jenkins plugin +CVE-2023-33007 + NOT-FOR-US: Jenkins plugin +CVE-2023-33006 + NOT-FOR-US: Jenkins plugin +CVE-2023-33005 + NOT-FOR-US: Jenkins plugin +CVE-2023-33004 + NOT-FOR-US: Jenkins plugin +CVE-2023-33003 + NOT-FOR-US: Jenkins plugin +CVE-2023-33002 + NOT-FOR-US: Jenkins plugin +CVE-2023-33001 + NOT-FOR-US: Jenkins plugin +CVE-2023-33000 + NOT-FOR-US: Jenkins plugin +CVE-2023-32999 + NOT-FOR-US: Jenkins plugin +CVE-2023-32998 + NOT-FOR-US: Jenkins plugin +CVE-2023-32997 + NOT-FOR-US: Jenkins plugin +CVE-2023-32996 + NOT-FOR-US: Jenkins plugin +CVE-2023-32995 + NOT-FOR-US: Jenkins plugin +CVE-2023-32994 + NOT-FOR-US: Jenkins plugin +CVE-2023-32993 + NOT-FOR-US: Jenkins plugin +CVE-2023-32992 + NOT-FOR-US: Jenkins plugin +CVE-2023-32991 + NOT-FOR-US: Jenkins plugin +CVE-2023-32990 + NOT-FOR-US: Jenkins plugin +CVE-2023-32989 + NOT-FOR-US: Jenkins plugin +CVE-2023-32988 + NOT-FOR-US: Jenkins plugin +CVE-2023-32987 + NOT-FOR-US: Jenkins plugin +CVE-2023-32986 + NOT-FOR-US: Jenkins plugin +CVE-2023-32985 + NOT-FOR-US: Jenkins plugin +CVE-2023-32984 + NOT-FOR-US: Jenkins plugin +CVE-2023-32983 + NOT-FOR-US: Jenkins plugin +CVE-2023-32982 + NOT-FOR-US: Jenkins plugin +CVE-2023-32981 + NOT-FOR-US: Jenkins plugin +CVE-2023-32980 + NOT-FOR-US: Jenkins plugin +CVE-2023-32979 + NOT-FOR-US: Jenkins plugin +CVE-2023-32978 + NOT-FOR-US: Jenkins plugin +CVE-2023-32977 + NOT-FOR-US: Jenkins plugin CVE-2023-32956 (Improper neutralization of special elements used in an OS command ('OS ...) NOT-FOR-US: Synology CVE-2023-32955 (Improper neutralization of special elements used in an OS command ('OS ...) 
@@ -2052,8 +2120,10 @@ CVE-2023-2197 (HashiCorp Vault Enterprise 1.13.0 up to 1.13.1 is vulnerable to a NOT-FOR-US: HashiCorp Vault CVE-2023-2196 RESERVED + NOT-FOR-US: Jenkins plugin CVE-2023-2195 RESERVED + NOT-FOR-US: Jenkins plugin CVE-2023-2194 (An out-of-bounds write vulnerability was found in the Linux kernel's S ...) {DLA-3404-1 DLA-3403-1} - linux 6.1.25-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6991857dd01cfff515b609731dfbb189983184f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6991857dd01cfff515b609731dfbb189983184f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
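Review bot: The first hunk adds 35 Jenkins plugin ids (CVE-2023-2631 to CVE-2023-2633 and CVE-2023-32977 to CVE-2023-33007) as bare lines with NOT-FOR-US annotations ahead of the automatic import; that only works if the importer merges into existing ids rather than appending duplicates, and the later automatic update (commit ca6da290) shows it does, rewriting "-CVE-2023-2633" to the described form while preserving the annotation.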
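Review bot: In the second hunk CVE-2023-2196 and CVE-2023-2195 keep their RESERVED line and gain "NOT-FOR-US: Jenkins plugin" beneath it; that matches the first hunk, but a short NOTE naming the Jenkins advisory that identifies them would help, since a RESERVED id has no description in the file to justify the annotation.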
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 60e9d688 by Salvatore Bonaccorso at 2023-05-16T16:13:25+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,13 +1,13 @@ CVE-2023-32956 (Improper neutralization of special elements used in an OS command ('OS ...) - TODO: check + NOT-FOR-US: Synology CVE-2023-32955 (Improper neutralization of special elements used in an OS command ('OS ...) - TODO: check + NOT-FOR-US: Synology CVE-2023-32309 (PyMdown Extensions is a set of extensions for the `Python-Markdown` ma ...) TODO: check CVE-2023-32308 (anuko timetracker is an open source time tracking system. Boolean-base ...) TODO: check CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is vulner ...) NOT-FOR-US: video carousel slider with lightbox plugin for WordPress CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to Reflected Cros ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60e9d688deab525bb9c9636bd90981b1bb966f44 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60e9d688deab525bb9c9636bd90981b1bb966f44 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3425-1 for sqlparse
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 5171a771 by Guilhem Moulin at 2023-05-16T13:29:38+02:00 Reserve DLA-3425-1 for sqlparse - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[16 May 2023] DLA-3425-1 sqlparse - security update + {CVE-2023-30608} + [buster] - sqlparse 0.2.4-1+deb10u1 [16 May 2023] DLA-3424-1 python-ipaddress - security update {CVE-2020-14422} [buster] - python-ipaddress 1.0.17-1+deb10u1 = data/dla-needed.txt = @@ -203,9 +203,6 @@ samba NOTE: 20220904: Many postponed or open CVE in general. (apo) NOTE: 20230323: Still working on the long list of CVEs, will likely release an intermittent package first (lee) -- -sqlparse (guilhem) - NOTE: 20230507: Programming language: Python. --- sssd (gladk) NOTE: 20230131: Programming language: C. NOTE: 20230205: VCS: https://salsa.debian.org/lts-team/packages/sssd.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5171a7715fb5de279baedd755699b5b40c628565 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5171a7715fb5de279baedd755699b5b40c628565 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 499e028f by Salvatore Bonaccorso at 2023-05-16T11:00:49+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,9 +9,9 @@ CVE-2023-32308 (anuko timetracker is an open source time tracking system. Boolea CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime services fo ...) TODO: check CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is vulner ...) - TODO: check + NOT-FOR-US: video carousel slider with lightbox plugin for WordPress CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to Reflected Cros ...) - TODO: check + NOT-FOR-US: Video Gallery plugin for WordPress CVE-2023-32787 (The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to blo ...) TODO: check CVE-2023-32314 (vm2 is a sandbox that can run untrusted code with Node's built-in modu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/499e028ffd69b545019fa61b54f58bd79a4618bb
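Review bot: three entries in this hunk's context stay `TODO: check` after the pass (CVE-2023-32068 XWiki Platform, CVE-2023-32787 OPC UA Legacy Java Stack, CVE-2023-32314 vm2), so the NFU backlog for the newest imports is not closed by this commit and a follow-up pass is still needed. The two lines that are resolved name the exact plugin ("video carousel slider with lightbox plugin for WordPress", "Video Gallery plugin for WordPress") rather than the generic "WordPress plugin" form used elsewhere in the file, which is the better form: a later reader can confirm the decision without reopening the CVE text.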
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2823b55 by security tracker role at 2023-05-16T08:11:59+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2023-32956 (Improper neutralization of special elements used in an OS command ('OS ...) + TODO: check +CVE-2023-32955 (Improper neutralization of special elements used in an OS command ('OS ...) + TODO: check +CVE-2023-32309 (PyMdown Extensions is a set of extensions for the `Python-Markdown` ma ...) + TODO: check +CVE-2023-32308 (anuko timetracker is an open source time tracking system. Boolean-base ...) + TODO: check +CVE-2023-32068 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check +CVE-2023-2710 (The video carousel slider with lightbox plugin for WordPress is vulner ...) + TODO: check +CVE-2023-2708 (The Video Gallery plugin for WordPress is vulnerable to Reflected Cros ...) + TODO: check CVE-2023-32787 (The OPC UA Legacy Java Stack before 6f176f2 enables an attacker to blo ...) TODO: check CVE-2023-32314 (vm2 is a sandbox that can run untrusted code with Node's built-in modu ...) @@ -74,7 +88,7 @@ CVE-2023-32784 (In KeePass 2.x before 2.54, it is possible to recover the cleart NOTE: https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/ CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep thro ...) NOT-FOR-US: git-url-parse -CVE-2023-2700 [Memory leak in virPCIVirtualFunctionList cleanup] +CVE-2023-2700 (A vulnerability was found in libvirt. This security flaw ouccers due t ...) [experimental] - libvirt 9.3.0-1 - libvirt NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653 
@@ -1320,8 +1334,8 @@ CVE-2023-31147 RESERVED CVE-2023-31146 (Vyper is a Pythonic smart contract language for the Ethereum virtual m ...) NOT-FOR-US: Vyper -CVE-2023-31145 - RESERVED +CVE-2023-31145 (Collabora Online is a collaborative online office suite based on Libre ...) + TODO: check CVE-2023-31144 (Craft CMS is a content management system. Starting in version 3.0.0 an ...) NOT-FOR-US: Craft CMS CVE-2023-31143 (mage-ai is an open-source data pipeline tool for transforming and inte ...) @@ -1350,8 +1364,8 @@ CVE-2023-31133 (Ghost is an app for new-media creators with tools to build a web NOT-FOR-US: Ghost CMS CVE-2023-31132 RESERVED -CVE-2023-31131 - RESERVED +CVE-2023-31131 (Greenplum Database (GPDB) is an open source data warehouse based on Po ...) + TODO: check CVE-2023-31130 RESERVED CVE-2023-31129 (The Contiki-NG operating system versions 4.8 and prior can be triggere ...) @@ -2342,8 +2356,8 @@ CVE-2023-2162 (A use-after-free vulnerability was found in iscsi_sw_tcp_session_ - linux 6.1.11-1 [bullseye] - linux 5.10.178-1 NOTE: https://git.kernel.org/linus/f484a794e4ee2a9ce61f52a78e810ac45f3fe3b3 (6.2-rc6) -CVE-2023-2161 - RESERVED +CVE-2023-2161 (A CWE-611: Improper Restriction of XML External Entity Reference vulne ...) + TODO: check CVE-2023-2160 (Weak Password Requirements in GitHub repository modoboa/modoboa prior ...) NOT-FOR-US: modoboa CVE-2023-2159 @@ -2484,8 +2498,7 @@ CVE-2023-2126 RESERVED CVE-2023-2125 RESERVED -CVE-2023-2124 [OOB access in the Linux kernel's XFS subsystem] - RESERVED +CVE-2023-2124 (An out-of-bounds memory access flaw was found in the Linux kernel\u201 ...) - linux NOTE: https://www.openwall.com/lists/oss-security/2023/04/19/2 NOTE: https://lore.kernel.org/linux-xfs/20230412214034.gl3223...@dread.disaster.area/T/#m1ebbcd1ad061d2d33bef6f0534a2b014744d152d 
@@ -4694,8 +4707,8 @@ CVE-2023-29963 (S-CMS v5.0 was discovered to contain an authenticated remote cod NOT-FOR-US: S-CMS CVE-2023-29962 RESERVED -CVE-2023-29961 - RESERVED +CVE-2023-29961 (D-Link DIR-605L firmware version 1.17B01 BETA is vulnerable to stack o ...) + TODO: check CVE-2023-29960 RESERVED CVE-2023-29959 @@ -7347,8 +7360,7 @@ CVE-2023-1731 (In LTOS versions prior to V7.06.013, the configuration file uploa NOT-FOR-US: LTOS CVE-2023-1730 (The SupportCandy WordPress plugin before 3.1.5 does not validate and e ...) NOT-FOR-US: WordPress plugin -CVE-2023-1729 - RESERVED +CVE-2023-1729 (A flaw was found in LibRaw. A heap-buffer-overflow in raw2image_ex() c ...) - libraw NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2188240 NOTE: https://github.com/LibRaw/LibRaw/issues/557 @@ -40547,14 +40559,11 @@ CVE-2023-21120 RESERVED CVE-2023-21119 RESERVED -CVE-2023-21118 - RESERVED +CVE-2023-21118 (In
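Review bot: the imported description for CVE-2023-2124 contains a literal `\u201` escape ("in the Linux kernel\u201 ...") where the upstream text has a U+201x character (a typographic quote or dash), so either the feed or the import script is emitting a JSON-style escape into data/CVE/list instead of the character, and the 70-column truncation then cuts the escape mid-sequence. The removed placeholder "[OOB access in the Linux kernel's XFS subsystem]" was more readable than what replaced it; the fix belongs in the importer's decoding, since a manual edit of the description line would be overwritten by the next automatic run.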
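Review bot: the hunks that turn `RESERVED` into the published text plus `TODO: check` leave some entries that the description alone already settles; for CVE-2023-29961 ("D-Link DIR-605L firmware version 1.17B01 BETA ...") router firmware is not shipped as a Debian package, so it can go straight to NOT-FOR-US in the next manual pass, as the Synology entries were handled above. CVE-2023-1729 keeps its existing `- libraw` line and both NOTE links across the description change, and CVE-2023-31145, CVE-2023-31131 and CVE-2023-2161 arrive with truncated descriptions that still identify the product (Collabora Online, Greenplum Database, a CWE-611 XXE in an unnamed product), so only the last of those needs the full CVE text to be triaged.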
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2700/libvirt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 64f91d14 by Salvatore Bonaccorso at 2023-05-16T08:41:16+02:00 Add CVE-2023-2700/libvirt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -74,6 +74,11 @@ CVE-2023-32784 (In KeePass 2.x before 2.54, it is possible to recover the cleart NOTE: https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/ CVE-2023-32758 (giturlparse (aka git-url-parse) through 1.2.2, as used in Semgrep thro ...) NOT-FOR-US: git-url-parse +CVE-2023-2700 [Memory leak in virPCIVirtualFunctionList cleanup] + [experimental] - libvirt 9.3.0-1 + - libvirt + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2203653 + NOTE: Fixed by: https://gitlab.com/libvirt/libvirt/-/commit/6425a311b8ad19d6f9c0b315bf1d722551ea3585 (v9.3.0) CVE-2023-2699 (A vulnerability, which was classified as critical, has been found in S ...) NOT-FOR-US: SourceCodester Lost and Found Information System CVE-2023-2698 (A vulnerability classified as critical was found in SourceCodester Los ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/64f91d143aed3ac5b422f093e0a8edbf9baa7215
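Review bot: unstable is left as an unversioned `- libvirt` line while experimental is marked fixed at 9.3.0-1, with the `Fixed by` NOTE pointing at an upstream commit tagged (v9.3.0); that is consistent only as long as 9.3.0 has not been uploaded to unstable, so the unstable line needs a fixed version as soon as it is. The bracketed description is a placeholder that the automatic import replaces with the published CVE text, so the two NOTE lines are the durable part of this entry; recording the upstream fix commit together with its release tag is what makes the [experimental] version claim checkable later.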