[Git][security-tracker-team/security-tracker][master] Add CVE-2023-33718/mp4v2
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c37e7ab by Salvatore Bonaccorso at 2023-06-01T08:25:06+02:00 Add CVE-2023-33718/mp4v2 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93,7 +93,7 @@ CVE-2023-33730 (Privilege Escalation in the "GetUserCurrentPwd" function in Micr CVE-2023-33722 (EDIMAX BR-6288ACL v1.12 was discovered to contain an authenticated rem ...) NOT-FOR-US: EDIMAX CVE-2023-33718 (mp4v2 v2.1.3 was discovered to contain a memory leak via MP4File::Read ...) - TODO: check + - mp4v2 CVE-2023-33509 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to SQL Injection.) NOT-FOR-US: KramerAV VIA GO CVE-2023-33508 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to unauthenticated file ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c37e7ab4e4071f10d5718c8a5d6bb406b6f1f2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
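Review bot: the new "- mp4v2" line marks the source package as affected without a NOTE giving the upstream report or fix status, and without a severity, whereas the other entries in this series record both (the gpac and linux entries carry NOTE: lines with the upstream commit, and CVE-2022-48502 shows the "(unimportant)" form used for low-impact issues). The visible description only says "memory leak via MP4File::Read" in mp4v2 v2.1.3; adding a NOTE with the upstream issue URL and, once known, the fixing commit would let the next triager verify the entry without re-researching it, and a severity marker would say whether a memory leak in a file parser is worth a DSA-level update or not.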
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: af7d88a6 by Salvatore Bonaccorso at 2023-06-01T08:23:01+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -47,35 +47,35 @@ CVE-2023-34255 (An issue was discovered in the Linux kernel through 6.3.5. There - linux NOTE: https://git.kernel.org/linus/22ed903eee23a5b174e240f1cdfa9acf393a5210 (6.4-rc1) CVE-2023-34229 (In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection p ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34228 (In JetBrains TeamCity before 2023.05 authentication checks were missin ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34227 (In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerabl ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34226 (In JetBrains TeamCity before 2023.05 reflected XSS in the Subscription ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34225 (In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34224 (In JetBrains TeamCity before 2023.05 open redirect during oAuth config ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34223 (In JetBrains TeamCity before 2023.05 parameters of the "password" type ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34222 (In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34221 (In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34220 (In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status P ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34219 (In JetBrains TeamCity before 2023.05 improper permission checks allowe ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34218 (In JetBrains TeamCity before 2023.05 bypass of permission checks allow ...) - TODO: check + NOT-FOR-US: JetBrains TeamCity CVE-2023-34088 (Collabora Online is a collaborative online office suite. A stored cros ...) 
- TODO: check + NOT-FOR-US: Collabora Online CVE-2023-33979 (gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnera ...) TODO: check CVE-2023-33971 (Formcreator is a GLPI plugin which allow creation of custom forms and ...) - TODO: check + NOT-FOR-US: GLPI plugin CVE-2023-33967 (EaseProbe is a tool that can do health/status checking. An SQL injecti ...) TODO: check CVE-2023-33966 (Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and de ...) @@ -85,21 +85,21 @@ CVE-2023-33964 (mx-chain-go is an implementation of the MultiversX blockchain pr CVE-2023-33736 (A stored cross-site scripting (XSS) vulnerability in Dcat-Admin v2.1.3 ...) TODO: check CVE-2023-33735 (D-Link DIR-846 v1.00A52 was discovered to contain a remote command exe ...) - TODO: check + NOT-FOR-US: D-Link CVE-2023-33732 (Cross Site Scripting (XSS) in the New Policy form in Microworld Techno ...) TODO: check CVE-2023-33730 (Privilege Escalation in the "GetUserCurrentPwd" function in Microworld ...) - TODO: check + NOT-FOR-US: Microworld Technologies eScan Management Console CVE-2023-33722 (EDIMAX BR-6288ACL v1.12 was discovered to contain an authenticated rem ...) - TODO: check + NOT-FOR-US: EDIMAX CVE-2023-33718 (mp4v2 v2.1.3 was discovered to contain a memory leak via MP4File::Read ...) TODO: check CVE-2023-33509 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to SQL Injection.) - TODO: check + NOT-FOR-US: KramerAV VIA GO CVE-2023-33508 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to unauthenticated file ...) - TODO: check + NOT-FOR-US: KramerAV VIA GO CVE-2023-33507 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to Unauthenticated arbi ...) - TODO: check + NOT-FOR-US: KramerAV VIA GO CVE-2023-33487 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 cont ...) NOT-FOR-US: TOTOLINK CVE-2023-33486 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 cont ...) 
@@ -107,11 +107,11 @@ CVE-2023-33486 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B2023011 CVE-2023-33485 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 cont ...) NOT-FOR-US: TOTOLINK CVE-2023-33287 (A stored cross-site scripting (XSS) vulnerability in the Inline Table ...) - TODO: check + NOT-FOR-US: Atlassian Confluence CVE-2023-32217 (IdentityIQ 8.3 and all 8.3 patch
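Review bot: CVE-2023-33732 is left as "TODO: check" while CVE-2023-33730, which the hunk shows belongs to the same vendor (Microworld Techno...), is marked "NOT-FOR-US: Microworld Technologies eScan Management Console" in this pass; the two should be classified together. Separately, the new tag for CVE-2023-33287 names Atlassian Confluence, but the truncated description visible in the hunk ("A stored cross-site scripting (XSS) vulnerability in the Inline Table ...") does not name any product, so the attribution cannot be checked from the diff; a NOTE with the advisory URL the attribution came from would make it verifiable.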
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3006/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cbd02bb1 by Salvatore Bonaccorso at 2023-06-01T08:15:58+02:00 Add CVE-2023-3006/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27,7 +27,9 @@ CVE-2023-3008 (A vulnerability classified as critical has been found in ningzich CVE-2023-3007 (A vulnerability was found in ningzichun Student Management System 1.0. ...) NOT-FOR-US: ningzichun Student Management System CVE-2023-3006 (A known cache speculation vulnerability, known as Branch History Injec ...) - TODO: check + - linux 6.0.7-1 + [bullseye] - linux 5.10.158-1 + NOTE: https://git.kernel.org/linus/0e5d5ae837c8ce04d2ddb874ec5f920118bd9d31 (6.1-rc1) CVE-2023-3005 (A vulnerability, which was classified as problematic, was found in Sou ...) NOT-FOR-US: SourceCodester Local Service Search Engine Management System CVE-2023-3004 (A vulnerability, which was classified as critical, has been found in S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cbd02bb157ef131e7750f5e3df5d8b3412108010
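Review bot: the fixed versions recorded here (linux 6.0.7-1 for unstable, 5.10.158-1 for bullseye) come from stable series that do not contain the 6.1-rc1 merge window in which the NOTE's upstream commit landed, so the fix must have reached both through stable backports; the NOTE should name the 6.0.y and 5.10.y stable releases (or the backport commits) so that the version claims can be checked against the entry rather than against the stable changelogs. No buster status line is recorded in the hunk, although the description calls this a known cache speculation issue (Branch History Injection), so a triager will have to revisit it for buster.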
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-32697/xerial-sqlite-jdbc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bd8d3b3d by Salvatore Bonaccorso at 2023-06-01T07:25:03+02:00 Update status for CVE-2023-32697/xerial-sqlite-jdbc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -740,7 +740,9 @@ CVE-2023-33246 (For RocketMQ versions 5.1.0 and below, under certain conditions, NOT-FOR-US: Apache RocketMQ CVE-2023-32697 (SQLite JDBC is a library for accessing and creating SQLite database fi ...) - xerial-sqlite-jdbc (bug #1036706) + [bookworm] - xerial-sqlite-jdbc (Minor issue) NOTE: https://github.com/xerial/sqlite-jdbc/security/advisories/GHSA-6phf-6h5g-97j2 + NOTE: Fixed by: https://github.com/xerial/sqlite-jdbc/commit/edb4b8adc2447bc04e05b9b908195a4bc7926242 (3.41.2.2) CVE-2023-32685 (Kanboard is project management software that focuses on the Kanban met ...) - kanboard (bug #1036874) [bookworm] - kanboard (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd8d3b3db5c5c0c786a092a5cbbd497b7f4b2a75
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-48502/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89ae6293 by Salvatore Bonaccorso at 2023-05-31T22:56:01+02:00 Add CVE-2022-48502/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,7 +117,11 @@ CVE-2023-2758 (A denial of service vulnerability exists in Contec CONPROSYS HMI CVE-2023-2749 (Download Center fails to properly validate the file path submitted by ...) TODO: check CVE-2022-48502 (An issue was discovered in the Linux kernel before 6.2. The ntfs3 subs ...) - TODO: check + - linux (unimportant) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/0e8235d28f3a0e9eda9f02ff67ee566d5f42b66b (6.2-rc1) + NOTE: NTFS3 driver not enabled in Debian CVE-2015-10108 (A vulnerability was found in meitar Inline Google Spreadsheet Viewer P ...) TODO: check CVE-2023-33962 (JStachio is a type-safe Java Mustache templating engine. Prior to ver ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89ae6293aa643bed10fa0b37578b25cfed1f85e1
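Review bot: the unstable line is tagged "(unimportant)" with no fixed version even though the NOTE records the upstream fix in 6.2-rc1 and the description limits the issue to kernels before 6.2; recording the first Debian linux version at or above 6.2 would close the entry instead of leaving it open under the unimportant tag. The NOTE "NTFS3 driver not enabled in Debian" is doing two jobs here: it justifies "(unimportant)" for unstable, where the ntfs3 code is present but not built, and "Vulnerable code not present" for bullseye and buster, where the hunk claims the code is absent from the tree altogether; keeping those two rationales stated separately avoids the two tags being read as interchangeable.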
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34255/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46fefb74 by Salvatore Bonaccorso at 2023-05-31T22:50:41+02:00 Add CVE-2023-34255/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -42,7 +42,8 @@ CVE-2023-34256 (An issue was discovered in the Linux kernel before 6.3.3. There - linux NOTE: https://git.kernel.org/linus/4f04351888a83e595571de672e0a4a8b74f4fb31 (6.4-rc2) CVE-2023-34255 (An issue was discovered in the Linux kernel through 6.3.5. There is a ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/22ed903eee23a5b174e240f1cdfa9acf393a5210 (6.4-rc1) CVE-2023-34229 (In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection p ...) TODO: check CVE-2023-34228 (In JetBrains TeamCity before 2023.05 authentication checks were missin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46fefb7454b94097ac9512245ea8555096c78845
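Review bot: the entry records a bare "- linux" with the upstream fix in 6.4-rc1 but no severity and no bullseye or buster status, unlike the other linux entries in this series (CVE-2023-3006 and CVE-2022-48502), which carry per-release lines. Since the description says "through 6.3.5", the affected code may or may not exist in the bullseye 5.10 and buster trees; either a "[bullseye] - linux (Vulnerable code not present)" style line or a NOTE naming the commit that introduced the bug would settle that now rather than in a second triage pass.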
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34256/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 239fc4c8 by Salvatore Bonaccorso at 2023-05-31T22:47:28+02:00 Add CVE-2023-34256/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,7 +39,8 @@ CVE-2023-34258 (An issue was discovered in BMC Patrol before 22.1.00. The agent' CVE-2023-34257 (An issue was discovered in BMC Patrol through 23.1.00. The agent's con ...) NOT-FOR-US: BMC Patrol CVE-2023-34256 (An issue was discovered in the Linux kernel before 6.3.3. There is an ...) - TODO: check + - linux + NOTE: https://git.kernel.org/linus/4f04351888a83e595571de672e0a4a8b74f4fb31 (6.4-rc2) CVE-2023-34255 (An issue was discovered in the Linux kernel through 6.3.5. There is a ...) TODO: check CVE-2023-34229 (In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection p ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/239fc4c8d795f8c9db1db3221d6ae68e19bd
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3009/teampass
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 16df2957 by Salvatore Bonaccorso at 2023-05-31T22:31:36+02:00 Add CVE-2023-3009/teampass - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,7 +21,7 @@ CVE-2023-3012 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to NOTE: https://huntr.dev/bounties/916b787a-c603-409d-afc6-25bb02070e69 NOTE: https://github.com/gpac/gpac/commit/53387aa86c1af1228d0fa57c67f9c7330716d5a7 CVE-2023-3009 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) - TODO: check + - teampass (bug #730180) CVE-2023-3008 (A vulnerability classified as critical has been found in ningzichun St ...) NOT-FOR-US: ningzichun Student Management System CVE-2023-3007 (A vulnerability was found in ningzichun Student Management System 1.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16df2957f6d041d80442d2dd5dc04bcbd3c39d42
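Review bot: the bug number in "- teampass (bug #730180)" is far older than the other bug references added in this series (#1036706, #1036995, #1036999), which suggests it is a long-standing packaging (ITP/RFP) bug rather than a bug filed for this CVE. If teampass is not in the archive, the line should carry the tracker's <itp> marker so the CVE is not counted as an unfixed issue in a packaged source; if it is packaged, a NOTE with the upstream fix reference would be expected, as the gpac entries in the same series have.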
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-301{2,3}/gpac
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0aa8220 by Salvatore Bonaccorso at 2023-05-31T22:30:48+02:00 Add CVE-2023-301{2,3}/gpac - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -13,9 +13,13 @@ CVE-2023-3015 (A vulnerability has been found in yiwent Vip Video Analysis 1.0 a CVE-2023-3014 (A vulnerability, which was classified as problematic, was found in Bei ...) NOT-FOR-US: BeipyVideoResolution CVE-2023-3013 (Unchecked Return Value in GitHub repository gpac/gpac prior to 2.2.2.) - TODO: check + - gpac + NOTE: https://huntr.dev/bounties/52f95edc-cc03-4a9f-9bf8-74f641260073 + NOTE: https://github.com/gpac/gpac/commit/78e539b43293829a14a32e821f5267e3b7417594 CVE-2023-3012 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) - TODO: check + - gpac + NOTE: https://huntr.dev/bounties/916b787a-c603-409d-afc6-25bb02070e69 + NOTE: https://github.com/gpac/gpac/commit/53387aa86c1af1228d0fa57c67f9c7330716d5a7 CVE-2023-3009 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) TODO: check CVE-2023-3008 (A vulnerability classified as critical has been found in ningzichun St ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0aa8220460d425fb3a569e9aeca429d0df0c9c8
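Review bot: both new gpac entries identify the huntr report and the upstream fix commit in NOTE lines but record a bare "- gpac" with neither a fixed Debian version nor a bug reference, while the descriptions state the issues affect gpac prior to 2.2.2. If the fixing commits are in a packaged upstream release, the fixed version belongs on the "- gpac" line; otherwise a "(bug #NNN)" reference, as added for teampass, imagemagick and openldap in this same series, would track the pending upload, and a severity (an unchecked return value and a NULL dereference in a media parser are usually "(unimportant)" or "(Minor issue)" material) would tell release teams whether an update is needed.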
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3cdba264 by Salvatore Bonaccorso at 2023-05-31T22:30:18+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,15 +3,15 @@ CVE-2023-3021 (Cross-site Scripting (XSS) - Stored in GitHub repository mkucej/i CVE-2023-3020 (Cross-site Scripting (XSS) - Reflected in GitHub repository mkucej/i-l ...) TODO: check CVE-2023-3018 (A vulnerability was found in SourceCodester Lost and Found Information ...) - TODO: check + NOT-FOR-US: SourceCodester Lost and Found Information System CVE-2023-3017 (A vulnerability was found in SourceCodester Lost and Found Information ...) - TODO: check + NOT-FOR-US: SourceCodester Lost and Found Information System CVE-2023-3016 (A vulnerability was found in yiwent Vip Video Analysis 1.0 and classif ...) - TODO: check + NOT-FOR-US: yiwent Vip Video Analysis CVE-2023-3015 (A vulnerability has been found in yiwent Vip Video Analysis 1.0 and cl ...) - TODO: check + NOT-FOR-US: yiwent Vip Video Analysis CVE-2023-3014 (A vulnerability, which was classified as problematic, was found in Bei ...) - TODO: check + NOT-FOR-US: BeipyVideoResolution CVE-2023-3013 (Unchecked Return Value in GitHub repository gpac/gpac prior to 2.2.2.) TODO: check CVE-2023-3012 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) 
@@ -19,21 +19,21 @@ CVE-2023-3012 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to CVE-2023-3009 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) TODO: check CVE-2023-3008 (A vulnerability classified as critical has been found in ningzichun St ...) - TODO: check + NOT-FOR-US: ningzichun Student Management System CVE-2023-3007 (A vulnerability was found in ningzichun Student Management System 1.0. ...) - TODO: check + NOT-FOR-US: ningzichun Student Management System CVE-2023-3006 (A known cache speculation vulnerability, known as Branch History Injec ...) TODO: check CVE-2023-3005 (A vulnerability, which was classified as problematic, was found in Sou ...) - TODO: check + NOT-FOR-US: SourceCodester Local Service Search Engine Management System CVE-2023-3004 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Chat System CVE-2023-3003 (A vulnerability classified as critical was found in SourceCodester Tra ...) - TODO: check + NOT-FOR-US: SourceCodester Train Station Ticketing System CVE-2023-34258 (An issue was discovered in BMC Patrol before 22.1.00. The agent's conf ...) - TODO: check + NOT-FOR-US: BMC Patrol CVE-2023-34257 (An issue was discovered in BMC Patrol through 23.1.00. The agent's con ...) - TODO: check + NOT-FOR-US: BMC Patrol CVE-2023-34256 (An issue was discovered in the Linux kernel before 6.3.3. There is an ...) TODO: check CVE-2023-34255 (An issue was discovered in the Linux kernel through 6.3.5. There is a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3cdba264005b1b36b3b2caf00cfa24d059b324e4
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5523c7b by Salvatore Bonaccorso at 2023-05-31T22:22:47+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93,11 +93,11 @@ CVE-2023-33508 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to unauthenticate CVE-2023-33507 (KramerAV VIA GO\xb2 < 4.0.1.1326 is vulnerable to Unauthenticated arbi ...) TODO: check CVE-2023-33487 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 cont ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-33486 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 cont ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-33485 (TOTOLINK X5000R V9.1.0u.6118_B20201102 and V9.1.0u.6369_B20230113 cont ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2023-33287 (A stored cross-site scripting (XSS) vulnerability in the Inline Table ...) TODO: check CVE-2023-32217 (IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p3, IdentityIQ 8.2 ...) @@ -17374,7 +17374,7 @@ CVE-2023-26279 CVE-2023-26278 (IBM QRadar WinCollect Agent 10.0 through 10.1.3 could allow a local au ...) TODO: check CVE-2023-26277 (IBM QRadar WinCollect Agent 10.0 though 10.1.3 could allow a local use ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-26276 RESERVED CVE-2023-26275 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5523c7bf7c059c151019e667f5a2fe4a5295a82
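Review bot: in the second hunk CVE-2023-26277 is marked "NOT-FOR-US: IBM" while CVE-2023-26278, two lines above it with the same product text (IBM QRadar WinCollect Agent 10.0 through 10.1.3), is left as "TODO: check"; the pair should be classified in the same pass. A product-level tag such as "NOT-FOR-US: IBM QRadar WinCollect Agent", matching the specificity of the TOTOLINK and KramerAV VIA GO tags in the first hunk, would also make later searches of the list more useful than the bare vendor name.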
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-34151/imagemagick
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 15aefb9f by Salvatore Bonaccorso at 2023-05-31T22:19:29+02:00 Add Debian bug reference for CVE-2023-34151/imagemagick - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -77447,7 +77447,7 @@ CVE-2022-32547 (In ImageMagick, there is load of misaligned address for type 'do NOTE: https://github.com/ImageMagick/ImageMagick/commit/eac8ce4d873f28bb6a46aa3a662fb196b49b95d0 (7.1.0-30) NOTE: https://github.com/ImageMagick/ImageMagick6/commit/dc070da861a015d3c97488fdcca6063b44d47a7b (6.9.12-45) CVE-2023-34151 (A vulnerability was found in ImageMagick. This security flaw ouccers a ...) - - imagemagick + - imagemagick (bug #1036999) NOTE: https://github.com/ImageMagick/ImageMagick/issues/6341 NOTE: ImageMagick: https://github.com/ImageMagick/ImageMagick/commit/3d6d98d8a2be30d74172ab43b5b8e874d2deb158 (7.1.1-10) NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/commit/133089f716f23ce0b80d89ccc1fd680960235512 (6.9.12-88) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15aefb9fa77c9d4c85bf2be47d7935fe85dbbe99
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 46894de1 by security tracker role at 2023-05-31T20:12:04+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,119 @@ +CVE-2023-3021 (Cross-site Scripting (XSS) - Stored in GitHub repository mkucej/i-libr ...) + TODO: check +CVE-2023-3020 (Cross-site Scripting (XSS) - Reflected in GitHub repository mkucej/i-l ...) + TODO: check +CVE-2023-3018 (A vulnerability was found in SourceCodester Lost and Found Information ...) + TODO: check +CVE-2023-3017 (A vulnerability was found in SourceCodester Lost and Found Information ...) + TODO: check +CVE-2023-3016 (A vulnerability was found in yiwent Vip Video Analysis 1.0 and classif ...) + TODO: check +CVE-2023-3015 (A vulnerability has been found in yiwent Vip Video Analysis 1.0 and cl ...) + TODO: check +CVE-2023-3014 (A vulnerability, which was classified as problematic, was found in Bei ...) + TODO: check +CVE-2023-3013 (Unchecked Return Value in GitHub repository gpac/gpac prior to 2.2.2.) + TODO: check +CVE-2023-3012 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.2.2 ...) + TODO: check +CVE-2023-3009 (Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassn ...) + TODO: check +CVE-2023-3008 (A vulnerability classified as critical has been found in ningzichun St ...) + TODO: check +CVE-2023-3007 (A vulnerability was found in ningzichun Student Management System 1.0. ...) + TODO: check +CVE-2023-3006 (A known cache speculation vulnerability, known as Branch History Injec ...) + TODO: check +CVE-2023-3005 (A vulnerability, which was classified as problematic, was found in Sou ...) + TODO: check +CVE-2023-3004 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2023-3003 (A vulnerability classified as critical was found in SourceCodester Tra ...) + TODO: check +CVE-2023-34258 (An issue was discovered in BMC Patrol before 22.1.00. The agent's conf ...) + TODO: check +CVE-2023-34257 (An issue was discovered in BMC Patrol through 23.1.00. The agent's con ...) + TODO: check +CVE-2023-34256 (An issue was discovered in the Linux kernel before 6.3.3. 
There is an ...) + TODO: check +CVE-2023-34255 (An issue was discovered in the Linux kernel through 6.3.5. There is a ...) + TODO: check +CVE-2023-34229 (In JetBrains TeamCity before 2023.05 stored XSS in GitLab Connection p ...) + TODO: check +CVE-2023-34228 (In JetBrains TeamCity before 2023.05 authentication checks were missin ...) + TODO: check +CVE-2023-34227 (In JetBrains TeamCity before 2023.05 a specific endpoint was vulnerabl ...) + TODO: check +CVE-2023-34226 (In JetBrains TeamCity before 2023.05 reflected XSS in the Subscription ...) + TODO: check +CVE-2023-34225 (In JetBrains TeamCity before 2023.05 stored XSS in the NuGet feed page ...) + TODO: check +CVE-2023-34224 (In JetBrains TeamCity before 2023.05 open redirect during oAuth config ...) + TODO: check +CVE-2023-34223 (In JetBrains TeamCity before 2023.05 parameters of the "password" type ...) + TODO: check +CVE-2023-34222 (In JetBrains TeamCity before 2023.05 possible XSS in the Plugin Vendor ...) + TODO: check +CVE-2023-34221 (In JetBrains TeamCity before 2023.05 stored XSS in the Show Connection ...) + TODO: check +CVE-2023-34220 (In JetBrains TeamCity before 2023.05 stored XSS in the Commit Status P ...) + TODO: check +CVE-2023-34219 (In JetBrains TeamCity before 2023.05 improper permission checks allowe ...) + TODO: check +CVE-2023-34218 (In JetBrains TeamCity before 2023.05 bypass of permission checks allow ...) + TODO: check +CVE-2023-34088 (Collabora Online is a collaborative online office suite. A stored cros ...) + TODO: check +CVE-2023-33979 (gpt_academic provides a graphical interface for ChatGPT/GLM. A vulnera ...) + TODO: check +CVE-2023-33971 (Formcreator is a GLPI plugin which allow creation of custom forms and ...) + TODO: check +CVE-2023-33967 (EaseProbe is a tool that can do health/status checking. An SQL injecti ...) + TODO: check +CVE-2023-33966 (Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and de ...) 
+ TODO: check +CVE-2023-33964 (mx-chain-go is an implementation of the MultiversX blockchain protocol ...) + TODO: check +CVE-2023-33736 (A stored cross-site scripting (XSS) vulnerability in Dcat-Admin v2.1.3 ...) + TODO: check +CVE-2023-33735 (D-Link DIR-846 v1.00A52 was discovered to contain a remote command exe ...) + TODO: check +CVE-2023-33732 (Cross Site Scripting (XSS) in the New Policy form in Microworld Techno ...) + TODO: c
[Git][security-tracker-team/security-tracker][master] Track proposed update for CVE-2022-1537/grunt via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c65ccc5 by Salvatore Bonaccorso at 2023-05-31T21:27:50+02:00 Track proposed update for CVE-2022-1537/grunt via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -81,3 +81,5 @@ CVE-2023-29491 [bullseye] - ncurses 6.2+20201114-2+deb11u2 CVE-2022-0512 [bullseye] - node-url-parse 1.5.3-1+deb11u2 +CVE-2022-1537 + [bullseye] - grunt 1.3.0-1+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c65ccc5279ed53865e475b96fb276a6fa211a71
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-2953/openldap
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9df5d57a by Salvatore Bonaccorso at 2023-05-31T21:25:23+02:00 Add Debian bug reference for CVE-2023-2953/openldap - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -161,7 +161,7 @@ CVE-2014-125102 (A vulnerability classified as problematic was found in Bestwebs NOT-FOR-US: WordPress plugin CVE-2023-2953 (A vulnerability was found in openldap. This security flaw causes a nul ...) [experimental] - openldap 2.6.4+dfsg-1~exp1 - - openldap + - openldap (bug #1036995) [bookworm] - openldap (Minor issue) [bullseye] - openldap (Minor issue) NOTE: https://bugs.openldap.org/show_bug.cgi?id=9904 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9df5d57aa9de2d91db3204629f6c63ea8676cd93
[Git][security-tracker-team/security-tracker][master] Track proposed update for CVE-2022-0512 via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d19db6c by Salvatore Bonaccorso at 2023-05-31T21:26:49+02:00 Track proposed update for CVE-2022-0512 via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -79,3 +79,5 @@ CVE-2021-33797 [bullseye] - mujs 1.1.0-1+deb11u3 CVE-2023-29491 [bullseye] - ncurses 6.2+20201114-2+deb11u2 +CVE-2022-0512 + [bullseye] - node-url-parse 1.5.3-1+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d19db6cbf45a7d90ae396698e01efffb398356b
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3427-2 texlive-bin
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 503d755c by Markus Koschany at 2023-05-31T21:03:44+02:00 Reserve DLA-3427-2 texlive-bin - - - - - 2 changed files: - data/CVE/list - data/DLA/list Changes: = data/CVE/list = @@ -265472,7 +265472,6 @@ CVE-2019-18605 RESERVED CVE-2019-18604 (In axohelp.c before 1.3 in axohelp in axodraw2 before 2.1.1b, as distr ...) - texlive-bin 2020.20200327.54578-2 - [buster] - texlive-bin (Minor issue) [stretch] - texlive-bin (Vulnerable code not present) [jessie] - texlive-bin (Vulnerable code not present) NOTE: https://github.com/TeX-Live/texlive-source/commit/9216833a3888a4105a18e8c349f65b045ddb1079#diff-987e40c0e27ee43f6a2414ada73a191a = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2023] DLA-3427-2 texlive-bin - regression update + {CVE-2019-18604} + [buster] - texlive-bin 2018.20181218.49446-1+deb10u2 [31 May 2023] DLA-3439-1 libwebp - security update {CVE-2023-1999} [buster] - libwebp 0.6.1-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503d755c8bac0a36d3ede1b8720128343677eefa -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/503d755c8bac0a36d3ede1b8720128343677eefa You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
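Review bot: DLA-3427-2 is titled "regression update" yet carries {CVE-2019-18604}, unlike the other regression update on this page (DLA-3436-2 sssd, which lists no CVE); if the -2 upload is what actually fixes the CVE in buster, the advisory text should say so, and note that the buster status now rests solely on this data/DLA/list entry because the "[buster] - texlive-bin (Minor issue)" line is removed without any fixed version being recorded in data/CVE/list.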
[Git][security-tracker-team/security-tracker][master] dla: take wireshark
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abec7792 by Adrian Bunk at 2023-05-31T20:03:58+03:00 dla: take wireshark - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -221,7 +221,7 @@ webkit2gtk (Emilio) NOTE: 20230529: made some progress on the backport, but there are still some blockers, NOTE: 20230529: particularly around (the lack of) C++20 support. (pochu) -- -wireshark +wireshark (Adrian Bunk) NOTE: 20230531: Programming language: C. NOTE: 20230531: VCS: https://salsa.debian.org/lts-team/packages/wireshark.git -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abec7792081fa93093ed8e51ff7b2f7b4ef508c2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abec7792081fa93093ed8e51ff7b2f7b4ef508c2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new wireshark issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c746a58 by Moritz Muehlenhoff at 2023-05-31T17:57:01+02:00 new wireshark issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,12 @@ CVE-2023-2998 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten CVE-2023-2987 (The Wordapp plugin for WordPress is vulnerable to authorization bypass ...) NOT-FOR-US: Wordapp plugin for WordPress CVE-2023-2952 (XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3 ...) - TODO: check + [experimental] - wireshark 4.0.6-1~exp1 + - wireshark + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) + NOTE: https://www.wireshark.org/security/wnpa-sec-2023-20.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19100 CVE-2023-2836 (The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross ...) NOT-FOR-US: CRM Perks Forms plugin for WordPress CVE-2023-2612 (Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ub ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c746a58b7d3eb3a267ec4f7ea00c8e4f4373dc4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c746a58b7d3eb3a267ec4f7ea00c8e4f4373dc4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
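Review bot: no [buster] line is given for CVE-2023-2952, so buster is left implicitly open even though the description's affected range starts at 3.6.0; if the buster wireshark predates 3.6 the XRA dissector may not be present and the entry should read "[buster] - wireshark (Vulnerable code not present)" after checking, and if it is affected an explicit buster line still saves the LTS team a re-triage (wireshark is being added to dla-needed.txt the same day).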
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d4dc504 by Moritz Muehlenhoff at 2023-05-31T17:53:55+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,25 +1,25 @@ CVE-2023-33962 (JStachio is a type-safe Java Mustache templating engine. Prior to ver ...) - TODO: check + NOT-FOR-US: JStachio CVE-2023-33961 (Leantime is a lean open source project management system. Starting in ...) - TODO: check + NOT-FOR-US: Leantime CVE-2023-33741 (Macrovideo v380pro v1.4.97 shares the device id and password when shar ...) - TODO: check + NOT-FOR-US: Macrovideo CVE-2023-33740 (Incorrect access control in luowice v3.5.18 allows attackers to access ...) - TODO: check + NOT-FOR-US: luowice CVE-2023-33734 (BlueCMS v1.6 was discovered to contain a SQL injection vulnerability v ...) - TODO: check + NOT-FOR-US: BlueCMS CVE-2023-33181 (Xibo is a content management system (CMS). Starting in version 3.0.0 a ...) - TODO: check + NOT-FOR-US: Xibo CVE-2023-33180 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) - TODO: check + NOT-FOR-US: Xibo CVE-2023-33179 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) - TODO: check + NOT-FOR-US: Xibo CVE-2023-32342 (IBM GSKit could allow a remote attacker to obtain sensitive informatio ...) NOT-FOR-US: IBM CVE-2023-2999 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) - TODO: check + NOT-FOR-US: phpmyfaq CVE-2023-2998 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) - TODO: check + NOT-FOR-US: phpmyfaq CVE-2023-2987 (The Wordapp plugin for WordPress is vulnerable to authorization bypass ...) NOT-FOR-US: Wordapp plugin for WordPress CVE-2023-2952 (XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3 ...) 
@@ -27,7 +27,7 @@ CVE-2023-2952 (XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 CVE-2023-2836 (The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross ...) NOT-FOR-US: CRM Perks Forms plugin for WordPress CVE-2023-2612 (Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ub ...) - TODO: check + NOT-FOR-US: shiftfs (part of Ubuntu kernels, not not upstream) CVE-2023-2549 (The Feather Login Page plugin for WordPress is vulnerable to Cross-Sit ...) NOT-FOR-US: Feather Login Page plugin for WordPress CVE-2023-2547 (The Feather Login Page plugin for WordPress is vulnerable to unauthori ...) @@ -41,11 +41,11 @@ CVE-2023-2435 (The Blog-in-Blog plugin for WordPress is vulnerable to Local File CVE-2023-2434 (The Nested Pages plugin for WordPress is vulnerable to unauthorized lo ...) NOT-FOR-US: Nested Pages plugin for WordPress CVE-2015-10107 (A vulnerability was found in Simplr Registration Form Plus+ Plugin up ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2014-125103 (A vulnerability was found in BestWebSoft Twitter Plugin up to 1.3.2 on ...) - TODO: check + NOT-FOR-US: Twitter plugin CVE-2012-10015 (A vulnerability was found in BestWebSoft Twitter Plugin up to 2.14 on ...) - TODO: check + NOT-FOR-US: Twitter plugin CVE-2023-33975 (RIOT-OS, an operating system for Internet of Things (IoT) devices, con ...) NOT-FOR-US: RIOT-OS CVE-2023-33974 (RIOT-OS, an operating system for Internet of Things (IoT) devices, con ...) 
@@ -53,7 +53,7 @@ CVE-2023-33974 (RIOT-OS, an operating system for Internet of Things (IoT) device CVE-2023-33973 (RIOT-OS, an operating system for Internet of Things (IoT) devices, con ...) NOT-FOR-US: RIOT-OS CVE-2023-33656 (A memory leak vulnerability exists in NanoMQ 0.17.2. The vulnerability ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2023-33234 (Arbitrary code execution in Apache Airflow CNCF Kubernetes provider ve ...) NOT-FOR-US: Apache Airflow CNCF Kubernetes provider CVE-2023-33178 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) @@ -65,13 +65,13 @@ CVE-2023-32699 (MeterSphere is an open source continuous testing platform. Versi CVE-2023-32696 (CKAN is an open-source data management system for powering data hubs a ...) NOT-FOR-US: CKAN CVE-2023-32689 (Parse Server is an open source backend that can be deployed to any inf ...) - TODO: check + NOT-FOR-US: Node parse-server CVE-2023-32684 (Lima launches Linux virtual machines, typically on macOS, for running ...) - TODO: check + NOT-FOR-US: Lima CVE-2023-32448 (PowerPath for Windows, versions 7.0, 7.1 & 7.2 contains License Key St ...) - TODO: check + NOT-FOR-US: PowerPath CVE-2023-32218 (Avaya IX Workforc
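Review bot: typo in the CVE-2023-2612 hunk (@@ -27,7): "NOT-FOR-US: shiftfs (part of Ubuntu kernels, not not upstream)" has a doubled "not" and should read "not upstream".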
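Review bot: the NOT-FOR-US labels in the @@ -41,11 hunk are inconsistent: CVE-2015-10107 gets "WordPress plugin" while CVE-2014-125103 and CVE-2012-10015 get "Twitter plugin", which does not say they are WordPress plugins; the other entries in this file use the "<name> plugin for WordPress" form, so "BestWebSoft Twitter plugin for WordPress" would be easier to find later.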
[Git][security-tracker-team/security-tracker][master] jquery-minicolors fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c11378a by Moritz Muehlenhoff at 2023-05-31T17:14:09+02:00 jquery-minicolors fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -149068,7 +149068,7 @@ CVE-2021-32852 (Countly, a product analytics solution, is vulnerable to cross-si CVE-2021-32851 (Mind-elixir is a free, open source mind map core. Prior to version 0.1 ...) NOT-FOR-US: Mind-elixir CVE-2021-32850 (jQuery MiniColors is a color picker built on jQuery. Prior to version ...) - - jquery-minicolors (bug #1031791) + - jquery-minicolors 2.3.5+dfsg-4 (bug #1031791) [bookworm] - jquery-minicolors (Minor issue) [bullseye] - jquery-minicolors (Minor issue) [buster] - jquery-minicolors (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c11378abfb6e6f5ad6978db62b9c9bfc9fa500a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c11378abfb6e6f5ad6978db62b9c9bfc9fa500a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
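Review bot: the fixed version 2.3.5+dfsg-4 is a Debian revision bump, i.e. a patched package rather than a new upstream, and there is no NOTE with the upstream fix for CVE-2021-32850 in the visible context; add one pointing at the commit that -4 backports, which makes the "Minor issue" decisions for bookworm, bullseye and buster easy to revisit.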
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for openssl update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df95b38b by Salvatore Bonaccorso at 2023-05-31T16:42:20+02:00 Reserve DSA number for openssl update - - - - - 3 changed files: - data/CVE/list - data/DSA/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -22843,21 +22843,18 @@ CVE-2023-0467 (The WP Dark Mode WordPress plugin before 4.0.8 does not properly NOT-FOR-US: WordPress plugin CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to implicit ...) - openssl 3.0.9-1 (bug #1034720) - [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230328.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable) CVE-2023-0465 (Applications that use a non-default option when verifying certificates ...) - openssl 3.0.9-1 (bug #1034720) - [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230328.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb (openssl-3.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b013765abfa80036dc779dd0e50602c57bb3bf95 (OpenSSL_1_1_1-stable) CVE-2023-0464 (A security vulnerability has been identified in all supported versions ...) - openssl 3.0.9-1 (bug #1034720) - [bullseye] - openssl (Minor issue) [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230322.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1 (openssl-3.0) = data/DSA/list = 
@@ -1,3 +1,6 @@ +[31 May 2023] DSA-5417-1 openssl - security update + {CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-2650} + [bullseye] - openssl 1.1.1n-0+deb11u5 [31 May 2023] DSA-5416-1 connman - security update {CVE-2023-28488} [bullseye] - connman 1.36-2.2+deb11u2 = data/dsa-needed.txt = @@ -39,8 +39,6 @@ openjdk-11 (jmm) -- openjdk-17 (jmm) -- -openssl (carnil) --- owslib -- php-cas View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df95b38b777908388089bc2a7687f8e3d3589e26 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df95b38b777908388089bc2a7687f8e3d3589e26 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
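Review bot: DSA-5417-1 lists CVE-2023-2650 alongside 0464/0465/0466, but the data/CVE/list hunk only removes the "[bullseye] - openssl (Minor issue)" markers for the latter three; check that the CVE-2023-2650 entry carries no leftover bullseye no-dsa marker, which would contradict the 1.1.1n-0+deb11u5 fixed version in the DSA. Leaving the buster "(Minor issue)" lines in place is consistent with openssl being added to dla-needed.txt the same day with "also handle no-dsa issues".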
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3439-1 for libwebp
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 2868594c by Chris Lamb at 2023-05-31T09:49:09-04:00 Reserve DLA-3439-1 for libwebp - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 May 2023] DLA-3439-1 libwebp - security update + {CVE-2023-1999} + [buster] - libwebp 0.6.1-2+deb10u2 [31 May 2023] DLA-3436-2 sssd - regression update [buster] - sssd 1.16.3-3.2+deb10u2 [30 May 2023] DLA-3438-1 kamailio - security update = data/dla-needed.txt = @@ -90,10 +90,6 @@ libreoffice NOTE: 20230530: Programming language: C++. NOTE: 20230530: VCS: https://salsa.debian.org/lts-team/packages/libreoffice.git -- -libwebp (Chris Lamb) - NOTE: 20230530: Programming language: C. - NOTE: 20230530: VCS: https://salsa.debian.org/lts-team/packages/libwebp.git --- linux (Ben Hutchings) NOTE: 20230111: Programming language: C -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2868594c7f43c04757a23802ced99de31a112063 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2868594c7f43c04757a23802ced99de31a112063 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bca75d7 by Salvatore Bonaccorso at 2023-05-31T14:48:00+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,11 +55,11 @@ CVE-2023-33973 (RIOT-OS, an operating system for Internet of Things (IoT) device CVE-2023-33656 (A memory leak vulnerability exists in NanoMQ 0.17.2. The vulnerability ...) TODO: check CVE-2023-33234 (Arbitrary code execution in Apache Airflow CNCF Kubernetes provider ve ...) - TODO: check + NOT-FOR-US: Apache Airflow CNCF Kubernetes provider CVE-2023-33178 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) - TODO: check + NOT-FOR-US: Xibo CVE-2023-33177 (Xibo is a content management system (CMS). A path traversal vulnerabil ...) - TODO: check + NOT-FOR-US: Xibo CVE-2023-32699 (MeterSphere is an open source continuous testing platform. Version 2.9 ...) NOT-FOR-US: MeterSphere CVE-2023-32696 (CKAN is an open-source data management system for powering data hubs a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bca75d7ef1f13f0aa4b3fd2d12e6d590327322a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bca75d7ef1f13f0aa4b3fd2d12e6d590327322a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8298ccb2 by Moritz Muehlenhoff at 2023-05-31T13:22:52+02:00 bookworm triage - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3625,11 +3625,13 @@ CVE-2023-30848 (Pimcore is an open source data and experience management platfor NOT-FOR-US: Pimcore CVE-2023-30847 (H2O is an HTTP server. In versions 2.3.0-beta2 and prior, when the rev ...) - h2o + [bookworm] - h2o (Minor issue) + [bullseye] - h2o (Minor issue) NOTE: Fixed by: https://github.com/h2o/h2o/commit/a70af675328dda438ecd9d8a1673c1715fd93cc7 NOTE: Fixed by: https://github.com/h2o/h2o/commit/5f57d505514e937d13787b1f408837cb9197e2b2 NOTE: https://github.com/h2o/h2o/pull/3229 NOTE: https://github.com/h2o/h2o/security/advisories/GHSA-p5hj-phwj-hrvx - TODO: check, https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has done a major refactoring, but issue possibly present before + NOTE: https://github.com/h2o/h2o/commit/f2d9056ba5004000755a5a7adccd27d0d79d83da has done a major refactoring, but issue possibly present before CVE-2023-30846 (typed-rest-client is a library for Node Rest and Http Clients with typ ...) NOT-FOR-US: typed-rest-client CVE-2023-30845 (ESPv2 is a service proxy that provides API management capabilities usi ...) 
@@ -24258,10 +24260,12 @@ CVE-2023-0407 CVE-2023-23920 (An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ...) {DSA-5395-1 DLA-3344-1} - nodejs (bug #1031834) + [bookworm] - nodejs (Can be fixed along with next update) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920 NOTE: https://github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1 CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ...) - nodejs (bug #1031834) + [bookworm] - nodejs (Can be fixed along with next update) [bullseye] - nodejs (X509Certificate API introduced in v15.6.0) [buster] - nodejs (X509Certificate API introduced in v15.6.0) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-openssl-error-handling-issues-in-nodejs-crypto-library-medium-cve-2023-23919 @@ -24269,6 +24273,7 @@ CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14. NOTE: https://github.com/nodejs/node/commit/438812e14d3b2a705fb639b69e37c6cc4e7c8029 CVE-2023-23918 (A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14 ...) - nodejs (bug #1031834) + [bookworm] - nodejs (Can be fixed along with next update) [bullseye] - nodejs (Permissions policy introduced in v16.x) [buster] - nodejs (v10.x doesn't support policy manifests) NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-permissions-policies-can-be-bypassed-via-process-mainmodule-high-cve-2023-23918 
@@ -60260,8 +60265,10 @@ CVE-2022-3013 (A vulnerability classified as critical has been found in SourceCo CVE-2022-3012 (A vulnerability was found in oretnom23 Fast Food Ordering System. It h ...) NOT-FOR-US: oretnom23 Fast Food Ordering System CVE-2022-38065 (A privilege escalation vulnerability exists in the oslo.privsep functi ...) - - python-oslo.privsep (bug #1033114) + - python-oslo.privsep (unimportant; bug #1033114) NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2022-1599 + NOTE: Deemed as additional hardening, but not a security issue by upstream: + NOTE: https://bugs.launchpad.net/oslo.privsep/+bug/1989008 CVE-2022-3011 RESERVED CVE-2022-38785 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8298ccb2dda0991737330b48bb3912c52d4b5952 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8298ccb2dda0991737330b48bb3912c52d4b5952 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
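Review bot: in the CVE-2023-30847 hunk the TODO is downgraded to a NOTE, but the question it raised ("issue possibly present before" the f2d9056b refactoring) stays unanswered while bookworm and bullseye are now tagged "Minor issue", which presumes they are affected; record the outcome of that check, and if the bullseye h2o predates the vulnerable code use "(Vulnerable code not present)" instead.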
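Review bot: marking CVE-2022-38065 as unimportant in the python-oslo.privsep hunk should be mirrored in data/dla-needed.txt, where python-oslo.privsep still sits in the LTS queue (its entry with the "Won't-fix/Hardening opportunity" NOTE is visible as context in the later "dla: re-take python3.7" commit); either drop it there or add a NOTE so nobody spends LTS time on it.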
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3436-2 for sssd
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: e8b1aca0 by Guilhem Moulin at 2023-05-31T12:48:00+02:00 Reserve DLA-3436-2 for sssd - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[31 May 2023] DLA-3436-2 sssd - regression update + [buster] - sssd 1.16.3-3.2+deb10u2 [30 May 2023] DLA-3438-1 kamailio - security update {CVE-2020-27507} [buster] - kamailio 5.2.1-1+deb10u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8b1aca0de9e8aa5bf21f8b2b9563fd579c3f705 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8b1aca0de9e8aa5bf21f8b2b9563fd579c3f705 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track CVE-2023-32763 for qt4-x11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: e3c5d76e by Emilio Pozuelo Monfort at 2023-05-31T12:35:46+02:00 Track CVE-2023-32763 for qt4-x11 The vulnerable code is present in QT 4. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -969,6 +969,7 @@ CVE-2023-32763 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, - qt6-base 6.4.2+dfsg-8 - qtbase-opensource-src 5.15.8+dfsg-10 - qtbase-opensource-src-gles 5.15.8+dfsg-3 (bug #1036702) + - qt4-x11 NOTE: https://lists.qt-project.org/pipermail/announce/2023-May/000413.html NOTE: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff NOTE: https://download.qt.io/official_releases/qt/6.5/CVE-2023-32763-qtbase-6.5.diff View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3c5d76e7dcf8fea9a3cd88f2140164eee71466f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e3c5d76e7dcf8fea9a3cd88f2140164eee71466f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
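Review bot: "- qt4-x11" is added with no fixed version and no NOTE on what was inspected; the commit message asserts the vulnerable code is present in Qt 4, so record the file or function in qt4's copy that corresponds to the qtbase 5.15 diff referenced in the NOTEs, which is exactly what the later LTS triage of qt4-x11 will need.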
[Git][security-tracker-team/security-tracker][master] lts: add wireshark
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 7c690cd6 by Emilio Pozuelo Monfort at 2023-05-31T12:08:54+02:00 lts: add wireshark - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -225,3 +225,7 @@ webkit2gtk (Emilio) NOTE: 20230529: made some progress on the backport, but there are still some blockers, NOTE: 20230529: particularly around (the lack of) C++20 support. (pochu) -- +wireshark + NOTE: 20230531: Programming language: C. + NOTE: 20230531: VCS: https://salsa.debian.org/lts-team/packages/wireshark.git +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c690cd61c3f4464252d3041ac753bcfb6fecce2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7c690cd61c3f4464252d3041ac753bcfb6fecce2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: CVE-2023-27043/python2.7 postponed on buster
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 14d3a1e1 by Emilio Pozuelo Monfort at 2023-05-31T11:56:12+02:00 lts: CVE-2023-27043/python2.7 postponed on buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15321,6 +15321,7 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m - python3.7 - python2.7 [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) + [buster] - python2.7 (Minor issue) NOTE: https://github.com/python/cpython/issues/102988 CVE-2023-27042 (Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via /goform/Se ...) NOT-FOR-US: Tenda View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14d3a1e1439028bac4eb3c9dc3113cb70f97772e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/14d3a1e1439028bac4eb3c9dc3113cb70f97772e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] lts: add openssl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: daff505d by Emilio Pozuelo Monfort at 2023-05-31T11:46:24+02:00 lts: add openssl - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -132,6 +132,12 @@ openjdk-11 (Emilio) NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git NOTE: 20230522: waiting for sid/bullseye update (pochu) -- +openssl + NOTE: 20230531: Programming language: C. + NOTE: 20230531: VCS: https://salsa.debian.org/debian/openssl.git + NOTE: 20230531: Special attention: Very high popcon!. + NOTE: 20230531: also handle no-dsa issues (pochu) +-- owslib (Adrian Bunk) NOTE: 20230514: Programming language: Python. NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/owslib.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daff505d07521e784c5efe9670608993e15bffd0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/daff505d07521e784c5efe9670608993e15bffd0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
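Review bot: "Very high popcon!." has a stray "." after the "!"; also the VCS NOTE points at the regular packaging repository (salsa.debian.org/debian/openssl.git) rather than an lts-team/packages repository like the other entries in this file, so add a NOTE on which branch LTS uploads should target to avoid surprising the maintainers.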
[Git][security-tracker-team/security-tracker][master] dla: re-take owslib
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abbe4a8a by Adrian Bunk at 2023-05-31T12:41:28+03:00 dla: re-take owslib - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -132,7 +132,7 @@ openjdk-11 (Emilio) NOTE: 20230419: VCS: https://salsa.debian.org/lts-team/packages/openjdk-11.git NOTE: 20230522: waiting for sid/bullseye update (pochu) -- -owslib +owslib (Adrian Bunk) NOTE: 20230514: Programming language: Python. NOTE: 20230514: VCS: https://salsa.debian.org/lts-team/packages/owslib.git NOTE: 20230514: also in dsa-needed. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbe4a8a467d74433bc0fec4f3f9f34fb7ed11ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abbe4a8a467d74433bc0fec4f3f9f34fb7ed11ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ca642fa by Moritz Muehlenhoff at 2023-05-31T11:27:37+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -488,6 +488,8 @@ CVE-2023-2480 (Missing access permissions checks in M-Files Client before 23.5.1 NOT-FOR-US: M-Files CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlier allo ...) - python-tornado (bug #1036875) + [bookworm] - python-tornado (Minor issue) + [bullseye] - python-tornado (Minor issue) NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2) CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...) NOT-FOR-US: Wacom Tablet Driver installer @@ -5420,12 +5422,11 @@ CVE-2023-30302 CVE-2023-30301 RESERVED CVE-2023-30300 (An issue in the component hang.wasm of WebAssembly 1.0 causes an infin ...) - - wabt (bug #1035686) - [bullseye] - wabt (Minor issue) - [buster] - wabt (Minor issue) + - wabt (unimportant; bug #1035686) NOTE: https://github.com/WebAssembly/wabt/issues/2180 NOTE: https://github.com/WebAssembly/wabt/pull/2183 NOTE: https://github.com/WebAssembly/wabt/commit/2d77bda4034a719fe1a2eaf1d51593eb351ecb4c + NOTE: Hang in CLI tool, no security impact CVE-2023-30299 RESERVED CVE-2023-30298 @@ -8898,6 +8899,8 @@ CVE-2023-29000 (The Nextcloud Desktop Client is a tool to synchronize files from NOTE: https://hackerone.com/reports/1679267 CVE-2023-28999 (Nextcloud is an open-source productivity platform. In Nextcloud Deskto ...) - nextcloud-desktop (bug #1034184) + [bookworm] - nextcloud-desktop (Minor issue) + [bullseye] - nextcloud-desktop (Minor issue) [buster] - nextcloud-desktop (Minor issue) NOTE: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8875-wxww-3rr8 NOTE: https://github.com/nextcloud/desktop/pull/5560 
@@ -47978,6 +47981,7 @@ CVE-2022-3591 (Use After Free in GitHub repository vim/vim prior to 9.0.0789.) NOTE: Crash in CLI tool, no security impact CVE-2022-3590 (WordPress is affected by an unauthenticated blind SSRF in the pingback ...) - wordpress (bug #1033251) + [bookworm] - wordpress (Minor issue) [bullseye] - wordpress (Minor issue) [buster] - wordpress (Minor issue) NOTE: https://www.sonarsource.com/blog/wordpress-core-unauthenticated-blind-ssrf/ @@ -54838,6 +54842,7 @@ CVE-2022-40900 RESERVED CVE-2022-40899 (An issue discovered in Python Charmers Future 0.18.2 and earlier allow ...) - python-future (bug #1031699) + [bookworm] - python-future (Minor issue) [bullseye] - python-future (Minor issue) [buster] - python-future (Minor issue) NOTE: https://github.com/PythonCharmers/python-future/pull/610 @@ -143613,6 +143618,8 @@ CVE-2021-3611 (A stack overflow vulnerability was found in the Intel HD Audio de NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/79fa99831debc9782087e834382c577215f2f511 (v7.0.0-rc1) CVE-2021-3610 (A heap-based buffer overflow vulnerability was found in ImageMagick in ...) - imagemagick + [bookworm] - imagemagick (Minor issue) + [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Vulnerable code introduced later) NOTE: https://github.com/ImageMagick/ImageMagick/commit/930ff0d1a9bc42925a7856e9ea53f5fc9f318bf3 NOTE: ImageMagick6 prerequisite for <= 6.9.10-92: https://github.com/ImageMagick/ImageMagick6/commit/2d96228eec9fbea62ddb6c1450fa8d43e2c6b68a = data/dsa-needed.txt = 
@@ -75,6 +75,8 @@ salt -- samba -- +sofia-sip +-- webkit2gtk -- wpewebkit View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ca642fa3bd1e368c20b37d333878363e0a2ebb9
[Git][security-tracker-team/security-tracker][master] dla: re-take python3.7 now that CVE-2023-24329 is fixed
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abc52354 by Adrian Bunk at 2023-05-31T12:09:26+03:00 dla: re-take python3.7 now that CVE-2023-24329 is fixed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -159,7 +159,7 @@ python-oslo.privsep NOTE: 20230525: CVE-2022-38065 has been marked as Won't-fix/Hardening opportunity. NOTE: 20230525: It was mentioned the fix was easy but tedious. It is consumer design flaw issue. -- -python3.7 +python3.7 (Adrian Bunk) NOTE: 20230220: Programming language: C, Python. NOTE: 20230220: VCS: https://salsa.debian.org/lts-team/packages/python3.7.git NOTE: 20230220: Testsuite: https://lts-team.pages.debian.net/wiki/TestSuites/python.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc52354e7714eafef24ce71369bc80bc8797b7b
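Review bot: the hunk records the new assignee ("+python3.7 (Adrian Bunk)") but not why the package is being re-taken; the entry's existing NOTE lines are all dated 20230220, and the convention visible in the python-oslo.privsep entry just above is to log status changes as dated notes ("NOTE: 20230525: ..."). Suggest adding a line such as "NOTE: 20230531: Re-taken now that CVE-2023-24329 is fixed." under the python3.7 entry so the reason survives in the file and not only in the commit message.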
[Git][security-tracker-team/security-tracker][master] Track chromium issues fixed in unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c0a5e03 by Salvatore Bonaccorso at 2023-05-31T10:51:08+02:00 Track chromium issues fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -251,43 +251,43 @@ CVE-2023-2943 (Code Injection in GitHub repository openemr/openemr prior to 7.0. CVE-2023-2942 (Improper Input Validation in GitHub repository openemr/openemr prior t ...) NOT-FOR-US: OpenEMR CVE-2023-2941 (Inappropriate implementation in Extensions API in Google Chrome prior ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2940 (Inappropriate implementation in Downloads in Google Chrome prior to 11 ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2939 (Insufficient data validation in Installer in Google Chrome on Windows ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2938 (Inappropriate implementation in Picture In Picture in Google Chrome pr ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2937 (Inappropriate implementation in Picture In Picture in Google Chrome pr ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2936 (Type Confusion in V8 in Google Chrome prior to 114.0.5735.90 allowed a ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2935 (Type Confusion in V8 in Google Chrome prior to 114.0.5735.90 allowed a ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2934 (Out of bounds memory access in Mojo in Google Chrome prior to 114.0.57 ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2933 (Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2932 (Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2931 (Use after free in PDF in Google Chrome prior to 114.0.5735.90 allowed ...) 
- - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2930 (Use after free in Extensions in Google Chrome prior to 114.0.5735.90 a ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2929 (Out of bounds write in Swiftshader in Google Chrome prior to 114.0.573 ...) - - chromium + - chromium 114.0.5735.90-1 [buster] - chromium (see DSA 5046) CVE-2023-2928 (A vulnerability was found in DedeCMS up to 5.7.106. It has been declar ...) NOT-FOR-US: DedeCMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c0a5e03dbf4b0beb0e951cb4453a25cd908aecb
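Review bot: CVE-2023-2939 is described in its context line as "Insufficient data validation in Installer in Google Chrome on Windows", yet the hunk gives it the same "+ - chromium 114.0.5735.90-1" fixed-version line as the V8, PDF, Mojo and Swiftshader issues. If the Windows installer is not part of what the Debian chromium package builds, a NOTE saying so (or a not-affected/unimportant marking) documents the triage more accurately than a bare fixed version; the "[buster] - chromium (see DSA 5046)" line is unaffected either way.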
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc526000 by Salvatore Bonaccorso at 2023-05-31T10:49:48+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15,31 +15,31 @@ CVE-2023-33180 (Xibo is a content management system (CMS). An SQL injection vuln CVE-2023-33179 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) TODO: check CVE-2023-32342 (IBM GSKit could allow a remote attacker to obtain sensitive informatio ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-2999 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) TODO: check CVE-2023-2998 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) TODO: check CVE-2023-2987 (The Wordapp plugin for WordPress is vulnerable to authorization bypass ...) - TODO: check + NOT-FOR-US: Wordapp plugin for WordPress CVE-2023-2952 (XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3 ...) TODO: check CVE-2023-2836 (The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross ...) - TODO: check + NOT-FOR-US: CRM Perks Forms plugin for WordPress CVE-2023-2612 (Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ub ...) TODO: check CVE-2023-2549 (The Feather Login Page plugin for WordPress is vulnerable to Cross-Sit ...) - TODO: check + NOT-FOR-US: Feather Login Page plugin for WordPress CVE-2023-2547 (The Feather Login Page plugin for WordPress is vulnerable to unauthori ...) - TODO: check + NOT-FOR-US: Feather Login Page plugin for WordPress CVE-2023-2545 (The Feather Login Page plugin for WordPress is vulnerable to unauthori ...) - TODO: check + NOT-FOR-US: Feather Login Page plugin for WordPress CVE-2023-2436 (The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Si ...) - TODO: check + NOT-FOR-US: Blog-in-Blog plugin for WordPress CVE-2023-2435 (The Blog-in-Blog plugin for WordPress is vulnerable to Local File Incl ...) - TODO: check + NOT-FOR-US: Blog-in-Blog plugin for WordPress CVE-2023-2434 (The Nested Pages plugin for WordPress is vulnerable to unauthorized lo ...) 
- TODO: check + NOT-FOR-US: Nested Pages plugin for WordPress CVE-2015-10107 (A vulnerability was found in Simplr Registration Form Plus+ Plugin up ...) TODO: check CVE-2014-125103 (A vulnerability was found in BestWebSoft Twitter Plugin up to 1.3.2 on ...) @@ -2483,7 +2483,7 @@ CVE-2023-2306 CVE-2023-2305 RESERVED CVE-2023-2304 (The Favorites plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: Favorites plugin for WordPress CVE-2023-2303 RESERVED CVE-2023-2302 @@ -9272,7 +9272,7 @@ CVE-2023-1663 (Coverity versions prior to 2023.3.2 are vulnerable to forced brow CVE-2023-1662 RESERVED CVE-2023-1661 (The Display post meta, term meta, comment meta, and user meta plugin f ...) - TODO: check + NOT-FOR-US: Display post meta, term meta, comment meta, and user meta plugin for WordPress CVE-2023-1660 (The AI ChatBot WordPress plugin before 4.4.9 does not have authorisati ...) NOT-FOR-US: WordPress plugin CVE-2023-1659 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc526d21a0e6d9002c689885f3f001ddcc27
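Review bot: the third hunk's label "+ NOT-FOR-US: Display post meta, term meta, comment meta, and user meta plugin for WordPress" sits directly above CVE-2023-1660, which uses the short form "NOT-FOR-US: WordPress plugin" for the same kind of entry. Both forms occur in the file, but a plugin name this long makes the line hard to scan when grepping NOT-FOR-US entries; the short form is the better fit here, with the full name left in the description line where it already appears.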
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c55917d4 by security tracker role at 2023-05-31T08:11:51+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,51 @@ +CVE-2023-33962 (JStachio is a type-safe Java Mustache templating engine. Prior to ver ...) + TODO: check +CVE-2023-33961 (Leantime is a lean open source project management system. Starting in ...) + TODO: check +CVE-2023-33741 (Macrovideo v380pro v1.4.97 shares the device id and password when shar ...) + TODO: check +CVE-2023-33740 (Incorrect access control in luowice v3.5.18 allows attackers to access ...) + TODO: check +CVE-2023-33734 (BlueCMS v1.6 was discovered to contain a SQL injection vulnerability v ...) + TODO: check +CVE-2023-33181 (Xibo is a content management system (CMS). Starting in version 3.0.0 a ...) + TODO: check +CVE-2023-33180 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) + TODO: check +CVE-2023-33179 (Xibo is a content management system (CMS). An SQL injection vulnerabil ...) + TODO: check +CVE-2023-32342 (IBM GSKit could allow a remote attacker to obtain sensitive informatio ...) + TODO: check +CVE-2023-2999 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) + TODO: check +CVE-2023-2998 (Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpm ...) + TODO: check +CVE-2023-2987 (The Wordapp plugin for WordPress is vulnerable to authorization bypass ...) + TODO: check +CVE-2023-2952 (XRA dissector infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3 ...) + TODO: check +CVE-2023-2836 (The CRM Perks Forms plugin for WordPress is vulnerable to Stored Cross ...) + TODO: check +CVE-2023-2612 (Jean-Baptiste Cayrou discovered that the shiftfs file system in the Ub ...) + TODO: check +CVE-2023-2549 (The Feather Login Page plugin for WordPress is vulnerable to Cross-Sit ...) + TODO: check +CVE-2023-2547 (The Feather Login Page plugin for WordPress is vulnerable to unauthori ...) + TODO: check +CVE-2023-2545 (The Feather Login Page plugin for WordPress is vulnerable to unauthori ...) 
+ TODO: check +CVE-2023-2436 (The Blog-in-Blog plugin for WordPress is vulnerable to Stored Cross-Si ...) + TODO: check +CVE-2023-2435 (The Blog-in-Blog plugin for WordPress is vulnerable to Local File Incl ...) + TODO: check +CVE-2023-2434 (The Nested Pages plugin for WordPress is vulnerable to unauthorized lo ...) + TODO: check +CVE-2015-10107 (A vulnerability was found in Simplr Registration Form Plus+ Plugin up ...) + TODO: check +CVE-2014-125103 (A vulnerability was found in BestWebSoft Twitter Plugin up to 1.3.2 on ...) + TODO: check +CVE-2012-10015 (A vulnerability was found in BestWebSoft Twitter Plugin up to 2.14 on ...) + TODO: check CVE-2023-33975 (RIOT-OS, an operating system for Internet of Things (IoT) devices, con ...) NOT-FOR-US: RIOT-OS CVE-2023-33974 (RIOT-OS, an operating system for Internet of Things (IoT) devices, con ...) @@ -106,7 +154,7 @@ CVE-2023-2470 (The Add to Feedly WordPress plugin through 1.2.11 does not saniti NOT-FOR-US: WordPress plugin CVE-2014-125102 (A vulnerability classified as problematic was found in Bestwebsoft Rel ...) NOT-FOR-US: WordPress plugin -CVE-2023-2953 [potential null pointer dereference flaw] +CVE-2023-2953 (A vulnerability was found in openldap. This security flaw causes a nul ...) [experimental] - openldap 2.6.4+dfsg-1~exp1 - openldap [bookworm] - openldap (Minor issue) 
@@ -118,13 +166,13 @@ CVE-2023-2953 [potential null pointer dereference flaw] NOTE: https://git.openldap.org/openldap/openldap/-/commit/840944e26f734bb03d925f26c4ef11a6cedcbb9c (OPENLDAP_REL_ENG_2_6_4) NOTE: https://git.openldap.org/openldap/openldap/-/commit/752d320cf96e46f24c0900f1a8f6af0a3fc3c4ce (OPENLDAP_REL_ENG_2_5_14) NOTE: https://git.openldap.org/openldap/openldap/-/commit/6563fab9e2feccb0a684d0398e78571d09fb808b (OPENLDAP_REL_ENG_2_5_14) -CVE-2023-34153 [Shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding] +CVE-2023-34153 (A vulnerability was found in ImageMagick. This security flaw causes a ...) - imagemagick (Vulnerable code introduced later in ImageMagick7) NOTE: https://github.com/ImageMagick/ImageMagick/issues/6338 NOTE: Fixed by: https://github.com/ImageMagick/ImageMagick/commit/d31c80d15a2c82fc1dd8e889e0f97b0219079a57 (7.1.1-10) NOTE: ImageMagick6: https://github.com/ImageMagick/ImageMagick6/8fdb81b3c551a37f41a6370fe7d1634406eb1cef NOTE: introduces the vsync and pix_fmt features, without introducing
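Review bot: the third hunk replaces "CVE-2023-34153 [Shell command injection vulnerability via video:vsync or video:pixel-format options in VIDEO encoding/decoding]" with the truncated official text "(A vulnerability was found in ImageMagick. This security flaw causes a ...)", which drops the very detail (the vsync and pixel-format options) that the "Vulnerable code introduced later in ImageMagick7" assessment depends on. That detail now survives only in the trailing "NOTE: introduces the vsync and pix_fmt features" line; consider carrying the original summary into a NOTE so the triage reasoning stays self-contained after the automatic description update.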
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-32695/node-socket.io-parser
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6ec59b68 by Salvatore Bonaccorso at 2023-05-31T09:19:49+02:00 Update information on CVE-2023-32695/node-socket.io-parser - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -589,9 +589,12 @@ CVE-2023-2494 (The Go Pricing - WordPress Responsive Pricing Tables plugin for W NOT-FOR-US: Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress CVE-2023-32695 (socket.io parser is a socket.io encoder and decoder written in JavaScr ...) - node-socket.io-parser 4.2.1+~3.1.0-2 + [bullseye] - node-socket.io-parser (Vulnerable code introduced later) + [buster] - node-socket.io-parser (Vulnerable code introduced later) NOTE: https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9 - NOTE: https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced (3.4.3) - NOTE: https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3 (4.2.3) + NOTE: Fixed by: https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced (3.4.3) + NOTE: Introduced by: https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9 (4.0.4) + NOTE: Fixed by: https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3 (4.2.3) CVE-2023-33617 (An OS Command Injection vulnerability in Parks Fiberlink 210 firmware ...) NOT-FOR-US: Parks Fiberlink 210 firmware CVE-2023-33599 (EasyImages2.0 \u2264 2.8.1 is vulnerable to Cross Site Scripting (XSS) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6ec59b686c196dfc337ba1c49446aeb1075eca0b
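Review bot: the hunk marks bullseye and buster as "Vulnerable code introduced later" on the strength of the new "NOTE: Introduced by: ... (4.0.4)" line, but it also keeps "NOTE: Fixed by: ... (3.4.3)", i.e. a fix on the 3.x line, and the sid version string "4.2.1+~3.1.0-2" carries a 3.1.0 component as well. If the 3.4.3 commit is a precautionary backport rather than a fix for code that 3.x actually contains, a NOTE saying so would justify the two suite tags; otherwise the 3.x-based versions in the older suites and the bundled 3.1.0 component need a second look before the tags stand.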
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2977/opensc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d82ae32 by Salvatore Bonaccorso at 2023-05-31T09:09:48+02:00 Add CVE-2023-2977/opensc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43,6 +43,11 @@ CVE-2023-2979 (A vulnerability classified as critical has been found in Abstrium TODO: check CVE-2023-2978 (A vulnerability was found in Abstrium Pydio Cells 4.2.0. It has been r ...) TODO: check +CVE-2023-2977 + - opensc + NOTE: https://github.com/OpenSC/OpenSC/issues/2785 + NOTE: https://github.com/OpenSC/OpenSC/pull/2787 + NOTE: Fixed by: https://github.com/OpenSC/OpenSC/commit/81944d1529202bd28359bede57c0a15deb65ba8a CVE-2023-2973 (A vulnerability, which was classified as problematic, has been found i ...) TODO: check CVE-2023-2972 (Prototype Pollution in GitHub repository antfu/utils prior to 0.7.3.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d82ae32f77b5e376dc317f61da0caf248e765d6
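Review bot: the new "+CVE-2023-2977" entry has neither a bracketed summary (the form used elsewhere in the file when the official description is not yet available, e.g. "CVE-2023-2985 [fs: hfsplus: fix UAF issue in hfsplus_put_super]") nor a fixed version on the "+ - opensc" line, so the issue shows as open in every suite with only the linked issue, PR and "Fixed by" commit to go on. Suggest a short bracketed summary taken from the linked OpenSC issue, and the fixed Debian version once the referenced commit reaches the archive.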
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2985/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7930b273 by Salvatore Bonaccorso at 2023-05-31T09:06:09+02:00 Add CVE-2023-2985/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -26,6 +26,11 @@ CVE-2023-32218 (Avaya IX Workforce Engagement v15.2.7.1195 - CWE-601: URL Redire TODO: check CVE-2023-2994 REJECTED +CVE-2023-2985 [fs: hfsplus: fix UAF issue in hfsplus_put_super] + - linux 6.1.20-1 + [bullseye] - linux 5.10.178-1 + [buster] - linux 4.19.282-1 + NOTE: https://git.kernel.org/linus/07db5e247ab5858439b14dd7cc1fe538b9efcf32 (6.3-rc1) CVE-2023-2984 (Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore pr ...) TODO: check CVE-2023-2983 (Privilege Defined With Unsafe Actions in GitHub repository pimcore/pim ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7930b2732ce7716e73c116dd74c8e0dad417c98e
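Review bot: the only NOTE places the upstream fix (07db5e247ab5) in 6.3-rc1, while the hunk claims it fixed in "linux 6.1.20-1" for sid, "linux 5.10.178-1" for bullseye and "linux 4.19.282-1" for buster, which implies backports into the 6.1.y, 5.10.y and 4.19.y stable series that the entry does not show. A NOTE naming the stable releases (or backport commits) that carried the fix would let those three fixed versions be verified from the entry alone rather than by re-deriving them from the Debian changelogs.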