[Git][security-tracker-team/security-tracker][master] Add CVE-2023-3161/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56660f9c by Salvatore Bonaccorso at 2023-06-09T06:38:51+02:00 Add CVE-2023-3161/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2,6 +2,11 @@ CVE-2023-3165 (A vulnerability was found in SourceCodester Life Insurance Manage NOT-FOR-US: SourceCodester Life Insurance Management System CVE-2023-3163 (A vulnerability was found in y_project RuoYi up to 4.7.7. It has been ...) NOT-FOR-US: y_project RuoYi +CVE-2023-3161 [fbcon: Check font dimension limits] + - linux 6.1.11-1 + [bullseye] - linux 5.10.178-1 + [buster] - linux 4.19.282-1 + NOTE: https://git.kernel.org/linus/2b09d5d364986f724f17001ccfe4126b9b43a0be (6.2-rc7) CVE-2023-34962 (Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a st ...) NOT-FOR-US: Chamilo LMS CVE-2023-34961 (Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56660f9c82b118d134657d864443eca589a110e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56660f9c82b118d134657d864443eca589a110e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
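Review bot: the NOTE tags the upstream fix 2b09d5d3 as 6.2-rc7, yet the fixed versions recorded are linux 6.1.11-1 (unstable), 5.10.178-1 (bullseye) and 4.19.282-1 (buster); those only hold if the commit was picked into the 6.1.y, 5.10.y and 4.19.y stable series, so the stable-branch commit ids should be confirmed and, as other entries in this file do for backports, added as additional NOTE lines with their tags before the entry is treated as settled.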
[Git][security-tracker-team/security-tracker][master] claim owslib
Aron Xu pushed to branch master at Debian Security Tracker / security-tracker Commits: 3207fe99 by Aron Xu at 2023-06-09T12:06:22+08:00 claim owslib - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -36,7 +36,7 @@ openjdk-11 (jmm) -- openjdk-17 (jmm) -- -owslib +owslib (aron) -- php-cas -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3207fe997ee4d9a352c6bd7c1facbe2e49b4b506 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3207fe997ee4d9a352c6bd7c1facbe2e49b4b506 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
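Review bot: the claim line "owslib (aron)" carries no coordination note, although data/dla-needed.txt (visible in the b3ea2d11 hunk further down this page) lists owslib as claimed by Adrian Bunk with the remark "also in dsa-needed"; a short NOTE under the dsa-needed entry naming the LTS contact would keep the bullseye/bookworm update and the buster update from being prepared against different patch sets.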
[Git][security-tracker-team/security-tracker][master] Update notes for ruby2.7 and ruby-rack in dsa-needed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9073e3c4 by Salvatore Bonaccorso at 2023-06-08T22:50:00+02:00 Update notes for ruby2.7 and ruby-rack in dsa-needed - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -56,11 +56,12 @@ ring might make sense to rebase to current version -- ruby2.7 + Utkarsh Gupta offered help in preparing updates -- ruby-nokogiri -- ruby-rack - Utkarsh Gupta available for preparing updates + Utkarsh Gupta available for preparing updates, debdiff ready for review -- ruby-sinatra Maintainer posted packaging repository link with proposed changes for review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9073e3c481a89b65b50ddecb1bd0c43681474469 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9073e3c481a89b65b50ddecb1bd0c43681474469 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
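Review bot: the updated ruby-rack note says "debdiff ready for review" without saying where the debdiff was posted or when; the dla-needed.txt entries on this page use dated notes of the form "NOTE: 20230531: ..." with a bug or URL, so adding the date and a pointer (bug number, list message or salsa merge request) would let the next team member find it without asking. The new ruby2.7 line has the same gap: it records an offer of help but no date or contact reference.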
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-33595/python*
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7139a67 by Salvatore Bonaccorso at 2023-06-08T22:43:38+02:00 Add CVE-2023-33595/python* - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -104,7 +104,14 @@ CVE-2023-34109 (zxcvbn-ts is an open source password strength estimator written CVE-2023-34108 (mailcow is a mail server suite based on Dovecot, Postfix and other ope ...) NOT-FOR-US: mailcow CVE-2023-33595 (CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-fre ...) - TODO: check + - python3.11 (Vulnerable code not present) + - python3.10 (Vulnerable code not present) + - python3.9 (Vulnerable code not present) + - python3.7 (Vulnerable code not present) + - python2.7 (Vulnerable code not present) + NOTE: https://github.com/python/cpython/issues/103824 + NOTE: Introduced by: https://github.com/python/cpython/commit/1ef61cf71a218c71860ff6aecf0fd51edb8b65dc (v3.12.0b1) + NOTE: Fixed by: https://github.com/python/cpython/commit/d5a97074d24cd14cb2a35a2b1ad3074863cde264 (v3.12.0b1) CVE-2023-33556 (TOTOLink A7100RU V7.4cu.2313_B20191024 was discovered to contain a com ...) NOT-FOR-US: TOTOLINK CVE-2023-33553 (An issue in Planet Technologies WDRT-1800AX v1.01-CP21 allows attacker ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7139a67da71e5e8bb2590f5bdf41127ce61fecd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7139a67da71e5e8bb2590f5bdf41127ce61fecd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
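Review bot: the five "Vulnerable code not present" marks rest on the fact that the "Introduced by" and "Fixed by" commits are both tagged v3.12.0b1, but that reasoning is only implicit in the two NOTE lines; a one-line NOTE stating that the bug existed only in 3.12 pre-releases between the two commits and that no released version is affected would make the triage self-explanatory. It is also worth checking whether a python3.12 source package is already in experimental at this point; if so it needs its own line rather than being left unmentioned.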
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2074bdfd by Salvatore Bonaccorso at 2023-06-08T22:20:04+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2023-3165 (A vulnerability was found in SourceCodester Life Insurance Management ...) - TODO: check + NOT-FOR-US: SourceCodester Life Insurance Management System CVE-2023-3163 (A vulnerability was found in y_project RuoYi up to 4.7.7. It has been ...) - TODO: check + NOT-FOR-US: y_project RuoYi CVE-2023-34962 (Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a st ...) - TODO: check + NOT-FOR-US: Chamilo LMS CVE-2023-34961 (Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site ...) - TODO: check + NOT-FOR-US: Chamilo LMS CVE-2023-34959 (An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute ...) - TODO: check + NOT-FOR-US: Chamilo LMS CVE-2023-34958 (Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a stud ...) - TODO: check + NOT-FOR-US: Chamilo LMS CVE-2023-34571 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) NOT-FOR-US: Tenda CVE-2023-34570 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) 
@@ -25,19 +25,19 @@ CVE-2023-34566 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to co CVE-2023-34231 (gosnowflake is th Snowflake Golang driver. Prior to version 1.6.19, a ...) TODO: check CVE-2023-34096 (Thruk is a multibackend monitoring webinterface which currently suppor ...) - TODO: check + NOT-FOR-US: Thruk CVE-2023-33660 (A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. The vuln ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2023-33658 (A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. The vuln ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2023-33657 (A use-after-free vulnerability exists in NanoMQ 0.17.2. The vulnerabil ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2023-33443 (Incorrect access control in the administrative functionalities of BES- ...) - TODO: check + NOT-FOR-US: BES VideoPlayTool CVE-2023-32750 (Pydio Cells through 4.1.2 allows SSRF. For longer running processes, P ...) - TODO: check + NOT-FOR-US: Pydio Cells CVE-2023-32749 (Pydio Cells allows users by default to create so-called external users ...) - TODO: check + NOT-FOR-US: Pydio Cells CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus- ...) [experimental] - dbus 1.15.6-1 - dbus (bug #1037151) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2074bdfd7856210ae5f826225a14fc554ce73307 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2074bdfd7856210ae5f826225a14fc554ce73307 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
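Review bot: CVE-2023-34231 (gosnowflake) is the one entry in the -25 hunk left at "TODO: check" while every neighbour is resolved; if it was skipped because a Go module package for it may exist in the archive, a NOTE saying so would stop the next NFU pass from closing it as NOT-FOR-US by analogy with the surrounding lines. The NOT-FOR-US labels that were applied match the product named in each truncated description.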
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec943824 by Salvatore Bonaccorso at 2023-06-08T22:17:03+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,17 +11,17 @@ CVE-2023-34959 (An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to e CVE-2023-34958 (Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a stud ...) TODO: check CVE-2023-34571 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-34570 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-34569 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-34568 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-34567 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-34566 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-34231 (gosnowflake is th Snowflake Golang driver. Prior to version 1.6.19, a ...) TODO: check CVE-2023-34096 (Thruk is a multibackend monitoring webinterface which currently suppor ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec943824240e8d97eb0305f44b47c1f024b8a179 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec943824240e8d97eb0305f44b47c1f024b8a179 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: efc85425 by security tracker role at 2023-06-08T20:12:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,43 @@ +CVE-2023-3165 (A vulnerability was found in SourceCodester Life Insurance Management ...) + TODO: check +CVE-2023-3163 (A vulnerability was found in y_project RuoYi up to 4.7.7. It has been ...) + TODO: check +CVE-2023-34962 (Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a st ...) + TODO: check +CVE-2023-34961 (Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site ...) + TODO: check +CVE-2023-34959 (An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute ...) + TODO: check +CVE-2023-34958 (Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a stud ...) + TODO: check +CVE-2023-34571 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) + TODO: check +CVE-2023-34570 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) + TODO: check +CVE-2023-34569 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) + TODO: check +CVE-2023-34568 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) + TODO: check +CVE-2023-34567 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) + TODO: check +CVE-2023-34566 (Tenda AC10 v4 US_AC10V4.0si_V16.03.10.13_cn was discovered to contain ...) + TODO: check +CVE-2023-34231 (gosnowflake is th Snowflake Golang driver. Prior to version 1.6.19, a ...) + TODO: check +CVE-2023-34096 (Thruk is a multibackend monitoring webinterface which currently suppor ...) + TODO: check +CVE-2023-33660 (A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. The vuln ...) + TODO: check +CVE-2023-33658 (A heap buffer overflow vulnerability exists in NanoMQ 0.17.2. The vuln ...) + TODO: check +CVE-2023-33657 (A use-after-free vulnerability exists in NanoMQ 0.17.2. The vulnerabil ...) + TODO: check +CVE-2023-33443 (Incorrect access control in the administrative functionalities of BES- ...) + TODO: check +CVE-2023-32750 (Pydio Cells through 4.1.2 allows SSRF. 
For longer running processes, P ...) + TODO: check +CVE-2023-32749 (Pydio Cells allows users by default to create so-called external users ...) + TODO: check CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus- ...) [experimental] - dbus 1.15.6-1 - dbus (bug #1037151) @@ -1110,7 +1150,7 @@ CVE-2023-2972 (Prototype Pollution in GitHub repository antfu/utils prior to 0.7 CVE-2023-2968 (A remote attacker can trigger a denial of service in the socket.remote ...) NOT-FOR-US: JFROG CVE-2023-2650 (Issue summary: Processing some specially crafted ASN.1 object identifi ...) - {DSA-5417-1} + {DSA-5417-1 DLA-3449-1} - openssl 3.0.9-1 NOTE: https://www.openssl.org/news/secadv/20230530.txt NOTE: https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098 (OpenSSL_1_1_1u) @@ -18224,8 +18264,8 @@ CVE-2023-0956 RESERVED CVE-2023-0955 (The WP Statistics WordPress plugin before 14.0 does not escape a param ...) NOT-FOR-US: WordPress plugin -CVE-2023-0954 - RESERVED +CVE-2023-0954 (A debug feature in Sensormatic Electronics Illustra Pro Gen 4 Dome and ...) + TODO: check CVE-2023-0953 (Insufficient input sanitization in the documentation feature of Devolu ...) NOT-FOR-US: Devolutions Server CVE-2023-0952 (Improper access controls on entries in Devolutions Server 2022.3.12 a ...) 
@@ -23913,13 +23953,13 @@ CVE-2023-0468 (A use-after-free flaw was found in io_uring/poll.c in io_poll_che CVE-2023-0467 (The WP Dark Mode WordPress plugin before 4.0.8 does not properly sanit ...) NOT-FOR-US: WordPress plugin CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to implicit ...) - {DSA-5417-1} + {DSA-5417-1 DLA-3449-1} - openssl 3.0.9-1 (bug #1034720) NOTE: https://www.openssl.org/news/secadv/20230328.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable) CVE-2023-0465 (Applications that use a non-default option when verifying certificates ...) - {DSA-5417-1} + {DSA-5417-1 DLA-3449-1} - openssl 3.0.9-1 (bug #1034720) NOTE: https://www.openssl.org/news/secadv/20230328.txt NOTE: Fixed by: https://git.openssl.org/gitweb/?p=openssl.git;a=co
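Review bot: the -1110 and -23913 hunks add DLA-3449-1 to the cross-references of CVE-2023-2650, CVE-2023-0466 and CVE-2023-0465, derived from the DLA/list entry reserved in b3ea2d11; that entry also lists CVE-2023-0464, which falls outside the visible part of this message (cut off at "a=co"), so the full commit should be checked to confirm it received the same {DSA-5417-1 DLA-3449-1} update. In the -18224 hunk CVE-2023-0954 moves from RESERVED to "TODO: check"; the description fragment (Sensormatic Electronics Illustra Pro Gen 4 ...) points at a hardware product, so it will most likely end as NOT-FOR-US, but that is a manual triage decision and correctly not made by the automatic update.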
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for CVE-2023-34237 for easier tracking
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abc5eaa2 by Salvatore Bonaccorso at 2023-06-08T21:56:05+02:00 Add upstream tag information for CVE-2023-34237 for easier tracking - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -54,8 +54,8 @@ CVE-2023-3140 (Missing HTTP headers (X-Frame-Options, Content-Security-Policy) i NOT-FOR-US: KNIME Business Hub CVE-2023-34237 (SABnzbd is an open source automated Usenet download tool. A design fla ...) - sabnzbdplus - NOTE: https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc - NOTE: https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 + NOTE: https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc (4.0.2RC2) + NOTE: https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 (4.0.2RC2) NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r CVE-2023-34234 (OpenZeppelin Contracts is a library for smart contract development. By ...) NOT-FOR-US: OpenZeppelin Contracts View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc5eaa2018d0e05b1e5491ff014433aee0ead55 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc5eaa2018d0e05b1e5491ff014433aee0ead55 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
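Review bot: both NOTE lines are now tagged 4.0.2RC2, a release candidate, while the package line "- sabnzbdplus" still has no fixed version; once an upload based on 4.0.2 (or a cherry-pick of 422b4fce and e3a72266) reaches unstable the Debian version needs to be recorded here, and a NOTE naming the final upstream release that contains both commits would avoid having to re-derive it from the RC tag.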
[Git][security-tracker-team/security-tracker][master] Reference upstream commit for CVE-2022-30065
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f367500 by Salvatore Bonaccorso at 2023-06-08T21:51:57+02:00 Reference upstream commit for CVE-2022-30065 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85953,6 +85953,7 @@ CVE-2022-30066 CVE-2022-30065 (A use-after-free in Busybox 1.35-x's awk applet leads to denial of ser ...) - busybox 1:1.36.1-1 (unimportant) NOTE: https://bugs.busybox.net/show_bug.cgi?id=14781 + NOTE: https://git.busybox.net/busybox/commit/?id=e63d7cdfdac78c6fd27e9e63150335767592b85e (1_36_0) NOTE: Crash in CLI tool, no security impact CVE-2022-30064 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f367500a5ad2de0dee23e98e531ea898d39b514 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1f367500a5ad2de0dee23e98e531ea898d39b514 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
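Review bot: the new NOTE tags the upstream fix e63d7cdf as 1_36_0, while the Debian fixed version is recorded as 1:1.36.1-1; if an upload based on 1.36.0 reached unstable before 1:1.36.1-1, the fixed version should be that earlier upload, otherwise 1:1.36.1-1 stands. The (unimportant) severity is consistent with the existing "Crash in CLI tool, no security impact" NOTE, so nothing else in the entry needs to change.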
[Git][security-tracker-team/security-tracker][master] new sabnzbdplus issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a2441e0e by Moritz Muehlenhoff at 2023-06-08T20:52:08+02:00 new sabnzbdplus issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,7 +53,10 @@ CVE-2023-3142 (Cross-site Scripting (XSS) - Stored in GitHub repository microweb CVE-2023-3140 (Missing HTTP headers (X-Frame-Options, Content-Security-Policy) in KNI ...) NOT-FOR-US: KNIME Business Hub CVE-2023-34237 (SABnzbd is an open source automated Usenet download tool. A design fla ...) - TODO: check + - sabnzbdplus + NOTE: https://github.com/sabnzbd/sabnzbd/commit/422b4fce7bfd56e95a315be0400cdfdc585df7cc + NOTE: https://github.com/sabnzbd/sabnzbd/commit/e3a722664819d1c7c8fab97144cc299b1c18b429 + NOTE: https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-hhgh-xgh3-985r CVE-2023-34234 (OpenZeppelin Contracts is a library for smart contract development. By ...) NOT-FOR-US: OpenZeppelin Contracts CVE-2023-34109 (zxcvbn-ts is an open source password strength estimator written in typ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2441e0e64496412297239dfaf9984b9c552fb4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2441e0e64496412297239dfaf9984b9c552fb4f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
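Review bot: the new package line "- sabnzbdplus" has no fixed version, no (bug #) reference and no severity, so it will show as an open unfixed issue in every suite with no pointer for the maintainer; other unfixed entries in this file carry the bug number (for example "- gatsby (bug #922188)" in the same file). Filing a bug against sabnzbdplus with the GHSA-hhgh-xgh3-985r link and recording it here, together with a NOTE on which upstream release contains the two referenced commits, would complete the entry.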
[Git][security-tracker-team/security-tracker][master] new gitlab issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5fab74b2 by Moritz Muehlenhoff at 2023-06-08T20:49:47+02:00 new gitlab issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79,7 +79,7 @@ CVE-2023-33282 (Marval MSM through 14.19.0.12476 and 15.0 has a System account w CVE-2023-2530 (A privilege escalation allowing remote code execution was discovered i ...) TODO: check CVE-2023-2442 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - TODO: check + - gitlab CVE-2021-4380 (The Pinterest Automatic plugin for WordPress is vulnerable to authoriz ...) NOT-FOR-US: Pinterest Automatic plugin for WordPress CVE-2021-4379 (The WooCommerce Multi Currency plugin for WordPress is vulnerable to a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fab74b2c58b374ad406c16aeb4de72d1e164ee5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5fab74b2c58b374ad406c16aeb4de72d1e164ee5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
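Review bot: the entry "- gitlab" replaces "TODO: check" with nothing but the package name: no upstream advisory URL, no affected or fixed GitLab versions (the description is cut at "affecting all versions st ..."), no (bug #) and no severity mark. The sabnzbdplus commit right above this one shows the expected shape (package line plus NOTE lines with upstream advisory and commit links), so at minimum a NOTE pointing at the GitLab release post that fixes CVE-2023-2442 and the fixed versions it names should be added.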
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 052e3688 by Moritz Muehlenhoff at 2023-06-08T19:22:26+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash [bullseye] - dbus (Minor issue) NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) - TODO: check + NOT-FOR-US: Gradio CVE-2023-34238 (Gatsby is a free and open source framework based on React. The Gatsby ...) - gatsby (bug #922188) CVE-2023-33849 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) @@ -17,13 +17,13 @@ CVE-2023-33847 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, CVE-2023-33846 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) NOT-FOR-US: IBM CVE-2023-33496 (xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerabili ...) - TODO: check + NOT-FOR-US: xxl-rpc CVE-2023-2986 (The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulner ...) NOT-FOR-US: Abandoned Cart Lite for WooCommerce plugin for WordPress CVE-2023-2904 (The External Visitor Manager portal of HID\u2019s SAFE versions 5.8.0 ...) - TODO: check + NOT-FOR-US: HID SAFE CVE-2023-2866 (If an attacker can trick an authenticated user into loading a maliciou ...) - TODO: check + NOT-FOR-US: Advantech CVE-2023-3153 [service monitor MAC flow is not rate limited] - ovn NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2213279 
@@ -57,7 +57,7 @@ CVE-2023-34237 (SABnzbd is an open source automated Usenet download tool. A desi CVE-2023-34234 (OpenZeppelin Contracts is a library for smart contract development. By ...) NOT-FOR-US: OpenZeppelin Contracts CVE-2023-34109 (zxcvbn-ts is an open source password strength estimator written in typ ...) - TODO: check + NOT-FOR-US: zxcvbn-ts CVE-2023-34108 (mailcow is a mail server suite based on Dovecot, Postfix and other ope ...) NOT-FOR-US: mailcow CVE-2023-33595 (CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-fre ...) @@ -69,13 +69,13 @@ CVE-2023-33553 (An issue in Planet Technologies WDRT-1800AX v1.01-CP21 allows at CVE-2023-33510 (Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary file ...) NOT-FOR-US: Jeecg P3 Biz Chat CVE-2023-33498 (alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privileg ...) - TODO: check + NOT-FOR-US: alist CVE-2023-33284 (Marval MSM through 14.19.0.12476 and 15.0 has a Remote Code Execution ...) - TODO: check + NOT-FOR-US: Marval MSM CVE-2023-33283 (Marval MSM through 14.19.0.12476 uses a static encryption key for secr ...) - TODO: check + NOT-FOR-US: Marval MSM CVE-2023-33282 (Marval MSM through 14.19.0.12476 and 15.0 has a System account with de ...) - TODO: check + NOT-FOR-US: Marval MSM CVE-2023-2530 (A privilege escalation allowing remote code execution was discovered i ...) TODO: check CVE-2023-2442 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) 
@@ -331,19 +331,19 @@ CVE-2023-3120 (A vulnerability, which was classified as critical, was found in S CVE-2023-3119 (A vulnerability, which was classified as critical, has been found in S ...) NOT-FOR-US: SourceCodester Service Provider Management System CVE-2023-34409 (In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, t ...) - TODO: check + NOT-FOR-US: Percona Monitoring and Management (PMM) CVE-2023-34111 (The `Release PR Merged` workflow in the github repo taosdata/grafanapl ...) - TODO: check + NOT-FOR-US: taosdata/grafanaplugin CVE-2023-34104 (fast-xml-parser is an open source, pure javascript xml parser. fast-xm ...) TODO: check CVE-2023-33977 (Kiwi TCMS is an open source test management system for both manual and ...) NOT-FOR-US: Kiwi TCMS CVE-2023-33959 (notation is a CLI tool to sign and verify OCI artifacts and container ...) - TODO: check + NOT-FOR-US: notation CVE-2023-33958 (notation is a CLI tool to sign and verify OCI artifacts and container ...) - TODO: check + NOT-FOR-US: notation CVE-2023-33957 (notation is a CLI tool to sign and verify OCI artifacts and container ...) - TODO: check + NOT-FOR-US: notation CVE-2023-33747 (CloudPanel v2.2.2 allows attackers to execute a path traversal.) NOT-FOR-US: CloudPanel CVE-2023-33684 (Weak session management in DB Elettronica Telecomunicazioni SpA SFT DA ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/
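Review bot: CVE-2023-34104 (fast-xml-parser) is left at "TODO: check" in the -331 hunk while the entries around it are resolved; fast-xml-parser is an npm module that may be packaged in Debian as a node-* source package, so it should end up as a package entry (or an explicit NOT-FOR-US if it is not in the archive) rather than remain a TODO. Separately, the NOT-FOR-US label "Advantech" on CVE-2023-2866 in the -17 hunk cannot be checked against the visible description fragment, which names no vendor; every other label in this commit does match the product in its description, so that one is worth a second look against the full CVE text.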
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3449-1 for openssl
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: b3ea2d11 by Sylvain Beucler at 2023-06-08T18:18:49+02:00 Reserve DLA-3449-1 for openssl - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -23912,14 +23912,12 @@ CVE-2023-0467 (The WP Dark Mode WordPress plugin before 4.0.8 does not properly CVE-2023-0466 (The function X509_VERIFY_PARAM_add0_policy() is documented to implicit ...) {DSA-5417-1} - openssl 3.0.9-1 (bug #1034720) - [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230328.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=51e8a84ce742db0f6c70510d0159dad8f7825908 (openssl-3.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0d16b7e99aafc0b4a6d729eec65a411a7e025f0a (OpenSSL_1_1_1-stable) CVE-2023-0465 (Applications that use a non-default option when verifying certificates ...) {DSA-5417-1} - openssl 3.0.9-1 (bug #1034720) - [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230328.txt NOTE: Fixed by: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1dd43e0709fece299b15208f36cc7c76209ba0bb (openssl-3.0.9) NOTE: Test: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=d2f0d05807fc70c68dcc22bcc6979147782d4adf (openssl-3.0.9) @@ -23930,7 +23928,6 @@ CVE-2023-0465 (Applications that use a non-default option when verifying certifi CVE-2023-0464 (A security vulnerability has been identified in all supported versions ...) {DSA-5417-1} - openssl 3.0.9-1 (bug #1034720) - [buster] - openssl (Minor issue) NOTE: https://www.openssl.org/news/secadv/20230322.txt NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=959c59c7a0164117e7f8366466a32bb1f8d77ff1 (openssl-3.0) NOTE: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=879f7080d7e141f415c79eaa3a8ac4a3dad0348b (OpenSSL_1_1_1-stable) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[08 Jun 2023] DLA-3449-1 openssl - security update + {CVE-2023-0464 CVE-2023-0465 CVE-2023-0466 CVE-2023-2650} + [buster] - openssl 1.1.1n-0+deb10u5 [08 Jun 2023] DLA-3448-1 firefox-esr - security update {CVE-2023-34414 CVE-2023-34416} [buster] - firefox-esr 102.12.0esr-1~deb10u1 = data/dla-needed.txt = @@ -106,10 +106,6 @@ openjdk-11 (Emilio) NOTE: 20230419: Added by Front-Desk (ola) NOTE: 20230522: waiting for sid/bullseye update (pochu) -- -openssl (Sylvain Beucler) - NOTE: 20230531: Added by Front-Desk (pochu) - NOTE: 20230531: also handle no-dsa issues (pochu) --- owslib (Adrian Bunk) NOTE: 20230514: Added by Front-Desk (utkarsh) NOTE: 20230514: also in dsa-needed. (utkarsh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3ea2d115bf4158042dbc43f70dc1dd38c5009fb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3ea2d115bf4158042dbc43f70dc1dd38c5009fb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
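Review bot: the data/CVE/list hunks only drop the "[buster] - openssl (Minor issue)" lines for CVE-2023-0464, CVE-2023-0465 and CVE-2023-0466 and do not add the {DLA-3449-1} cross-reference, so until the next automatic update (efc85425 on this page) fills it in from the DLA/list entry, the tracker shows buster as plainly unfixed for those three CVEs; that is the normal workflow but worth knowing when reading the diff in isolation. The DLA/list entry also covers CVE-2023-2650, which had no buster no-dsa line to remove, consistent with it already being open for buster, and the dropped dla-needed.txt note "also handle no-dsa issues" is exactly what the three removed lines implement.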
[Git][security-tracker-team/security-tracker][master] Re-associate two CVEs to gatsby, itp'ed entry instead of NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0f080835 by Salvatore Bonaccorso at 2023-06-08T17:58:15+02:00 Re-associate two CVEs to gatsby, itp'ed entry instead of NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30339,7 +30339,7 @@ CVE-2023-22493 (RSSHub is an open source RSS feed generator. RSSHub is vulnerabl CVE-2023-22492 (ZITADEL is a combination of Auth0 and Keycloak. RefreshTokens is an OA ...) NOT-FOR-US: ZITADEL CVE-2023-22491 (Gatsby is a free and open source framework based on React that helps d ...) - NOT-FOR-US: Gatsby + - gatsby (bug #922188) CVE-2023-22490 (Git is a revision control system. Using a specially-crafted repository ...) {DSA-5357-1 DLA-3338-1} - git 1:2.39.2-1 (bug #1031310) @@ -150432,7 +150432,7 @@ CVE-2021-32772 (Poddycast is a podcast app made with Electron. Prior to version CVE-2021-32771 (Contiki-NG is an open-source, cross-platform operating system for IoT ...) NOT-FOR-US: Contiki-NG CVE-2021-32770 (Gatsby is a framework for building websites. The gatsby-source-wordpre ...) - NOT-FOR-US: Gatsby + - gatsby (bug #922188) CVE-2021-32769 (Micronaut is a JVM-based, full stack Java framework designed for build ...) NOT-FOR-US: Micronaut CVE-2021-32768 (TYPO3 is an open source PHP based web content management system releas ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f0808352567fd57cf899c714129b4b370496fdd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0f0808352567fd57cf899c714129b4b370496fdd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
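Review bot: the lines "- gatsby (bug #922188)" carry no version, and the commit message says the package is only ITPed (bug #922188 being the ITP); the tracker's pseudo-version for that situation is <itp>, i.e. "- gatsby <itp> (bug #922188)", which records the issue against the pending package without listing it as an open unfixed vulnerability in unstable. The same applies to the CVE-2023-34238 entry added in f015b02d just below.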
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34238/gatsby
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f015b02d by Salvatore Bonaccorso at 2023-06-08T17:54:14+02:00 Add CVE-2023-34238/gatsby - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) TODO: check CVE-2023-34238 (Gatsby is a free and open source framework based on React. The Gatsby ...) - TODO: check + - gatsby (bug #922188) CVE-2023-33849 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) NOT-FOR-US: IBM CVE-2023-33848 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f015b02d65053e9bf98300f044ade87e2497ee14 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f015b02d65053e9bf98300f044ade87e2497ee14 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track dbus update via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c43f638 by Salvatore Bonaccorso at 2023-06-08T17:45:20+02:00 Track dbus update via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -115,3 +115,5 @@ CVE-2022-32545 [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 CVE-2022-32546 [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2023-34969 + [bullseye] - dbus 1.12.28-0+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c43f63881e0d782ab56786c6fca11dfb4c3d77a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c43f63881e0d782ab56786c6fca11dfb4c3d77a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-34969/dbus as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61fd43d4 by Salvatore Bonaccorso at 2023-06-08T17:44:07+02:00 Mark CVE-2023-34969/dbus as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,8 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus- ...) [experimental] - dbus 1.15.6-1 - dbus (bug #1037151) + [bookworm] - dbus (Minor issue) + [bullseye] - dbus (Minor issue) NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61fd43d478b6a473c49cd480b03fd37a08e36d7e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61fd43d478b6a473c49cd480b03fd37a08e36d7e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
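Review bot: the new `[bookworm] - dbus (Minor issue)` and `[bullseye] - dbus (Minor issue)` markings carry no rationale, while the CVE text in the hunk context describes unprivileged users being able to crash dbus-daemon. Other entries in this file put the reasoning next to the classification (the busybox entry's `NOTE: Crash in CLI tool, no security impact` is the pattern); a one-line NOTE explaining why a local DoS of the message bus is no-dsa material here, and that the bullseye fix is routed through the point update, would make the decision reviewable later.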
[Git][security-tracker-team/security-tracker][master] Track proposed update for imagemagick via bullseye-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0512a30b by Salvatore Bonaccorso at 2023-06-08T14:41:43+02:00 Track proposed update for imagemagick via bullseye-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -89,3 +89,29 @@ CVE-2022-47015 [bullseye] - mariadb-10.5 1:10.5.20-0+deb11u1 CVE-2023-28617 [bullseye] - org-mode 9.4.0+dfsg-1+deb11u1 +CVE-2021-3574 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-4219 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-20241 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-20243 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-20244 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-20245 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-20246 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-20309 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2021-39212 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2022-1114 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2022-28463 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2022-32545 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 +CVE-2022-32546 + [bullseye] - imagemagick 8:6.9.11.60+dfsg-1.3+deb11u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0512a30b1ff70c104f9fd0ac98e0c1e1d30a605d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0512a30b1ff70c104f9fd0ac98e0c1e1d30a605d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-34969/dbus
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c97dd32 by Salvatore Bonaccorso at 2023-06-08T14:35:27+02:00 Add CVE-2023-34969/dbus - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus- ...) - TODO: check + [experimental] - dbus 1.15.6-1 + - dbus (bug #1037151) + NOTE: https://gitlab.freedesktop.org/dbus/dbus/-/issues/457 CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) TODO: check CVE-2023-34238 (Gatsby is a free and open source framework based on React. The Gatsby ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c97dd32bc3cec6ae4bfe90567d58314f91f378c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c97dd32bc3cec6ae4bfe90567d58314f91f378c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
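Review bot: the only NOTE added is the upstream issue link (`https://gitlab.freedesktop.org/dbus/dbus/-/issues/457`); the upstream fix commit is not recorded, so anyone preparing the bullseye or bookworm update has nothing to cherry-pick from besides the 1.15.6 experimental release noted on the line above. Adding the fix commit as a second NOTE, the way the kernel entries in this file cite the git.kernel.org commit together with the release it landed in, would save that lookup.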
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b6db4cec by Salvatore Bonaccorso at 2023-06-08T13:11:06+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,17 +5,17 @@ CVE-2023-34239 (Gradio is an open-source Python library that is used to build ma CVE-2023-34238 (Gatsby is a free and open source framework based on React. The Gatsby ...) TODO: check CVE-2023-33849 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-33848 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-33847 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-33846 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-33496 (xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerabili ...) TODO: check CVE-2023-2986 (The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulner ...) - TODO: check + NOT-FOR-US: Abandoned Cart Lite for WooCommerce plugin for WordPress CVE-2023-2904 (The External Visitor Manager portal of HID\u2019s SAFE versions 5.8.0 ...) TODO: check CVE-2023-2866 (If an attacker can trick an authenticated user into loading a maliciou ...) 
@@ -26830,11 +26830,11 @@ CVE-2023-23484 CVE-2023-23483 RESERVED CVE-2023-23482 (IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 could allo ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-23481 (IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnera ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-23480 (IBM Sterling Partner Engagement Manager 6.1, 6.2, and 6.2.1 is vulnera ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-23479 RESERVED CVE-2023-23478 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6db4cec7926690aa2a675d458358d6c8f5264ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6db4cec7926690aa2a675d458358d6c8f5264ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] busybox fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d873e650 by Moritz Muehlenhoff at 2023-06-08T12:27:52+02:00 busybox fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85947,7 +85947,7 @@ CVE-2022-30067 (GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Thro CVE-2022-30066 RESERVED CVE-2022-30065 (A use-after-free in Busybox 1.35-x's awk applet leads to denial of ser ...) - - busybox (unimportant) + - busybox 1:1.36.1-1 (unimportant) NOTE: https://bugs.busybox.net/show_bug.cgi?id=14781 NOTE: Crash in CLI tool, no security impact CVE-2022-30064 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d873e650fc9b343ce3a8e4034df03f8204e90af6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d873e650fc9b343ce3a8e4034df03f8204e90af6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] qtbase-opensource-src fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1319729b by Moritz Muehlenhoff at 2023-06-08T12:26:29+02:00 qtbase-opensource-src fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -557,7 +557,7 @@ CVE-2023-34411 (The xml-rs crate before 0.8.14 for Rust and Crab allows a denial NOTE: https://github.com/netvl/xml-rs/commit/c09549a187e62d39d40467f129e64abf32efc35c (0.8.14) CVE-2023-34410 (An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6. ...) - qt6-base 6.4.2+dfsg-11 (bug #1037209) - - qtbase-opensource-src (bug #1037210) + - qtbase-opensource-src 5.15.8+dfsg-12 (bug #1037210) - qtbase-opensource-src-gles - qt4-x11 NOTE: https://codereview.qt-project.org/c/qt/qtbase/+/477560 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1319729b43b21dda002a8df2049d7b0cbe21828a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1319729b43b21dda002a8df2049d7b0cbe21828a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
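Review bot: only `qtbase-opensource-src` receives the fixed version 5.15.8+dfsg-12; `qtbase-opensource-src-gles` and `qt4-x11` in the same hunk stay unversioned and untagged, so both continue to show as open with no indication of intent. If the -gles source is rebuilt from the same patched tree it needs its own versioned entry once uploaded, and qt4-x11 should carry an explicit annotation of the kind used elsewhere in the file (`(unimportant)`, `(Minor issue)`) rather than an untagged open entry that reads as an unhandled vulnerability.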
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 996d82ad by Moritz Muehlenhoff at 2023-06-08T10:26:08+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -43165,24 +43165,33 @@ CVE-2023-21145 RESERVED CVE-2023-21144 RESERVED + NOT-FOR-US: Android CVE-2023-21143 RESERVED + NOT-FOR-US: Android CVE-2023-21142 RESERVED + NOT-FOR-US: Android CVE-2023-21141 RESERVED + NOT-FOR-US: Android CVE-2023-21140 RESERVED CVE-2023-21139 RESERVED + NOT-FOR-US: Android CVE-2023-21138 RESERVED + NOT-FOR-US: Android CVE-2023-21137 RESERVED + NOT-FOR-US: Android CVE-2023-21136 RESERVED + NOT-FOR-US: Android CVE-2023-21135 RESERVED + NOT-FOR-US: Android CVE-2023-21134 RESERVED CVE-2023-21133 @@ -43191,26 +43200,36 @@ CVE-2023-21132 RESERVED CVE-2023-21131 RESERVED + NOT-FOR-US: Android CVE-2023-21130 RESERVED + NOT-FOR-US: Android CVE-2023-21129 RESERVED + NOT-FOR-US: Android CVE-2023-21128 RESERVED + NOT-FOR-US: Android CVE-2023-21127 RESERVED + NOT-FOR-US: Android CVE-2023-21126 RESERVED + NOT-FOR-US: Android CVE-2023-21125 RESERVED CVE-2023-21124 RESERVED + NOT-FOR-US: Android CVE-2023-21123 RESERVED + NOT-FOR-US: Android CVE-2023-21122 RESERVED + NOT-FOR-US: Android CVE-2023-21121 RESERVED + NOT-FOR-US: Android CVE-2023-21120 RESERVED CVE-2023-21119 @@ -43223,6 +43242,7 @@ CVE-2023-21116 (In verifyReplacingVersionCode of InstallPackageHelper.java, ther NOT-FOR-US: Android CVE-2023-21115 RESERVED + NOT-FOR-US: Android CVE-2023-21114 RESERVED CVE-2023-21113 @@ -43237,6 +43257,7 @@ CVE-2023-21109 (In multiple places of AccessibilityService, there is a possible NOT-FOR-US: Android CVE-2023-21108 RESERVED + NOT-FOR-US: Android CVE-2023-21107 (In retrieveAppEntry of NotificationAccessDetails.java, there is a miss ...) NOT-FOR-US: Android CVE-2023-21106 (In adreno_set_param of adreno_gpu.c, there is a possible memory corrup ...) 
@@ -43246,6 +43267,7 @@ CVE-2023-21106 (In adreno_set_param of adreno_gpu.c, there is a possible memory NOTE: https://git.kernel.org/linus/a66f1efcf748febea7758c4c3c8b5bc5294949ef (6.2-rc5) CVE-2023-21105 RESERVED + NOT-FOR-US: Android CVE-2023-21104 (In applySyncTransaction of WindowOrganizer.java, a missing permission ...) NOT-FOR-US: Android CVE-2023-21103 (In registerPhoneAccount of PhoneAccountRegistrar.java, uncaught except ...) @@ -43271,6 +43293,7 @@ CVE-2023-21096 (In OnWakelockReleased of attribution_processor.cc, there is a us NOT-FOR-US: Android CVE-2023-21095 RESERVED + NOT-FOR-US: Android CVE-2023-21094 (In sanitize of LayerState.cpp, there is a possible way to take over th ...) NOT-FOR-US: Android CVE-2023-21093 (In extractRelativePath of FileUtils.java, there is a possible way to a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/996d82ad1f62b0db6adc45aac5e68f88798d2b1b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/996d82ad1f62b0db6adc45aac5e68f88798d2b1b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
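Review bot: CVE-2023-21140, CVE-2023-21134, CVE-2023-21125 and CVE-2023-21120 sit inside the first two hunks but are left as bare `RESERVED` while every neighbour gains `NOT-FOR-US: Android`. If they were skipped deliberately (for instance not yet published in the Android bulletin), a short NOTE saying so would stop the next triage pass from re-checking the same range; otherwise they look like omissions from this batch.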
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e80cd727 by security tracker role at 2023-06-08T08:12:02+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,25 @@ +CVE-2023-34969 (D-Bus before 1.15.6 sometimes allows unprivileged users to crash dbus- ...) + TODO: check +CVE-2023-34239 (Gradio is an open-source Python library that is used to build machine ...) + TODO: check +CVE-2023-34238 (Gatsby is a free and open source framework based on React. The Gatsby ...) + TODO: check +CVE-2023-33849 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) + TODO: check +CVE-2023-33848 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) + TODO: check +CVE-2023-33847 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) + TODO: check +CVE-2023-33846 (IBM TXSeries for Multiplatforms 8.1, 8.2, 9.1, CICS TX Standard, 11.1, ...) + TODO: check +CVE-2023-33496 (xxl-rpc v1.7.0 was discovered to contain a deserialization vulnerabili ...) + TODO: check +CVE-2023-2986 (The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulner ...) + TODO: check +CVE-2023-2904 (The External Visitor Manager portal of HID\u2019s SAFE versions 5.8.0 ...) + TODO: check +CVE-2023-2866 (If an attacker can trick an authenticated user into loading a maliciou ...) + TODO: check CVE-2023-3153 [service monitor MAC flow is not rate limited] - ovn NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2213279 @@ -393,6 +415,7 @@ CVE-2023-34417 - firefox 114.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-20/#CVE-2023-34417 CVE-2023-34416 + {DSA-5421-1 DLA-3448-1} - firefox 114.0-1 - firefox-esr 102.12.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-19/#CVE-2023-34416 
@@ -401,6 +424,7 @@ CVE-2023-34415 - firefox 114.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-20/#CVE-2023-34415 CVE-2023-34414 + {DSA-5421-1 DLA-3448-1} - firefox 114.0-1 - firefox-esr 102.12.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-19/#CVE-2023-34414 @@ -3641,8 +3665,8 @@ CVE-2023-31205 RESERVED CVE-2023-31204 RESERVED -CVE-2023-31200 - RESERVED +CVE-2023-31200 (PTC Vuforia Studio does not require a token; this could allow an atta ...) + TODO: check CVE-2023-31199 (Improper access control in the Intel(R) Solid State Drive Toolbox(TM) ...) NOT-FOR-US: Intel CVE-2023-31197 (Uncontrolled search path in the Intel(R) Trace Analyzer and Collector ...) @@ -3795,14 +3819,14 @@ CVE-2023-30768 (Improper access control in the Intel(R) Server Board S2600WTT be NOT-FOR-US: Intel CVE-2023-30763 (Heap-based overflow in Intel(R) SoC Watch based software before versio ...) NOT-FOR-US: Intel -CVE-2023-29502 - RESERVED +CVE-2023-29502 (Before importing a project into Vuforia, a user could modify the \u20 ...) + TODO: check CVE-2023-29242 (Improper access control for Intel(R) oneAPI Toolkits before version 20 ...) NOT-FOR-US: Intel -CVE-2023-29168 - RESERVED -CVE-2023-29152 - RESERVED +CVE-2023-29168 (The local Vuforia web application does not support HTTPS, and federate ...) + TODO: check +CVE-2023-29152 (By changing the filename parameter in the request, an attacker could ...) + TODO: check CVE-2023-28822 RESERVED CVE-2023-28745 @@ -3813,10 +3837,10 @@ CVE-2023-28719 RESERVED CVE-2023-28378 RESERVED -CVE-2023-27881 - RESERVED -CVE-2023-24476 - RESERVED +CVE-2023-27881 (A user could use the \u201cUpload Resource\u201d functionality to uplo ...) + TODO: check +CVE-2023-24476 (An attacker with local access to the machine could record the traffic, ...) + TODO: check CVE-2023-2270 RESERVED CVE-2023-2269 (A denial of service problem was found, due to a possible recursive loc ...) 
@@ -3856,12 +3880,12 @@ CVE-2023-31118 RESERVED CVE-2023-31117 RESERVED -CVE-2023-31116 - RESERVED -CVE-2023-31115 - RESERVED -CVE-2023-31114 - RESERVED +CVE-2023-31116 (An issue was discovered in the Shannon RCS component in Samsung Exynos ...) + TODO: check +CVE-2023-31115 (An issue was discovered in the Shannon RCS component in Samsung Exynos ...) + TODO: check +CVE-2023-31114 (An issue was discovered in the Shannon RCS component in Samsung Exynos ...) + TODO: check CVE-2023-31113 RESERVED CVE-2023-31112 @@ -8776,8 +8800,8 @@ CVE-2023-1866 (The YourChannel plugin for WordPress is vulnerable to Cross-Site NOT-FOR-US: YourChannel plugin fo
[Git][security-tracker-team/security-tracker][master] Revert "Mark CVE-2023-2602 CVE-2023-2603 as not-affected for strech, jessie"
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bcbfe50 by Moritz Muehlenhoff at 2023-06-08T09:22:10+02:00 Revert "Mark CVE-2023-2602 CVE-2023-2603 as not-affected for strech, jessie" This reverts commit 6e397c722790a000c8a026a77c8846c38f25a736. These suites don't belong in the Security Tracker anymore. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2533,8 +2533,6 @@ CVE-2023-2603 (A vulnerability was found in libcap. This issue occurs in the _li - libcap2 1:2.66-4 (bug #1036114) [bullseye] - libcap2 (Minor issue) [buster] - libcap2 (Vulnerable code introduced later) - [stretch] - libcap2 (Vulnerable code introduced later) - [jessie] - libcap2 (Vulnerable code introduced later) NOTE: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe NOTE: https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4 
@@ -2543,8 +2541,6 @@ CVE-2023-2602 (A vulnerability was found in the pthread_create() function in lib - libcap2 1:2.66-4 (bug #1036114) [bullseye] - libcap2 (Minor issue) [buster] - libcap2 (Vulnerable code introduced later) - [stretch] - libcap2 (Vulnerable code introduced later) - [jessie] - libcap2 (Vulnerable code introduced later) NOTE: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.iuvg7sbjg8pe NOTE: https://www.x41-dsec.de/static/reports/X41-libcap-Code-Review-2023-OSTIF-Final-Report.pdf NOTE: https://www.openwall.com/lists/oss-security/2023/05/15/4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bcbfe506db84102df98dbb48b4262586e3b9e6f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bcbfe506db84102df98dbb48b4262586e3b9e6f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3448-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 41782e28 by Emilio Pozuelo Monfort at 2023-06-08T09:14:21+02:00 Reserve DLA-3448-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[08 Jun 2023] DLA-3448-1 firefox-esr - security update + {CVE-2023-34414 CVE-2023-34416} + [buster] - firefox-esr 102.12.0esr-1~deb10u1 [06 Jun 2023] DLA-3447-1 ruby2.5 - security update {CVE-2023-28755 CVE-2023-28756} [buster] - ruby2.5 2.5.5-3+deb10u5 = data/dla-needed.txt = @@ -42,9 +42,6 @@ erlang (Markus Koschany) NOTE: 20221119: Added by Front-Desk (ta) NOTE: 20221119: at least CVE-2022-37026 needs to be fixed (original request has been for Stretch) -- -firefox-esr (Emilio) - NOTE: 20230606: Added by pochu --- fusiondirectory (Abhijith PA) NOTE: 20221203: Added by Front-Desk (gladk) NOTE: 20221203: Please evaluate, whether the package can be fixed (gladk). View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41782e28bf341a7422a6b6afdb0c16b562e6625e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41782e28bf341a7422a6b6afdb0c16b562e6625e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits