[Git][security-tracker-team/security-tracker][master] Reserve DLA-3499-1 for libapache2-mod-auth-openidc
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 2da979ec by Guilhem Moulin at 2023-07-19T00:39:49+02:00 Reserve DLA-3499-1 for libapache2-mod-auth-openidc - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -111492,7 +111492,6 @@ CVE-2022-23528 CVE-2022-23527 (mod_auth_openidc is an OpenID Certified\u2122 authentication and autho ...) - libapache2-mod-auth-openidc 2.4.12.2-1 (bug #1026444) [bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u2 - [buster] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-q6f2-285m-gr53 NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/87119f44b9a88312dbc1f752d720bcd2371b94a8 (v2.4.12.2) CVE-2022-23526 (Helm is a tool for managing Charts, pre-configured Kubernetes resource ...) @@ -139809,7 +139808,6 @@ CVE-2021-39192 (Ghost is a Node.js content management system. An error in the im CVE-2021-39191 (mod_auth_openidc is an authentication/authorization module for the Apa ...) - libapache2-mod-auth-openidc 2.4.9.4-1 (bug #993648) [bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u1 - [buster] - libapache2-mod-auth-openidc (Minor issue; can be fixed via point release) [stretch] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/zmartzone/mod_auth_openidc/security/advisories/GHSA-2pgf-8h6h-gqg2 NOTE: https://github.com/zmartzone/mod_auth_openidc/commit/03e6bfb446f4e3f27c003d30d6a433e5dd8e2b3d = data/DLA/list = @@ -1,3 +1,6 @@ +[19 Jul 2023] DLA-3499-1 libapache2-mod-auth-openidc - security update + {CVE-2021-39191 CVE-2022-23527} + [buster] - libapache2-mod-auth-openidc 2.3.10.2-1+deb10u3 [18 Jul 2023] DLA-3498-1 bind9 - security update {CVE-2023-2828} [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u9 = data/dla-needed.txt = 
@@ -80,10 +80,6 @@ imagemagick -- iperf3 (Markus Koschany) -- -libapache2-mod-auth-openidc (guilhem) - NOTE: 20230620: Added by Front-Desk (Beuc) - NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) --- libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2da979ecb1f86e6827671057f764ce3f3a3b7195 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2da979ecb1f86e6827671057f764ce3f3a3b7195 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
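Review bot: in the second data/CVE/list hunk (-139809) the NOTE for the CVE-2021-39191 fix commit (03e6bfb4...) carries no upstream version tag, unlike the CVE-2022-23527 commit in the first hunk, which is tagged (v2.4.12.2); since the new DLA-3499-1 entry in data/DLA/list claims both CVEs fixed in 2.3.10.2-1+deb10u3, add the release containing that commit so the buster backport can be cross-checked. The data/dla-needed.txt hunk also drops a NOTE that recorded CVE-2021-39191 as postponed, so one line on why it is now included would help whoever reads the DLA entry later.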
[Git][security-tracker-team/security-tracker][master] Add CVE-2022-47085 but with unclear status
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2e0c9a2e by Salvatore Bonaccorso at 2023-07-18T22:57:02+02:00 Add CVE-2022-47085 but with unclear status - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40819,7 +40819,9 @@ CVE-2022-47086 (GPAC MP4Box v2.1-DEV-rev574-g9d5bb184b contains a segmentation v NOTE: https://github.com/gpac/gpac/issues/2337 NOTE: https://github.com/gpac/gpac/commit/15e3aece44f24a1c4e8cc0622c59008b1b9ab683 (v2.2.0) CVE-2022-47085 (An issue was discovered in ostree before 2022.7 allows attackers to ca ...) - TODO: check + - ostree + NOTE: https://github.com/ostreedev/ostree/issues/2775 + TODO: check, affected bindings seems not present in src:ostree itself CVE-2022-47084 RESERVED CVE-2022-47083 (Spitfire CMS 1.0.475 is vulnerable to PHP Object Injection.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e0c9a2e766f53d8c3e27ff74f48d4bd3d027f24 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2e0c9a2e766f53d8c3e27ff74f48d4bd3d027f24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
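Review bot: the added unversioned "- ostree" line in the CVE-2022-47085 hunk marks src:ostree as affected in unstable, while the TODO added two lines below says the affected bindings seem not to be present in src:ostree itself; if that is confirmed, the line should become a not-affected status carrying that reason, otherwise the package stays listed as vulnerable until someone revisits the TODO.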
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82321fd6 by Salvatore Bonaccorso at 2023-07-18T22:56:12+02:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -18667,15 +18667,15 @@ CVE-2023-28025 CVE-2023-28024 RESERVED CVE-2023-28023 (A cross site request forgery vulnerability in the BigFix WebUI Softwar ...) - TODO: check + NOT-FOR-US: HCL CVE-2023-28022 RESERVED CVE-2023-28021 (The BigFix WebUI uses weak cipher suites.) - TODO: check + NOT-FOR-US: HCL CVE-2023-28020 (URL redirection in Login page in HCL BigFix WebUI allows malicious use ...) - TODO: check + NOT-FOR-US: HCL CVE-2023-28019 (Insufficient validation in Bigfix WebUI API App site version < 14 allo ...) - TODO: check + NOT-FOR-US: HCL CVE-2023-28018 RESERVED CVE-2023-28017 @@ -26230,7 +26230,7 @@ CVE-2023-25484 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-25483 RESERVED CVE-2023-25482 (Cross-Site Request Forgery (CSRF) vulnerability in Mike Martel WP Tile ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25481 (Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Sub ...) NOT-FOR-US: WordPress plugin CVE-2023-25480 @@ -26244,11 +26244,11 @@ CVE-2023-25477 CVE-2023-25476 RESERVED CVE-2023-25475 (Cross-Site Request Forgery (CSRF) vulnerability in Vladimir Prelovac S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25474 (Cross-Site Request Forgery (CSRF) vulnerability in Csaba Kissi About M ...) NOT-FOR-US: WordPress plugin CVE-2023-25473 (Cross-Site Request Forgery (CSRF) vulnerability in Miro Mannino Flickr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25472 (Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Pod ...) NOT-FOR-US: WordPress plugin CVE-2023-25471 
@@ -27316,7 +27316,7 @@ CVE-2023-25038 (Cross-Site Request Forgery (CSRF) vulnerability in 984.Ru For th CVE-2023-25037 RESERVED CVE-2023-25036 (Cross-Site Request Forgery (CSRF) vulnerability in akhlesh-nagar, a.An ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-25035 RESERVED CVE-2023-25034 (Cross-Site Request Forgery (CSRF) vulnerability in BoLiQuan WP Clean U ...) @@ -29420,7 +29420,7 @@ CVE-2023-24392 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in I CVE-2023-24391 RESERVED CVE-2023-24390 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in WeSe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-24389 RESERVED CVE-2023-24388 (Cross-Site Request Forgery (CSRF) vulnerability in WpDevArt Booking ca ...) @@ -31414,7 +31414,7 @@ CVE-2023-23662 CVE-2023-23661 RESERVED CVE-2023-23660 (Auth. (subscriber+) SQL Injection (SQLi) vulnerability in MainWP MainW ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-23659 (Cross-Site Request Forgery (CSRF) vulnerability in MainWP Matomo Exten ...) NOT-FOR-US: MainWP Matomo Extension CVE-2023-23658 @@ -39715,7 +39715,7 @@ CVE-2022-47423 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2022-47422 (Cross-Site Request Forgery (CSRF) vulnerability in HM Plugin Accept St ...) NOT-FOR-US: WordPress plugin CVE-2022-47421 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Repu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-47420 RESERVED CVE-2022-47419 (An XSS vulnerability was discovered in the Mayan EDMS DMS. Successful ...) 
@@ -40606,7 +40606,7 @@ CVE-2022-47171 (Improper Neutralization of Input During Web Page Generation ('Cr CVE-2022-47170 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Unli ...) NOT-FOR-US: WordPress plugin CVE-2022-47169 (Cross-Site Request Forgery (CSRF) vulnerability in StaxWP Visibility L ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-47168 RESERVED CVE-2022-47167 (Cross-Site Request Forgery (CSRF) vulnerability in Aram Kocharyan Cray ...) @@ -41468,7 +41468,7 @@ CVE-2022-46859 CVE-2022-46858 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Amin A.R ...) NOT-FOR-US: WordPress plugin CVE-2022-46857 (Cross-Site Request Forgery (CSRF) vulnerability in SiteAlert plugin <= ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2022-46856 (Cross-Site Request Forgery (CSRF) vulnerability in ORION Woocommerce P ...) NOT-FOR-US: WordPress plugin CVE-2022-46855 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) @@ -44650,7 +44650,7 @@ CVE-2022-45830 CVE-2022-45829 (Auth. Path Traversal vulnerability inEasy WP SMTP
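Review bot: the four HCL BigFix WebUI entries in the first hunk (-18667) are closed as "NOT-FOR-US: HCL", whereas the other NFU lines in this change name the product (for example "NOT-FOR-US: MainWP Matomo Extension" in the -31414 hunk); "NOT-FOR-US: HCL BigFix WebUI" would keep the product name searchable in data/CVE/list.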
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-3618/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cc3e1dd by Salvatore Bonaccorso at 2023-07-18T22:45:39+02:00 Update status for CVE-2023-3618/tiff Thanks: László Böszörményi - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -921,10 +921,11 @@ CVE-2023-37943 (Jenkins Active Directory Plugin 2.30 and earlier ignores the "Re CVE-2023-37942 (Jenkins External Monitor Job Type Plugin 206.v9a_94ff0b_4a_10 and earl ...) NOT-FOR-US: Jenkins plugin CVE-2023-3618 (A flaw was found in libtiff. A specially crafted tiff file can lead to ...) - - tiff (bug #1040945) + - tiff 4.5.1~rc3-1 (bug #1040945) [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/529 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/b5c7d4c4e0ac16b5cfb11acaaeaa493334f8 (v4.5.1rc1) CVE-2023-3603 - libssh (Vulnerable code not present in 0.10.5/any released version) NOTE: https://git.libssh.org/projects/libssh.git/commit/?id=fe80f47b0ae8902d229ef9b8a1b4fa949b92e720 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cc3e1dd854d91503f2da9818a2f2ca21c33eb69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cc3e1dd854d91503f2da9818a2f2ca21c33eb69 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
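Review bot: the new NOTE line in the CVE-2023-3618 hunk cites a libtiff commit id of 36 hex digits (b5c7d4c4e0ac16b5cfb11acaaeaa493334f8) rather than a 40-digit SHA-1, so it looks truncated or mistyped; verify that it resolves on gitlab.com before the bookworm and bullseye "Minor issue" entries are revisited using it. The fixed version 4.5.1~rc3-1 is consistent with the (v4.5.1rc1) tag on that commit.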
[Git][security-tracker-team/security-tracker][master] CVE-2023-37476: Add reference to commit in 3.7.4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a850690c by Salvatore Bonaccorso at 2023-07-18T22:36:36+02:00 CVE-2023-37476: Add reference to commit in 3.7.4 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -218,7 +218,8 @@ CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for deve CVE-2023-37476 (OpenRefine is a free, open source tool for data processing. A carefull ...) - openrefine (bug #1041422) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq - NOTE: https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e + NOTE: https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e (master) + NOTE: https://github.com/OpenRefine/OpenRefine/commit/c40c84d8170c4d61c6a0926531b552a50caa5651 (3.7.4) CVE-2023-37475 (Hamba avro is a go lang encoder/decoder implementation of the avro cod ...) NOT-FOR-US: Hamba avro CVE-2023-37461 (Metersphere is an opensource testing framework. Files uploaded to Mete ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a850690c9be76dcfd46d41480dbf69e1414dbd3d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a850690c9be76dcfd46d41480dbf69e1414dbd3d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream tag reference for CVE-2023-3724 upstream commit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f9fd77e by Salvatore Bonaccorso at 2023-07-18T22:33:22+02:00 Add upstream tag reference for CVE-2023-3724 upstream commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -84,7 +84,7 @@ CVE-2018-25088 (A vulnerability, which was classified as critical, was found in CVE-2023-3724 (If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor ...) - wolfssl NOTE: https://github.com/wolfSSL/wolfssl/pull/6412 - NOTE: https://github.com/wolfSSL/wolfssl/commit/00f1eddee429ff51390b20caadd2eb6afe51e1aa + NOTE: https://github.com/wolfSSL/wolfssl/commit/00f1eddee429ff51390b20caadd2eb6afe51e1aa (v5.6.2-stable) CVE-2023-3714 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) NOT-FOR-US: WordPress plugin CVE-2023-3713 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f9fd77e6f9e2ceb0340778449a8e93c453d433c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f9fd77e6f9e2ceb0340778449a8e93c453d433c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
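Review bot: the wolfssl line in the CVE-2023-3724 hunk stays unversioned and carries no bug reference, unlike the other open entries in this digest (openrefine bug #1041422, tiff bug #1040945); now that the fix is tied to v5.6.2-stable, a bug number or a fixed Debian version on that line would let the tracker show where the package stands.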
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-33265/hazelcast
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a76db07 by Salvatore Bonaccorso at 2023-07-18T22:24:09+02:00 Add CVE-2023-33265/hazelcast - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64,7 +64,7 @@ CVE-2023-33329 (Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerabilit CVE-2023-33312 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wppal Ea ...) NOT-FOR-US: WordPress plugin CVE-2023-33265 (In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, ...) - TODO: check + - hazelcast (bug #745640) CVE-2023-33231 (XSS attack was possible in DPA 2023.2 due to insufficient input valida ...) NOT-FOR-US: SolarWinds CVE-2023-32965 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CRUDLab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a76db0744aa816c97857d4a850acb027c3c7d3e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5a76db0744aa816c97857d4a850acb027c3c7d3e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
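Review bot: the bug number in "+ - hazelcast (bug #745640)" is far older than the others referenced in this digest (#1040945, #1041422), which suggests a long-standing ITP/RFP bug rather than a report filed for CVE-2023-33265; if hazelcast is not in the archive, the entry should carry the tracker's <itp> marker together with the bug rather than read as an affected source package.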
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-37788/golang-github-elazarl-goproxy
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89643fea by Salvatore Bonaccorso at 2023-07-18T22:23:19+02:00 Add CVE-2023-37788/golang-github-elazarl-goproxy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,8 @@ CVE-2023-37892 (Cross-Site Request Forgery (CSRF) vulnerability in Kemal YAZICI CVE-2023-37889 (Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin WPAdmin AWS ...) NOT-FOR-US: WordPress plugin CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead to a De ...) - TODO: check + - golang-github-elazarl-goproxy + NOTE: https://github.com/elazarl/goproxy/issues/502 CVE-2023-37758 (D-LINK DIR-815 v1.01 was discovered to contain a buffer overflow via t ...) NOT-FOR-US: D-LINK CVE-2023-37481 (Fides is an open-source privacy engineering platform for managing data ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89643feaf848fc8849bdbd818815eeca6d14d3c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89643feaf848fc8849bdbd818815eeca6d14d3c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
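Review bot: the CVE-2023-37788 hunk records only the upstream issue (elazarl/goproxy#502) and an unversioned "- golang-github-elazarl-goproxy" line, so nothing yet says whether a fix exists; once upstream commits one, add a NOTE with the commit and its tag as the other entries in this digest do, plus a bug reference if one is filed.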
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ddb100b by Salvatore Bonaccorso at 2023-07-18T22:22:50+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,81 +1,81 @@ CVE-2023-3743 (Ap Page Builder, in versions lower than 1.7.8.2, could allow a remote ...) - TODO: check + NOT-FOR-US: Ap Page Builder CVE-2023-38326 REJECTED CVE-2023-38257 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insec ...) - TODO: check + NOT-FOR-US: Iagona ScrutisWeb CVE-2023-37973 (Cross-Site Request Forgery (CSRF) vulnerability in David Pokorny Repla ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37892 (Cross-Site Request Forgery (CSRF) vulnerability in Kemal YAZICI - Plug ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37889 (Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin WPAdmin AWS ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead to a De ...) TODO: check CVE-2023-37758 (D-LINK DIR-815 v1.01 was discovered to contain a buffer overflow via t ...) - TODO: check + NOT-FOR-US: D-LINK CVE-2023-37481 (Fides is an open-source privacy engineering platform for managing data ...) TODO: check CVE-2023-37480 (Fides is an open-source privacy engineering platform for managing data ...) TODO: check CVE-2023-37477 (1Panel is an open source Linux server operation and maintenance manage ...) - TODO: check + NOT-FOR-US: 1Panel CVE-2023-37387 (Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classif ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37386 (Cross-Site Request Forgery (CSRF) vulnerability in Media Library Helpe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37259 (matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip ...) TODO: check CVE-2023-37143 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2023-37142 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) 
- TODO: check + NOT-FOR-US: Microsoft CVE-2023-37141 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2023-37140 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2023-37139 (ChakraCore branch master cbb9b was discovered to contain a stack overf ...) - TODO: check + NOT-FOR-US: Microsoft CVE-2023-36670 (A remotely exploitable command injection vulnerability was found on th ...) - TODO: check + NOT-FOR-US: Kratos NGC-IDU CVE-2023-36669 (Missing Authentication for a Critical Function within the Kratos NGC I ...) - TODO: check + NOT-FOR-US: Kratos NGC-IDU CVE-2023-36384 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeop ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-36383 (Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Mag ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-36120 REJECTED CVE-2023-35763 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a crypto ...) - TODO: check + NOT-FOR-US: Iagona ScrutisWeb CVE-2023-35189 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote ...) - TODO: check + NOT-FOR-US: Iagona ScrutisWeb CVE-2023-34330 (AMI SPx contains a vulnerability in the BMC where a User may cause a i ...) - TODO: check + NOT-FOR-US: AMI SPx CVE-2023-34329 (AMI SPx contains a vulnerability in BMC where a User may cause an auth ...) - TODO: check + NOT-FOR-US: AMI SPx CVE-2023-34035 (Spring Security versions 5.8prior to 5.8.5, 6.0prior to 6.0.5,and 6.1p ...) TODO: check CVE-2023-33871 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a direct ...) - TODO: check + NOT-FOR-US: Iagona ScrutisWeb CVE-2023-33329 (Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in H ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-33312 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wppal Ea ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-33265 (In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, ...) TODO: check CVE-2023-33231 (XSS attack was possible in DPA 2023.2 due to insufficient input valida ...) - TODO: check + NOT-FOR-US: SolarWinds CVE-2023-32965 (Unauth. Reflected Cross-Site Scripting
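Review bot: this NFU pass leaves CVE-2023-37788 (goproxy), CVE-2023-37481 and CVE-2023-37480 (Fides), CVE-2023-37259 (matrix-react-sdk), CVE-2023-34035 (Spring Security) and CVE-2023-33265 (Hazelcast) at "TODO: check" in the -1,81 hunk; goproxy and Hazelcast are resolved in later commits on this page, the other four are still open and need a package check.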
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 02e8b15f by Salvatore Bonaccorso at 2023-07-18T22:16:53+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -73,7 +73,7 @@ CVE-2023-31441 (In NATO Communications and Information Agency anet (aka Advisor CVE-2023-2913 (An executable used in Rockwell Automation ThinManager ThinServer can b ...) TODO: check CVE-2023-2433 (The YARPP plugin for WordPress is vulnerable to Stored Cross-Site Scri ...) - TODO: check + NOT-FOR-US: YARPP plugin for WordPress CVE-2021-4428 (A vulnerability has been found in what3words Autosuggest Plugin up to ...) TODO: check CVE-2020-36762 (A vulnerability was found in ONS Digital RAS Collection Instrument up ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02e8b15f83a9cb1e16c2aad88203c29264cb37e8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02e8b15f83a9cb1e16c2aad88203c29264cb37e8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
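Review bot: "NOT-FOR-US: YARPP plugin for WordPress" in the CVE-2023-2433 hunk departs from the "NOT-FOR-US: WordPress plugin" wording used throughout the other NFU commits in this digest; either form closes the entry, but a consistent string keeps the file easy to grep.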
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fef2175a by security tracker role at 2023-07-18T20:12:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,85 @@ +CVE-2023-3743 (Ap Page Builder, in versions lower than 1.7.8.2, could allow a remote ...) + TODO: check +CVE-2023-38326 + REJECTED +CVE-2023-38257 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to an insec ...) + TODO: check +CVE-2023-37973 (Cross-Site Request Forgery (CSRF) vulnerability in David Pokorny Repla ...) + TODO: check +CVE-2023-37892 (Cross-Site Request Forgery (CSRF) vulnerability in Kemal YAZICI - Plug ...) + TODO: check +CVE-2023-37889 (Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin WPAdmin AWS ...) + TODO: check +CVE-2023-37788 (goproxy v1.1 was discovered to contain an issue which can lead to a De ...) + TODO: check +CVE-2023-37758 (D-LINK DIR-815 v1.01 was discovered to contain a buffer overflow via t ...) + TODO: check +CVE-2023-37481 (Fides is an open-source privacy engineering platform for managing data ...) + TODO: check +CVE-2023-37480 (Fides is an open-source privacy engineering platform for managing data ...) + TODO: check +CVE-2023-37477 (1Panel is an open source Linux server operation and maintenance manage ...) + TODO: check +CVE-2023-37387 (Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Classif ...) + TODO: check +CVE-2023-37386 (Cross-Site Request Forgery (CSRF) vulnerability in Media Library Helpe ...) + TODO: check +CVE-2023-37259 (matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip ...) + TODO: check +CVE-2023-37143 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) + TODO: check +CVE-2023-37142 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) + TODO: check +CVE-2023-37141 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) + TODO: check +CVE-2023-37140 (ChakraCore branch master cbb9b was discovered to contain a segmentatio ...) + TODO: check +CVE-2023-37139 (ChakraCore branch master cbb9b was discovered to contain a stack overf ...) 
+ TODO: check +CVE-2023-36670 (A remotely exploitable command injection vulnerability was found on th ...) + TODO: check +CVE-2023-36669 (Missing Authentication for a Critical Function within the Kratos NGC I ...) + TODO: check +CVE-2023-36384 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CodePeop ...) + TODO: check +CVE-2023-36383 (Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Mag ...) + TODO: check +CVE-2023-36120 + REJECTED +CVE-2023-35763 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a crypto ...) + TODO: check +CVE-2023-35189 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a remote ...) + TODO: check +CVE-2023-34330 (AMI SPx contains a vulnerability in the BMC where a User may cause a i ...) + TODO: check +CVE-2023-34329 (AMI SPx contains a vulnerability in BMC where a User may cause an auth ...) + TODO: check +CVE-2023-34035 (Spring Security versions 5.8prior to 5.8.5, 6.0prior to 6.0.5,and 6.1p ...) + TODO: check +CVE-2023-33871 (Iagona ScrutisWeb versions 2.1.37 and prior are vulnerable to a direct ...) + TODO: check +CVE-2023-33329 (Auth. (admin+) Reflected Cross-Site Scripting (XSS) vulnerability in H ...) + TODO: check +CVE-2023-33312 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in wppal Ea ...) + TODO: check +CVE-2023-33265 (In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, ...) + TODO: check +CVE-2023-33231 (XSS attack was possible in DPA 2023.2 due to insufficient input valida ...) + TODO: check +CVE-2023-32965 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in CRUDLab ...) + TODO: check +CVE-2023-31441 (In NATO Communications and Information Agency anet (aka Advisor Networ ...) + TODO: check +CVE-2023-2913 (An executable used in Rockwell Automation ThinManager ThinServer can b ...) + TODO: check +CVE-2023-2433 (The YARPP plugin for WordPress is vulnerable to Stored Cross-Site Scri ...) 
+ TODO: check +CVE-2021-4428 (A vulnerability has been found in what3words Autosuggest Plugin up to ...) + TODO: check +CVE-2020-36762 (A vulnerability was found in ONS Digital RAS Collection Instrument up ...) + TODO: check +CVE-2018-25088 (A vulnerability, which was classified as critical, was found in Blue Y ...) + TODO: check CVE-2023-3724 (If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor ...) - wolfssl NOTE:
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-38409/linux and sync with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a6abb770 by Salvatore Bonaccorso at 2023-07-18T22:07:45+02:00 Update status for CVE-2023-38409/linux and sync with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -99,7 +99,9 @@ CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/02f76c401d17e409ed45bf7887148fcc22c93c85 (6.4-rc3) CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) - - linux 6.3.7-1 + - linux 6.1.25-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/fffb0b52d5258554c645c966c6cbef7de50b851d (6.3-rc7) CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, crafting and ...) NOT-FOR-US: Creston View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6abb7703bfd3ed37337b4a6d8e9076016c1e137 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a6abb7703bfd3ed37337b4a6d8e9076016c1e137 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
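Review bot: in the CVE-2023-38409 hunk the unstable fixed version drops from 6.3.7-1 to 6.1.25-1 while the referenced upstream commit is tagged (6.3-rc7), so the claim rests on a backport into the 6.1 stable series; a NOTE citing the stable release that carries the fix would make that traceable, and a NOTE naming the commit that introduced the bug would back the new bullseye and buster "Vulnerable code not present" lines.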
[Git][security-tracker-team/security-tracker][master] Sync status for CVE-2023-38426/linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ca83b462 by Salvatore Bonaccorso at 2023-07-18T22:03:11+02:00 Sync status for CVE-2023-38426/linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -94,6 +94,7 @@ CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb NOTE: https://git.kernel.org/linus/f1a411873c85b642f13b01f21b534c2bab81fc1b (6.4-rc6) CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an ...) - linux 6.3.7-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/02f76c401d17e409ed45bf7887148fcc22c93c85 (6.4-rc3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca83b462e05249e022dbf0fa86cea17e966299d3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ca83b462e05249e022dbf0fa86cea17e966299d3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
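Review bot: the "[bookworm] - linux 6.1.37-1" line added in the CVE-2023-38426 hunk (and the identical lines added for CVE-2023-38429 and CVE-2023-38428 in the following two commits) sits between the unstable and bullseye entries, matching the layout already used for CVE-2023-38427 in the fbe14f3c diff further down; fine as is, though the three one-line changes could have been a single commit.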
[Git][security-tracker-team/security-tracker][master] Sync CVE-2023-38429/linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb84d4e0 by Salvatore Bonaccorso at 2023-07-18T22:01:04+02:00 Sync CVE-2023-38429/linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76,6 +76,7 @@ CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd NOTE: https://git.kernel.org/linus/1c1bcf2d3ea061613119b534f57507c377df20f9 (6.4-rc6) CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/con ...) - linux 6.3.7-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/443d61d1fa9faa60ef925513d83742902390100f (6.4-rc3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb84d4e0e78c74defc82a36ed1540dc7b068490a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb84d4e0e78c74defc82a36ed1540dc7b068490a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Sync CVE-2023-38428/linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ac741b by Salvatore Bonaccorso at 2023-07-18T21:59:21+02:00 Sync CVE-2023-38428/linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,6 +81,7 @@ CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksm NOTE: https://git.kernel.org/linus/443d61d1fa9faa60ef925513d83742902390100f (6.4-rc3) CVE-2023-38428 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb ...) - linux 6.3.7-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f (6.4-rc3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ac741b65c0a02c0ff9ebb47bc0863cfc4278ad
[Git][security-tracker-team/security-tracker][master] Drop v prefix from kernel commits for kernel-sec consistency
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbe14f3c by Salvatore Bonaccorso at 2023-07-18T21:56:11+02:00 Drop v prefix from kernel commits for kernel-sec consistency Though ... that said, it is inconsistent with security-tracker practice to identify the upstream commits. Feel free to revert. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78,12 +78,12 @@ CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksm - linux 6.3.7-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/443d61d1fa9faa60ef925513d83742902390100f (v6.4-rc3) + NOTE: https://git.kernel.org/linus/443d61d1fa9faa60ef925513d83742902390100f (6.4-rc3) CVE-2023-38428 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb ...) - linux 6.3.7-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f (v6.4-rc3) + NOTE: https://git.kernel.org/linus/f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f (6.4-rc3) CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - linux 6.3.11-1 [bookworm] - linux 6.1.37-1 
@@ -94,10 +94,10 @@ CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd - linux 6.3.7-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/02f76c401d17e409ed45bf7887148fcc22c93c85 (v6.4-rc3) + NOTE: https://git.kernel.org/linus/02f76c401d17e409ed45bf7887148fcc22c93c85 (6.4-rc3) CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) - linux 6.3.7-1 - NOTE: https://git.kernel.org/linus/fffb0b52d5258554c645c966c6cbef7de50b851d (v6.3-rc7) + NOTE: https://git.kernel.org/linus/fffb0b52d5258554c645c966c6cbef7de50b851d (6.3-rc7) CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, crafting and ...) NOT-FOR-US: Creston CVE-2023-38404 (The XPRTLD web application in Veritas InfoScale Operations Manager (VI ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbe14f3c2b4cd87232d04dabdbb9230cc1861cab
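Review bot: the context line `NOT-FOR-US: Creston` under CVE-2023-38405 in the second hunk misspells the vendor; the CVE description on the same entry reads `Crestron 3-Series Control Systems`, so the tag should be `NOT-FOR-US: Crestron`. Not introduced by this change, but the NFU tag is what later triage greps for, so a follow-up fix is worthwhile. The four `(vX.Y-rcN)` to `(X.Y-rcN)` edits themselves are consistent with the unprefixed `(6.4-rc6)` references already present in the file.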
[Git][security-tracker-team/security-tracker][master] Sync CVE-2023-38427/linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb30cced by Salvatore Bonaccorso at 2023-07-18T21:55:28+02:00 Sync CVE-2023-38427/linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -86,9 +86,10 @@ CVE-2023-38428 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksm NOTE: https://git.kernel.org/linus/f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f (v6.4-rc3) CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - linux 6.3.11-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/f1a411873c85b642f13b01f21b534c2bab81fc1b (v6.4-rc6) + NOTE: https://git.kernel.org/linus/f1a411873c85b642f13b01f21b534c2bab81fc1b (6.4-rc6) CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an ...) - linux 6.3.7-1 [bullseye] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb30ccedc0c2ee5d2bab2b490cfd32aba6d803f6
[Git][security-tracker-team/security-tracker][master] Sync CVE-2023-38430/linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1654109d by Salvatore Bonaccorso at 2023-07-18T21:54:08+02:00 Sync CVE-2023-38430/linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70,9 +70,10 @@ CVE-2023-38431 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb NOTE: https://git.kernel.org/linus/368ba06881c395f1c9a7ba22203cf8d78b4addc0 (6.4-rc6) CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd does n ...) - linux 6.3.11-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/1c1bcf2d3ea061613119b534f57507c377df20f9 (v6.4-rc6) + NOTE: https://git.kernel.org/linus/1c1bcf2d3ea061613119b534f57507c377df20f9 (6.4-rc6) CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/con ...) - linux 6.3.7-1 [bullseye] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1654109d6aca8ba0445623f76b4d25df1f08f0c5
[Git][security-tracker-team/security-tracker][master] Sync CVE-2023-38432/linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e89ec396 by Salvatore Bonaccorso at 2023-07-18T21:47:52+02:00 Sync CVE-2023-38432/linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -58,9 +58,10 @@ CVE-2023-38434 (xHTTP 72f812d has a double free in close_connection in xhttp.c v NOT-FOR-US: xHTTP CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/smb/serv ...) - linux 6.3.11-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d (v6.4) + NOTE: https://git.kernel.org/linus/2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d (6.4) CVE-2023-38431 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - linux 6.3.11-1 [bookworm] - linux 6.1.37-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e89ec3968473718f3a9b7ebfdb9fcdb3e310e08f
[Git][security-tracker-team/security-tracker][master] Sync CVE-2023-38431 with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e55fd35 by Salvatore Bonaccorso at 2023-07-18T21:45:57+02:00 Sync CVE-2023-38431 with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -63,9 +63,10 @@ CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/sm NOTE: https://git.kernel.org/linus/2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d (v6.4) CVE-2023-38431 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - linux 6.3.11-1 + [bookworm] - linux 6.1.37-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/368ba06881c395f1c9a7ba22203cf8d78b4addc0 (v6.4-rc6) + NOTE: https://git.kernel.org/linus/368ba06881c395f1c9a7ba22203cf8d78b4addc0 (6.4-rc6) CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd does n ...) - linux 6.3.11-1 [bullseye] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e55fd35c33a038ac29abdb2442f957ea976d1d6
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e4a97a19 by Moritz Mühlenhoff at 2023-07-18T20:58:06+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1028,7 +1028,7 @@ CVE-2023-37374 (A vulnerability has been identified in Tecnomatix Plant Simulati CVE-2023-37280 (Pimcore Admin Classic Bundle provides a Backend UI for Pimcore based o ...) NOT-FOR-US: Pimcore Admin Classic Bundle CVE-2023-37271 (RestrictedPython is a tool that helps to define a subset of the Python ...) - - restrictedpython + - restrictedpython (bug #1041429) NOTE: https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-wqc8-x2pr-7jqh NOTE: https://github.com/zopefoundation/RestrictedPython/commit/c8eca66ae49081f0016d2e1f094c3d72095ef531 (master) NOTE: https://github.com/zopefoundation/RestrictedPython/commit/d8c5aa72c5d0ec8eceab635d93d6bc8321116002 (5.3) @@ -1767,7 +1767,7 @@ CVE-2023-33008 (Deserialization of Untrusted Data vulnerability in Apache Softwa CVE-2023-3532 (Cross-site Scripting (XSS) - Stored in GitHub repository outline/outli ...) NOT-FOR-US: Outline CVE-2023-37192 (Memory management and protection issues in Bitcoin Core v22 allows att ...) - - bitcoin + - bitcoin (bug #1041427) CVE-2023-36859 (PiiGAB M-Bus SoftwarePack 900S does not correctly sanitize user inp ...) NOT-FOR-US: PiiGAB M-Bus CVE-2023-36829 (Sentry is an error tracking and performance monitoring platform. Start ...) 
@@ -1849,12 +1849,12 @@ CVE-2023-36969 (CMS Made Simple v2.2.17 is vulnerable to Remote Command Executio CVE-2023-36968 (A SQL Injection vulnerability detected in Food Ordering System v1.0 al ...) NOT-FOR-US: Food Ordering System CVE-2023-36830 (SQLFluff is a SQL linter. Prior to version 2.1.2, in environments wher ...) - - sqlfluff + - sqlfluff (bug #1041428) [bookworm] - sqlfluff (Minor issue) NOTE: https://github.com/sqlfluff/sqlfluff/security/advisories/GHSA-jqhc-m2j3-fjrx NOTE: https://github.com/sqlfluff/sqlfluff/pull/4925 CVE-2023-36823 (Sanitize is an allowlist-based HTML and CSS sanitizer. Using carefully ...) - - ruby-sanitize + - ruby-sanitize (bug #1041430) NOTE: https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220 (v6.0.2) NOTE: https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7 CVE-2023-36462 (Mastodon is a free, open-source social network server based on Activit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e4a97a1916ab4e2ca7714ebdd22be916803b66a4
[Git][security-tracker-team/security-tracker][master] mark nettle as n/a in general
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: bad06e9d by Moritz Mühlenhoff at 2023-07-18T20:56:50+02:00 mark nettle as n/a in general - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3018,11 +3018,7 @@ CVE-2023-36663 (it-novum openITCOCKPIT (aka open IT COCKPIT) 4.6.4 before 4.6.5 CVE-2023-36662 (The TechTime User Management components for Atlassian products allow s ...) NOT-FOR-US: Atlassian CVE-2023-36660 (The OCB feature in libnettle in Nettle 3.9 before 3.9.1 allows memory ...) - [experimental] - nettle 3.9.1-1 - - nettle - [bookworm] - nettle (Vulnerable code not present) - [bullseye] - nettle (Vulnerable code not present) - [buster] - nettle (Vulnerable code not present) + - nettle (Only affects 3.9.x and experimental is fixed) NOTE: https://bugzilla.suse.com/show_bug.cgi?id=1212112 NOTE: Introduced with: https://git.lysator.liu.se/nettle/nettle/-/commit/9cf0e2d2675268a403194d85a78a44e8cbdf562b (nettle_3.9_release_20230514) NOTE: Fixed by: https://git.lysator.liu.se/nettle/nettle/-/commit/867a4548b95705291a3afdd66d76e7f17ba2618f (nettle_3.9.1_release_20230601) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bad06e9d3444b6e8790631a60bbb96aeb032dcb8
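Review bot: the single replacement line `- nettle (Only affects 3.9.x and experimental is fixed)` shows no status marker, yet the commit title says nettle is being marked n/a. In data/CVE/list a package line with neither a version nor a pseudo-version is read as unfixed in unstable, so unless the `<not-affected>` marker was present in the commit and only lost in this mail rendering, the entry now states the opposite of what was intended. Dropping `[experimental] - nettle 3.9.1-1` also removes the only explicit record of the fixed experimental version; the `Fixed by:` NOTE pointing at nettle_3.9.1_release_20230601 keeps that recoverable, which is probably acceptable.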
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 897de784 by Moritz Mühlenhoff at 2023-07-18T20:47:05+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -124,7 +124,7 @@ CVE-2023-37769 (stress-test master commit e4c878 was discovered to contain a FPE CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for developing ...) NOT-FOR-US: Open Enclave CVE-2023-37476 (OpenRefine is a free, open source tool for data processing. A carefull ...) - - openrefine + - openrefine (bug #1041422) NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq NOTE: https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e CVE-2023-37475 (Hamba avro is a go lang encoder/decoder implementation of the avro cod ...) @@ -318,7 +318,7 @@ CVE-2023-37793 (WAYOS FBM-291W 19.09.11V was discovered to contain a buffer over CVE-2023-37472 (Knowage is an open source suite for business analytics. The applicatio ...) NOT-FOR-US: Knowage CVE-2023-37464 (OpenIDC/cjose is a C library implementing the Javascript Object Signin ...) - - cjose + - cjose (bug #1041423) NOTE: https://github.com/OpenIDC/cjose/security/advisories/GHSA-3rhg-3gf2-6xgj NOTE: https://github.com/OpenIDC/cjose/commit/7325e9a5e71e2fc0e350487ecac7d84acdf0ed5e (v0.6.2.2) CVE-2023-37462 (XWiki Platform is a generic wiki platform offering runtime services fo ...) 
@@ -885,19 +885,19 @@ CVE-2023-3019 [e1000e: heap use-after-free in e1000e_write_packet_to_guest()] CVE-2023-3011 (The ARMember plugin for WordPress is vulnerable to Cross-Site Request ...) NOT-FOR-US: ARMember plugin for WordPress CVE-2023-37767 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2514 NOTE: https://github.com/gpac/gpac/commit/d414df635c773b21bbb3a9fbf17b101b1e8ea345 CVE-2023-37766 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2516 NOTE: https://github.com/gpac/gpac/commit/a64c60ef0983be6db8ab1e4a663e0ce83ff7bf2c CVE-2023-37765 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2515 @@ -913,7 +913,7 @@ CVE-2023-37197 (A CWE-89: Improper Neutralization of Special Elements vulnerabil CVE-2023-37196 (A CWE-89: Improper Neutralization of Special Elements vulnerability us ...) NOT-FOR-US: Schneider Electric CVE-2023-37174 (GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a seg ...) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2505 
@@ -1797,7 +1797,7 @@ CVE-2023-3529 (A vulnerability classified as problematic has been found in Rotem CVE-2023-3528 (A vulnerability was found in ThinuTech ThinuCMS 1.5. It has been rated ...) NOT-FOR-US: ThinuTech ThinuCMS CVE-2023-3523 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.2.2.) - - gpac + - gpac (bug #1041421) [bullseye] - gpac (Minor issue) [buster] - gpac (EOL in buster LTS) NOTE: https://huntr.dev/bounties/57e0be03-8484-415e-8b5c-c1fe4546eaac/ @@ -2305,12 +2305,12 @@ CVE-2023-36812 (OpenTSDB is a open source, distributed, scalable Time Series Dat CVE-2023-36144 (An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1. ...) NOT-FOR-US: Intelbras CVE-2023-35947 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (bug #1041424) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-84mw-qh6q-v842 NOTE: https://github.com/gradle/gradle/commit/1096b309520a8c315e3b6109a6526de4eabcb879 (v8.2.0-RC3) NOTE: https://github.com/gradle/gradle/commit/2e5c34d57d0c0b7f0e8b039a192b91e5c8249d91 (v8.2.0-RC3) CVE-2023-35946 (Gradle is a build tool with a focus on build automation and support fo ...) - - gradle + - gradle (bug #1041424) NOTE: https://github.com/gradle/gradle/security/advisories/GHSA-2h6c-rv6q-494v NOTE: https://github.com/gradle/gradle/commit/859eae2b2acf751ae7db3c9ffefe275aa5da0d5d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3498-1 for bind9
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 16c86df1 by Chris Lamb at 2023-07-18T17:21:11+01:00 Reserve DLA-3498-1 for bind9 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[18 Jul 2023] DLA-3498-1 bind9 - security update + {CVE-2023-2828} + [buster] - bind9 1:9.11.5.P4+dfsg-5.1+deb10u9 [14 Jul 2023] DLA-3497-1 pypdf2 - security update {CVE-2023-36810} [buster] - pypdf2 1.26.0-2+deb10u2 = data/dla-needed.txt = @@ -20,10 +20,6 @@ https://wiki.debian.org/LTS/Development#Triage_new_security_issues To make it easier to see the entire history of an update, please append notes rather than remove/replace existing ones. --- -bind9 (Chris Lamb) - NOTE: 20230623: Added by Front-Desk (Beuc) - NOTE: 20230623: Upcoming DSA prepared by maintainer (Beuc/front-desk) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/16c86df11fc5bf9ceadd2822568cf1faa1974ec7
[Git][security-tracker-team/security-tracker][master] fix data/dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 860b1155 by Tobias Frost at 2023-07-18T16:50:04+02:00 fix data/dla-needed.txt stray ^S broke lts tool. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -208,4 +208,4 @@ tiff (Adrian Bunk) xqilla (tobi) NOTE: 20230706: Added by Front-Desk (gladk) NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code. --- +-- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/860b115593876887543ab0a3320e1856ee39ef85
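Review bot: the removed and added lines both render as `--`, so the actual change, the stray ^S control character named in the commit message, is invisible in this view. Whoever reviews this should look at the raw diff with non-printing bytes shown (for example `git show` piped through `cat -v`) to confirm the separator line is now byte-identical to the other `--` separators, and a scan of the whole of data/dla-needed.txt for other control characters would keep the lts tool from tripping on the next one.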
[Git][security-tracker-team/security-tracker][master] new linux issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c177dccd by Moritz Muehlenhoff at 2023-07-18T13:34:01+02:00 new linux issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -92,7 +92,8 @@ CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/02f76c401d17e409ed45bf7887148fcc22c93c85 (v6.4-rc3) CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) - TODO: check + - linux 6.3.7-1 + NOTE: https://git.kernel.org/linus/fffb0b52d5258554c645c966c6cbef7de50b851d (v6.3-rc7) CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, crafting and ...) NOT-FOR-US: Creston CVE-2023-38404 (The XPRTLD web application in Veritas InfoScale Operations Manager (VI ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c177dccd9723b5e3aba918fada074bea25a7693a
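Review bot: the new CVE-2023-38409 entry records `- linux 6.3.7-1` and the upstream fix but nothing for bookworm, bullseye or buster, whereas the neighbouring CVE-2023-38426 entry visible in the context carries `[bullseye]` and `[buster]` verdicts and the other linux entries in this digest carry `[bookworm] - linux 6.1.37-1`. With the fix tagged v6.3-rc7 and bookworm on a 6.1 kernel, the stable suites still need a stated status; either add the per-suite lines or leave a TODO so the entry is not taken as fully triaged. The `(v6.3-rc7)` prefix is also the form the `Drop v prefix` commit in this digest normalises away.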
[Git][security-tracker-team/security-tracker][master] new faust issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c113dae1 by Moritz Muehlenhoff at 2023-07-18T13:33:04+02:00 new faust issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -115,7 +115,9 @@ CVE-2023-37791 (D-Link DIR-619L v2.04(TW) was discovered to contain a stack over CVE-2023-37781 (An issue in the emqx_sn plugin of EMQX v4.3.8 allows attackers to exec ...) NOT-FOR-US: EMQX CVE-2023-37770 (faust commit ee39a19 was discovered to contain a stack overflow via th ...) - TODO: check + - faust (unimportant) + NOTE: https://github.com/grame-cncm/faust/issues/922 + NOTE: Negligible security impact CVE-2023-37769 (stress-test master commit e4c878 was discovered to contain a FPE vulne ...) TODO: check CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for developing ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c113dae1c576d089647318f71342ed8c8cd4
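Review bot: `- faust (unimportant)` renders without a pseudo-version; severity is expressed in this file as `- faust <unimportant>`, and without that marker the line reads as an unfixed issue in unstable. If the angle brackets were stripped by the mail rendering, nothing to do; otherwise the marker needs adding. The two NOTE lines (upstream issue 922 and `Negligible security impact`) give the rationale, which is the right way to justify an unimportant classification.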
[Git][security-tracker-team/security-tracker][master] new openrefine issue (and rewrite older NFUs)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4bc90306 by Moritz Muehlenhoff at 2023-07-18T13:28:50+02:00 new openrefine issue (and rewrite older NFUs) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -121,7 +121,9 @@ CVE-2023-37769 (stress-test master commit e4c878 was discovered to contain a FPE CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for developing ...) NOT-FOR-US: Open Enclave CVE-2023-37476 (OpenRefine is a free, open source tool for data processing. A carefull ...) - TODO: check + - openrefine + NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq + NOTE: https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e CVE-2023-37475 (Hamba avro is a go lang encoder/decoder implementation of the avro cod ...) NOT-FOR-US: Hamba avro CVE-2023-37461 (Metersphere is an opensource testing framework. Files uploaded to Mete ...) @@ -316814,7 +316816,7 @@ CVE-2018-20662 (In Poppler 0.72.0, PDFDoc::setup in PDFDoc.cc allows attackers t NOTE: https://gitlab.freedesktop.org/poppler/poppler/issues/706 NOTE: https://gitlab.freedesktop.org/poppler/poppler/commit/7b4e372deeb716eb3fe3a54b31ed41af759224f9 CVE-2019-3580 (OpenRefine through 3.1 allows arbitrary file write because Directory T ...) - NOT-FOR-US: OpenRefine + NOTE: OpenRefine issue not reproducible by upstream CVE-2019-3579 (MyBB 1.8.19 allows remote attackers to obtain sensitive information be ...) NOT-FOR-US: MyBB CVE-2019-3578 (MyBB 1.8.19 has XSS in the resetpassword function.) 
@@ -318894,7 +318896,7 @@ CVE-2018-20159 (i-doit open 1.11.2 allows Remote Code Execution because ZIP arch CVE-2018-20158 RESERVED CVE-2018-20157 (The data import functionality in OpenRefine through 3.1 allows an XML ...) - NOT-FOR-US: OpenRefine + - openrefine (Fixed before initial upload) CVE-2018-20156 (The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remot ...) NOT-FOR-US: WordPress plugin wp-maintenance-mode CVE-2018-20155 (The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remot ...) @@ -323843,7 +323845,7 @@ CVE-2018-19861 (Buffer overflow in MiniShare 1.4.1 and earlier allows remote att CVE-2018-19860 (Broadcom firmware before summer 2014 on Nexus 5 BCM4335C0 2012-12-11, ...) NOT-FOR-US: Broadcom components for Android CVE-2018-19859 (OpenRefine before 3.2 beta allows directory traversal via a relative p ...) - NOT-FOR-US: OpenRefine + - openrefine (Fixed before initial upload) CVE-2018-19858 (PrinceXML, versions 10 and below, is vulnerable to XXE due to the lack ...) NOT-FOR-US: PrinceXML CVE-2018-19857 (The CAF demuxer in modules/demux/caf.c in VideoLAN VLC media player 3. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4bc90306872108ed0ad95817bec483358d92766e
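Review bot: after this change CVE-2019-3580 has only `NOTE: OpenRefine issue not reproducible by upstream` and no package status line at all, while its siblings CVE-2018-20157 and CVE-2018-19859 were given `- openrefine (Fixed before initial upload)`. A CVE entry without a package line has no tracked status, so the tracker will treat it as untriaged; keep an `- openrefine` line with the appropriate not-affected marker and use the NOTE as the justification. As with other entries in this digest, `(Fixed before initial upload)` appears without the marker that normally precedes such a comment, which may just be the mail rendering.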
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 93eb48bb by Moritz Muehlenhoff at 2023-07-18T13:25:53+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,7 @@ CVE-2023-3179 (The POST SMTP Mailer WordPress plugin before 2.5.7 does not have CVE-2023-3041 (The Autochat Automatic Conversation WordPress plugin through 1.1.7 doe ...) NOT-FOR-US: WordPress plugin CVE-2023-38434 (xHTTP 72f812d has a double free in close_connection in xhttp.c via a m ...) - TODO: check + NOT-FOR-US: xHTTP CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/smb/serv ...) - linux 6.3.11-1 [bullseye] - linux (Vulnerable code not present) 
@@ -119,29 +119,29 @@ CVE-2023-37770 (faust commit ee39a19 was discovered to contain a stack overflow CVE-2023-37769 (stress-test master commit e4c878 was discovered to contain a FPE vulne ...) TODO: check CVE-2023-37479 (Open Enclave is a hardware-agnostic open source library for developing ...) - TODO: check + NOT-FOR-US: Open Enclave CVE-2023-37476 (OpenRefine is a free, open source tool for data processing. A carefull ...) TODO: check CVE-2023-37475 (Hamba avro is a go lang encoder/decoder implementation of the avro cod ...) - TODO: check + NOT-FOR-US: Hamba avro CVE-2023-37461 (Metersphere is an opensource testing framework. Files uploaded to Mete ...) - TODO: check + NOT-FOR-US: Metersphere CVE-2023-37266 (CasaOS is an open-source Personal Cloud system. Unauthenticated attack ...) - TODO: check + NOT-FOR-US: CasaOS CVE-2023-37265 (CasaOS is an open-source Personal Cloud system. Due to a lack of IP ad ...) - TODO: check + NOT-FOR-US: CasaOS CVE-2023-36656 (Cross Site Scripting (XSS) vulnerability in Jaegertracing Jaeger UI be ...) - TODO: check + NOT-FOR-US: Jaegertracing UI CVE-2023-36514 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Shippin ...) - TODO: check + NOT-FOR-US: WooCommerce plugin CVE-2023-36513 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Automat ...) - TODO: check + NOT-FOR-US: WooCommerce plugin CVE-2023-36511 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooComm ...) - TODO: check + NOT-FOR-US: WooCommerce plugin CVE-2023-35880 (Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooComm ...) - TODO: check + NOT-FOR-US: WooCommerce plugin CVE-2023-35818 (An issue was discovered on Espressif ESP32 3.0 (ESP32_rev300 ROM) devi ...) - TODO: check + NOT-FOR-US: Expressif CVE-2023-35096 (Cross-Site Request Forgery (CSRF) vulnerability in myCred plugin <=2.5 ...) NOT-FOR-US: WordPress plugin CVE-2023-35089 (Cross-Site Request Forgery (CSRF) vulnerability in Really Simple Plugi ...) 
@@ -187,7 +187,7 @@ CVE-2023-2959 (Authentication Bypass by Primary Weakness vulnerability in Oliva CVE-2023-2958 (Authorization Bypass Through User-Controlled Key vulnerability in Orig ...) NOT-FOR-US: Origin Software ATS Pro CVE-2023-2912 (Use After Free vulnerability in Secomea SiteManager Embedded allows Ob ...) - TODO: check + NOT-FOR-US: Secomea SiteManager Embedded CVE-2023-2701 (The Gravity Forms WordPress plugin before 2.7.5 does not escape genera ...) NOT-FOR-US: WordPress plugin CVE-2023-2636 (The AN_GradeBook WordPress plugin through 5.0.1 does not properly sani ...) @@ -88902,7 +88902,7 @@ CVE-2022-30860 (FUDforum 3.1.2 is vulnerable to Remote Code Execution through Up CVE-2022-30859 RESERVED CVE-2022-30858 (An issue was discovered in ngiflib 0.4. There is SEGV in SDL_LoadAnima ...) - TODO: check + NOT-FOR-US: ngiflib CVE-2022-30857 RESERVED CVE-2022-30856 @@ -128379,7 +128379,7 @@ CVE-2021-43074 (An improper verification of cryptographic signature vulnerabilit CVE-2021-43073 (A improper neutralization of special elements used in an os command (' ...) NOT-FOR-US: FortiGuard CVE-2021-43072 (A buffer copy without checking size of input ('classic buffer overflow ...) - TODO: check + NOT-FOR-US: Fortinet CVE-2021-43071 (A heap-based buffer overflow in Fortinet FortiWeb version 6.4.1 and 6. ...) NOT-FOR-US: FortiGuard CVE-2021-43070 (Multiple relative path traversal vulnerabilities [CWE-23] in FortiWLM ...) @@ -144379,11 +144379,11 @@ CVE-2021-37388 (A buffer overflow in D-Link DIR-615 C2 3.03WW. The ping_ipaddr p CVE-2021-37387 RESERVED CVE-2021-37386 (Furukawa 423-41W/AC before v1.1.4 and LD421-21W before v1.3.3 were dis ...) - TODO: check + NOT-FOR-US: Furukawa CVE-2021-37385 RESERVED CVE-2021-37384 (A remote command execution (RCE) vulnerability in the web interface
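Review bot: `NOT-FOR-US: Expressif` for CVE-2023-35818 misspells the vendor; the CVE description on the same entry reads `Espressif ESP32`, so the tag should be `NOT-FOR-US: Espressif`. NFU tags are what later triage searches for, so a misspelled one makes this entry hard to find when the next ESP32 issue arrives. The remaining conversions in these hunks match their descriptions (Open Enclave, Hamba avro, Metersphere, CasaOS, WooCommerce, Secomea, ngiflib, Fortinet, Furukawa), and CVE-2023-37476 (OpenRefine) is rightly left at `TODO: check` rather than tagged NFU.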
[Git][security-tracker-team/security-tracker][master] new wolfssl issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b590b7e by Moritz Muehlenhoff at 2023-07-18T13:20:16+02:00 new wolfssl issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-3724 (If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor ...) - TODO: check + - wolfssl + NOTE: https://github.com/wolfSSL/wolfssl/pull/6412 + NOTE: https://github.com/wolfSSL/wolfssl/commit/00f1eddee429ff51390b20caadd2eb6afe51e1aa CVE-2023-3714 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) NOT-FOR-US: WordPress plugin CVE-2023-3713 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b590b7e813ced00d078746314f9219b62e8445c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7b590b7e813ced00d078746314f9219b62e8445c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
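Review bot: the new wolfssl entry carries no fixed version and the commit NOTE lacks the upstream release that contains it, unlike the other entries in this list which annotate the NOTE with the release in parentheses (for example "(v6.4-rc3)" on the linux entries); a bare "- wolfssl" keeps unstable marked as affected until a version is added. Add the wolfssl release containing commit 00f1eddee429ff51390b20caadd2eb6afe51e1aa once it exists, and a [bookworm]/[bullseye] assessment so the stable releases are not left undecided.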
[Git][security-tracker-team/security-tracker][master] new linux issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7bc95fa2 by Moritz Muehlenhoff at 2023-07-18T13:15:08+02:00 new linux issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -85,7 +85,10 @@ CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/f1a411873c85b642f13b01f21b534c2bab81fc1b (v6.4-rc6) CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an ...) - TODO: check + - linux 6.3.7-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/02f76c401d17e409ed45bf7887148fcc22c93c85 (v6.4-rc3) CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) TODO: check CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, crafting and ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc95fa295924089595a4b83f07c1b4052ca0b4b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7bc95fa295924089595a4b83f07c1b4052ca0b4b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
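Review bot: the hunk annotates bullseye and buster as "Vulnerable code not present" but adds no [bookworm] line, so bookworm, whose kernel is older than the 6.3.7-1 fix version, is shown as affected until its status is recorded; if the v6.4-rc3 commit 02f76c401d17e409ed45bf7887148fcc22c93c85 was picked into the 6.1 stable series, a [bookworm] line with that fixed version belongs here, otherwise an explicit postponed or minor-issue tag.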
[Git][security-tracker-team/security-tracker][master] new linux issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 055efa7a by Moritz Muehlenhoff at 2023-07-18T13:12:22+02:00 new linux issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70,9 +70,15 @@ CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/1c1bcf2d3ea061613119b534f57507c377df20f9 (v6.4-rc6) CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/con ...) - TODO: check + - linux 6.3.7-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/443d61d1fa9faa60ef925513d83742902390100f (v6.4-rc3) CVE-2023-38428 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb ...) - TODO: check + - linux 6.3.7-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/f0a96d1aafd8964e1f9955c830a3e5cb3c60a90f (v6.4-rc3) CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - linux 6.3.11-1 [bullseye] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/055efa7a14a8d3886797adaef007e9fcb4b984b9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/055efa7a14a8d3886797adaef007e9fcb4b984b9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
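Review bot: both new entries cite mainline commits tagged v6.4-rc3 while the fixed Debian version is 6.3.7-1 and the descriptions say "before 6.3.4", so the fix reached Debian through the 6.3.y stable series rather than through the referenced mainline commits; recording the stable backport, or at least the upstream "fixed in 6.3.4" range, next to the mainline NOTE would let the bookworm 6.1.y check be done from the entry alone without re-reading the CVE text.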
[Git][security-tracker-team/security-tracker][master] new linux issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d9001d3 by Moritz Muehlenhoff at 2023-07-18T13:05:23+02:00 new linux issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -56,18 +56,28 @@ CVE-2023-38434 (xHTTP 72f812d has a double free in close_connection in xhttp.c v TODO: check CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/smb/serv ...) - linux 6.3.11-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d (v6.4) CVE-2023-38431 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - linux 6.3.11-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/368ba06881c395f1c9a7ba22203cf8d78b4addc0 (v6.4-rc6) CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd does n ...) - TODO: check + - linux 6.3.11-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/1c1bcf2d3ea061613119b534f57507c377df20f9 (v6.4-rc6) CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/con ...) TODO: check CVE-2023-38428 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb ...) TODO: check CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - TODO: check + - linux 6.3.11-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/f1a411873c85b642f13b01f21b534c2bab81fc1b (v6.4-rc6) CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an ...) TODO: check CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) 
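Review bot: this hunk completes CVE-2023-38430 and CVE-2023-38427 and adds the bullseye/buster "Vulnerable code not present" lines to CVE-2023-38432 and CVE-2023-38431, but leaves CVE-2023-38429, -38428 and -38426 at "TODO: check" even though they are ksmbd issues in the same fs/ksmbd tree with the same older-release reasoning; the later commits on this page do fill them in, but triaging the whole ksmbd batch in one commit avoids an intermediate state where half of the set is assessed and half is not.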
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d9001d358bd5b6eb19a647dfc8c72c50178c0ff
[Git][security-tracker-team/security-tracker][master] new chef issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4c104660 by Moritz Muehlenhoff at 2023-07-18T12:54:17+02:00 new chef issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15472,7 +15472,7 @@ CVE-2023-28866 (In the Linux kernel through 6.2.8, net/bluetooth/hci_sync.c allo CVE-2023-28865 RESERVED CVE-2023-28864 (Progress Chef Infra Server before 15.7 allows a local attacker to expl ...) - TODO: check + - chef CVE-2023-28863 (AMI MegaRAC SPx12 and SPx13 devices have Insufficient Verification of ...) NOT-FOR-US: AMI CVE-2023-28862 (An issue was discovered in LemonLDAP::NG before 2.16.1. Weak session I ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c1046604306ba55e629865842e64a915c53801a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4c1046604306ba55e629865842e64a915c53801a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
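Review bot: the description names Progress Chef Infra Server before 15.7, but the entry is assigned to the source package chef with no fixed version, no bug number and no NOTE pointing at the upstream advisory; add a reference showing that the affected server-side code is actually shipped by the Debian chef source (or mark the entry NOT-FOR-US if only client-side code is packaged) so the assignment can be verified by the next person who looks at it.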
[Git][security-tracker-team/security-tracker][master] new linux issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6c8c9606 by Moritz Muehlenhoff at 2023-07-18T12:52:51+02:00 new linux issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,9 +55,11 @@ CVE-2023-3041 (The Autochat Automatic Conversation WordPress plugin through 1.1. CVE-2023-38434 (xHTTP 72f812d has a double free in close_connection in xhttp.c via a m ...) TODO: check CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/smb/serv ...) - TODO: check + - linux 6.3.11-1 + NOTE: https://git.kernel.org/linus/2b9b8f3b68edb3d67d79962f02e26dbb5ae3808d (v6.4) CVE-2023-38431 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) - TODO: check + - linux 6.3.11-1 + NOTE: https://git.kernel.org/linus/368ba06881c395f1c9a7ba22203cf8d78b4addc0 (v6.4-rc6) CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd does n ...) TODO: check CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/con ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c8c9606e93b09c3ec2210c3c7b9436872fc70cc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6c8c9606e93b09c3ec2210c3c7b9436872fc70cc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
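Review bot: CVE-2023-38432 and CVE-2023-38431 receive the fixed version 6.3.11-1 and a mainline commit reference but no bullseye/buster annotation, which leaves both releases shown as affected until the follow-up commit adds "Vulnerable code not present"; once the fix version is known, the older-release lines are cheap to add in the same change, as the later commit on this page does.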
[Git][security-tracker-team/security-tracker][master] iperf3 CVEfied
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 4ded1fe2 by Moritz Muehlenhoff at 2023-07-18T12:43:58+02:00 iperf3 CVEfied - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -75,7 +75,10 @@ CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, craftin CVE-2023-38404 (The XPRTLD web application in Veritas InfoScale Operations Manager (VI ...) NOT-FOR-US: Veritas InfoScale CVE-2023-38403 (iperf3 before 3.14 allows peers to cause an integer overflow and heap ...) - TODO: check + {DSA-5455-1} + - iperf3 3.14-1 (bug #1040830) + NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc + NOTE: https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 (3.14) CVE-2023-37985 (Cross-Site Request Forgery (CSRF) vulnerability in FiveStarPlugins Res ...) NOT-FOR-US: WordPress themes CVE-2023-37974 (Cross-Site Request Forgery (CSRF) vulnerability in Justin Klein WP Soc ...) @@ -1374,12 +1377,6 @@ CVE-2023-36543 (Apache Airflow, versions before 2.6.3, has a vulnerability where - airflow (bug #819700) CVE-2023-35908 (Apache Airflow, versions before 2.6.3, is affected by a vulnerability ...) - airflow (bug #819700) -CVE-2023- [ESNET-SECADV-2023-0001: iperf3 memory allocation hazard and crash] - - iperf3 3.14-1 (bug #1040830) - [bookworm] - iperf3 3.12-1+deb12u1 - [bullseye] - iperf3 3.9-1+deb11u1 - NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc - NOTE: https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 (3.14) CVE-2023-3608 (A vulnerability was found in Ruijie BCR810W 2.5.10. It has been rated ...) NOT-FOR-US: Ruijie CVE-2023-3607 (A vulnerability was found in kodbox 1.26. It has been declared as crit ...) = data/DSA/list = 
@@ -1,4 +1,5 @@ [17 Jul 2023] DSA-5455-1 iperf3 - security update + {CVE-2023-38403} [bullseye] - iperf3 3.9-1+deb11u1 [bookworm] - iperf3 3.12-1+deb12u1 [16 Jul 2023] DSA-5454-1 kanboard - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ded1fe2bb8f3a736fe638321a675297cde89cfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4ded1fe2bb8f3a736fe638321a675297cde89cfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
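Review bot: the temporary CVE-2023- entry is removed together with its [bookworm] 3.12-1+deb12u1 and [bullseye] 3.9-1+deb11u1 lines, and those versions are not carried into the new CVE-2023-38403 entry; they are now provided only through the {DSA-5455-1} cross-reference, which the data/DSA/list hunk completes by adding {CVE-2023-38403} to the DSA. That is the tracker's normal layout, but it means both file changes must ship together, as done here, since the release status is only complete when both sides of the cross-reference exist.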
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 13c724e9 by Moritz Muehlenhoff at 2023-07-18T12:42:20+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,57 +1,57 @@ CVE-2023-3724 (If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor ...) TODO: check CVE-2023-3714 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3713 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3709 (The Royal Elementor Addons plugin for WordPress is vulnerable to unaut ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3708 (Several themes for WordPress by DeoThemes are vulnerable to Reflected ...) - TODO: check + NOT-FOR-US: WordPress themes CVE-2023-3615 (Mattermost iOS app failsto properlyvalidate the server certificate whi ...) - TODO: check + NOT-FOR-US: Mattermost iOS app CVE-2023-3614 (Mattermost fails to properly validate a gif image file, allowing an at ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3613 (Mattermost WelcomeBot plugin fails to to validate the membership statu ...) - TODO: check + NOT-FOR-US: Mattermost plugin CVE-2023-3593 (Mattermost fails to properly validate markdown, allowing an attacker t ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3591 (Mattermost fails to invalidate previously generated password reset tok ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3590 (Mattermostfails to delete card attachments in Boards, allowing an atta ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3587 (Mattermost fails to properly show information in the UI, allowing a sy ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3586 (Mattermost fails to disablepublic Boards after the "Enable Publicly-Sh ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3585 (Mattermost Boards fail to properly validate a board link, allowing an ...) 
- TODO: check + - mattermost-server (bug #823556) CVE-2023-3584 (Mattermost fails to properly check the authorization ofPOST /api/v4/te ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3582 (Mattermost fails to verify channel membership when linking a board to ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3581 (Mattermost fails to properly validate the origin of a websocket connec ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3577 (Mattermost fails to properly restrict requests tolocalhost/intranet du ...) - TODO: check + - mattermost-server (bug #823556) CVE-2023-3459 (The Export and Import Users and Customers plugin for WordPress is vuln ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3418 (The Querlo Chatbot WordPress plugin through 1.2.4 does not escape or s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3403 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3376 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3245 (The Floating Chat Widget WordPress plugin before 3.1.2 does not saniti ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3186 (The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3182 (The Membership WordPress plugin before 3.2.3 does not sanitise and esc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3179 (The POST SMTP Mailer WordPress plugin before 2.5.7 does not have prope ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-3041 (The Autochat Automatic Conversation WordPress plugin through 1.1.7 doe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-38434 (xHTTP 72f812d has a double free in close_connection in xhttp.c via a m ...) 
TODO: check CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/smb/serv ...) @@ -71,23 +71,23 @@ CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) TODO: check CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, crafting and ...) - TODO: check + NOT-FOR-US: Creston CVE-2023-38404
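Review bot: "NOT-FOR-US: Creston" for CVE-2023-38405 misspells the vendor; the description reads "Crestron 3-Series Control Systems", so the tag should be "NOT-FOR-US: Crestron". The split in the same hunk between the server issues (assigned to mattermost-server with bug #823556) and the iOS app and WelcomeBot plugin (NOT-FOR-US) is the right one and needs no change.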
[Git][security-tracker-team/security-tracker][master] add fixed versions in bookworm/bullseye for temp iperf3 issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 168d6b9e by Moritz Muehlenhoff at 2023-07-18T12:33:17+02:00 add fixed versions in bookworm/bullseye for temp iperf3 issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1376,6 +1376,8 @@ CVE-2023-35908 (Apache Airflow, versions before 2.6.3, is affected by a vulnerab - airflow (bug #819700) CVE-2023- [ESNET-SECADV-2023-0001: iperf3 memory allocation hazard and crash] - iperf3 3.14-1 (bug #1040830) + [bookworm] - iperf3 3.12-1+deb12u1 + [bullseye] - iperf3 3.9-1+deb11u1 NOTE: https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc NOTE: https://github.com/esnet/iperf/commit/0ef151550d96cc4460f98832df84b4a1e87c65e9 (3.14) CVE-2023-3608 (A vulnerability was found in Ruijie BCR810W 2.5.10. It has been rated ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/168d6b9e087c1f969a4813eeb583cbb5216fec2d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/168d6b9e087c1f969a4813eeb583cbb5216fec2d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
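Review bot: the fixed versions 3.12-1+deb12u1 and 3.9-1+deb11u1 are added to a placeholder entry with no CVE id, so they cannot be linked from the DSA-5455-1 entry in data/DSA/list, which is where release versions for DSA-fixed issues normally live; once CVE-2023-38403 is assigned (it already appears as "TODO: check" in the automatic update further down this page) the placeholder should be folded into the real entry and the versions moved to the DSA line rather than kept in two places.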
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2d946575 by security tracker role at 2023-07-18T08:12:05+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,181 @@ +CVE-2023-3724 (If a TLS 1.3 client gets neither a PSK (pre shared key) extension nor ...) + TODO: check +CVE-2023-3714 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) + TODO: check +CVE-2023-3713 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) + TODO: check +CVE-2023-3709 (The Royal Elementor Addons plugin for WordPress is vulnerable to unaut ...) + TODO: check +CVE-2023-3708 (Several themes for WordPress by DeoThemes are vulnerable to Reflected ...) + TODO: check +CVE-2023-3615 (Mattermost iOS app failsto properlyvalidate the server certificate whi ...) + TODO: check +CVE-2023-3614 (Mattermost fails to properly validate a gif image file, allowing an at ...) + TODO: check +CVE-2023-3613 (Mattermost WelcomeBot plugin fails to to validate the membership statu ...) + TODO: check +CVE-2023-3593 (Mattermost fails to properly validate markdown, allowing an attacker t ...) + TODO: check +CVE-2023-3591 (Mattermost fails to invalidate previously generated password reset tok ...) + TODO: check +CVE-2023-3590 (Mattermostfails to delete card attachments in Boards, allowing an atta ...) + TODO: check +CVE-2023-3587 (Mattermost fails to properly show information in the UI, allowing a sy ...) + TODO: check +CVE-2023-3586 (Mattermost fails to disablepublic Boards after the "Enable Publicly-Sh ...) + TODO: check +CVE-2023-3585 (Mattermost Boards fail to properly validate a board link, allowing an ...) + TODO: check +CVE-2023-3584 (Mattermost fails to properly check the authorization ofPOST /api/v4/te ...) + TODO: check +CVE-2023-3582 (Mattermost fails to verify channel membership when linking a board to ...) + TODO: check +CVE-2023-3581 (Mattermost fails to properly validate the origin of a websocket connec ...) + TODO: check +CVE-2023-3577 (Mattermost fails to properly restrict requests tolocalhost/intranet du ...) 
+ TODO: check +CVE-2023-3459 (The Export and Import Users and Customers plugin for WordPress is vuln ...) + TODO: check +CVE-2023-3418 (The Querlo Chatbot WordPress plugin through 1.2.4 does not escape or s ...) + TODO: check +CVE-2023-3403 (The ProfileGrid plugin for WordPress is vulnerable to unauthorized mod ...) + TODO: check +CVE-2023-3376 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3245 (The Floating Chat Widget WordPress plugin before 3.1.2 does not saniti ...) + TODO: check +CVE-2023-3186 (The Popup by Supsystic WordPress plugin before 1.10.19 has a prototype ...) + TODO: check +CVE-2023-3182 (The Membership WordPress plugin before 3.2.3 does not sanitise and esc ...) + TODO: check +CVE-2023-3179 (The POST SMTP Mailer WordPress plugin before 2.5.7 does not have prope ...) + TODO: check +CVE-2023-3041 (The Autochat Automatic Conversation WordPress plugin through 1.1.7 doe ...) + TODO: check +CVE-2023-38434 (xHTTP 72f812d has a double free in close_connection in xhttp.c via a m ...) + TODO: check +CVE-2023-38432 (An issue was discovered in the Linux kernel before 6.3.10. fs/smb/serv ...) + TODO: check +CVE-2023-38431 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) + TODO: check +CVE-2023-38430 (An issue was discovered in the Linux kernel before 6.3.9. ksmbd does n ...) + TODO: check +CVE-2023-38429 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/con ...) + TODO: check +CVE-2023-38428 (An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/smb ...) + TODO: check +CVE-2023-38427 (An issue was discovered in the Linux kernel before 6.3.8. fs/smb/serve ...) + TODO: check +CVE-2023-38426 (An issue was discovered in the Linux kernel before 6.3.4. ksmbd has an ...) + TODO: check +CVE-2023-38409 (An issue was discovered in set_con2fb_map in drivers/video/fbdev/core/ ...) 
+ TODO: check +CVE-2023-38405 (On Crestron 3-Series Control Systems before 1.8001.0187, crafting and ...) + TODO: check +CVE-2023-38404 (The XPRTLD web application in Veritas InfoScale Operations Manager (VI ...) + TODO: check +CVE-2023-38403 (iperf3 before 3.14 allows peers to cause an integer overflow and heap ...) + TODO: check +CVE-2023-37985 (Cross-Site Request Forgery (CSRF) vulnerability in FiveStarPlugins Res ...) + TODO: check +CVE-2023-37974 (Cross-Site Request Forgery (CSRF) vulnerability in Justin Klein WP Soc ...) + TODO: check
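Review bot: the import adds CVE-2023-38403 for iperf3 as "TODO: check" while the list still carries the temporary "CVE-2023- [ESNET-SECADV-2023-0001: iperf3 ...]" entry with the Debian fixed versions, so the same issue is now present twice; the triage pass should replace the placeholder with this CVE id rather than assess both. The missing spaces in the Mattermost descriptions ("failsto properlyvalidate", "ofPOST", "tolocalhost") are inherited from the imported CVE text, not local typos, and need no hand edit here.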
[Git][security-tracker-team/security-tracker][master] 2 commits: xrdp commit references
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e3ce346 by Moritz Muehlenhoff at 2023-07-18T09:54:50+02:00 xrdp commit references - - - - - 7027f2af by Moritz Muehlenhoff at 2023-07-18T09:54:50+02:00 requests fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6324,7 +6324,7 @@ CVE-2023-32685 (Kanboard is project management software that focuses on the Kanb NOTE: https://github.com/kanboard/kanboard/security/advisories/GHSA-hjmw-gm82-r4gv CVE-2023-32681 (Requests is a HTTP library. Since Requests 2.3.0, Requests has been le ...) {DLA-3456-1} - - requests (bug #1036693) + - requests 2.31.0+dfsg-1 (bug #1036693) [bookworm] - requests (Minor issue) [bullseye] - requests (Minor issue) NOTE: https://github.com/psf/requests/security/advisories/GHSA-j8r2-6x86-q33q @@ -111303,6 +111303,7 @@ CVE-2022-23493 (xrdp is an open source project which provides a graphical login {DLA-3370-1} - xrdp 0.9.21.1-1 (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-59wp-3wq6-jh5v + NOTE: https://github.com/neutrinolabs/xrdp/commit/030db5524be7616967ae9e7d26b3d4477cf6082d CVE-2022-23492 (go-libp2p is the offical libp2p implementation in the Go programming l ...) NOT-FOR-US: go-libp2p CVE-2022-23491 (Certifi is a curated collection of Root Certificates for validating th ...) 
@@ -111325,10 +111326,12 @@ CVE-2022-23484 (xrdp is an open source project which provides a graphical login {DLA-3370-1} - xrdp 0.9.21.1-1 (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rqfx-5fv8-q9c6 + NOTE: https://github.com/neutrinolabs/xrdp/commit/c2c6efb1d377be6baaa4acbc9d3700490fe92887 CVE-2022-23483 (xrdp is an open source project which provides a graphical login to rem ...) {DLA-3370-1} - xrdp 0.9.21.1-1 (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-38rw-9ch2-fcxq + NOTE: https://github.com/neutrinolabs/xrdp/commit/35cca701c753db65d3c05b7ea4fff9bd09e76661 CVE-2022-23482 (xrdp is an open source project which provides a graphical login to rem ...) {DLA-3375-1} - xrdp 0.9.21.1-1 (bug #1025879) @@ -111348,14 +111351,17 @@ CVE-2022-23479 (xrdp is an open source project which provides a graphical login {DLA-3370-1} - xrdp 0.9.21.1-1 (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-pgx2-3fjj-fqqh + NOTE: https://github.com/neutrinolabs/xrdp/commit/60864014b733c10881c078048560858067fe5d0f CVE-2022-23478 (xrdp is an open source project which provides a graphical login to rem ...) {DLA-3370-1} - xrdp 0.9.21.1-1 (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-2f49-wwpm-78pj + NOTE: https://github.com/neutrinolabs/xrdp/commit/6cb54a1c26b53617e1c79a0abc96d03c4add1eb8 CVE-2022-23477 (xrdp is an open source project which provides a graphical login to rem ...) - xrdp 0.9.21.1-1 (bug #1025879) [buster] - xrdp (Code not present) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-hqw2-jx2c-wrr2 + NOTE: https://github.com/neutrinolabs/xrdp/commit/96afae1ec559f9befa1c222f92f0d982e410c864 CVE-2022-23476 (Nokogiri is an open source XML and HTML library for the Ruby programmi ...) - ruby-nokogiri 1.13.10+dfsg-1 [bullseye] - ruby-nokogiri (Introduced in 1.13.8) 
@@ -111383,6 +111389,7 @@ CVE-2022-23468 (xrdp is an open source project which provides a graphical login {DLA-3370-1} - xrdp 0.9.21.1-1 (bug #1025879) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8c2f-mw8m-qpx6 + NOTE: https://github.com/neutrinolabs/xrdp/commit/43cf272b1138462c1bdfc48ef7e9142208194382 CVE-2022-23467 (OpenRazer is an open source driver and user-space daemon to control Ra ...) - openrazer 3.5.1+dfsg-1 [bullseye] - openrazer (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a0e9dba76e7cf415a884a3d6b46bb661e5b4537...7027f2af78a427925b46b685d8610d2530a1c29b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/4a0e9dba76e7cf415a884a3d6b46bb661e5b4537...7027f2af78a427925b46b685d8610d2530a1c29b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
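Review bot: in the requests hunk, sid gets the fixed version 2.31.0+dfsg-1 while bookworm and bullseye stay at "(Minor issue)" even though buster already received {DLA-3456-1} for the same CVE; if the issue merited an LTS update, a short NOTE on why the newer releases only need a point-release fix (or none) would save the next reader from asking.

Review bot: the xrdp hunks only add commit references beside the existing advisory links, which is fine; CVE-2022-23482 ({DLA-3375-1}) sits between them without a new commit NOTE in the visible context, so check whether it was skipped or already had one outside the context shown.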
[Git][security-tracker-team/security-tracker][master] LTS: claim libapache2-mod-auth-openidc in dla-needed.txt
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a0e9dba by Guilhem Moulin at 2023-07-18T09:43:40+02:00 LTS: claim libapache2-mod-auth-openidc in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -84,7 +84,7 @@ imagemagick -- iperf3 (Markus Koschany) -- -libapache2-mod-auth-openidc +libapache2-mod-auth-openidc (guilhem) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0e9dba76e7cf415a884a3d6b46bb661e5b4537 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a0e9dba76e7cf415a884a3d6b46bb661e5b4537 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] re-claim libreoffice and update notes
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: b6f4ba4b by Abhijith PA at 2023-07-18T12:06:25+05:30 re-claim libreoffice and update notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -88,8 +88,10 @@ libapache2-mod-auth-openidc NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: Follow fix from bullseye 11.7 (CVE-2022-23527) + 1 postponed CVE-2021-39191 (Beuc/front-desk) -- -libreoffice +libreoffice (Abhijith PA) NOTE: 20230530: Added by Front-Desk (pochu) + NOTE: 20230718: http://people.debian.org/~abhijith/upload/lo (abhijith) + NOTE: 20230718: CVE-2023-2255.diff fails to build. (abhijith) -- linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f4ba4b6fb0c1af310ad698a36340cae734a07c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b6f4ba4b6fb0c1af310ad698a36340cae734a07c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
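Review bot: the note "CVE-2023-2255.diff fails to build" records the failure but neither the cause nor which upstream change the diff was derived from; adding the upstream commit id or the first lines of the build error next to the upload URL would let whoever picks this up next reproduce the problem without redoing the work.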