[Git][security-tracker-team/security-tracker][master] Re-associate some older NFUs to now packaged matrix-sydent
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b29b5232 by Salvatore Bonaccorso at 2023-08-05T08:03:28+02:00 Re-associate some older NFUs to now packaged matrix-sydent - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -167209,13 +167209,17 @@ CVE-2021-29435 (trestle-auth is an authentication plugin for the Trestle admin f CVE-2021-29434 (Wagtail is a Django content management system. In affected versions of ...) NOT-FOR-US: wagtail CVE-2021-29433 (Sydent is a reference Matrix identity server. In Sydent versions 2.2.0 ...) - NOT-FOR-US: Matrix Sydent + - matrix-sydent (Fixed before initial upload to Debian) + NOTE: https://github.com/matrix-org/sydent/security/advisories/GHSA-pw4v-gr34-2553 CVE-2021-29432 (Sydent is a reference matrix identity server. A malicious user could a ...) - NOT-FOR-US: Matrix Sydent + - matrix-sydent (Fixed before initial upload to Debian) + NOTE: https://github.com/matrix-org/sydent/security/advisories/GHSA-mh74-4m5g-fcjx CVE-2021-29431 (Sydent is a reference Matrix identity server. Sydent can be induced to ...) - NOT-FOR-US: Matrix Sydent + - matrix-sydent (Fixed before initial upload to Debian) + NOTE: https://github.com/matrix-org/sydent/security/advisories/GHSA-9jhm-8m8c-c3f4 CVE-2021-29430 (Sydent is a reference Matrix identity server. Sydent does not limit th ...) - NOT-FOR-US: Matrix Sydent + - matrix-sydent (Fixed before initial upload to Debian) + NOTE: https://github.com/matrix-org/sydent/security/advisories/GHSA-wmg4-8cp2-hpg9 CVE-2021-29429 (In Gradle before version 7.0, files created with open permissions in t ...) - gradle (bug #987284) [bookworm] - gradle (Minor issue) 
@@ -297953,7 +297957,7 @@ CVE-2019-11342 CVE-2019-11341 (On certain Samsung P(9.0) phones, an attacker with physical access can ...) NOT-FOR-US: Samsung CVE-2019-11340 (util/emailutils.py in Matrix Sydent before 1.0.2 mishandles registrati ...) - NOT-FOR-US: Matrix Sydent + - matrix-sydent (Fixed before initial upload to Debian) CVE-2019-11339 (The studio profile decoder in libavcodec/mpeg4videodec.c in FFmpeg 4.0 ...) - ffmpeg 7:4.1.3-1 [stretch] - ffmpeg (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29b52322e61d3cc3c0eb908ddf717f41cebe39b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b29b52322e61d3cc3c0eb908ddf717f41cebe39b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
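Review bot: the second hunk (@@ -297953) re-associates CVE-2019-11340 to matrix-sydent with "(Fixed before initial upload to Debian)" but, unlike the four 2021 entries in the first hunk, records no NOTE pointing at the upstream advisory or fix. The truncated description only gives "util/emailutils.py in Matrix Sydent before 1.0.2", so a NOTE with the upstream 1.0.2 fix reference would let the "fixed before initial upload" claim be verified later without re-deriving which version first shipped in Debian.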
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-38686/matrix-sydent
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5208e6c6 by Salvatore Bonaccorso at 2023-08-05T07:58:04+02:00 Add CVE-2023-38686/matrix-sydent - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -56,7 +56,10 @@ CVE-2023-38689 (Logistics Pipes is a modification (a.k.a. mod) for the computer CVE-2023-38688 (twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, ...) TODO: check CVE-2023-38686 (Sydent is an identity server for the Matrix communications protocol. P ...) - TODO: check + - matrix-sydent + NOTE: https://github.com/matrix-org/sydent/pull/574 + NOTE: https://github.com/matrix-org/sydent/commit/1cd748307c6b168b66154e6c4db715d4b9551261 (v2.5.6) + NOTE: https://github.com/matrix-org/sydent/security/advisories/GHSA-p6hw-wm59-3g5g CVE-2023-38494 (MeterSphere is an open-source continuous testing platform. Prior to ve ...) TODO: check CVE-2023-38487 (HedgeDoc is software for creating real-time collaborative markdown not ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5208e6c6c8bebb2a757d2ccbcd02ba41b17388cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5208e6c6c8bebb2a757d2ccbcd02ba41b17388cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
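Review bot: the package line "- matrix-sydent" carries neither a fixed Debian version nor a bug reference, and there is no [bookworm] or [bullseye] line, although the NOTE already pins the upstream fix ("commit/1cd748307c6b168b66154e6c4db715d4b9551261 (v2.5.6)"). Other entries in data/CVE/list use "(bug #<number>)" on the package line (see "gradle (bug #987284)" in the context of the previous commit on this page) plus per-release tags; the entry should say whether the stable releases ship an affected version and, once a bug is filed, carry "(bug #<number>)" (placeholder, the number is not on this page).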
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4135/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 790f8572 by Salvatore Bonaccorso at 2023-08-05T07:57:26+02:00 Add CVE-2023-4135/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,7 +5,14 @@ CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository omeka/om CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s prior to ...) NOT-FOR-US: omeka-s CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual nvme de ...) - TODO: check + - qemu + [bookworm] - qemu (Vulnerable code not present) + [bullseye] - qemu (Vulnerable code not present) + [buster] - qemu (Vulnerable code not present) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2229101 + NOTE: https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521 + NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/73064edfb864743cde2c08f319609344af02aeb3 (v8.0.0-rc0) + NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00516.html CVE-2023-39552 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) NOT-FOR-US: PHPGurukul Online Security Guards Hiring System CVE-2023-39551 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/790f8572ca836bd6545c16c40dda7f9c0db07d1f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/790f8572ca836bd6545c16c40dda7f9c0db07d1f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
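Review bot: the three "Vulnerable code not present" tags for bookworm, bullseye and buster rest on the "Introduced by: ... (v8.0.0-rc0)" NOTE, which is the right justification, but the unstable line "- qemu" has no fixed version because the fix is only a "Proposed patch" on qemu-devel. When the patch is merged, replace that NOTE with the upstream commit URL and tag (in the same form as the "Introduced by" line) and add the fixed Debian version; otherwise the entry stays open with a stale mailing-list pointer and the next triager has to re-find the commit.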
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9637067f by Salvatore Bonaccorso at 2023-08-05T07:56:43+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,37 +1,37 @@ CVE-2023-4159 (Unrestricted Upload of File with Dangerous Type in GitHub repository o ...) - TODO: check + NOT-FOR-US: omeka-s CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s ...) - TODO: check + NOT-FOR-US: omeka-s CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s prior to ...) - TODO: check + NOT-FOR-US: omeka-s CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual nvme de ...) TODO: check CVE-2023-39552 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) - TODO: check + NOT-FOR-US: PHPGurukul Online Security Guards Hiring System CVE-2023-39551 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) - TODO: check + NOT-FOR-US: PHPGurukul Online Security Guards Hiring System CVE-2023-39379 (Fujitsu Software Infrastructure Manager (ISM) stores sensitive informa ...) - TODO: check + NOT-FOR-US: Fujitsu Software Infrastructure Manager (ISM) CVE-2023-39344 (social-media-skeleton is an uncompleted social media project. A SQL in ...) - TODO: check + NOT-FOR-US: social-media-skeleton CVE-2023-39143 (PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path trave ...) - TODO: check + NOT-FOR-US: PaperCut CVE-2023-39112 (ECShop v4.1.16 contains an arbitrary file deletion vulnerability in th ...) - TODO: check + NOT-FOR-US: ECShop CVE-2023-39107 (An arbitrary file overwrite vulnerability in NoMachine Free Edition an ...) TODO: check CVE-2023-38964 (Creative Item Academy LMS 6.0 was discovered to contain a cross-site s ...) - TODO: check + NOT-FOR-US: Creative Item Academy LMS CVE-2023-38707 REJECTED CVE-2023-38702 (Knowage is an open source analytics and business intelligence suite. S ...) - TODO: check + NOT-FOR-US: Knowage CVE-2023-38700 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to ver ...) TODO: check CVE-2023-38699 (MindsDB's AI Virtual Database allows developers to connect any AI/ML m ...) 
TODO: check CVE-2023-38698 (Ethereum Name Service (ENS) is a distributed, open, and extensible nam ...) - TODO: check + NOT-FOR-US: Ethereum Name Service (ENS) CVE-2023-38697 (protocol-http1 provides a low-level implementation of the HTTP/1 proto ...) TODO: check CVE-2023-38696 @@ -53,9 +53,9 @@ CVE-2023-38686 (Sydent is an identity server for the Matrix communications proto CVE-2023-38494 (MeterSphere is an open-source continuous testing platform. Prior to ve ...) TODO: check CVE-2023-38487 (HedgeDoc is software for creating real-time collaborative markdown not ...) - TODO: check + NOT-FOR-US: HedgeDoc CVE-2023-38332 (Zoho ManageEngine ADManager Plus through 7201 allow authenticated user ...) - TODO: check + NOT-FOR-US: Zoho ManageEngine CVE-2023-37896 (Nuclei is a vulnerability scanner. Prior to version 2.9.9, a security ...) TODO: check CVE-2023-37470 (Metabase is an open-source business intelligence and analytics platfor ...) 
@@ -63,9 +63,9 @@ CVE-2023-37470 (Metabase is an open-source business intelligence and analytics p CVE-2023-36480 (The Aerospike Java client is a Java application that implements a netw ...) TODO: check CVE-2023-34038 (VMware Horizon Server contains an information disclosure vulnerability ...) - TODO: check + NOT-FOR-US: VMware CVE-2023-34037 (VMware Horizon Server contains a HTTP request smuggling vulnerability. ...) - TODO: check + NOT-FOR-US: VMware CVE-2023-33379 (Connected IO v2.1.0 and prior has a misconfiguration in their MQTT bro ...) TODO: check CVE-2023-33378 (Connected IO v2.1.0 and prior has an argument injection vulnerability ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9637067f311fb2d7fbf5a08ec4397cde2b42bb9f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9637067f311fb2d7fbf5a08ec4397cde2b42bb9f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
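Review bot: in the first hunk (@@ -1,37) CVE-2023-38700 (matrix-appservice-irc), CVE-2023-38699 and CVE-2023-38697 (protocol-http1) correctly stay at "TODO: check", since these are open-source components that need a package lookup rather than an NFU, but CVE-2023-39107 (NoMachine Free Edition) is the only vendor-product entry in the hunk left at TODO. NoMachine is distributed as a vendor binary and not packaged in Debian, so it should get NOT-FOR-US like its neighbours.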
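Review bot: in the third hunk (@@ -63,9) the two Connected IO entries (CVE-2023-33379, CVE-2023-33378) remain "TODO: check" although the descriptions name a vendor firmware product ("Connected IO v2.1.0 and prior has a misconfiguration in their MQTT bro ..."). The "automatic update" commit further down this page shows the same series continuing through CVE-2023-33372, so marking the whole block NOT-FOR-US in one pass would avoid re-triaging each id separately.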
[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2023-0007
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: 0acb0fe3 by Alberto Garcia at 2023-08-05T03:10:50+03:00 webkit2gtk / wpewebkit upstream advisory WSA-2023-0007 - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -922,11 +922,17 @@ CVE-2023-38604 (An out-of-bounds write issue was addressed with improved input v CVE-2023-38601 (This issue was addressed by removing the vulnerable code. This issue i ...) NOT-FOR-US: Apple CVE-2023-38599 (A logic issue was addressed with improved state management. This issue ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38598 (A use-after-free issue was addressed with improved memory management. ...) NOT-FOR-US: Apple CVE-2023-38592 (A logic issue was addressed with improved restrictions. This issue is ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38590 (A buffer overflow issue was addressed with improved memory handling. T ...) NOT-FOR-US: Apple CVE-2023-38571 (This issue was addressed with improved validation of symlinks. This is ...) 
@@ -1037,7 +1043,10 @@ CVE-2023-3956 (The InstaWP Connect plugin for WordPress is vulnerable to unautho CVE-2023-3451 REJECTED CVE-2023-38611 (The issue was addressed with improved memory handling. This issue is f ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38608 (The issue was addressed with additional permissions checks. This issue ...) NOT-FOR-US: Apple CVE-2023-38606 (This issue was addressed with improved state management. This issue is ...) 
@@ -1047,19 +1056,34 @@ CVE-2023-38603 (The issue was addressed with improved checks. This issue is fixe CVE-2023-38602 (A permissions issue was addressed with additional restrictions. This i ...) NOT-FOR-US: Apple CVE-2023-38600 (The issue was addressed with improved checks. This issue is fixed in i ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38597 (The issue was addressed with improved checks. This issue is fixed in i ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38595 (The issue was addressed with improved checks. This issue is fixed in i ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38594 (The issue was addressed with improved checks. This issue is fixed in i ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38593 (A logic issue was addressed with improved checks. This issue is fixed ...) NOT-FOR-US: Apple CVE-2023-38580 (The issue was addressed with improved memory handling. This issue is f ...) NOT-FOR-US: Apple CVE-2023-38572 (The issue was addressed with improved checks. This issue is fixed in i ...) 
- NOT-FOR-US: Apple + - webkit2gtk 2.40.5-1 + - wpewebkit 2.40.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + NOTE: https://webkitgtk.org/security/WSA-2023-0007.html CVE-2023-38565 (A path handling issue was addressed with improved validation. This iss ...) NOT-FOR-US: Apple CVE-2023-38564 (The issue was addressed with improved checks. This issue is fixed in m ...) @@ -1084,7 +1108,10 @@ CVE-2023-38258 (The issue was addressed with improved checks. This issue is fixe CVE-2023-38136 (The issue was addressed with improved memory handling. This issue is f ...) NOT-FOR-US: Apple CVE-2023-38133 (The issue was addressed with improved checks. This issue is fixed in i ...) - NOT-FOR-US: Apple + - webkit2gtk 2.40.5-
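Review bot: every re-associated entry in these hunks carries "[bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm)" but no [bullseye] line for either package. If wpewebkit or webkit2gtk in bullseye are affected by WSA-2023-0007, a "[bullseye] - ..." line with the fixed version or the same support-status remark is needed, otherwise the tracker reports bullseye as unfixed and unrated for all of these CVEs. The data/dsa-needed.txt part of this commit is cut off on this page, so whether the bookworm webkit2gtk update is being tracked there cannot be checked from the visible lines.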
[Git][security-tracker-team/security-tracker][master] dla: take poppler
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abf0b412 by Adrian Bunk at 2023-08-04T23:26:38+03:00 dla: take poppler - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -127,7 +127,7 @@ openssl (gladk) pdfcrack (Adrian Bunk) NOTE: 20230731: Added by Front-Desk (apo) -- -poppler +poppler (Adrian Bunk) NOTE: 20230804: Added by Front-Desk (gladk) -- python-glance-store View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf0b412a77599ea6174d1bb1700a75d9ee24605 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abf0b412a77599ea6174d1bb1700a75d9ee24605 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0984464e by security tracker role at 2023-08-04T20:12:28+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,89 @@ +CVE-2023-4159 (Unrestricted Upload of File with Dangerous Type in GitHub repository o ...) + TODO: check +CVE-2023-4158 (Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s ...) + TODO: check +CVE-2023-4157 (Improper Input Validation in GitHub repository omeka/omeka-s prior to ...) + TODO: check +CVE-2023-4135 (A heap out-of-bounds memory read flaw was found in the virtual nvme de ...) + TODO: check +CVE-2023-39552 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) + TODO: check +CVE-2023-39551 (PHPGurukul Online Security Guards Hiring System v.1.0 is vulnerable to ...) + TODO: check +CVE-2023-39379 (Fujitsu Software Infrastructure Manager (ISM) stores sensitive informa ...) + TODO: check +CVE-2023-39344 (social-media-skeleton is an uncompleted social media project. A SQL in ...) + TODO: check +CVE-2023-39143 (PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path trave ...) + TODO: check +CVE-2023-39112 (ECShop v4.1.16 contains an arbitrary file deletion vulnerability in th ...) + TODO: check +CVE-2023-39107 (An arbitrary file overwrite vulnerability in NoMachine Free Edition an ...) + TODO: check +CVE-2023-38964 (Creative Item Academy LMS 6.0 was discovered to contain a cross-site s ...) + TODO: check +CVE-2023-38707 + REJECTED +CVE-2023-38702 (Knowage is an open source analytics and business intelligence suite. S ...) + TODO: check +CVE-2023-38700 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to ver ...) + TODO: check +CVE-2023-38699 (MindsDB's AI Virtual Database allows developers to connect any AI/ML m ...) + TODO: check +CVE-2023-38698 (Ethereum Name Service (ENS) is a distributed, open, and extensible nam ...) + TODO: check +CVE-2023-38697 (protocol-http1 provides a low-level implementation of the HTTP/1 proto ...) + TODO: check +CVE-2023-38696 + REJECTED +CVE-2023-38695 (cypress-image-snapshot shows visual regressions in Cypress with jest-i ...) 
+ TODO: check +CVE-2023-38692 (CloudExplorer Lite is an open source, lightweight cloud management pla ...) + TODO: check +CVE-2023-38691 (matrix-appservice-bridge provides an API for setting up bridges. Start ...) + TODO: check +CVE-2023-38690 (matrix-appservice-irc is a Node.js IRC bridge for Matrix. Prior to ver ...) + TODO: check +CVE-2023-38689 (Logistics Pipes is a modification (a.k.a. mod) for the computer game M ...) + TODO: check +CVE-2023-38688 (twitch-tui provides Twitch chat in a terminal. Prior to version 2.4.1, ...) + TODO: check +CVE-2023-38686 (Sydent is an identity server for the Matrix communications protocol. P ...) + TODO: check +CVE-2023-38494 (MeterSphere is an open-source continuous testing platform. Prior to ve ...) + TODO: check +CVE-2023-38487 (HedgeDoc is software for creating real-time collaborative markdown not ...) + TODO: check +CVE-2023-38332 (Zoho ManageEngine ADManager Plus through 7201 allow authenticated user ...) + TODO: check +CVE-2023-37896 (Nuclei is a vulnerability scanner. Prior to version 2.9.9, a security ...) + TODO: check +CVE-2023-37470 (Metabase is an open-source business intelligence and analytics platfor ...) + TODO: check +CVE-2023-36480 (The Aerospike Java client is a Java application that implements a netw ...) + TODO: check +CVE-2023-34038 (VMware Horizon Server contains an information disclosure vulnerability ...) + TODO: check +CVE-2023-34037 (VMware Horizon Server contains a HTTP request smuggling vulnerability. ...) + TODO: check +CVE-2023-33379 (Connected IO v2.1.0 and prior has a misconfiguration in their MQTT bro ...) + TODO: check +CVE-2023-33378 (Connected IO v2.1.0 and prior has an argument injection vulnerability ...) + TODO: check +CVE-2023-33377 (Connected IO v2.1.0 and prior has an OS command injection vulnerabilit ...) + TODO: check +CVE-2023-33376 (Connected IO v2.1.0 and prior has an argument injection vulnerability ...) 
+ TODO: check +CVE-2023-33375 (Connected IO v2.1.0 and prior has a stack-based buffer overflow vulner ...) + TODO: check +CVE-2023-33374 (Connected IO v2.1.0 and prior has a command as part of its communicati ...) + TODO: check +CVE-2023-33373 (Connected IO v2.1.0 and prior keeps passwords and credentials in clear ...) + TODO: check +CVE-2023-33372 (Connected IO v2.1.0 and prior uses a hard-coded username/password pair ...) + TODO: check +CVE-2022-4955 (Inappropria
[Git][security-tracker-team/security-tracker][master] LTS: add burp, poppler, thunderbird
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 9db40c66 by Anton Gladky at 2023-08-04T21:55:46+02:00 LTS: add burp, poppler, thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -24,6 +24,9 @@ rather than remove/replace existing ones. amanda (Thorsten Alteholz) NOTE: 20230730: Added by Front-Desk (apo) -- +burp + NOTE: 20230804: Added by Front-Desk (gladk) +-- cairosvg (gladk) NOTE: 20230323: Added by Front-Desk (gladk) NOTE: 20230411: Proposed solution for CVE-2023-27586 in Buster to backport the --unsafe switch, introduced in 1.0.21, might work (dleidert/inactive) @@ -124,6 +127,9 @@ openssl (gladk) pdfcrack (Adrian Bunk) NOTE: 20230731: Added by Front-Desk (apo) -- +poppler + NOTE: 20230804: Added by Front-Desk (gladk) +-- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. @@ -194,6 +200,9 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- +thunderbird + NOTE: 20230804: Added by Front-Desk (gladk) +-- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9db40c661345d17a5d8878affb46fdc5c2f6f8ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
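Review bot: the three new dla-needed.txt entries (burp, poppler, thunderbird) carry only the "Added by Front-Desk (gladk)" NOTE and name no CVE ids. The python-glance-store entry in the second hunk shows the useful convention of recording which CVEs are concerned ("NB. CVE-2023-2088 filed against ..."), and for poppler CVE-2023-34872 is triaged elsewhere on this page as "(Minor issue)" for bullseye and bookworm; stating which CVE(s) drive the buster update would tell the claimant whether it is that one or a different issue.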
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-38559/ghostscript
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 758a62ee by Salvatore Bonaccorso at 2023-08-04T21:36:52+02:00 Add Debian bug reference for CVE-2023-38559/ghostscript - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -430,7 +430,7 @@ CVE-2023-38560 (An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_ NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174cb25a0cd44a1c0706c2ed73fc95bef NOTE: Issue in PCL support shipped sourcewise in src:ghostscript CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_w ...) - - ghostscript + - ghostscript (bug #1043033) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=d81b82c70bc1fb9991bb95f1201abb5dea55f57f CVE-2023-38357 (Session tokens in RWS WorldServer 11.7.3 and earlier have a low entrop ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/758a62eef4e8952b12be3a58c38650fd08d2fff9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/758a62eef4e8952b12be3a58c38650fd08d2fff9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-2940{7,8}/golang-golang-x-image
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 63a6e0d3 by Salvatore Bonaccorso at 2023-08-04T21:35:52+02:00 Add CVE-2023-2940{7,8}/golang-golang-x-image - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15620,9 +15620,15 @@ CVE-2023-29409 (Extremely large RSA keys in certificate chains can cause a clien [buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases) NOTE: https://groups.google.com/g/golang-announce/c/X0b6CsSAaYI CVE-2023-29408 (The TIFF decoder does not place a limit on the size of compressed tile ...) - TODO: check + - golang-golang-x-image + NOTE: https://go.dev/issue/61582 + NOTE: https://go.dev/cl/514897 + NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0) CVE-2023-29407 (A maliciously-crafted image can cause excessive CPU consumption in dec ...) - TODO: check + - golang-golang-x-image + NOTE: https://go.dev/issue/61581 + NOTE: https://go.dev/cl/514897 + NOTE: https://github.com/golang/image/commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0) CVE-2023-29406 (The HTTP/1 client does not fully validate the contents of the Host hea ...) - golang-1.20 1.20.6-1 - golang-1.19 1.19.11-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a6e0d328ddc165b870c1eb81b011b074ef1281 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a6e0d328ddc165b870c1eb81b011b074ef1281 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
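Review bot: both golang-golang-x-image entries record the upstream fix ("commit/cb227cd2c919b27c6206fe0c1041a8bcc677949d (v0.10.0)") but the package lines carry no fixed Debian version, bug reference or [bookworm]/[bullseye]/[buster] tags, whereas the neighbouring CVE-2023-29409 shows the per-release form ("[buster] - golang-1.11 (Limited support, follow bullseye DSAs/point-releases)"). Because a Go library fix only reaches users once reverse dependencies are rebuilt against the fixed package, the per-release lines should state whether a stable update, a "Minor issue" tag, or a no-dsa decision is intended for each release.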
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e33e812a by Salvatore Bonaccorso at 2023-08-04T21:29:16+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -161,23 +161,23 @@ CVE-2023-38955 (ZKTeco BioAccess IVS v3.3.1 allows unauthenticated attackers to CVE-2023-38954 (ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection ...) NOT-FOR-US: ZKTeco BioAccess CVE-2023-38948 (An arbitrary file download vulnerability in the /c/PluginsController.p ...) - TODO: check + NOT-FOR-US: jizhi CMS CVE-2023-38947 (An arbitrary file upload vulnerability in the /languages/install.php c ...) - TODO: check + NOT-FOR-US: WBCE CMS CVE-2023-38942 (Dango-Translator v4.5.5 was discovered to contain a remote command exe ...) TODO: check CVE-2023-38812 REJECTED CVE-2023-38748 (Use after free vulnerability exists in CX-Programmer Included in CX-On ...) - TODO: check + NOT-FOR-US: CX-One CXONE-AL[][]D-V4 CVE-2023-38747 (Heap-based buffer overflow vulnerability exists in CX-Programmer Inclu ...) - TODO: check + NOT-FOR-US: CX-One CXONE-AL[][]D-V4 CVE-2023-38746 (Out-of-bounds read vulnerability/issue exists in CX-Programmer Include ...) - TODO: check + NOT-FOR-US: CX-One CXONE-AL[][]D-V4 CVE-2023-38744 (Denial-of-service (DoS) vulnerability due to improper validation of sp ...) TODO: check CVE-2023-37679 (A remote command execution (RCE) vulnerability in NextGen Mirth Connec ...) - TODO: check + NOT-FOR-US: NextGen Mirth Connect CVE-2023-37559 (After successful authentication as a user in multiple Codesys products ...) NOT-FOR-US: Codesys CVE-2023-37558 (After successful authentication as a user in multiple Codesys products ...) 
@@ -209,45 +209,45 @@ CVE-2023-37546 (In multiple Codesys products in multiple versions, after success CVE-2023-37545 (In multiple Codesys products in multiple versions, after successful au ...) NOT-FOR-US: Codesys CVE-2023-37364 (In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapt ...) - TODO: check + NOT-FOR-US: WS-Inc J WBEM Server CVE-2023-36299 (A File Upload vulnerability in typecho v.1.2.1 allows a remote attacke ...) TODO: check CVE-2023-36298 (DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote co ...) - TODO: check + NOT-FOR-US: DedeCMS CVE-2023-36255 (An issue in Eramba Limited Eramba Enterprise v.3.19.1 allows a remote ...) - TODO: check + NOT-FOR-US: Eramba Limited Eramba Enterprise CVE-2023-36217 (Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remo ...) - TODO: check + NOT-FOR-US: Xoops CMS CVE-2023-36213 (SQL injection vulnerability in MotoCMS v.3.4.3 allows a remote attacke ...) - TODO: check + NOT-FOR-US: MotoCMS CVE-2023-36212 (File Upload vulnerability in Total CMS v.1.7.4 allows a remote attacke ...) - TODO: check + NOT-FOR-US: Total CMS CVE-2023-36082 (An isssue in GatesAIr Flexiva FM Transmitter/Exiter Fax 150W allows a ...) - TODO: check + NOT-FOR-US: GatesAIr Flexiva FM Transmitter/Exiter Fax 150W CVE-2023-35081 (A path traversal vulnerability in Ivanti EPMM versions (11.10.x < 11.1 ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2023-34196 (In the Keyfactor EJBCA before 8.0.0, the RA web certificate distributi ...) - TODO: check + NOT-FOR-US: Keyfactor EJBCA CVE-2023-33666 (ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain ...) TODO: check CVE-2023-33371 (Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic ...) - TODO: check + NOT-FOR-US: Control ID IDSecure CVE-2023-33370 (An uncaught exception vulnerability exists in Control ID IDSecure 4.7. ...) 
- TODO: check + NOT-FOR-US: Control ID IDSecure CVE-2023-33369 (A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 ...) - TODO: check + NOT-FOR-US: Control ID IDSecure CVE-2023-33368 (Some API routes exists in Control ID IDSecure 4.7.26.0 and prior, exfi ...) - TODO: check + NOT-FOR-US: Control ID IDSecure CVE-2023-33366 (A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1 ...) - TODO: check + NOT-FOR-US: Suprema BioStar CVE-2023-33365 (A path traversal vulnerability exists in Suprema BioStar 2 before 2.9. ...) - TODO: check + NOT-FOR-US: Suprema BioStar CVE-2023-33364 (An OS Command injection vulnerability exists in Suprema BioStar 2 befo ...) - TODO: check + NOT-FOR-US: Suprema BioStar CVE-2023-33363 (An authentication bypass vulnerability exists in Suprema BioStar 2 bef ...) - TODO: check + NOT-FOR-US: Suprema BioStar
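Review bot: in the first hunk (@@ -161,23) CVE-2023-38744 ("Denial-of-service (DoS) vulnerability due to improper validation of sp ...") stays at "TODO: check" between the three CX-Programmer entries that become "NOT-FOR-US: CX-One CXONE-AL[][]D-V4"; the truncated description does not show the product, but if it belongs to the same CX-One batch it should receive the same tag rather than a separate round of triage.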
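Review bot: in the second hunk (@@ -209,45) CVE-2023-36299 (typecho) and CVE-2023-33666 (ai-dev aioptimizedcombinations) are left at "TODO: check" while the surrounding CMS entries (DedeCMS, Xoops, MotoCMS, Total CMS) are all marked NOT-FOR-US; if neither is packaged in Debian, as the names suggest, they should be marked in the same pass, and if one of them is being kept open deliberately, a short NOTE saying why would stop the next triager from repeating the check.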
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-38560
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a870dec by Salvatore Bonaccorso at 2023-08-04T21:08:11+02:00 Update status for CVE-2023-38560 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -425,9 +425,10 @@ CVE-2023-39109 (rconfig v3.9.4 was discovered to contain a Server-Side Request F CVE-2023-39108 (rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery ...) NOT-FOR-US: rConfig CVE-2023-38560 (An integer overflow flaw was found in pcl/pl/plfont.c:418 in pl_glyph_ ...) - - ghostscript + - ghostscript (unimportant) NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706898 NOTE: https://git.ghostscript.com/?p=ghostpdl.git;a=commitdiff;h=b7eb1d0174cb25a0cd44a1c0706c2ed73fc95bef + NOTE: Issue in PCL support shipped sourcewise in src:ghostscript CVE-2023-38559 (A buffer overflow flaw was found in base/gdevdevn.c:1973 in devn_pcx_w ...) - ghostscript NOTE: https://bugs.ghostscript.com/show_bug.cgi?id=706897 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a870decd0f8e56483d44b20cc8e6cfded44d88a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a870decd0f8e56483d44b20cc8e6cfded44d88a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
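Review bot: the severity change "- ghostscript" to "- ghostscript (unimportant)" is justified only by the new NOTE "Issue in PCL support shipped sourcewise in src:ghostscript". "Shipped sourcewise" says the code is in the source tarball, not whether it is compiled into the binary packages, which is what an "unimportant" rating needs; spell out that the PCL interpreter is not built by the Debian package (if that is the basis) so a later reader can verify the rating from the entry alone. The sibling CVE-2023-38559 (base/gdevdevn.c, core code) correctly stays unrated in this commit.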
[Git][security-tracker-team/security-tracker][master] chromium DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ffa674a by Moritz Mühlenhoff at 2023-08-04T20:20:41+02:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[04 Aug 2023] DSA-5467-1 chromium - security update + {CVE-2023-4068 CVE-2023-4069 CVE-2023-4070 CVE-2023-4071 CVE-2023-4072 CVE-2023-4073 CVE-2023-4074 CVE-2023-4075 CVE-2023-4076 CVE-2023-4077 CVE-2023-4078} + [bullseye] - chromium 115.0.5790.170-1~deb11u1 + [bookworm] - chromium 115.0.5790.170-1~deb12u1 [04 Aug 2023] DSA-5466-1 ntpsec - security update {CVE-2023-4012} [bookworm] - ntpsec 1.2.2+dfsg1-1+deb12u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- aom/oldstable -- -chromium (jmm) --- cjose (jmm) -- cinder/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffa674ae345687d562d3ccae951c6427c4d07dd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ffa674ae345687d562d3ccae951c6427c4d07dd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
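Review bot: the data/DSA/list hunk records DSA-5467-1 with eleven chromium CVE ids and the fixed versions 115.0.5790.170-1~deb11u1 and 115.0.5790.170-1~deb12u1, but this commit does not touch data/CVE/list, so none of those eleven entries carries a {DSA-5467-1} reference yet. The automatic update on this page added "+ {DSA-5466-1}" under CVE-2023-4012 for the ntpsec DSA, so this is presumably left to that job; worth confirming after the next automatic update that all eleven chromium entries picked up the reference, not only those already present in the file.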
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c963e58a by Moritz Mühlenhoff at 2023-08-04T20:17:53+02:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -259,6 +259,8 @@ CVE-2023-3971 NOT-FOR-US: Red Hat Ansible Automation Controller CVE-2023-34320 [arm: Guests can trigger a deadlock on Cortex-A77] - xen + [bookworm] - xen (Minor issue) + [bullseye] - xen (Minor issue) [buster] - xen (DSA 4677-1) NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1 NOTE: https://xenbits.xen.org/xsa/advisory-436.html @@ -670,6 +672,8 @@ CVE-2023-34916 (Fuge CMS v1.0 contains an Open Redirect vulnerability via /front NOT-FOR-US: Fuge CMS CVE-2023-34872 (A vulnerability in Outline.cc for Poppler prior to 23.06.0 allows a re ...) - poppler (bug #1042811) + [bookworm] - poppler (Minor issue) + [bullseye] - poppler (Minor issue) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/commit/591235c8b6c65a2eee88991b9ae73490fd9afdfe (poppler-23.06.0) NOTE: https://gitlab.freedesktop.org/poppler/poppler/-/issues/1399 CVE-2023-34842 (Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows ...) = data/dsa-needed.txt = @@ -16,8 +16,7 @@ aom/oldstable -- chromium (jmm) -- -cjose - Maintainer asked to prepare updates +cjose (jmm) -- cinder/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c963e58a842c13ccd133979ce7f28c9dd9d85a8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c963e58a842c13ccd133979ce7f28c9dd9d85a8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
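Review bot: the two data/CVE/list hunks mark CVE-2023-34320 (xen) and CVE-2023-34872 (poppler) as "(Minor issue)" for bookworm and bullseye without a NOTE giving the reason. For xen the bracketed title ("arm: Guests can trigger a deadlock on Cortex-A77") already explains the narrow impact, but for poppler the only NOTE lines are the upstream commit and issue links; a one-line rationale next to the new "[bookworm] - poppler (Minor issue)" entry would spare the next triager a re-read of poppler issue 1399.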
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a7a9ff94 by Moritz Mühlenhoff at 2023-08-04T16:34:41+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2023-4139 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable t CVE-2023-3373 (Predictable Exact Value from Previous Values vulnerability in Mitsubis ...) NOT-FOR-US: Mitsubishi CVE-2023-39343 (Sulu is an open-source PHP content management system based on the Symf ...) - TODO: check + NOT-FOR-US: Sulu CVE-2023-38991 (An issue in the delete function in the ActModelController class of jee ...) NOT-FOR-US: jeesite CVE-2023-38952 (Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticate ...) @@ -21,7 +21,7 @@ CVE-2023-38950 (A path traversal vulnerability in the iclock API of ZKTeco BioTi CVE-2023-38949 (An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticat ...) NOT-FOR-US: ZKTeco BioTime CVE-2023-38941 (django-sspanel v2022.2.2 was discovered to contain a remote command ex ...) - TODO: check + NOT-FOR-US: django-sspanel CVE-2023-38708 (Pimcore is an Open Source Data & Experience Management Platform: PIM, ...) NOT-FOR-US: Pimcore CVE-2023-37501 (A Persistent XSS vulnerability can be carried out in a certain field o ...) @@ -45,7 +45,7 @@ CVE-2023-36139 (In PHPJabbers Cleaning Business Software 1.0, lack of verificati CVE-2023-36138 (PHPJabbers Cleaning Business Software 1.0 is vulnerable to Cross Site ...) NOT-FOR-US: PHPJabbers CVE-2023-36137 (There is a Cross Site Scripting (XSS) vulnerability in the "theme" par ...) - TODO: check + NOT-FOR-US: PHPJabbers Class Scheduling System CVE-2023-36135 (User enumeration is found in in PHPJabbers Class Scheduling System v1. ...) NOT-FOR-US: PHPJabbers CVE-2023-36134 (In PHP Jabbers Class Scheduling System 1.0, lack of verification when ...) 
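Review bot: in the @@ -45,7 hunk the new label "NOT-FOR-US: PHPJabbers Class Scheduling System" for CVE-2023-36137 differs from the already-present "NOT-FOR-US: PHPJabbers" on the neighbouring CVE-2023-36135 and CVE-2023-36138 for the same vendor. Either form works on its own, but mixing them means a later grep for the vendor's NFU entries misses some; suggest "NOT-FOR-US: PHPJabbers" to match the surrounding lines.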
@@ -57,7 +57,7 @@ CVE-2023-36132 (PHP Jabbers Availability Booking Calendar 5.0 is vulnerable to I CVE-2023-36131 (PHPJabbers Availability Booking Calendar 5.0 is vulnerable to Incorrec ...) NOT-FOR-US: PHPJabbers CVE-2023-33665 (ai-dev aitable before v0.2.2 was discovered to contain a SQL injection ...) - TODO: check + NOT-FOR-US: ai-dev aitable CVE-2023-38497 [Cargo does not respect umask when extracting packages] - rustc NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2 @@ -99,7 +99,7 @@ CVE-2023-4120 (A vulnerability was found in Beijing Baichuo Smart S85F Managemen CVE-2023-4119 (A vulnerability has been found in Academy LMS 6.0 and classified as pr ...) NOT-FOR-US: Academy LMS CVE-2023-4118 (A vulnerability, which was classified as problematic, was found in Cut ...) - TODO: check + NOT-FOR-US: Cute HTTP File Server CVE-2023-4117 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: PHP Jabbers Rental Property Booking CVE-2023-4116 (A vulnerability classified as problematic was found in PHP Jabbers Tax ...) 
@@ -119,47 +119,47 @@ CVE-2023-4110 (A vulnerability has been found in PHP Jabbers Availability Bookin CVE-2023-3932 (An issue has been discovered in GitLab EE affecting all versions start ...) TODO: check CVE-2023-3766 (A vulnerability was discovered in the odoh-rs rust crate that stems fr ...) - TODO: check + NOT-FOR-US: odoh-rs Rust crate CVE-2023-3749 (A local user could edit the VideoEdge configuration file and interfere ...) - TODO: check + NOT-FOR-US: VideoEdge CVE-2023-3669 (A missing Brute-Force protection in CODESYS Development System prior t ...) - TODO: check + NOT-FOR-US: Codesys CVE-2023-3663 (In CODESYS Development System versions from 3.5.11.20 and before 3.5.1 ...) - TODO: check + NOT-FOR-US: Codesys CVE-2023-3662 (In CODESYS Development System versions from 3.5.17.0 and prior to 3.5. ...) - TODO: check + NOT-FOR-US: Codesys CVE-2023-3348 (The Wrangler command line tool (<=wrangler@3.1.0) was affected by a di ...) TODO: check CVE-2023-3346 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2023-3329 (SpiderControl SCADA Webserver versions 2.08 and prior are vulnerable t ...) - TODO: check + NOT-FOR-US: SpiderControl SCADA Webserver CVE-2023-3180 (A flaw was found in the QEMU virtual crypto device while handling data ...) - qemu NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/04b9b37edda85964cca033a48dcc0298036782f2 (v2.8.0-rc0) NOTE: Proposed patch: https://lists.nongnu.org/archive/html/qemu-devel/2023-08/msg00401.html CVE-2023-39144 (Element55 KnowMore appliances
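Review bot: in the @@ -119,47 hunk the three CODESYS entries (CVE-2023-3669, CVE-2023-3663, CVE-2023-3662) get "NOT-FOR-US: Codesys" while their descriptions spell the product "CODESYS Development System"; the NFU label is what later searches match against, so the vendor's own spelling ("NOT-FOR-US: CODESYS") is the safer choice and keeps the three entries consistent with how the product is named everywhere else in the file.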
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3515-1 for cjose
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker Commits: e5d2bf04 by Guilhem Moulin at 2023-08-04T12:17:09+02:00 Reserve DLA-3515-1 for cjose - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[04 Aug 2023] DLA-3515-1 cjose - security update + {CVE-2023-37464} + [buster] - cjose 0.6.1+dfsg1-1+deb10u1 [02 Aug 2023] DLA-3514-1 bouncycastle - security update {CVE-2023-33201} [buster] - bouncycastle 1.60-1+deb10u1 = data/dla-needed.txt = @@ -32,9 +32,6 @@ cinder NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. -- -cjose (guilhem) - NOTE: 20230730: Added by Front-Desk (apo) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5d2bf040137ef4bb13ba25f3c45a0865970ea81 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e5d2bf040137ef4bb13ba25f3c45a0865970ea81 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove xqilla from dla-needed.txt; the two CVEs (CVE-2022-24795 and...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ee138e63 by Chris Lamb at 2023-08-04T10:08:41+01:00 Remove xqilla from dla-needed.txt; the two CVEs (CVE-2022-24795 and CVE-2017-16516) were marked as not-affected. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -197,10 +197,6 @@ suricata (Adrian Bunk) NOTE: 20230714: Still reviewing+testing CVEs. (bunk) NOTE: 20230731: Still reviewing+testing CVEs. (bunk) -- -xqilla - NOTE: 20230706: Added by Front-Desk (gladk) - NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code. --- zabbix (tobi) NOTE: 20230731: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee138e636658f433fa12dbc88913cab55d9609b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ee138e636658f433fa12dbc88913cab55d9609b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
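Review bot: removing the xqilla block from dla-needed.txt also drops the only recorded rationale for the not-affected call, the "NOTE: 20230715: not vulnerable, the embedded yajl is ancient (around 0.2.2), not having the vulnerable code." line. The commit message says CVE-2022-24795 and CVE-2017-16516 were marked not-affected, which records the status but not the reason; please make sure the same sentence survives as a NOTE on those two entries in data/CVE/list (or in their buster annotation) so it is not lost with this hunk.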
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c75243e by Salvatore Bonaccorso at 2023-08-04T11:03:56+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -7,55 +7,55 @@ CVE-2023-4140 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable t CVE-2023-4139 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sen ...) NOT-FOR-US: WP Ultimate CSV Importer plugin for WordPress CVE-2023-3373 (Predictable Exact Value from Previous Values vulnerability in Mitsubis ...) - TODO: check + NOT-FOR-US: Mitsubishi CVE-2023-39343 (Sulu is an open-source PHP content management system based on the Symf ...) TODO: check CVE-2023-38991 (An issue in the delete function in the ActModelController class of jee ...) - TODO: check + NOT-FOR-US: jeesite CVE-2023-38952 (Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticate ...) - TODO: check + NOT-FOR-US: ZKTeco BioTime CVE-2023-38951 (A path traversal vulnerability in ZKTeco BioTime v8.5.5 allows attacke ...) - TODO: check + NOT-FOR-US: ZKTeco BioTime CVE-2023-38950 (A path traversal vulnerability in the iclock API of ZKTeco BioTime v8. ...) - TODO: check + NOT-FOR-US: ZKTeco BioTime CVE-2023-38949 (An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticat ...) - TODO: check + NOT-FOR-US: ZKTeco BioTime CVE-2023-38941 (django-sspanel v2022.2.2 was discovered to contain a remote command ex ...) TODO: check CVE-2023-38708 (Pimcore is an Open Source Data & Experience Management Platform: PIM, ...) - TODO: check + NOT-FOR-US: Pimcore CVE-2023-37501 (A Persistent XSS vulnerability can be carried out in a certain field o ...) - TODO: check + NOT-FOR-US: Unica Campaign CVE-2023-37500 (A Persistent Cross-site Scripting (XSS) vulnerability can be carried o ...) - TODO: check + NOT-FOR-US: Unica Platform CVE-2023-37499 (A Persistent Cross-site Scripting (XSS) vulnerability can be carried o ...) - TODO: check + NOT-FOR-US: Unica Platform CVE-2023-37498 (A user is capable of assigning him/herself to arbitrary groups by reus ...) 
- TODO: check + NOT-FOR-US: HCL CVE-2023-37497 (The Unica application exposes an API which accepts arbitrary XML input ...) - TODO: check + NOT-FOR-US: Unica application CVE-2023-36159 (Cross Site Scripting (XSS) vulnerability in sourcecodester Lost and Fo ...) - TODO: check + NOT-FOR-US: Sourcecodester Lost and Found Information System CVE-2023-36158 (Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Ma ...) - TODO: check + NOT-FOR-US: sourcecodester Toll Tax Management System CVE-2023-36141 (User enumeration is found in in PHPJabbers Cleaning Business Software ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36139 (In PHPJabbers Cleaning Business Software 1.0, lack of verification whe ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36138 (PHPJabbers Cleaning Business Software 1.0 is vulnerable to Cross Site ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36137 (There is a Cross Site Scripting (XSS) vulnerability in the "theme" par ...) TODO: check CVE-2023-36135 (User enumeration is found in in PHPJabbers Class Scheduling System v1. ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36134 (In PHP Jabbers Class Scheduling System 1.0, lack of verification when ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36133 (PHPJabbers Availability Booking Calendar 5.0 is vulnerable to User Acc ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36132 (PHP Jabbers Availability Booking Calendar 5.0 is vulnerable to Incorre ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-36131 (PHPJabbers Availability Booking Calendar 5.0 is vulnerable to Incorrec ...) - TODO: check + NOT-FOR-US: PHPJabbers CVE-2023-33665 (ai-dev aitable before v0.2.2 was discovered to contain a SQL injection ...) 
TODO: check CVE-2023-38497 [Cargo does not respect umask when extracting packages] View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c75243ebb0af58ef9e32dc2db922335480b571f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c75243ebb0af58ef9e32dc2db922335480b571f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
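Review bot: in the @@ -7,55 hunk the NFU labels for the consecutive HCL Unica ids are inconsistent: CVE-2023-37501 gets "Unica Campaign", CVE-2023-37500 and CVE-2023-37499 "Unica Platform", CVE-2023-37497 "Unica application", and CVE-2023-37498, sitting between them, just "HCL". Likewise CVE-2023-36159 uses "Sourcecodester" and CVE-2023-36158 "sourcecodester". One vendor spelling per batch keeps the file greppable; "NOT-FOR-US: HCL Unica" and "NOT-FOR-US: Sourcecodester" would cover all of these without losing information.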
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c7e5a5b7 by Salvatore Bonaccorso at 2023-08-04T11:01:01+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2023-4142 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Rem ...) - TODO: check + NOT-FOR-US: WP Ultimate CSV Importer plugin for WordPress CVE-2023-4141 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Rem ...) - TODO: check + NOT-FOR-US: WP Ultimate CSV Importer plugin for WordPress CVE-2023-4140 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to pri ...) - TODO: check + NOT-FOR-US: WP Ultimate CSV Importer plugin for WordPress CVE-2023-4139 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sen ...) - TODO: check + NOT-FOR-US: WP Ultimate CSV Importer plugin for WordPress CVE-2023-3373 (Predictable Exact Value from Previous Values vulnerability in Mitsubis ...) TODO: check CVE-2023-39343 (Sulu is an open-source PHP content management system based on the Symf ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7e5a5b7f96059bed0cea26a0b9ac8d5b3bcb56f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7e5a5b7f96059bed0cea26a0b9ac8d5b3bcb56f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1762860f by security tracker role at 2023-08-04T08:11:38+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,63 @@ +CVE-2023-4142 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Rem ...) + TODO: check +CVE-2023-4141 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Rem ...) + TODO: check +CVE-2023-4140 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to pri ...) + TODO: check +CVE-2023-4139 (The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Sen ...) + TODO: check +CVE-2023-3373 (Predictable Exact Value from Previous Values vulnerability in Mitsubis ...) + TODO: check +CVE-2023-39343 (Sulu is an open-source PHP content management system based on the Symf ...) + TODO: check +CVE-2023-38991 (An issue in the delete function in the ActModelController class of jee ...) + TODO: check +CVE-2023-38952 (Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticate ...) + TODO: check +CVE-2023-38951 (A path traversal vulnerability in ZKTeco BioTime v8.5.5 allows attacke ...) + TODO: check +CVE-2023-38950 (A path traversal vulnerability in the iclock API of ZKTeco BioTime v8. ...) + TODO: check +CVE-2023-38949 (An issue in a hidden API in ZKTeco BioTime v8.5.5 allows unauthenticat ...) + TODO: check +CVE-2023-38941 (django-sspanel v2022.2.2 was discovered to contain a remote command ex ...) + TODO: check +CVE-2023-38708 (Pimcore is an Open Source Data & Experience Management Platform: PIM, ...) + TODO: check +CVE-2023-37501 (A Persistent XSS vulnerability can be carried out in a certain field o ...) + TODO: check +CVE-2023-37500 (A Persistent Cross-site Scripting (XSS) vulnerability can be carried o ...) + TODO: check +CVE-2023-37499 (A Persistent Cross-site Scripting (XSS) vulnerability can be carried o ...) + TODO: check +CVE-2023-37498 (A user is capable of assigning him/herself to arbitrary groups by reus ...) + TODO: check +CVE-2023-37497 (The Unica application exposes an API which accepts arbitrary XML input ...) 
+ TODO: check +CVE-2023-36159 (Cross Site Scripting (XSS) vulnerability in sourcecodester Lost and Fo ...) + TODO: check +CVE-2023-36158 (Cross Site Scripting (XSS) vulnerability in sourcecodester Toll Tax Ma ...) + TODO: check +CVE-2023-36141 (User enumeration is found in in PHPJabbers Cleaning Business Software ...) + TODO: check +CVE-2023-36139 (In PHPJabbers Cleaning Business Software 1.0, lack of verification whe ...) + TODO: check +CVE-2023-36138 (PHPJabbers Cleaning Business Software 1.0 is vulnerable to Cross Site ...) + TODO: check +CVE-2023-36137 (There is a Cross Site Scripting (XSS) vulnerability in the "theme" par ...) + TODO: check +CVE-2023-36135 (User enumeration is found in in PHPJabbers Class Scheduling System v1. ...) + TODO: check +CVE-2023-36134 (In PHP Jabbers Class Scheduling System 1.0, lack of verification when ...) + TODO: check +CVE-2023-36133 (PHPJabbers Availability Booking Calendar 5.0 is vulnerable to User Acc ...) + TODO: check +CVE-2023-36132 (PHP Jabbers Availability Booking Calendar 5.0 is vulnerable to Incorre ...) + TODO: check +CVE-2023-36131 (PHPJabbers Availability Booking Calendar 5.0 is vulnerable to Incorrec ...) + TODO: check +CVE-2023-33665 (ai-dev aitable before v0.2.2 was discovered to contain a SQL injection ...) + TODO: check CVE-2023-38497 [Cargo does not respect umask when extracting packages] - rustc NOTE: https://www.openwall.com/lists/oss-security/2023/08/03/2 @@ -331,7 +391,7 @@ CVE-2023-4008 (An issue has been discovered in GitLab CE/EE affecting all versio - gitlab CVE-2023-4011 (An issue has been discovered in GitLab EE affecting all versions from ...) - gitlab (Specific to EE) -CVE-2023-4002 +CVE-2023-4002 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) CVE-2023-3993 (An issue has been discovered in GitLab EE affecting all versions start ...) - gitlab (Specific to EE) 
@@ -665,6 +725,7 @@ CVE-2023-32226 (Sysaid - CWE-552: Files or Directories Accessible to External P CVE-2023-32225 (Sysaid - CWE-434: Unrestricted Upload of File with Dangerous Type - A ...) NOT-FOR-US: SysAid CVE-2023-4012 [crash on NTS requests] + {DSA-5466-1} - ntpsec 1.2.2+dfsg1-2 (bug #1038422) [bullseye] - ntpsec (Vulnerable code introduced later) [buster] - ntpsec (Vulnerable code introduced later) @@ -4147,7 +4208,7 @@ CVE-2023-34451 (CometBFT is a Byzantine Fault Tolerant (BFT) middleware that