[Git][security-tracker-team/security-tracker][master] Add information for CVE-2020-23793
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e9592226 by Salvatore Bonaccorso at 2023-09-02T08:57:23+02:00 Add information for CVE-2020-23793 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -217481,7 +217481,9 @@ CVE-2020-23795 CVE-2020-23794 RESERVED CVE-2020-23793 (An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1. ...) - TODO: check, likely same fix as CVE-2016-9577 + - spice 0.13.90-0.1 + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2234984 + NOTE: Fixed by: https://cgit.freedesktop.org/spice/spice/commit/?id=ec124b982abcd23364963ffcd4c370b1ec962fc9 (v0.13.90) CVE-2020-23792 RESERVED CVE-2020-23791 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e959222681927ce403d36325c0d77cc040489232 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e959222681927ce403d36325c0d77cc040489232 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
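Review bot: the replaced line "TODO: check, likely same fix as CVE-2016-9577" carried a triage hypothesis that the new entry drops without recording the outcome. The fixed version 0.13.90-0.1 and the "Fixed by" commit tagged (v0.13.90) agree with each other, so a one-line NOTE stating whether this fix is shared with or distinct from CVE-2016-9577 would keep that rationale discoverable for whoever next reads the spice entries.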
[Git][security-tracker-team/security-tracker][master] Add upstream tag reference for CVE-2023-29383 commit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7437530d by Salvatore Bonaccorso at 2023-09-01T22:58:40+02:00 Add upstream tag reference for CVE-2023-29383 commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20112,7 +20112,7 @@ CVE-2023-29383 (In Shadow 4.13, it is possible to inject control characters into [bullseye] - shadow (Minor issue) [buster] - shadow (Minor issue) NOTE: https://github.com/shadow-maint/shadow/pull/687 - NOTE: Fixed by: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d + NOTE: Fixed by: https://github.com/shadow-maint/shadow/commit/e5905c4b84d4fb90aefcd96ee618411ebfac663d (4.14.0-rc1) NOTE: https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=31797 NOTE: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2023-29383-abusing-linux-chfn-to-misrepresent-etc-passwd/ CVE-2023-29382 (An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an atta ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7437530dfcfe7a88b03cfa582fb210d2ad5a5cde
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-4641
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 85018055 by Salvatore Bonaccorso at 2023-09-01T22:57:42+02:00 Add Debian bug reference for CVE-2023-4641 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -285,7 +285,7 @@ CVE-2023-4650 (Improper Access Control in GitHub repository instantsoft/icms2 pr CVE-2023-4649 (Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16. ...) NOT-FOR-US: icms2 CVE-2023-4641 [gpasswd(1) password leak] - - shadow + - shadow (bug #1051062) [bookworm] - shadow (Minor issue) [bullseye] - shadow (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2215945 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/850180550a41816071f2b4e279a169b05b364ca0
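Review bot: the unstable line "- shadow (bug #1051062)" still carries no fixed version and the entry's only NOTE is the Red Hat bugzilla link. Once the upstream fix for the gpasswd(1) password leak is identified, a "NOTE: Fixed by:" line with the commit and release tag (the format used for CVE-2023-29383 in this same series) would let the bookworm and bullseye "Minor issue" decisions be checked against a concrete patch.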
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-40184
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d59fc282 by Salvatore Bonaccorso at 2023-09-01T22:56:50+02:00 Add Debian bug reference for CVE-2023-40184 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -459,7 +459,7 @@ CVE-2023-40186 (FreeRDP is a free implementation of the Remote Desktop Protocol - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v CVE-2023-40184 (xrdp is an open source remote desktop protocol (RDP) server. In versio ...) - - xrdp + - xrdp (bug #1051061) NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq NOTE: https://github.com/neutrinolabs/xrdp/commit/25a1fab5b6c5ef2a8bb109232b765cb8b332ce5e CVE-2023-40181 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d59fc282d51cbc3e90809e535771d9b6cf927d78
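Review bot: the second NOTE for CVE-2023-40184 is a bare upstream commit URL; prefixing it with "Fixed by:" and the release tag, as the shadow and rails entries in this series do, tells a reader whether 25a1fab5b6c5ef2a8bb109232b765cb8b332ce5e is the fix itself or merely a related change, and gives the version to compare against when triaging the stable suites.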
[Git][security-tracker-team/security-tracker][master] CVE-2023-28362: Add short description and Debian bug reference
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bebbddb by Salvatore Bonaccorso at 2023-09-01T22:48:48+02:00 CVE-2023-28362: Add short description and Debian bug reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23608,9 +23608,9 @@ CVE-2023-28364 (An Open Redirect vulnerability exists prior to version 1.52.117, - brave-browser (bug #864795) CVE-2023-28363 RESERVED -CVE-2023-28362 +CVE-2023-28362 [Possible XSS via User Supplied Values to redirect_to] RESERVED - - rails + - rails (bug #1051058) NOTE: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132 NOTE: https://github.com/rails/rails/commit/69e37c84e3f77d75566424c7d0015172d6a6fac5 (main) NOTE: https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441 (v6.1.7.4) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bebbddbf4ae831bf4bcf0a100b3e32acac0a384
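Review bot: the entry now has a bracketed short description while the line below it still reads RESERVED, which is the tracker's way of tracking a CVE whose public description is not yet published, so that combination is fine. What is still missing is any fixed version on "- rails (bug #1051058)" even though the v6.1.7.4 fix commit is referenced; recording the first Debian rails version that carries 1c3f93d1e90a3475f9ae2377ead25ccf11f71441, or a NOTE that none does yet, would complete the entry.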
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-38037/rails
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f7adb79 by Salvatore Bonaccorso at 2023-09-01T22:46:58+02:00 Add Debian bug reference for CVE-2023-38037/rails - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -142,7 +142,7 @@ CVE-2023-40317 CVE-2023-40316 - moodle CVE-2023-38037 [Active Support Possibly Discloses Locally Encrypted Files] - - rails + - rails (bug #1051057) NOTE: https://github.com/advisories/GHSA-cr5q-6q9f-rq6q NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml NOTE: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 (v7.0.7.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f7adb79ccddafb64c1151feab598e8c4e415806
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-38037
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7660e25b by Salvatore Bonaccorso at 2023-09-01T22:43:10+02:00 Update information for CVE-2023-38037 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -141,8 +141,9 @@ CVE-2023-40317 - moodle CVE-2023-40316 - moodle -CVE-2023-38037 +CVE-2023-38037 [Active Support Possibly Discloses Locally Encrypted Files] - rails + NOTE: https://github.com/advisories/GHSA-cr5q-6q9f-rq6q NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml NOTE: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 (v7.0.7.1) NOTE: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f (v6.1.7.5) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7660e25bb4a625c41210144c72469a2237c0f358
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab4080e6 by Salvatore Bonaccorso at 2023-09-01T22:32:44+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -14,29 +14,29 @@ CVE-2023-4720 (Floating Point Comparison with Incorrect Operator in GitHub repos NOTE: https://github.com/gpac/gpac/commit/e396648e48c57e2d53988d3fd4465b068b96c89a NOTE: https://huntr.dev/bounties/1dc2954c-8497-49fa-b2af-113e1e9381ad CVE-2023-4714 (A vulnerability was found in PlayTube 3.0.1 and classified as problema ...) - TODO: check + NOT-FOR-US: PlayTube CVE-2023-4713 (A vulnerability has been found in IBOS OA 4.5.5 and classified as crit ...) - TODO: check + NOT-FOR-US: IBOS OA CVE-2023-4712 (A vulnerability, which was classified as critical, was found in Xintia ...) TODO: check CVE-2023-4711 (A vulnerability, which was classified as critical, has been found in D ...) - TODO: check + NOT-FOR-US: D-Link CVE-2023-4710 (A vulnerability classified as problematic was found in TOTVS RM 12.1. ...) - TODO: check + NOT-FOR-US: TOTVS RM CVE-2023-4709 (A vulnerability classified as problematic has been found in TOTVS RM 1 ...) - TODO: check + NOT-FOR-US: TOTVS RM CVE-2023-4708 (A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been r ...) - TODO: check + NOT-FOR-US: Infosoftbd Clcknshop CVE-2023-4707 (A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been d ...) - TODO: check + NOT-FOR-US: Infosoftbd Clcknshop CVE-2023-4704 (External Control of System or Configuration Setting in GitHub reposito ...) - TODO: check + NOT-FOR-US: icms2 CVE-2023-41633 (Catdoc v0.95 was discovered to contain a NULL pointer dereference via ...) TODO: check CVE-2023-41628 (An issue in O-RAN Software Community E2 G-Release allows attackers to ...) - TODO: check + NOT-FOR-US: O-RAN CVE-2023-41627 (O-RAN Software Community ric-plt-lib-rmr v4.9.0 does not validate the ...) - TODO: check + NOT-FOR-US: O-RAN CVE-2023-41364 (In tine through 2023.01.14.325, the sort parameter of the /index.php e ...) TODO: check CVE-2023-41051 (In a typical Virtual Machine Monitor (VMM) there are several component ...) 
@@ -44,51 +44,51 @@ CVE-2023-41051 (In a typical Virtual Machine Monitor (VMM) there are several com CVE-2023-41049 (@dcl/single-sign-on-client is an open source npm library which deals w ...) TODO: check CVE-2023-41046 (XWiki Platform is a generic wiki platform offering runtime services fo ...) - TODO: check + NOT-FOR-US: XWiki CVE-2023-40980 (File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before ...) - TODO: check + NOT-FOR-US: DWSurvey DWSurvey-OSS CVE-2023-40970 (Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerabl ...) - TODO: check + NOT-FOR-US: Senayan Library Management Systems SLIMS 9 Bulian CVE-2023-40969 (Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable ...) - TODO: check + NOT-FOR-US: Senayan Library Management Systems SLIMS 9 Bulian CVE-2023-40968 (Buffer Overflow vulnerability in hzeller timg v.1.5.2 and before allow ...) TODO: check CVE-2023-40771 (SQL injection vulnerability in DataEase v.1.18.9 allows a remote attac ...) TODO: check CVE-2023-40239 (Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE at ...) - TODO: check + NOT-FOR-US: Lexmark CVE-2023-3210 (An issue has been discovered in GitLab affecting all versions starting ...) TODO: check CVE-2023-39714 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...) - TODO: check + NOT-FOR-US: Free and Open Source Inventory Management System CVE-2023-39710 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...) - TODO: check + NOT-FOR-US: Free and Open Source Inventory Management System CVE-2023-39703 (A cross site scripting (XSS) vulnerability in the Markdown Editor comp ...) - TODO: check + NOT-FOR-US: Typora CVE-2023-39685 (An issue in hjson-java up to v3.0.0 allows attackers to cause a Denial ...) TODO: check CVE-2023-39631 (An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker t ...) 
TODO: check CVE-2023-39582 (SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allow ...) - TODO: check + NOT-FOR-US: Chamilo LMS CVE-2023-37997 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dharmesh ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-37994 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) - TODO: check + NOT-FOR-
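Review bot: most of the new NOT-FOR-US lines name the affected product taken from the description (PlayTube, IBOS OA, TOTVS RM, Typora, Chamilo LMS), but CVE-2023-37997 is marked "NOT-FOR-US: WordPress plugin" without naming which plugin. Naming the plugin as the other entries do keeps the NFU lines greppable when a later CVE for the same component arrives, and avoids re-triaging it from scratch.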
[Git][security-tracker-team/security-tracker][master] Process new gpac CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dac9a7d0 by Salvatore Bonaccorso at 2023-09-01T22:32:16+02:00 Process new gpac CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,18 @@ CVE-2023-4722 (Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to ...) - TODO: check + - gpac + [buster] - gpac (EOL in buster LTS) + NOTE: https://github.com/gpac/gpac/commit/de7f3a852bef72a52825fd307cf4e8f486401a76 + NOTE: https://huntr.dev/bounties/ddfdb41d-e708-4fec-afe5-68ff1f88f830 CVE-2023-4721 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.) - TODO: check + - gpac + [buster] - gpac (EOL in buster LTS) + NOTE: https://github.com/gpac/gpac/commit/3ec93d73d048ed7b46fe6e9f307cc7a0cc13db63 + NOTE: https://huntr.dev/bounties/f457dc62-3cff-47bd-8fd2-1cb2b4a832fc CVE-2023-4720 (Floating Point Comparison with Incorrect Operator in GitHub repository ...) - TODO: check + - gpac + [buster] - gpac (EOL in buster LTS) + NOTE: https://github.com/gpac/gpac/commit/e396648e48c57e2d53988d3fd4465b068b96c89a + NOTE: https://huntr.dev/bounties/1dc2954c-8497-49fa-b2af-113e1e9381ad CVE-2023-4714 (A vulnerability was found in PlayTube 3.0.1 and classified as problema ...) TODO: check CVE-2023-4713 (A vulnerability has been found in IBOS OA 4.5.5 and classified as crit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dac9a7d03d703c4aa0173045161bfdb09bc19781
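Review bot: each of the three new gpac entries annotates only buster ("EOL in buster LTS") and leaves "- gpac" without a fixed version even though an upstream fix commit is referenced for every CVE, so bookworm and bullseye are left implicitly affected and untriaged. If the plan is to fix these through unstable only, explicit "[bookworm]" and "[bullseye]" lines with the usual reasoning would make that state visible, and the unstable fixed version should be recorded once the upload carrying the referenced commits lands.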
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-39616/aom
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec50c1d8 by Salvatore Bonaccorso at 2023-09-01T22:15:55+02:00 Update information for CVE-2023-39616/aom - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -607,7 +607,16 @@ CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expre TODO: check CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...) - aom 3.7.0~rc3-1 - NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=3372#c3 (fixes in 3.7.0~rc2) + [bullseye] - aom (Vulnerable code introduced later) + [buster] - aom (Vulnerable code introduced later) + NOTE: https://bugs.chromium.org/p/aomedia/issues/detail?id=3372#c3 + NOTE: Introduced by: https://aomedia.googlesource.com/aom/+/55318e3c27fbcff4b4888e6b413ca1e34e4fb8a1 (3.4.0_rc1) + NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/35254736d9753447ac9bccf8e0062bdb74b0bdb7 (3.7.0_rc2) + NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/cbce06167ac7adc945786320ae3ea6e39b11e1d1 (3.7.0_rc2) + NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/54e4b8fffababa02c31674b3b37dc0c26dd0a898 (3.7.0_rc2) + NOTE: Fixed by: https://aomedia.googlesource.com/aom/+/df38eb169193f169bb4a81edd7b54d15cd5afc2a (3.7.0_rc2) + NOTE: Testcase: https://aomedia.googlesource.com/aom/+/7c3bcc8fa57ffda7f128f3cea9e8bb31c83fe4b7 (3.7.0_rc2) + NOTE: Testcase: https://aomedia.googlesource.com/aom/+/d90659acbb1487949195006d46c4582c62f1b90f (3.7.0_rc2) CVE-2023-39615 (Xmlsoft Libxml2 v2.11.0 was discovered to contain a global buffer over ...) - libxml2 [bookworm] - libxml2 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec50c1d8e40cf26c8808d7e3c7319cd0c263a028
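Review bot: the new "Introduced by" NOTE places the vulnerable code at 3.4.0_rc1, which is what justifies the bullseye and buster "Vulnerable code introduced later" annotations, but it contradicts the CVE description's "AOMedia v3.0.0 to v3.5.0" range; a one-line NOTE saying the description's lower bound is inaccurate would pre-empt that question the next time someone reconciles the two. The hunk also shows no bookworm line for CVE-2023-39616, so if bookworm ships aom at or after 3.4.0_rc1 it needs its own annotation, since the unstable fix is 3.7.0~rc3-1.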
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5263ddab by security tracker role at 2023-09-01T20:12:23+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,18 +1,116 @@ -CVE-2023-4647 +CVE-2023-4722 (Integer Overflow or Wraparound in GitHub repository gpac/gpac prior to ...) + TODO: check +CVE-2023-4721 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DEV.) + TODO: check +CVE-2023-4720 (Floating Point Comparison with Incorrect Operator in GitHub repository ...) + TODO: check +CVE-2023-4714 (A vulnerability was found in PlayTube 3.0.1 and classified as problema ...) + TODO: check +CVE-2023-4713 (A vulnerability has been found in IBOS OA 4.5.5 and classified as crit ...) + TODO: check +CVE-2023-4712 (A vulnerability, which was classified as critical, was found in Xintia ...) + TODO: check +CVE-2023-4711 (A vulnerability, which was classified as critical, has been found in D ...) + TODO: check +CVE-2023-4710 (A vulnerability classified as problematic was found in TOTVS RM 12.1. ...) + TODO: check +CVE-2023-4709 (A vulnerability classified as problematic has been found in TOTVS RM 1 ...) + TODO: check +CVE-2023-4708 (A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been r ...) + TODO: check +CVE-2023-4707 (A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been d ...) + TODO: check +CVE-2023-4704 (External Control of System or Configuration Setting in GitHub reposito ...) + TODO: check +CVE-2023-41633 (Catdoc v0.95 was discovered to contain a NULL pointer dereference via ...) + TODO: check +CVE-2023-41628 (An issue in O-RAN Software Community E2 G-Release allows attackers to ...) + TODO: check +CVE-2023-41627 (O-RAN Software Community ric-plt-lib-rmr v4.9.0 does not validate the ...) + TODO: check +CVE-2023-41364 (In tine through 2023.01.14.325, the sort parameter of the /index.php e ...) + TODO: check +CVE-2023-41051 (In a typical Virtual Machine Monitor (VMM) there are several component ...) + TODO: check +CVE-2023-41049 (@dcl/single-sign-on-client is an open source npm library which deals w ...) 
+ TODO: check +CVE-2023-41046 (XWiki Platform is a generic wiki platform offering runtime services fo ...) + TODO: check +CVE-2023-40980 (File Upload vulnerability in DWSurvey DWSurvey-OSS v.3.2.0 and before ...) + TODO: check +CVE-2023-40970 (Senayan Library Management Systems SLIMS 9 Bulian v 9.6.1 is vulnerabl ...) + TODO: check +CVE-2023-40969 (Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable ...) + TODO: check +CVE-2023-40968 (Buffer Overflow vulnerability in hzeller timg v.1.5.2 and before allow ...) + TODO: check +CVE-2023-40771 (SQL injection vulnerability in DataEase v.1.18.9 allows a remote attac ...) + TODO: check +CVE-2023-40239 (Certain Lexmark devices (such as CS310) before 2023-08-25 allow XXE at ...) + TODO: check +CVE-2023-3210 (An issue has been discovered in GitLab affecting all versions starting ...) + TODO: check +CVE-2023-39714 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...) + TODO: check +CVE-2023-39710 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...) + TODO: check +CVE-2023-39703 (A cross site scripting (XSS) vulnerability in the Markdown Editor comp ...) + TODO: check +CVE-2023-39685 (An issue in hjson-java up to v3.0.0 allows attackers to cause a Denial ...) + TODO: check +CVE-2023-39631 (An issue in LanChain-ai Langchain v.0.0.245 allows a remote attacker t ...) + TODO: check +CVE-2023-39582 (SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allow ...) + TODO: check +CVE-2023-37997 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Dharmesh ...) + TODO: check +CVE-2023-37994 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) + TODO: check +CVE-2023-37986 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in mini ...) + TODO: check +CVE-2023-37893 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Chop-Cho ...) 
+ TODO: check +CVE-2023-37830 (A cross-site scripting (XSS) vulnerability in General Solutions Steine ...) + TODO: check +CVE-2023-37829 (A cross-site scripting (XSS) vulnerability in General Solutions Steine ...) + TODO: check +CVE-2023-37828 (A cross-site scripting (XSS) vulnerability in General Solutions Steine ...) + TODO: check +CVE-2023-37827 (A cross-site scripting (XSS) vulnerability in General Solutions Steine ...) + TODO: check +CVE-2023-37826 (A cross-site scripting (XSS) vulnerability in General Solutions Steine ...
[Git][security-tracker-team/security-tracker][master] Clarify status for CVE-2021-34193
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e6b4d0ed by Salvatore Bonaccorso at 2023-09-01T21:29:16+02:00 Clarify status for CVE-2021-34193 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -158738,6 +158738,8 @@ CVE-2021-34193 (Stack overflow vulnerability in OpenSC smart card middleware bef NOTE: https://github.com/OpenSC/OpenSC/commit/05648b0604bf3e498e8d42dff3c6e7c56a5bf749 (0.22.0-rc1) NOTE: https://github.com/OpenSC/OpenSC/commit/715c17c469f6c463dd511a5deb229da4de9ee100 (0.22.0-rc1) NOTE: https://github.com/OpenSC/OpenSC/issues/2841 + NOTE: CVE-2021-34193 is containing fixes as well for CVE-2021-42778, CVE-2021-42779, CVE-2021-42780, + NOTE: CVE-2021-42781 and CVE-2021-42782 and might get rejected. CVE-2021-34192 RESERVED CVE-2021-34191 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6b4d0ed29f5560fb723def3d2e071e36b871817
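Review bot: the added NOTE reads "CVE-2021-34193 is containing fixes as well for ..."; "also covers the fixes for" is clearer, and the two-line NOTE would read better with the full CVE list on one line followed by the "might get rejected" remark on the next. Since the note anticipates a possible rejection, it should also say where the 0.22.0-rc1 commit references will live if that happens (the individual CVE-2021-42778 through CVE-2021-42782 entries), so the fix provenance is not lost when this entry is turned into a REJECTED marker.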
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-34457 in python-mechanicalsoup for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 0088ca78 by Chris Lamb at 2023-09-01T11:50:58-07:00 Triage CVE-2023-34457 in python-mechanicalsoup for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -8038,6 +8038,7 @@ CVE-2023-34457 (MechanicalSoup is a Python library for automating interaction wi - python-mechanicalsoup (bug #1041814) [bookworm] - python-mechanicalsoup (Minor issue) [bullseye] - python-mechanicalsoup (Minor issue) + [buster] - python-mechanicalsoup (Minor issue; invasive backport required) NOTE: https://github.com/MechanicalSoup/MechanicalSoup/security/advisories/GHSA-x456-3ccm-m6j4 NOTE: https://github.com/MechanicalSoup/MechanicalSoup/commit/d57c4a269bba3b9a0c5bfa20292955b849006d9e (v1.3.0) CVE-2023-34338 (AMI SPx contains a vulnerability in the BMC where an Attacker may caus ...) = data/dla-needed.txt = 
@@ -138,9 +138,6 @@ python-glance-store NOTE: 20230705: pushed a patched version to: https://salsa.debian.org/lts-team/packages/python-glance-store (jspricke) NOTE: 20230705: upstream patch looks fine to me but should probably be tested and released together with the other affected packages. (jspricke) -- -python-mechanicalsoup (Chris Lamb) - NOTE: 20230819: Added by Front-Desk (ta) --- python-os-brick NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0088ca78bd8e7fe7a1db6bd92fdad4316c7aa89a
[Git][security-tracker-team/security-tracker][master] CVE-2023-41080,tomcat10: fixed in unstable
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 5156a769 by Markus Koschany at 2023-09-01T20:15:00+02:00 CVE-2023-41080,tomcat10: fixed in unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -893,7 +893,7 @@ CVE-2023-4524 CVE-2023-41121 (Array AG OS before 9.4.0.499 allows denial of service: remote attacker ...) NOT-FOR-US: Array AG OS CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in F ...) - - tomcat10 + - tomcat10 10.1.13-1 [bookworm] - tomcat10 (Minor issue, fix along with future update) - tomcat9 9.0.70-2 [bullseye] - tomcat9 (Minor issue, fix along with future update) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5156a769b06415d3ff8a3c90d5dea5366d8ed567
[Git][security-tracker-team/security-tracker][master] Add upstream tag references for CVE-2023-38037
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5b8a48ed by Salvatore Bonaccorso at 2023-09-01T19:39:42+02:00 Add upstream tag references for CVE-2023-38037 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -37,7 +37,8 @@ CVE-2023-40316 CVE-2023-38037 - rails NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml - NOTE: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 + NOTE: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 (v7.0.7.1) + NOTE: https://github.com/rails/rails/commit/c85cc667ebfd3c270df37c7575d580ea6462e12f (v6.1.7.5) CVE-2023-4698 (Improper Input Validation in GitHub repository usememos/memos prior to ...) NOT-FOR-US: Memos CVE-2023-4697 (Improper Privilege Management in GitHub repository usememos/memos prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5b8a48ed1149bb1a18594f978fe5f589440c24f5
[Git][security-tracker-team/security-tracker][master] Track fixed version for three CVEs for frr fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 24188544 by Salvatore Bonaccorso at 2023-09-01T19:34:02+02:00 Track fixed version for three CVEs for frr fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -525,7 +525,7 @@ CVE-2023-39267 (An authenticated remote code execution vulnerability exists in t CVE-2023-39266 (A vulnerability in the ArubaOS-Switch web management interface could a ...) NOT-FOR-US: Aruba CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote ...) - - frr + - frr 8.4.4-1.1 NOTE: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling NOTE: https://github.com/FRRouting/frr/pull/14290 NOTE: https://github.com/FRRouting/frr/commit/bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 @@ -678,7 +678,7 @@ CVE-2023-41361 (An issue was discovered in FRRouting FRR 9.0. bgpd/bgp_open.c do NOTE: Backport for 9.0 branch: https://github.com/FRRouting/frr/pull/14250 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/73ad93a83f18564bb7bff4659872f7ec1a64b05e CVE-2023-41360 (An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet. ...) - - frr + - frr 8.4.4-1.1 [bullseye] - frr (The vulnerable code was introduced later) NOTE: https://github.com/FRRouting/frr/pull/14245 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/9b855a692e68e0d16467e190b466b4ecb6853702 
@@ -692,7 +692,7 @@ CVE-2023-41359 (An issue was discovered in FRRouting FRR through 9.0. There is a NOTE: Backport for stable/8.5: https://github.com/FRRouting/frr/pull/14268 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/460ee930d6dbce6e96ecbfcd568a291f31bae24e CVE-2023-41358 (An issue was discovered in FRRouting FRR through 9.0. bgpd/bgp_packet. ...) - - frr + - frr 8.4.4-1.1 NOTE: https://github.com/FRRouting/frr/pull/14260 NOTE: Fixed by: https://github.com/FRRouting/frr/commit/28ccc24d38df1d51ed8a563507e5d6f6171fdd38 NOTE: Backport for stable/8.5: https://github.com/FRRouting/frr/pull/14270 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/24188544b0edccf589f9f5a3decbad8b03cdf1b2
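Review bot: CVE-2023-38802 is described as affecting "FRR 7.5.1 through 9.0" and now records "- frr 8.4.4-1.1" for unstable, but the first hunk shows no [bookworm] or [bullseye] line for it, whereas CVE-2023-41360 in the second hunk carries "[bullseye] - frr (The vulnerable code was introduced later)". Given the description's version range and the referenced write-up on BGP path-attribute error handling, the stable suites need an explicit annotation for CVE-2023-38802 (a fixed version, a no-dsa rationale, or a not-affected note) rather than being left implicit; the same applies to CVE-2023-41358 in the third hunk, which also gains only the unstable version.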
[Git][security-tracker-team/security-tracker][master] Reference backports for CVE-2023-38802
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 178d6c2d by Salvatore Bonaccorso at 2023-09-01T19:32:56+02:00 Reference backports for CVE-2023-38802 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -528,7 +528,9 @@ CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a - frr NOTE: https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling NOTE: https://github.com/FRRouting/frr/pull/14290 - NOTE: https://github.com/FRRouting/frr/pull/14290/commits/bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 + NOTE: https://github.com/FRRouting/frr/commit/bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 + NOTE: Backport for stable/8.4: https://github.com/FRRouting/frr/pull/14295 + NOTE: https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of BGP update data (length ...) - openbgpd 8.1-1 NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178d6c2d3cfcd7c97b4fa70e1caf1dbd8b667af6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/178d6c2d3cfcd7c97b4fa70e1caf1dbd8b667af6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
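Review bot: the newly added commit URL 46817adab03802355c3cce7b753c7a735bdcc5ae carries no label, so a reader cannot tell whether it is the stable/8.4 backport commit from PR 14295 or something else; prefix it the way the neighbouring notes are ("Fixed by:" / "Backport for stable/8.4:"), for example `NOTE: Backport for stable/8.4: https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae` if that is what it is.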
[Git][security-tracker-team/security-tracker][master] LTS: add file and frr
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: fdc54d79 by Anton Gladky at 2023-09-01T18:55:27+02:00 LTS: add file and frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -54,6 +54,9 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +file + NOTE: 20230901: Added by Front-Desk (gladk) +-- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- @@ -67,6 +70,9 @@ freeimage NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll NOTE: 20230826: out the DLA/ELA now. (utkarsh) -- +frr + NOTE: 20230901: Added by Front-Desk (gladk) +-- glib2.0 (santiago) NOTE: 20230612: Added by Front-Desk (apo) NOTE: 20230710: WIP (santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc54d79b47bcfaf9ab433057f1f095504075ec4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fdc54d79b47bcfaf9ab433057f1f095504075ec4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
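Review bot: both new dla-needed entries (`file` in the first hunk, `frr` in the second) carry only "Added by Front-Desk (gladk)" and no pointer to the CVEs that motivated them, while neighbouring entries such as dogecoin record their scope in NOTE lines; add a NOTE naming the open CVE ids so whoever claims the package does not have to rediscover the scope.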
[Git][security-tracker-team/security-tracker][master] LTS: mark gpac CVEs as end-of-life for buster
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b02951f by Anton Gladky at 2023-09-01T18:52:11+02:00 LTS: mark gpac CVEs as end-of-life for buster - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -61,20 +61,24 @@ CVE-2023-39912 (Zoho ManageEngine ADManager Plus through 7202 allows admin users CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec NOTE: https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922 CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) - gpac + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/b1042c3eefca87c4bc32afb404ed6518d693e5be NOTE: https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c CVE-2023-4681 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c NOTE: https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e CVE-2023-4678 (Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.) - gpac [bullseye] - gpac (Minor issue) + [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07 NOTE: https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877 CVE-2023-41748 (Remote command execution due to improper input validation. The followi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b02951f0c92dd615f9995398d293bf8a0fa1f32 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b02951f0c92dd615f9995398d293bf8a0fa1f32 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
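Review bot: in the CVE-2023-4682 block (Heap-based Buffer Overflow) only the new "[buster] - gpac (EOL in buster LTS)" line is present, while the three NULL-pointer-dereference and divide-by-zero entries around it also carry "[bullseye] - gpac (Minor issue)"; since 4682 is the one memory-corruption issue in the set, confirm that leaving bullseye untagged is deliberate (pending a fix through a point release or DSA) rather than an omission.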
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3553-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 634c2cf0 by Emilio Pozuelo Monfort at 2023-09-01T15:27:40+02:00 Reserve DLA-3553-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[01 Sep 2023] DLA-3553-1 firefox-esr - security update + {CVE-2023-4573 CVE-2023-4574 CVE-2023-4575 CVE-2023-4581 CVE-2023-4584} + [buster] - firefox-esr 102.15.0esr-1~deb10u1 [31 Aug 2023] DLA-3552-1 gst-plugins-ugly1.0 - security update [buster] - gst-plugins-ugly1.0 1.14.4-1+deb10u2 [31 Aug 2023] DLA-3551-1 otrs2 - security update = data/dla-needed.txt = @@ -54,9 +54,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20230829: Added by pochu --- firmware-nonfree NOTE: 20230820: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/634c2cf04603de9f2fe73ed58cb5c283e3478e74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/634c2cf04603de9f2fe73ed58cb5c283e3478e74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new gitlab issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b63de8f9 by Moritz Muehlenhoff at 2023-09-01T12:52:40+02:00 new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,19 @@ +CVE-2023-4647 + - gitlab +CVE-2023-3205 + - gitlab +CVE-2023-4018 + - gitlab +CVE-2023-4638 + - gitlab +CVE-2023-4630 + - gitlab +CVE-2023-3950 + - gitlab (Specific to EE) +CVE-2023-4378 + - gitlab +CVE-2023-3915 + - gitlab (Specific to EE) CVE-2023-40325 - moodle CVE-2023-40324 @@ -22174,6 +22190,7 @@ CVE-2023-1556 (A vulnerability was found in SourceCodester Judging Management Sy NOT-FOR-US: SourceCodester Judging Management System CVE-2023-1555 RESERVED + - gitlab CVE-2013-10022 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: WordPress plugin CVE-2023-28730 (A memory corruption vulnerability Panasonic Control FPWIN Pro versions ...) @@ -24877,6 +24894,7 @@ CVE-2023-1280 RESERVED CVE-2023-1279 RESERVED + - gitlab CVE-2023-1278 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: IBOS CVE-2023-1277 (A vulnerability, which was classified as critical, was found in kylin- ...) @@ -40250,6 +40268,7 @@ CVE-2023-0121 (A denial of service issue was discovered in GitLab CE/EE affectin - gitlab 15.10.8+ds1-2 CVE-2023-0120 RESERVED + - gitlab CVE-2023-0119 RESERVED - foreman (bug #663101) 
@@ -47958,6 +47977,7 @@ CVE-2022-4346 (The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leak NOT-FOR-US: WordPress plugin CVE-2022-4343 RESERVED + - gitlab (Specific to EE) CVE-2022-4342 (An issue has been discovered in GitLab CE/EE affecting all versions st ...) - gitlab 15.10.8+ds1-2 CVE-2022-4341 (A vulnerability has been found in csliuwy coder-chain_gdut and classif ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b63de8f9198dfdfc9f460f52ef7618aec2270992 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b63de8f9198dfdfc9f460f52ef7618aec2270992 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
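Review bot: the first hunk (@@ -1,3 +1,19) adds eight entries with `- gitlab` and neither a description nor a NOTE link to the GitLab security release that lists them, so they show as open against gitlab with no way to check affected versions; the descriptions will arrive with the automatic update, but a NOTE pointing at the release announcement should be added now, and the two "(Specific to EE)" entries should state whether the packaged source contains the EE code at all (`<not-affected>` with that reason is the clearer record if it does not).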
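Review bot: the last hunk (@@ -47958) attaches "- gitlab (Specific to EE)" to CVE-2022-4343, which is still RESERVED in the file, while the neighbouring CVE-2022-4342 context line is recorded as fixed in 15.10.8+ds1-2; without a NOTE saying where the EE-only assessment came from, the next triager cannot confirm the match once the CVE text is published, and an EE-only issue arguably belongs under `<not-affected>` rather than as an open entry.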
[Git][security-tracker-team/security-tracker][master] new moodle issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f5da89f2 by Moritz Muehlenhoff at 2023-09-01T11:01:54+02:00 new moodle issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2023-40325 + - moodle +CVE-2023-40324 + - moodle +CVE-2023-40323 + - moodle +CVE-2023-40322 + - moodle +CVE-2023-40321 + - moodle +CVE-2023-40320 + - moodle +CVE-2023-40319 + - moodle +CVE-2023-40318 + - moodle +CVE-2023-40317 + - moodle +CVE-2023-40316 + - moodle CVE-2023-38037 - rails NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5da89f2ab886148b272937bdae70a988efbf0c5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5da89f2ab886148b272937bdae70a988efbf0c5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
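Review bot: the ten new moodle entries have no NOTE lines at all, whereas the CVE-2023-38037 rails entry in the context directly below shows the convention (advisory-db entry plus upstream commit); without a pointer to the Moodle security announcements the fixed upstream version and the affected branches cannot be derived later, so add the references in the same commit.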
[Git][security-tracker-team/security-tracker][master] new rails issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 99fc740f by Moritz Muehlenhoff at 2023-09-01T10:54:57+02:00 new rails issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2023-38037 + - rails + NOTE: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activesupport/CVE-2023-38037.yml + NOTE: https://github.com/rails/rails/commit/a21d6edf35a60383dfa6c4da49e4b1aef5f00731 CVE-2023-4698 (Improper Input Validation in GitHub repository usememos/memos prior to ...) NOT-FOR-US: Memos CVE-2023-4697 (Improper Privilege Management in GitHub repository usememos/memos prio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99fc740fd56ded7e2a29dfb34363d481515c3231 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99fc740fd56ded7e2a29dfb34363d481515c3231 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
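Review bot: the advisory-db path names activesupport as the affected gem, but the new entry records only `- rails` with no version and no affected/fixed range; add a NOTE with the fixed upstream version from the YAML so the Debian fixed version can be matched, and check whether the upstream commit a21d6edf35a60383dfa6c4da49e4b1aef5f00731 is on the branch the Debian package tracks.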
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 49d298b8 by Moritz Muehlenhoff at 2023-09-01T10:40:10+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14620,23 +14620,23 @@ CVE-2023-31177 CVE-2023-31176 RESERVED CVE-2023-31175 (An Execution with Unnecessary Privileges vulnerability in the Schweitz ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31174 (A Cross-Site Request Forgery (CSRF) vulnerability in the Schweitzer En ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31173 (Use of Hard-coded Credentials vulnerability in Schweitzer Engineering ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31172 (An Incomplete Filtering of Special Elements vulnerability in the Schwe ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31171 (An Improper Neutralization of Special Elements used in an SQL Command ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31170 (An Inclusion of Functionality from Untrusted Control Sphere vulnerabil ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31169 (An Improper Handling of Unicode Encoding vulnerability in the Schweitz ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31168 (An Inclusion of Functionality from Untrusted Control Sphere vulnerabil ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31167 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31166 (An Improper Limitation of a Pathname to a Restricted Directory ('Path ...) NOT-FOR-US: Schweitzer Engineering Laboratories CVE-2023-31165 (An Improper Neutralization of Input During Web Page Generation ('Cross ...) 
@@ -15324,7 +15324,7 @@ CVE-2023-2231 (A vulnerability, which was classified as critical, was found in M CVE-2023-2230 REJECTED CVE-2023-2229 (The Quick Post Duplicator for WordPress is vulnerable to SQL Injection ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-2228 (Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa ...) NOT-FOR-US: Modoboa CVE-2023-2227 (Improper Authorization in GitHub repository modoboa/modoboa prior to 2 ...) @@ -15444,7 +15444,7 @@ CVE-2023-2190 (An issue has been discovered in GitLab CE/EE affecting all versio CVE-2023-2189 (The Elementor Addons, Widgets and Enhancements \u2013 Stax plugin for ...) NOT-FOR-US: WordPress plugin CVE-2023-2188 (The Colibri Page Builder for WordPress is vulnerable to SQL Injection ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-30896 RESERVED CVE-2023-30895 @@ -21867,7 +21867,7 @@ CVE-2023-28803 CVE-2023-28802 RESERVED CVE-2023-28801 (An Improper Verification of Cryptographic Signature in the SAML authen ...) - TODO: check + NOT-FOR-US: Zscaler CVE-2023-28800 (When using local accounts for administration, the redirect url paramet ...) NOT-FOR-US: Zscaler CVE-2023-28799 (A URL parameter during login flow was vulnerable to injection. An atta ...) @@ -22265,7 +22265,7 @@ CVE-2023-28694 CVE-2023-28693 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Balasahe ...) NOT-FOR-US: WordPress plugin CVE-2023-28692 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Kevo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-28691 RESERVED CVE-2023-28690 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Marc ...) 
@@ -23270,7 +23270,7 @@ CVE-2023-28417 CVE-2023-28416 RESERVED CVE-2023-28415 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Xoot ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-28414 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Apex ...) NOT-FOR-US: WordPress plugin CVE-2023-28413 (Directory traversal vulnerability in Snow Monkey Forms versions v5.0.6 ...) @@ -25912,7 +25912,7 @@ CVE-2023-27623 CVE-2023-27622 RESERVED CVE-2023-27621 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in MrDe ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-27620 (Auth. (contributor+) Stored Cross-site Scripting (XSS) vulnerability i ...) NOT-FOR-US: WordPress plugin CVE-2023-27619 (Auth (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability ...) @@ -26533,7 +26533,7 @@ CVE-2023-27428 CVE-2023-27427 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in N
[Git][security-tracker-team/security-tracker][master] Synapse CVEs fixed in 1.90.0-1
Andrej Shadura pushed to branch master at Debian Security Tracker / security-tracker Commits: 5db38601 by Andrej Shadura at 2023-09-01T10:03:07+02:00 Synapse CVEs fixed in 1.90.0-1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11158,10 +11158,10 @@ CVE-2023-33457 (In Sogou Workflow v0.10.6, memcpy a negtive size in URIParser::p CVE-2023-33381 (A command injection vulnerability was found in the ping functionality ...) NOT-FOR-US: MitraStar CVE-2023-32683 (Synapse is a Matrix protocol homeserver written in Python with the Twi ...) - - matrix-synapse (bug #1037207) + - matrix-synapse 1.90.0-1 (bug #1037207) NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc CVE-2023-32682 (Synapse is a Matrix protocol homeserver written in Python with the Twi ...) - - matrix-synapse (bug #1037207) + - matrix-synapse 1.90.0-1 (bug #1037207) NOTE: https://github.com/matrix-org/synapse/security/advisories/GHSA-26c5-ppr8-f33p CVE-2023-32551 (Landscape allowed URLs which caused open redirection.) NOT-FOR-US: Landscape View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5db38601e6eb5ee60b2f7315271e0f319db8219c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5db38601e6eb5ee60b2f7315271e0f319db8219c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
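Review bot: both Synapse entries now record 1.90.0-1 as the fixed version while keeping (bug #1037207), but no [bookworm]/[bullseye] status is added, so stable and oldstable remain listed as vulnerable; either add the triage lines or confirm a DSA/point update is planned, and double-check that 1037207 is a single bug covering both CVE-2023-32683 and CVE-2023-32682, since the same number appears on both lines.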
[Git][security-tracker-team/security-tracker][master] new gitlab issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a47b7c64 by Moritz Muehlenhoff at 2023-09-01T10:29:00+02:00 new gitlab issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -399,7 +399,7 @@ CVE-2023-4526 CVE-2023-4525 REJECTED CVE-2023-4522 (An issue has been discovered in GitLab affecting all versions starting ...) - TODO: check + - gitlab CVE-2023-4296 (If an attacker tricks an admin user of PTC Codebeamer into clicking on ...) NOT-FOR-US: PTC Codebeamer CVE-2023-41269 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a47b7c643cdb3cd806d4af9ccd4d40cafe4643f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a47b7c643cdb3cd806d4af9ccd4d40cafe4643f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e938aaa by Moritz Muehlenhoff at 2023-09-01T10:20:03+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,23 +1,23 @@ CVE-2023-4698 (Improper Input Validation in GitHub repository usememos/memos prior to ...) - TODO: check + NOT-FOR-US: Memos CVE-2023-4697 (Improper Privilege Management in GitHub repository usememos/memos prio ...) - TODO: check + NOT-FOR-US: Memos CVE-2023-4696 (Improper Access Control in GitHub repository usememos/memos prior to 0 ...) - TODO: check + NOT-FOR-US: Memos CVE-2023-4695 (Use of Predictable Algorithm in Random Number Generator in GitHub repo ...) - TODO: check + NOT-FOR-US: pkp-lib CVE-2023-4688 (Sensitive information leak through log files. The following products a ...) - TODO: check + NOT-FOR-US: Acronis CVE-2023-4299 (Digi RealPort Protocol is vulnerable to a replay attack that may allow ...) - TODO: check + NOT-FOR-US: Digi RealPort CVE-2023-41751 (Sensitive information disclosure due to improper token expiration vali ...) - TODO: check + NOT-FOR-US: Acronis CVE-2023-41750 (Sensitive information disclosure due to missing authorization. The fol ...) - TODO: check + NOT-FOR-US: Acronis CVE-2023-41749 (Sensitive information disclosure due to excessive collection of system ...) - TODO: check + NOT-FOR-US: Acronis CVE-2023-39912 (Zoho ManageEngine ADManager Plus through 7202 allows admin users to do ...) - TODO: check + NOT-FOR-US: Zoho CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) 
@@ -60,7 +60,7 @@ CVE-2023-41739 (Uncontrolled resource consumption vulnerability in File Function CVE-2023-41738 (Improper neutralization of special elements used in an OS command ('OS ...) NOT-FOR-US: Synology CVE-2023-41717 (Inappropriate file type control in Zscaler Proxy versions 3.6.1.25 and ...) - TODO: check + NOT-FOR-US: Zscaler Proxy CVE-2023-41642 (Multiple reflected cross-site scripting (XSS) vulnerabilities in the E ...) NOT-FOR-US: GruppoSCAI RealGimm CVE-2023-41640 (An improper error handling vulnerability in the component ErroreNonGes ...) @@ -78,7 +78,7 @@ CVE-2023-41045 (Graylog is a free and open log management platform. Graylog make CVE-2023-41044 (Graylog is a free and open log management platform. A partial path tra ...) - graylog2 (bug #652273) CVE-2023-41034 (Eclipse Leshan is a device management server and client Java implement ...) - TODO: check + NOT-FOR-US: Eclipse Leshan CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x @@ -185,7 +185,7 @@ CVE-2023-39137 (An issue in Archive v3.3.7 allows attackers to spoof zip filenam CVE-2023-39136 (An unhandled edge case in the component _sanitizedPath of ZipArchive v ...) TODO: check CVE-2023-39135 (An issue in Zip Swift v2.1.2 allows attackers to execute a path traver ...) - TODO: check + NOT-FOR-US: Zip Swift CVE-2023-38970 (Cross Site Scripting vulnerabiltiy in Badaso v.0.0.1 thru v.2.9.7 allo ...) NOT-FOR-US: Badaso CVE-2023-31925 (Brocade SANnav before v2.3.0 and v2.2.2a stores SNMPv3 Authentication ...) 
@@ -203,7 +203,7 @@ CVE-2023-2353 (The CHP Ads Block Detector plugin for WordPress is vulnerable to CVE-2023-2352 (The CHP Ads Block Detector plugin for WordPress is vulnerable to Cross ...) NOT-FOR-US: CHP Ads Block Detector plugin for WordPress CVE-2023-4640 (The controller responsible for setting the logging level does not incl ...) - TODO: check + NOT-FOR-US: YugabyteDB CVE-2023-4624 (Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/b ...) NOT-FOR-US: bookstack CVE-2023-4600 (The AffiliateWP for WordPress is vulnerable to unauthorized modificati ...) @@ -258,7 +258,6 @@ CVE-2023-41039 (RestrictedPython is a restricted execution environment for Pytho - restrictedpython NOTE: https://github.com/zopefoundation/RestrictedPython/security/advisories/GHSA-xjw2-6jm9-rf67 NOTE: Fixed by: https://github.com/zopefoundation/RestrictedPython/commit/4134aedcff17c977da7717693ed89ce56d54c120 - TODO: check details CVE-2023-40848 (Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Bu ...) NOT-FOR-US: Tenda CVE-2023-40847 (Tenda AC6 US_AC6V1.0BR_V15.03.05.16_multi_TD01.bin is vulnerable to Bu ...) @@ -296,7 +295,7 @@ CVE-2023-40593 (In Splunk Enterprise versions lower than 9.0.6 and 8.2.12, a mal CVE-2023-40592 (In Splunk
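Review bot: the hunk at @@ -258 removes the "TODO: check details" line under CVE-2023-41039 (restrictedpython), which is not a NOT-FOR-US triage like the rest of a commit titled "NFUs"; if the details were checked, the entry should record the conclusion (a fixed version or a [bookworm]/[bullseye] status next to the existing "Fixed by:" note), and the commit message should mention the change.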
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31409c7b by security tracker role at 2023-09-01T08:12:40+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2023-4698 (Improper Input Validation in GitHub repository usememos/memos prior to ...) + TODO: check +CVE-2023-4697 (Improper Privilege Management in GitHub repository usememos/memos prio ...) + TODO: check +CVE-2023-4696 (Improper Access Control in GitHub repository usememos/memos prior to 0 ...) + TODO: check +CVE-2023-4695 (Use of Predictable Algorithm in Random Number Generator in GitHub repo ...) + TODO: check +CVE-2023-4688 (Sensitive information leak through log files. The following products a ...) + TODO: check +CVE-2023-4299 (Digi RealPort Protocol is vulnerable to a replay attack that may allow ...) + TODO: check +CVE-2023-41751 (Sensitive information disclosure due to improper token expiration vali ...) + TODO: check +CVE-2023-41750 (Sensitive information disclosure due to missing authorization. The fol ...) + TODO: check +CVE-2023-41749 (Sensitive information disclosure due to excessive collection of system ...) + TODO: check +CVE-2023-39912 (Zoho ManageEngine ADManager Plus through 7202 allows admin users to do ...) + TODO: check CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac [bullseye] - gpac (Minor issue) 
@@ -63,7 +83,7 @@ CVE-2023-40589 (FreeRDP is a free implementation of the Remote Desktop Protocol - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-gc34-mw6m-g42x NOTE: https://github.com/FreeRDP/FreeRDP/commit/16141a30f983dd6f7a6e5b0356084171942c9416 -CVE-2023-39356 +CVE-2023-39356 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-q5v5-qhj5-mh6m CVE-2023-39355 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) @@ -74,10 +94,10 @@ CVE-2023-39354 (FreeRDP is a free implementation of the Remote Desktop Protocol - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-c3r2-pxxp-f8r6 NOTE: https://github.com/FreeRDP/FreeRDP/commit/cd1da25a87358eb3b5512fd259310e95b19a05ec -CVE-2023-39353 +CVE-2023-39353 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hg53-9j9h-3c8f -CVE-2023-39352 +CVE-2023-39352 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-whwr-qcf2-2mvj CVE-2023-39351 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) 
@@ -277,20 +297,20 @@ CVE-2023-40592 (In Splunk Enterprise versions below 9.1.1, 9.0.6, and 8.2.12, an NOT-FOR-US: Splunk CVE-2023-40582 (find-exec is a utility to discover available shell commands. Versions ...) TODO: check -CVE-2023-40188 +CVE-2023-40188 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-9w28-wwj5-p4xq -CVE-2023-40187 +CVE-2023-40187 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-pwf9-v5p9-ch4f -CVE-2023-40186 +CVE-2023-40186 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-hcj4-3c3r-5j3v CVE-2023-40184 (xrdp is an open source remote desktop protocol (RDP) server. In versio ...) - xrdp NOTE: https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-f489-557v-47jq NOTE: https://github.com/neutrinolabs/xrdp/commit/25a1fab5b6c5ef2a8bb109232b765cb8b332ce5e -CVE-2023-40181 +CVE-2023-40181 (FreeRDP is a free implementation of the Remote Desktop Protocol (RDP), ...) - freerdp2 NOTE: https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-mxp4-rx7x-h2g8 CVE-2023-3992 (The PostX WordPress plugin before 3.0.6 does not sanitise and escape a ...) @@ -407,7 +427,7 @@ CVE-2023-4611 (A use-after-free flaw was found in mm/mempolicy.c in the memory m [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/6c21e066f9256ea1df6f88768f6ae1080b7cf509 (6.5-rc4) -CVE-2023-4481 +CVE-2023-4481 (An Improper Input Validation vulnerabil
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 36af2a11 by Moritz Muehlenhoff at 2023-09-01T10:01:06+02:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2023-4683 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac + [bullseye] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/112767e8b178fc82dec3cf82a1ca14d802cdb8ec NOTE: https://huntr.dev/bounties/7852e4d2-af4e-4421-a39e-db23e0549922 CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3 ...) @@ -8,10 +9,12 @@ CVE-2023-4682 (Heap-based Buffer Overflow in GitHub repository gpac/gpac prior t NOTE: https://huntr.dev/bounties/15232a74-e3b8-43f0-ae8a-4e89d56c474c CVE-2023-4681 (NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-D ...) - gpac + [bullseye] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/4bac19ad854159b21ba70d8ab7c4e1cd1db8ea1c NOTE: https://huntr.dev/bounties/d67c5619-ab36-41cc-93b7-04828e25f60e CVE-2023-4678 (Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV.) - gpac + [bullseye] - gpac (Minor issue) NOTE: https://github.com/gpac/gpac/commit/4607052c482a51dbdacfe1ade10645c181d07b07 NOTE: https://huntr.dev/bounties/688a4a01-8c18-469d-8cbe-a2e79e80c877 CVE-2023-41748 (Remote command execution due to improper input validation. The followi ...) @@ -110,6 +113,8 @@ CVE-2023-4649 (Session Fixation in GitHub repository instantsoft/icms2 prior to NOT-FOR-US: icms2 CVE-2023-4641 [gpasswd(1) password leak] - shadow + [bookworm] - shadow (Minor issue) + [bullseye] - shadow (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2215945 NOTE: https://github.com/shadow-maint/shadow/commit/65c88a43a23c2391dcc90c0abda3e839e9c57904 (4.14.0-rc1) CVE-2023-4500 (The Order Tracking Pro plugin for WordPress is vulnerable to Stored Cr ...) 
@@ -19504,6 +19509,7 @@ CVE-2023-29452 (Currently, geomap configuration (Administration -> General -> Ge CVE-2023-29451 (Specially crafted string can cause a buffer overrun in the JSON parser ...) {DLA-3538-1} - zabbix + [bookworm] - zabbix (Minor issue) [bullseye] - zabbix (5.x not affected) NOTE: https://support.zabbix.com/browse/ZBX-22587 CVE-2023-29450 (JavaScript pre-processing can be used by the attacker to gain access t ...) @@ -2,6 +30005,8 @@ CVE-2023-0923 NOT-FOR-US: Red Hat OpenShift Data Science CVE-2023-0922 (The Samba AD DC administration tool, when operating against a remote L ...) - samba 2:4.17.7+dfsg-1 + [bullseye] - samba (Domain controller functionality is EOLed, see DSA DSA-5477-1) + [buster] - samba (Domain controller functionality is EOLed, see DSA-5015-1) NOTE: https://www.samba.org/samba/security/CVE-2023-0922.html CVE-2023-0921 (A lack of length validation in GitLab CE/EE affecting all versions fro ...) - gitlab 15.10.8+ds1-2 
@@ -117984,15 +117992,18 @@ CVE-2022-23517 (rails-html-sanitizer is responsible for sanitizing HTML fragment NOTE: https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979 CVE-2022-23516 (Loofah is a general library for manipulating and transforming HTML/XML ...) - ruby-loofah 2.19.1-1 (bug #1026083) + [bullseye] - ruby-loofah (Minor issue) [buster] - ruby-loofah (Minor issue) NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm NOTE: https://github.com/flavorjones/loofah/commit/86f7f6364491b0099d215db858ecdc0c89ded040 CVE-2022-23515 (Loofah is a general library for manipulating and transforming HTML/XML ...) - ruby-loofah 2.19.1-1 (bug #1026083) + [bullseye] - ruby-loofah (Minor issue) NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx NOTE: https://github.com/flavorjones/loofah/commit/415677f3cf7f9254f42f811e784985cd63c7407f CVE-2022-23514 (Loofah is a general library for manipulating and transforming HTML/XML ...) - ruby-loofah 2.19.1-1 (bug #1026083) + [bullseye] - ruby-loofah (Minor issue) [buster] - ruby-loofah (Minor issue) NOTE: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh NOTE: https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143 @@ -150154,7 +150165,7 @@ CVE-2021-3670 (MaxQueryDuration not honoured in Samba AD DC LDAP) [buster] - ldb (Minor issue) [stretch] - ldb (Minor issue) - samba 2:4.16.0+dfsg-2 - [bullseye] - samba (Minor i
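Review bot: in the samba hunk the added bullseye line reads "see DSA DSA-5477-1" with the "DSA" prefix duplicated; change it to "see DSA-5477-1" so it matches the buster line's "see DSA-5015-1" format.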
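Review bot: in the ruby-loofah hunk (@@ -117984) CVE-2022-23515 gains "[bullseye] - ruby-loofah (Minor issue)" but, unlike CVE-2022-23516 and CVE-2022-23514 on either side of it, has no [buster] line; check whether buster is unaffected for that one issue or whether the line was simply missed, and record the reason if it is the former.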