[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fdf5add8 by Salvatore Bonaccorso at 2023-09-07T22:27:45+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,35 +1,35 @@ CVE-2023-4685 (Delta Electronics' CNCSoft-B version 1.0.0.4 and DOPSoft versions 4.0. ...) - TODO: check + NOT-FOR-US: Delta Electronics CVE-2023-4528 (Unsafe deserialization in JSCAPE MFT Server versions prior to2023.1.9 ...) - TODO: check + NOT-FOR-US: JSCAPE MFT Server CVE-2023-41316 (Tolgee is an open-source localization platform. Due to lack of validat ...) TODO: check CVE-2023-41064 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-41061 (A validation issue was addressed with improved logic. This issue is fi ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-40942 (Tenda AC9 V3.0BR_V15.03.06.42_multi_TD01 was discovered stack overflow ...) - TODO: check + NOT-FOR-US: Tenda CVE-2023-40060 (A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix ...) - TODO: check + NOT-FOR-US: SolarWinds Serv-U CVE-2023-3747 (Zero Trust Administrators have the ability to disallow end users from ...) TODO: check CVE-2023-39711 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...) - TODO: check + NOT-FOR-US: Free and Open Source Inventory Management System CVE-2023-39424 (A vulnerability inRDPngFileUpload.dll, as used in theIRM Next Generati ...) - TODO: check + NOT-FOR-US: IRM Next Generation booking system CVE-2023-39423 (The RDPData.dll file exposes the/irmdata/api/common endpoint that hand ...) - TODO: check + NOT-FOR-US: Bitdefender CVE-2023-39422 (The/irmdata/api/ endpoints exposed by theIRM Next Generation booking e ...) - TODO: check + NOT-FOR-US: Bitdefender CVE-2023-39421 (The RDPWin.dll component as used in the IRM Next Generation booking en ...) - TODO: check + NOT-FOR-US: Bitdefender CVE-2023-39420 (The RDPCore.dll component as used in the IRM Next Generation booking e ...) - TODO: check + NOT-FOR-US: Bitdefender CVE-2023-37798 (A stored cross-site scripting (XSS) vulnerability in the new REDCap pr ...) 
- TODO: check + NOT-FOR-US: Vanderbilt REDCap CVE-2023-36635 (An improper access control in Fortinet FortiSwitchManager version 7.2. ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2023-4815 (Missing Authentication for Critical Function in GitHub repository answ ...) NOT-FOR-US: answerdev/answer CVE-2023-4792 (The Duplicate Post Page Menu & Custom Post Type plugin for WordPress i ...) @@ -16744,7 +16744,7 @@ CVE-2023-30802 CVE-2023-30801 RESERVED CVE-2023-30800 (The web server used by MikroTik RouterOS version 6 is affected by a he ...) - TODO: check + NOT-FOR-US: MikroTik CVE-2023-30799 (MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 ar ...) NOT-FOR-US: MikroTik RouterOS CVE-2023-30798 (There MultipartParser usage in Encode's Starlette python framework bef ...) 
@@ -97001,25 +97001,25 @@ CVE-2022-30648 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and CVE-2022-30647 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) NOT-FOR-US: Adobe CVE-2022-30646 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30645 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30644 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30643 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30642 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30641 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30640 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30639 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30638 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30637 (Adobe Illustrator versions 26.0.2 (and earlier) and 25.4.5 (and earlie ...) - TODO: check + NOT-FOR-US: Adobe CVE-2022-30636
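Review bot: in the @@ -1,35 hunk the five IRM Next Generation entries end up with two different labels: CVE-2023-39424 becomes "NOT-FOR-US: IRM Next Generation booking system" while CVE-2023-39420 through CVE-2023-39423, whose truncated descriptions name the same product, become "NOT-FOR-US: Bitdefender"; pick one product name for all five so a grep for the product finds the whole set. In the same hunk CVE-2023-36635's description says Fortinet FortiSwitchManager but the label reads "NOT-FOR-US: FortiGuard"; "NOT-FOR-US: Fortinet" would match the description and the product name.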
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 23fc7645 by security tracker role at 2023-09-07T20:20:42+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,35 @@ +CVE-2023-4685 (Delta Electronics' CNCSoft-B version 1.0.0.4 and DOPSoft versions 4.0. ...) + TODO: check +CVE-2023-4528 (Unsafe deserialization in JSCAPE MFT Server versions prior to2023.1.9 ...) + TODO: check +CVE-2023-41316 (Tolgee is an open-source localization platform. Due to lack of validat ...) + TODO: check +CVE-2023-41064 (A buffer overflow issue was addressed with improved memory handling. T ...) + TODO: check +CVE-2023-41061 (A validation issue was addressed with improved logic. This issue is fi ...) + TODO: check +CVE-2023-40942 (Tenda AC9 V3.0BR_V15.03.06.42_multi_TD01 was discovered stack overflow ...) + TODO: check +CVE-2023-40060 (A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix ...) + TODO: check +CVE-2023-3747 (Zero Trust Administrators have the ability to disallow end users from ...) + TODO: check +CVE-2023-39711 (Multiple cross-site scripting (XSS) vulnerabilities in Free and Open S ...) + TODO: check +CVE-2023-39424 (A vulnerability inRDPngFileUpload.dll, as used in theIRM Next Generati ...) + TODO: check +CVE-2023-39423 (The RDPData.dll file exposes the/irmdata/api/common endpoint that hand ...) + TODO: check +CVE-2023-39422 (The/irmdata/api/ endpoints exposed by theIRM Next Generation booking e ...) + TODO: check +CVE-2023-39421 (The RDPWin.dll component as used in the IRM Next Generation booking en ...) + TODO: check +CVE-2023-39420 (The RDPCore.dll component as used in the IRM Next Generation booking e ...) + TODO: check +CVE-2023-37798 (A stored cross-site scripting (XSS) vulnerability in the new REDCap pr ...) + TODO: check +CVE-2023-36635 (An improper access control in Fortinet FortiSwitchManager version 7.2. ...) + TODO: check CVE-2023-4815 (Missing Authentication for Critical Function in GitHub repository answ ...) NOT-FOR-US: answerdev/answer CVE-2023-4792 (The Duplicate Post Page Menu & Custom Post Type plugin for WordPress i ...) 
@@ -255,15 +287,19 @@ CVE-2023-4778 (Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3-DE NOTE: https://huntr.dev/bounties/abb450fb-4ab2-49b0-90da-3d878eea5397/ NOTE: https://github.com/gpac/gpac/commit/d553698050af478049e1a09e44a15ac884f223ed CVE-2023-4764 (Incorrect security UI in BFCache in Google Chrome prior to 116.0.5845. ...) + {DSA-5491-1} - chromium 116.0.5845.180-1 [buster] - chromium (see DSA 5046) CVE-2023-4763 (Use after free in Networks in Google Chrome prior to 116.0.5845.179 al ...) + {DSA-5491-1} - chromium 116.0.5845.180-1 [buster] - chromium (see DSA 5046) CVE-2023-4762 (Type Confusion in V8 in Google Chrome prior to 116.0.5845.179 allowed ...) + {DSA-5491-1} - chromium 116.0.5845.180-1 [buster] - chromium (see DSA 5046) CVE-2023-4761 (Out of bounds memory access in FedCM in Google Chrome prior to 116.0.5 ...) + {DSA-5491-1} - chromium 116.0.5845.180-1 [buster] - chromium (see DSA 5046) CVE-2023-4531 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) @@ -568,6 +604,7 @@ CVE-2023-32102 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi CVE-2023-2813 (All of the above Aapna WordPress theme through 1.3, Anand WordPress th ...) NOT-FOR-US: WordPress theme CVE-2023-41164 + {DLA-3558-1} - python-django 3:3.2.21-1 (bug #1051226) NOTE: https://www.openwall.com/lists/oss-security/2023/09/04/1 NOTE: https://www.djangoproject.com/weblog/2023/sep/04/security-releases/ 
@@ -2399,6 +2436,7 @@ CVE-2023-36281 (An issue in langchain v.0.0.171 allows a remote attacker to exec CVE-2023-34853 (Buffer Overflow vulnerability in Supermicro motherboard X12DPG-QR 1.4b ...) NOT-FOR-US: Supermicro motherboard X12DPG-QR CVE-2022-48571 (memcached 1.6.7 allows a Denial of Service via multi-packet uploads in ...) + {DLA-3557-1} - memcached 1.6.8+dfsg-1 NOTE: Fixed by: https://github.com/memcached/memcached/commit/6b319c8c7a29e9c353dec83dc92f01905f6c8966 (1.6.8) CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA signature ...) @@ -16705,8 +16743,8 @@ CVE-2023-30802 RESERVED CVE-2023-30801 RESERVED -CVE-2023-30800 - RESERVED +CVE-2023-30800 (The web server used by MikroTik RouterOS version 6 is affected by a he ...) + TODO: check CVE-2023-30799 (MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 ar ...) NOT-FOR-US: MikroTik RouterOS CVE-20
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3558-1 for python-django
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: f9d082bc by Chris Lamb at 2023-09-07T13:11:18-07:00 Reserve DLA-3558-1 for python-django - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Sep 2023] DLA-3558-1 python-django - security update + {CVE-2023-41164} + [buster] - python-django 1:1.11.29-1+deb10u10 [07 Sep 2023] DLA-3557-1 memcached - security update {CVE-2022-48571} [buster] - memcached 1.5.6-1.1+deb10u1 = data/dla-needed.txt = @@ -167,11 +167,6 @@ orthanc (gladk) NOTE: 20230812: Experimental issue-based workflow: please self-assign and follow https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/41 NOTE: 20230812: Check DSA-5473-1 (Beuc/front-desk) -- -python-django (Chris Lamb) - NOTE: 20230905: Added by Front-Desk (lamby) - NOTE: 20230905: Chris Lamb is maintainer. (lamby) - NOTE: 20230905: VCS is in PMT. (lamby) --- python-glance-store NOTE: 20230525: Added by Front-Desk (lamby) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9d082bc1876ee04f2b9d61aad48881a29418dac -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f9d082bc1876ee04f2b9d61aad48881a29418dac You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track planned update for openrefine via bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 84c86d3e by Salvatore Bonaccorso at 2023-09-07T21:56:33+02:00 Track planned update for openrefine via bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -37,3 +37,5 @@ CVE-2023-20212 [bookworm] - clamav 1.0.2+dfsg-1~deb12u1 CVE-2022-45582 [bookworm] - horizon 3:23.0.0-5+deb12u1 +CVE-2023-37476 + [bookworm] - openrefine 3.6.2-2+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84c86d3ea4746a920b8b3da84164152c59f4203b
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f1cec95e by Salvatore Bonaccorso at 2023-09-07T21:35:32+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -59531,7 +59531,7 @@ CVE-2023-20271 CVE-2023-20270 RESERVED CVE-2023-20269 (A vulnerability in the remote access VPN feature of Cisco Adaptive Sec ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20268 RESERVED CVE-2023-20267 @@ -59543,7 +59543,7 @@ CVE-2023-20265 CVE-2023-20264 RESERVED CVE-2023-20263 (A vulnerability in the web-based management interface of Cisco HyperFl ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20262 RESERVED CVE-2023-20261 @@ -59569,7 +59569,7 @@ CVE-2023-20252 CVE-2023-20251 RESERVED CVE-2023-20250 (A vulnerability in the web-based management interface of Cisco Small B ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20249 RESERVED CVE-2023-20248 @@ -59583,7 +59583,7 @@ CVE-2023-20245 CVE-2023-20244 RESERVED CVE-2023-20243 (A vulnerability in the RADIUS message processing feature of Cisco Iden ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20242 (A vulnerability in the web-based management interface of Cisco Unified ...) NOT-FOR-US: Cisco CVE-2023-20241 @@ -59593,7 +59593,7 @@ CVE-2023-20240 CVE-2023-20239 RESERVED CVE-2023-20238 (A vulnerability in the single sign-on (SSO) implementation of Cisco Br ...) - TODO: check + NOT-FOR-US: Cisco CVE-2023-20237 (A vulnerability in Cisco Intersight Virtual Appliance could allow an u ...) NOT-FOR-US: Cisco CVE-2023-20236 @@ -90408,7 +90408,7 @@ CVE-2022-32922 (A use after free issue was addressed with improved memory manage CVE-2022-32921 REJECTED CVE-2022-32920 (The issue was addressed with improved checks. This issue is fixed in X ...) - TODO: check + NOT-FOR-US: Apple Xcode CVE-2022-32919 RESERVED CVE-2022-32918 (This issue was addressed with improved data protection. This issue is ...) 
@@ -145674,7 +145674,7 @@ CVE-2021-39861 (Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.00 CVE-2021-39860 (Acrobat Pro DC versions 2021.005.20060 (and earlier), 2020.004.30006 ( ...) NOT-FOR-US: Adobe CVE-2021-39859 (Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.3000 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-39858 (Acrobat Reader DC versions 2021.005.20060 (and earlier), 2020.004.3000 ...) NOT-FOR-US: Adobe CVE-2021-39857 (Adobe Acrobat Reader DC add-on for Internet Explorer versions 2021.005 ...) @@ -153874,7 +153874,7 @@ CVE-2021-36647 (Use of a Broken or Risky Cryptographic Algorithm in the function [buster] - mbedtls (Minor issue) NOTE: https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/mbedtls-security-advisory-2021-07-1/ CVE-2021-36646 (A Cross Site Scrtpting (XSS) vulnerability in KodExplorer 4.45 allows ...) - TODO: check + NOT-FOR-US: KodExplorer CVE-2021-36645 RESERVED CVE-2021-36644 @@ -155368,7 +155368,7 @@ CVE-2021-36062 (Adobe Connect version 11.2.2 (and earlier) is affected by a Refl CVE-2021-36061 (Adobe Connect version 11.2.2 (and earlier) is affected by a secure des ...) NOT-FOR-US: Adobe CVE-2021-36060 (Adobe Media Encoder version 15.2 (and earlier) is affected by an out-o ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-36059 (Adobe Bridge version 11.1 (and earlier) is affected by a memory corrup ...) NOT-FOR-US: Adobe CVE-2021-36058 (XMP Toolkit SDK version 2020.1 (and earlier) is affected by an Integer ...) 
@@ -155481,7 +155481,7 @@ CVE-2021-36038 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and ear CVE-2021-36037 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) ...) NOT-FOR-US: Magento CVE-2021-36036 (Magento versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) and 2.3.7 ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-36035 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) ...) NOT-FOR-US: Magento CVE-2021-36034 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) ...) @@ -155507,11 +155507,11 @@ CVE-2021-36025 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and ear CVE-2021-36024 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) ...) NOT-FOR-US: Magento CVE-2021-36023 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) ...) - TODO: check + NOT-FOR-US: Adobe CVE-2021-36022 (Magento Commerce versions 2.4.2 (and earlier), 2.4.2-p1 (and earlier) ...) NOT-FOR-US: Magento CVE-2021-36021 (Magento versions 2.4.2 (and earlier), 2.4.
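Review bot: in the @@ -155481 and @@ -155507 hunks, CVE-2021-36036 and CVE-2021-36023 are resolved as "NOT-FOR-US: Adobe" while every neighbouring Magento entry shown in the same context (CVE-2021-36037, CVE-2021-36035, CVE-2021-36034, CVE-2021-36024, CVE-2021-36022) reads "NOT-FOR-US: Magento"; use the same label as the sibling entries so the product's entries stay consistent and searchable.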
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-23623/electron
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5c48aa8 by Salvatore Bonaccorso at 2023-09-07T21:34:17+02:00 Add CVE-2023-23623/electron - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -38712,7 +38712,7 @@ CVE-2023-23625 (go-unixfs is an implementation of a unix-like filesystem on top CVE-2023-23624 (Discourse is an open-source discussion platform. Prior to version 3.0. ...) NOT-FOR-US: Discourse CVE-2023-23623 (Electron is a framework which lets you write cross-platform desktop ap ...) - TODO: check + - electron (bug #842420) CVE-2023-23622 (Discourse is an open-source discussion platform. Prior to version 3.0. ...) NOT-FOR-US: Discourse CVE-2023-23621 (Discourse is an open-source discussion platform. Prior to version 3.0. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5c48aa80dd0a5624de14e1a148c746b955f0402
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-40591/golang-github-go-ethereum, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e69ab30 by Salvatore Bonaccorso at 2023-09-07T21:28:34+02:00 Add CVE-2023-40591/golang-github-go-ethereum, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -92,7 +92,7 @@ CVE-2023-41050 (AccessControl provides a general security framework for use in Z CVE-2023-40601 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Estatik ...) NOT-FOR-US: WordPress plugin CVE-2023-40591 (go-ethereum (geth) is a golang execution layer implementation of the E ...) - TODO: check + - golang-github-go-ethereum (bug #890541) CVE-2023-40560 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Greg ...) NOT-FOR-US: WordPress plugin CVE-2023-40554 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Blog2Soc ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e69ab30d9ae4c3241fd312cc8c8550fab8ea684
[Git][security-tracker-team/security-tracker][master] Process several NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4a79e46 by Salvatore Bonaccorso at 2023-09-07T21:22:55+02:00 Process several NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5,20 +5,20 @@ CVE-2023-4792 (The Duplicate Post Page Menu & Custom Post Type plugin for WordPr CVE-2023-4772 (The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site ...) NOT-FOR-US: Newsletter plugin for WordPress CVE-2023-41329 (WireMock is a tool for mocking HTTP services. The proxy mode of WireMo ...) - TODO: check + NOT-FOR-US: WireMock CVE-2023-41327 (WireMock is a tool for mocking HTTP services. WireMock can be configur ...) - TODO: check + NOT-FOR-US: WireMock CVE-2023-41053 (Redis is an in-memory database that persists on disk. Redis does not c ...) - redis NOTE: https://github.com/redis/redis/commit/9e505e6cd842338424e05883521ca1fb7d0f47f6 (7.2.1) NOTE: https://github.com/redis/redis/commit/0f14d3279212e1b262869b6160db87d6f117cff5 (7.0.13) NOTE: https://github.com/redis/redis/security/advisories/GHSA-q4jr-5p56-4xwc CVE-2023-40397 (The issue was addressed with improved checks. This issue is fixed in m ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-40392 (A privacy issue was addressed with improved private data redaction for ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-39967 (WireMock is a tool for mocking HTTP services. When certain request URL ...) - TODO: check + NOT-FOR-US: WireMock CVE-2023-39956 (Electron is a framework which lets you write cross-platform desktop ap ...) - electron (bug #842420) CVE-2023-39240 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) 
@@ -32,9 +32,9 @@ CVE-2023-39237 (ASUS RT-AC86U Traffic Analyzer - Apps analysis function has insu CVE-2023-39236 (ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient f ...) NOT-FOR-US: ASUS CVE-2023-38616 (A race condition was addressed with improved state handling. This issu ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-38605 (This issue was addressed with improved redaction of sensitive informat ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-38033 (ASUS RT-AC86U unused Traffic Analyzer legacy Statistic function has in ...) NOT-FOR-US: ASUS CVE-2023-38032 (ASUS RT-AC86U AiProtection security- related function has insufficient ...) @@ -82,13 +82,13 @@ CVE-2023-41330 (knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot CVE-2023-41328 (Frappe is a low code web framework written in Python and Javascript. A ...) NOT-FOR-US: Frappe Framework CVE-2023-41319 (Fides is an open-source privacy engineering platform for managing the ...) - TODO: check + NOT-FOR-US: Fides CVE-2023-41150 (F-RevoCRM 7.3 series prior to version7.3.8 contains a cross-site scrip ...) NOT-FOR-US: F-RevoCRM CVE-2023-41149 (F-RevoCRM version7.3.7 and version7.3.8 contains an OS command injecti ...) NOT-FOR-US: F-RevoCRM CVE-2023-41050 (AccessControl provides a general security framework for use in Zope. P ...) - TODO: check + NOT-FOR-US: Zope CVE-2023-40601 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Estatik ...) NOT-FOR-US: WordPress plugin CVE-2023-40591 (go-ethereum (geth) is a golang execution layer implementation of the E ...) 
@@ -25041,21 +25041,21 @@ CVE-2019-25107 CVE-2019-25106 RESERVED CVE-2023-28215 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28214 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28213 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28212 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28211 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28210 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28209 (A buffer overflow issue was addressed with improved memory handling. T ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28208 (A logic issue was addressed with improved state management. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-28207 RESERVED CVE-2023-28206 (An out-of-bounds write issue was addressed with improved input validat ...) @@ -25091,7 +25091,7 @@ CVE-2023-28197 CVE-2023-28196 RE
[Git][security-tracker-team/security-tracker][master] Process two CVEs for electron, itp'ed
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 042f123d by Salvatore Bonaccorso at 2023-09-07T21:22:00+02:00 Process two CVEs for electron, itp'ed - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,7 +20,7 @@ CVE-2023-40392 (A privacy issue was addressed with improved private data redacti CVE-2023-39967 (WireMock is a tool for mocking HTTP services. When certain request URL ...) TODO: check CVE-2023-39956 (Electron is a framework which lets you write cross-platform desktop ap ...) - TODO: check + - electron (bug #842420) CVE-2023-39240 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) NOT-FOR-US: ASUS CVE-2023-39239 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) @@ -21519,7 +21519,7 @@ CVE-2023-29200 (Contao is an open source content management system. Prior to ver CVE-2023-29199 (There exists a vulnerability in source code transformer (exception san ...) NOT-FOR-US: Node vm2 CVE-2023-29198 (Electron is a framework which lets you write cross-platform desktop ap ...) - TODO: check + - electron (bug #842420) CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...) - php-guzzlehttp-psr7 2.4.5-1 (bug #1034581) [bullseye] - php-guzzlehttp-psr7 (Minor issue; can be fixed via point release) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/042f123d376756d5baeb29020fc1819e9a0123bd
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3557-1 for memcached
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 28df98ed by Chris Lamb at 2023-09-07T11:23:05-07:00 Reserve DLA-3557-1 for memcached - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[07 Sep 2023] DLA-3557-1 memcached - security update + {CVE-2022-48571} + [buster] - memcached 1.5.6-1.1+deb10u1 [06 Sep 2023] DLA-3556-1 aom - security update {CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135 CVE-2021-30473 CVE-2021-30474 CVE-2021-30475} [buster] - aom 1.0.0-3+deb10u1 = data/dla-needed.txt = @@ -120,10 +120,6 @@ libssh2 (guilhem) linux (Ben Hutchings) NOTE: 20230111: perma-added for LTS package-specific delegation (bwh) -- -memcached (Chris Lamb) - NOTE: 20230906: Added by Front-Desk (lamby) - NOTE: 20230906: lamby is maintainer (lamby) --- nasm NOTE: 20230907: Added by Front-Desk (lamby) NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/28df98edbdd6d1690552d0ece0b760af5aaa13c3
[Git][security-tracker-team/security-tracker][master] 2 commits: Add missing commit for CVE-2022-25901/node-cookiejar.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 57ba4142 by Chris Lamb at 2023-09-07T11:08:19-07:00 Add missing commit for CVE-2022-25901/node-cookiejar. - - - - - 83aaca26 by Chris Lamb at 2023-09-07T11:09:16-07:00 data/dla-needed.txt: Triage node-cookiejar for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -110907,6 +110907,7 @@ CVE-2022-25901 (Versions of the package cookiejar before 2.1.4 are vulnerable to [buster] - node-cookiejar (Minor issue, ReDoS) NOTE: https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984 NOTE: https://github.com/bmeck/node-cookiejar/pull/39 + NOTE: https://github.com/bmeck/node-cookiejar/commit/a9a320c3c49d65df491f5721969cfbf9e128d9af NOTE: https://github.com/bmeck/node-cookiejar/commit/eaa00021caf6ae09449dde826108153b578348e5 CVE-2022-25900 (All versions of package git-clone are vulnerable to Command Injection ...) NOT-FOR-US: Node git-clone = data/dla-needed.txt = 
@@ -129,6 +129,10 @@ nasm NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686, NOTE: 20230907: but some of these may require some investigation. (lamby) -- +node-cookiejar + NOTE: 20230907: Added by Front-Desk (lamby) + NOTE: 20230907: CVE-2022-25901 was ignored & now fixed in bullseye; patch easy to backport. (lamby) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/039a69be4117a6509cdc415c80c2ad79ab29ebcd...83aaca268c9d5cda70548973a7303cfcbe530ce2
[Git][security-tracker-team/security-tracker][master] 6 commits: Triage CVE-2023-39741 in lrzip for buster LTS.
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: c670cb02 by Chris Lamb at 2023-09-07T10:47:22-07:00 Triage CVE-2023-39741 in lrzip for buster LTS. - - - - - a78a6e18 by Chris Lamb at 2023-09-07T10:47:26-07:00 data/dla-needed.txt: Triage open-vm-tools for buster LTS (CVE-2023-20900) - - - - - 835ea036 by Chris Lamb at 2023-09-07T10:54:05-07:00 Triage CVE-2023-41080 in tomcat9 for buster LTS. - - - - - 52d329a9 by Chris Lamb at 2023-09-07T10:55:38-07:00 data/dla-needed.txt: Triage exempi for buster LTS (CVE-2020-18651 & CVE-2020-18652) - - - - - 03b707eb by Chris Lamb at 2023-09-07T10:57:48-07:00 data/dla-needed.txt: Triage nasm for buster LTS (CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686) - - - - - 039a69be by Chris Lamb at 2023-09-07T11:05:26-07:00 data/dla-needed.txt: Triage e2guardian for buster LTS (CVE-2021-44273) - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1835,6 +1835,7 @@ CVE-2023-41080 (URL Redirection to Untrusted Site ('Open Redirect') vulnerabilit [bookworm] - tomcat10 (Minor issue, fix along with future update) - tomcat9 9.0.70-2 [bullseye] - tomcat9 (Minor issue, fix along with future update) + [buster] - tomcat9 (Minor issue; can be fixed later) - tomcat8 NOTE: https://lists.apache.org/thread/71wvwprtx2j2m54fovq9zr7gbm2wow2f NOTE: https://github.com/apache/tomcat/commit/bb4624a9f3e69d495182ebfa68d7983076407a27 (10.1.13) @@ -2811,6 +2812,7 @@ CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the l - lrzip [bookworm] - lrzip (Minor issue) [bullseye] - lrzip (Minor issue) + [buster] - lrzip (Minor issue) NOTE: https://github.com/ckolivas/lrzip/issues/246 CVE-2023-38905 (SQL injection vulnerability in Jeecg-boot v.3.5.0 and before allows a ...) NOT-FOR-US: JeecgBoot = data/dla-needed.txt = 
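Review bot: in the @@ -1835 hunk the new buster line for tomcat9 reads "(Minor issue; can be fixed later)" while the bookworm and bullseye lines directly above it read "(Minor issue, fix along with future update)"; using the same wording for all three suites makes the triage decision read as one and is easier to grep for later.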
@@ -54,9 +54,16 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- +e2guardian + NOTE: 20230907: Added by Front-Desk (lamby) + NOTE: 20230907: CVE-2021-44273 fixed in bullseye via DSA; patch easy to backport. (lamby) +-- elfutils (Thorsten Alteholz) NOTE: 20230903: Added by Front-Desk (gladk) -- +exempi + NOTE: 20230907: Added by Front-Desk (lamby) +-- exiv2 NOTE: 20230906: Added by Front-Desk (lamby) -- @@ -117,6 +124,11 @@ memcached (Chris Lamb) NOTE: 20230906: Added by Front-Desk (lamby) NOTE: 20230906: lamby is maintainer (lamby) -- +nasm + NOTE: 20230907: Added by Front-Desk (lamby) + NOTE: 20230907: Added due to CVE-2020-18780, CVE-2020-21685 & CVE-2020-21686, + NOTE: 20230907: but some of these may require some investigation. (lamby) +-- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression 
@@ -136,6 +148,9 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- +open-vm-tools + NOTE: 20230907: Added by Front-Desk (lamby) +-- opendkim NOTE: 20230821: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/91cf8ea2dcc916ede9b7333e3115828042c1bf09...039a69be4117a6509cdc415c80c2ad79ab29ebcd
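Review bot: in the "@@ -54,9 +54,16 @@" hunk of data/dla-needed.txt the e2guardian NOTE says CVE-2021-44273 was "fixed in bullseye via DSA" without naming the DSA, and the exempi entry carries no CVE reference at all even though the commit message ties it to CVE-2020-18651 & CVE-2020-18652; adding the DSA id to the e2guardian line and a "NOTE: 20230907: Added due to CVE-2020-18651 & CVE-2020-18652" line to exempi, the way the nasm entry in the following hunk lists its CVEs, keeps the triage reason in the file rather than only in git history.

Review bot: in the "@@ -136,6 +148,9 @@" hunk the open-vm-tools entry records only "Added by Front-Desk (lamby)"; the commit message attributes the addition to CVE-2023-20900, so a NOTE line naming that CVE would let whoever claims the package see at once which issue the buster LTS update is for.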
[Git][security-tracker-team/security-tracker][master] chromium DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 91cf8ea2 by Moritz Mühlenhoff at 2023-09-07T19:43:56+02:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[07 Sep 2023] DSA-5491-1 chromium - security update + {CVE-2023-4761 CVE-2023-4762 CVE-2023-4763 CVE-2023-4764} + [bullseye] - chromium 116.0.5845.180-1~deb11u1 + [bookworm] - chromium 116.0.5845.180-1~deb12u1 [06 Sep 2023] DSA-5490-1 aom - security update {CVE-2020-36130 CVE-2020-36131 CVE-2020-36133 CVE-2020-36135 CVE-2021-30473 CVE-2021-30474 CVE-2021-30475} [bullseye] - aom 1.0.0.errata1-3+deb11u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- -chromium --- cinder/oldstable -- flac/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/91cf8ea2dcc916ede9b7333e3115828042c1bf09
[Git][security-tracker-team/security-tracker][master] procps fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 47e77a8f by Moritz Muehlenhoff at 2023-09-07T14:40:39+02:00 procps fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5168,7 +5168,7 @@ CVE-2023-33383 (Shelly 4PM Pro four-channel smart switch 0.11.0 allows an attack CVE-2023-33257 (Verint Engagement Management 15.3 Update 2023R2 is vulnerable to HTML ...) NOT-FOR-US: Verint Engagement Management CVE-2023-4016 (Under some circumstances, this weakness allows a user who has access t ...) - - procps (bug #1042887) + - procps 2:4.0.4-1 (bug #1042887) [bookworm] - procps (Minor issue) [bullseye] - procps (Minor issue) [buster] - procps (Minor issue, DoS, rare conditions) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/47e77a8f391063698b034fe1403b983f15dd49e9
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 95731b3f by Moritz Muehlenhoff at 2023-09-07T12:11:29+02:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -436,6 +436,8 @@ CVE-2023-4587 (An IDOR vulnerability has been found in ZKTeco ZEM800 product aff NOT-FOR-US: ZKTeco ZEM800 product CVE-2023-4540 (Improper Handling of Exceptional Conditions vulnerability in Daurnimat ...) - lua-http + [bookworm] - lua-http (Minor issue) + [bullseye] - lua-http (Minor issue) NOTE: Fixed by: https://github.com/daurnimator/lua-http/commit/ddab2835c583d45dec62680ca8d3cbde55e0bae6 CVE-2023-4298 (The 123.chat WordPress plugin before 1.3.1 does not sanitise and escap ...) NOT-FOR-US: WordPress plugin @@ -705,9 +707,10 @@ CVE-2023-32806 (In wlan driver, there is a possible out of bounds write due to i CVE-2023-32805 (In power, there is a possible out of bounds write due to an insecure d ...) NOT-FOR-US: MediaTek CVE-2023-4751 (Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1 ...) - - vim + - vim (unimportant) NOTE: https://github.com/vim/vim/commit/e1121b139480f53d1b06f84f3e4574048108fa0b (v9.0.1331) NOTE: https://huntr.dev/bounties/db7be8d6-6cb7-4ae5-9c4e-805423afa378 + NOTE: Crash in CLI tool, no security impact CVE-2023-4740 (A vulnerability, which was classified as critical, was found in IBOS O ...) NOT-FOR-US: IBOS OA CVE-2023-4739 (A vulnerability, which was classified as critical, has been found in B ...) 
@@ -1413,6 +1416,8 @@ CVE-2023-39678 (A cross-site scripting (XSS) vulnerability in the device web int NOT-FOR-US: BDCOM OLT P3310D-2AC CVE-2023-39663 (Mathjax up to v2.7.9 was discovered to contain two Regular expression ...) - mathjax + [bookworm] - mathjax (Minor issue) + [bullseye] - mathjax (Minor issue) NOTE: https://github.com/mathjax/MathJax/issues/3074 CVE-2023-39616 (AOMedia v3.0.0 to v3.5.0 was discovered to contain an invalid read mem ...) [experimental] - aom 3.7.0-1~exp1 = data/dsa-needed.txt = @@ -38,6 +38,8 @@ nodejs -- nova/oldstable -- +open-vm-tools (jmm) +-- openjdk-17/oldstable (jmm) -- php-cas/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95731b3fce160a20d0d1d246a2e985aa76671f84
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ae3e0b29 by Salvatore Bonaccorso at 2023-09-07T11:08:24+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -22,27 +22,27 @@ CVE-2023-39967 (WireMock is a tool for mocking HTTP services. When certain reque CVE-2023-39956 (Electron is a framework which lets you write cross-platform desktop ap ...) TODO: check CVE-2023-39240 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-39239 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-39238 (It is identified a format string vulnerability in ASUS RT-AX56U V2. Th ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-39237 (ASUS RT-AC86U Traffic Analyzer - Apps analysis function has insufficie ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-39236 (ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient f ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-38616 (A race condition was addressed with improved state handling. This issu ...) TODO: check CVE-2023-38605 (This issue was addressed with improved redaction of sensitive informat ...) TODO: check CVE-2023-38033 (ASUS RT-AC86U unused Traffic Analyzer legacy Statistic function has in ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-38032 (ASUS RT-AC86U AiProtection security- related function has insufficient ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-38031 (ASUS RT-AC86U Adaptive QoS - Web History function has insufficient fil ...) - TODO: check + NOT-FOR-US: ASUS CVE-2023-34357 (Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for F ...) - TODO: check + NOT-FOR-US: Soar Cloud Ltd. HR Portal CVE-2023-4809 (In pf packet processing with a 'scrub fragment reassemble' rule, a pac ...) TODO: check CVE-2023-4634 (The Media Library Assistant plugin for WordPress is vulnerable to Loca ...) 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ae3e0b29cc06d78a96fb11b234ea163d4095f7b5
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-41053/redis
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 962fa4aa by Salvatore Bonaccorso at 2023-09-07T11:06:36+02:00 Add CVE-2023-41053/redis Note for reviewers, said to affect only 7.0 onwards, but needs verification and then updating the metadata for the CVE entry. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,10 @@ CVE-2023-41329 (WireMock is a tool for mocking HTTP services. The proxy mode of CVE-2023-41327 (WireMock is a tool for mocking HTTP services. WireMock can be configur ...) TODO: check CVE-2023-41053 (Redis is an in-memory database that persists on disk. Redis does not c ...) - TODO: check + - redis + NOTE: https://github.com/redis/redis/commit/9e505e6cd842338424e05883521ca1fb7d0f47f6 (7.2.1) + NOTE: https://github.com/redis/redis/commit/0f14d3279212e1b262869b6160db87d6f117cff5 (7.0.13) + NOTE: https://github.com/redis/redis/security/advisories/GHSA-q4jr-5p56-4xwc CVE-2023-40397 (The issue was addressed with improved checks. This issue is fixed in m ...) TODO: check CVE-2023-40392 (A privacy issue was addressed with improved private data redaction for ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/962fa4aaf7b2ed4b3860c76c52851f47591cbda0
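Review bot: the CVE-2023-41053 entry moves from "TODO: check" to a bare "- redis" with upstream fix references for 7.2.1 and 7.0.13 but no fixed Debian version and no [bookworm]/[bullseye] annotations, so it now reads as an open, untriaged issue for every release; the commit message itself says the "affects only 7.0 onwards" claim still needs verification, so the per-release lines (not-affected, or a triage state) and the fixed version should follow as soon as that check against the two referenced commits is done.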
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e7203bc6 by Salvatore Bonaccorso at 2023-09-07T11:05:59+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2023-4815 (Missing Authentication for Critical Function in GitHub repository answ ...) - TODO: check + NOT-FOR-US: answerdev/answer CVE-2023-4792 (The Duplicate Post Page Menu & Custom Post Type plugin for WordPress i ...) NOT-FOR-US: Duplicate Post Page Menu & Custom Post Type plugin for WordPress CVE-2023-4772 (The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e7203bc617651ff0a9935996f0e0816db4cba3be
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf0aa547 by Salvatore Bonaccorso at 2023-09-07T10:31:22+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-4815 (Missing Authentication for Critical Function in GitHub repository answ ...) TODO: check CVE-2023-4792 (The Duplicate Post Page Menu & Custom Post Type plugin for WordPress i ...) - TODO: check + NOT-FOR-US: Duplicate Post Page Menu & Custom Post Type plugin for WordPress CVE-2023-4772 (The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: Newsletter plugin for WordPress CVE-2023-41329 (WireMock is a tool for mocking HTTP services. The proxy mode of WireMo ...) TODO: check CVE-2023-41327 (WireMock is a tool for mocking HTTP services. WireMock can be configur ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf0aa547b007113afdbbb8a9df39fe7e54515c04
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 44d47fbb by security tracker role at 2023-09-07T08:12:38+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,45 @@ +CVE-2023-4815 (Missing Authentication for Critical Function in GitHub repository answ ...) + TODO: check +CVE-2023-4792 (The Duplicate Post Page Menu & Custom Post Type plugin for WordPress i ...) + TODO: check +CVE-2023-4772 (The Newsletter plugin for WordPress is vulnerable to Stored Cross-Site ...) + TODO: check +CVE-2023-41329 (WireMock is a tool for mocking HTTP services. The proxy mode of WireMo ...) + TODO: check +CVE-2023-41327 (WireMock is a tool for mocking HTTP services. WireMock can be configur ...) + TODO: check +CVE-2023-41053 (Redis is an in-memory database that persists on disk. Redis does not c ...) + TODO: check +CVE-2023-40397 (The issue was addressed with improved checks. This issue is fixed in m ...) + TODO: check +CVE-2023-40392 (A privacy issue was addressed with improved private data redaction for ...) + TODO: check +CVE-2023-39967 (WireMock is a tool for mocking HTTP services. When certain request URL ...) + TODO: check +CVE-2023-39956 (Electron is a framework which lets you write cross-platform desktop ap ...) + TODO: check +CVE-2023-39240 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) + TODO: check +CVE-2023-39239 (It is identified a format string vulnerability in ASUS RT-AX56U V2\u20 ...) + TODO: check +CVE-2023-39238 (It is identified a format string vulnerability in ASUS RT-AX56U V2. Th ...) + TODO: check +CVE-2023-39237 (ASUS RT-AC86U Traffic Analyzer - Apps analysis function has insufficie ...) + TODO: check +CVE-2023-39236 (ASUS RT-AC86U Traffic Analyzer - Statistic function has insufficient f ...) + TODO: check +CVE-2023-38616 (A race condition was addressed with improved state handling. This issu ...) + TODO: check +CVE-2023-38605 (This issue was addressed with improved redaction of sensitive informat ...) + TODO: check +CVE-2023-38033 (ASUS RT-AC86U unused Traffic Analyzer legacy Statistic function has in ...) 
+ TODO: check +CVE-2023-38032 (ASUS RT-AC86U AiProtection security- related function has insufficient ...) + TODO: check +CVE-2023-38031 (ASUS RT-AC86U Adaptive QoS - Web History function has insufficient fil ...) + TODO: check +CVE-2023-34357 (Soar Cloud Ltd. HR Portal has a weak Password Recovery Mechanism for F ...) + TODO: check CVE-2023-4809 (In pf packet processing with a 'scrub fragment reassemble' rule, a pac ...) TODO: check CVE-2023-4634 (The Media Library Assistant plugin for WordPress is vulnerable to Loca ...) @@ -21466,8 +21508,8 @@ CVE-2023-29200 (Contao is an open source content management system. Prior to ver NOT-FOR-US: Contao CVE-2023-29199 (There exists a vulnerability in source code transformer (exception san ...) NOT-FOR-US: Node vm2 -CVE-2023-29198 - RESERVED +CVE-2023-29198 (Electron is a framework which lets you write cross-platform desktop ap ...) + TODO: check CVE-2023-29197 (guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. ...) - php-guzzlehttp-psr7 2.4.5-1 (bug #1034581) [bullseye] - php-guzzlehttp-psr7 (Minor issue; can be fixed via point release) @@ -38659,8 +38701,8 @@ CVE-2023-23625 (go-unixfs is an implementation of a unix-like filesystem on top NOT-FOR-US: go-unixfs CVE-2023-23624 (Discourse is an open-source discussion platform. Prior to version 3.0. ...) NOT-FOR-US: Discourse -CVE-2023-23623 - RESERVED +CVE-2023-23623 (Electron is a framework which lets you write cross-platform desktop ap ...) + TODO: check CVE-2023-23622 (Discourse is an open-source discussion platform. Prior to version 3.0. ...) NOT-FOR-US: Discourse CVE-2023-23621 (Discourse is an open-source discussion platform. Prior to version 3.0. ...) 
@@ -108585,7 +108627,7 @@ CVE-2022-0902 (Improper Limitation of a Pathname to a Restricted Directory ('Pat NOT-FOR-US: ABB CVE-2022-0901 (The Ad Inserter Free and Pro WordPress plugins before 2.7.12 do not sa ...) NOT-FOR-US: WordPress plugins -CVE-2022-0900 (A Stored Cross-Site Scripting (XSS) vulnerability in DivvyDrive's "aci ...) +CVE-2022-0900 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: DivvyDrive CVE-2022-0899 (The Header Footer Code Manager WordPress plugin before 1.1.24 does not ...) NOT-FOR-US: WordPress plugin @@ -134218,9 +134260,9 @@ CVE-2021-43364 RESERVED CVE-2021-43363 RESERVED -CVE-2021-43362 (Due to improper sanitization MedData HBYS software suffers from a remo
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 53a5c80f by Moritz Muehlenhoff at 2023-09-07T10:07:21+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -27291,13 +27291,13 @@ CVE-2023-27530 (A DoS vulnerability exists in Rack https://github.com/rack/rack/commit/b632718265fa5ffa547b060331341a1e216b4ffa (v2.1.4.3) NOTE: https://github.com/rack/rack/commit/5f6e2fcbbdbff2dfaa21baa693e9d23d12ac1459 (v2.0.9.3) CVE-2023-27526 (A non Admin authenticated user could incorrectly create resources usin ...) - TODO: check + NOT-FOR-US: Apache Superset CVE-2023-27525 (An authenticated user with Gamma role authorization could have access ...) NOT-FOR-US: Apache Superset CVE-2023-27524 (Session Validation attacks in Apache Superset versions up to and inclu ...) NOT-FOR-US: Apache Superset CVE-2023-27523 (Improper data authorization check on Jinja templated queries in Apache ...) - TODO: check + NOT-FOR-US: Apache Superset CVE-2023-27522 (HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_pr ...) {DSA-5376-1 DLA-3401-1} - apache2 2.4.56-1 (bug #1032476) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/53a5c80f58973791043a7b43997709c5c889223f