[Git][security-tracker-team/security-tracker][master] Reserve DLA-3642-1 for request-tracker4
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7546d4f0 by Salvatore Bonaccorso at 2023-10-31T05:49:56+01:00 Reserve DLA-3642-1 for request-tracker4 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[31 Oct 2023] DLA-3642-1 request-tracker4 - security update + {CVE-2023-41259 CVE-2023-41260} + [buster] - request-tracker4 4.4.3-2+deb10u3 [30 Oct 2023] DLA-3641-1 jetty9 - security update {CVE-2020-27218 CVE-2023-36478 CVE-2023-44487} [buster] - jetty9 9.4.50-4+deb10u1 = data/dla-needed.txt = 
@@ -193,14 +193,6 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- -request-tracker4 - NOTE: 20231024: Added by Front-Desk (gladk) - NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d - NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb - NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but will let the LTS handle the paperwork (santiago) - NOTE: 20231028: Andrew has provided the buster patch, it has been posted to the team mailing list (Message-ID: ) (roberto) - NOTE: 20231030: Andrew pushed his work at https://salsa.debian.org/request-tracker-team/request-tracker4/-/commits/buster/ (Beuc) --- ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7546d4f04848043706bd80109f1dcfcab614ff9e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7546d4f04848043706bd80109f1dcfcab614ff9e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
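Review bot: the new DLA-3642-1 entry carries only CVE-2023-41259 and CVE-2023-41260, while DSA-5541-1 for request-tracker5 in the same batch also carries CVE-2023-45024; that matches the CVE/list entry for CVE-2023-45024, which names request-tracker5 as the only affected source package, but the DLA text should state explicitly that the third RT 5.0.5 issue is recorded as not applicable to the 4.4 series so nobody reopens it for buster later.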
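Review bot: dropping the request-tracker4 block from data/dla-needed.txt also drops the two upstream commit references (a7a83dfd and afb7dcde) that the 20231024 front-desk notes asked reviewers to check; the CVE/list NOTE lines for these CVEs only carry the rt-4.4.7 and rt-5.0.5 release tags and merge commits, so copy those two commit URLs into data/CVE/list before the dla-needed entry disappears. The "(Message-ID: )" placeholder in the 20231028 note was never filled in either and is now gone with the block.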
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for request-tracker4 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 052745e6 by Salvatore Bonaccorso at 2023-10-30T21:36:12+01:00 Reserve DSA number for request-tracker4 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Oct 2023] DSA-5542-1 request-tracker4 - security update + {CVE-2023-41259 CVE-2023-41260} + [bullseye] - request-tracker4 4.4.4+dfsg-2+deb11u3 + [bookworm] - request-tracker4 4.4.6+dfsg-1.1+deb12u1 [30 Oct 2023] DSA-5541-1 request-tracker5 - security update {CVE-2023-41259 CVE-2023-41260 CVE-2023-45024} [bookworm] - request-tracker5 5.0.3+dfsg-3~deb12u2 = data/dsa-needed.txt = @@ -64,8 +64,6 @@ python-glance-store/oldstable -- python-os-brick/oldstable -- -request-tracker4 (carnil) --- ring might make sense to rebase to current version -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/052745e6e5b2b18869f3db9d79861e777dd7057a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/052745e6e5b2b18869f3db9d79861e777dd7057a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
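Review bot: the bookworm version 4.4.6+dfsg-1.1+deb12u1 in the DSA-5542-1 hunk is built on a -1.1 revision, which is the NMU numbering convention, so confirm the bookworm-security upload is based on the revision actually in bookworm rather than on a later unstable revision; the entry otherwise sits correctly above DSA-5541-1 with the same 30 Oct 2023 date, keeping data/DSA/list newest-first, and the dsa-needed removal drops the matching "(carnil)" claim line.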
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for request-tracker5 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2ce09ee3 by Salvatore Bonaccorso at 2023-10-30T21:24:04+01:00 Reserve DSA number for request-tracker5 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[30 Oct 2023] DSA-5541-1 request-tracker5 - security update + {CVE-2023-41259 CVE-2023-41260 CVE-2023-45024} + [bookworm] - request-tracker5 5.0.3+dfsg-3~deb12u2 [30 Oct 2023] DSA-5540-1 jetty9 - security update {CVE-2023-36478 CVE-2023-44487} [bullseye] - jetty9 9.4.50-4+deb11u1 = data/dsa-needed.txt = @@ -66,8 +66,6 @@ python-os-brick/oldstable -- request-tracker4 (carnil) -- -request-tracker5 (carnil) --- ring might make sense to rebase to current version -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ce09ee3a1d7a4261dd21816324ccf51f251c9e4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2ce09ee3a1d7a4261dd21816324ccf51f251c9e4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
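Review bot: the bookworm version 5.0.3+dfsg-3~deb12u2 uses a "~deb12u2" suffix, which sorts below the plain -3 revision, while the request-tracker4 updates use "+deb11u3"/"+deb12u1"; the "~" form is the one used when the stable package was itself introduced as a rebuild of an unstable revision (the thunderbird entry on this page, 1:115.4.1-1~deb11u1, is the same pattern), so this is presumably intentional, but a line in the DSA text or changelog would stop it from reading as a typo next to the rt4 update.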
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54b4542f by Salvatore Bonaccorso at 2023-10-30T21:20:52+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,73 +1,73 @@ CVE-2023-5844 (Unverified Password Change in GitHub repository pimcore/admin-ui-class ...) - TODO: check + NOT-FOR-US: Pimcore admin-ui-classic-bundle CVE-2023-5843 (The Ads by datafeedr.com plugin for WordPress is vulnerable to Remote ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5833 (Improper Access Control in GitHub repository mintplex-labs/anything-ll ...) TODO: check CVE-2023-5832 (Improper Input Validation in GitHub repository mintplex-labs/anything- ...) TODO: check CVE-2023-5666 (The Accordion plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5583 (The WP Simple Galleries plugin for WordPress is vulnerable to PHP Obje ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5566 (The Simple Shortcodes plugin for WordPress is vulnerable to Stored Cro ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5565 (The Shortcode Menu plugin for WordPress is vulnerable to Stored Cross- ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5362 (The Carousel, Recent Post Slider and Banner Slider plugin for WordPres ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5335 (The Buzzsprout Podcasting plugin for WordPress is vulnerable to Stored ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5315 (The Google Maps made Simple plugin for WordPress is vulnerable to SQL ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5252 (The FareHarbor plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5251 (The Grid Plus plugin for WordPress is vulnerable to unauthorized modif ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5250 (The Grid Plus plugin for WordPress is vulnerable to Local File Inclusi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5199 (The PHP to Page plugin for WordPress is vulnerable Local File Inclusio ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5164 (The Bellows Accordion Menu plugin for WordPress is vulnerable to Store ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5049 (The Giveaways and Contests by RafflePress plugin for WordPress is vuln ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4964 (Potential open redirect vulnerability in opentext Service Management A ...) TODO: check CVE-2023-47104 (tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell met ...) TODO: check CVE-2023-47101 (The installer (aka openvpn-client-installer) in Securepoint SSL VPN Cl ...) - TODO: check + NOT-FOR-US: Securepoint SSL VPN Client CVE-2023-45780 (In Print Service, there is a possible background activity launch due t ...) - TODO: check + NOT-FOR-US: Android CVE-2023-44323 (Adobe Acrobat for Edge version 118.0.2088.46 (and earlier) is affected ...) - TODO: check + NOT-FOR-US: Adobe CVE-2023-44078 REJECTED CVE-2023-43792 (baserCMS is a website development framework. In versions 4.6.0 through ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2023-43649 (baserCMS is a website development framework. Prior to version 4.8.0, t ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2023-43648 (baserCMS is a website development framework. Prior to version 4.8.0, t ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2023-43647 (baserCMS is a website development framework. Prior to version 4.8.0, t ...) - TODO: check + NOT-FOR-US: baserCMS CVE-2023-42804 (BigBlueButton is an open-source virtual classroom. BigBlueButton prior ...) - TODO: check + NOT-FOR-US: BigBlueButton CVE-2023-42803 (BigBlueButton is an open-source virtual classroom. BigBlueButton prior ...) - TODO: check + NOT-FOR-US: BigBlueButton CVE-2023-42431 (Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension ...) - TODO: check + NOT-FOR-US: BlueSpiceAvatars extension of BlueSpice CVE-2023-41891 (FlyteAdmin is the control plane for Flyte responsible for managing ent ...) 
- TODO: check + NOT-FOR-US: FlyteAdmin CVE-2023-41605 REJECTED CVE-2023-40943 REJECTED CVE-2023-40101 (In collapse of canonicalize_md.c, there is a possible out of bounds re ...) - TODO: check + NOT-FOR-US: Android CVE-2023-36920 (In SAP Enable Now - versions WPB_MANAGER
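Review bot: several entries in this hunk stay at "TODO: check" while their neighbours were triaged: CVE-2023-4964 (opentext Service Management Automation), CVE-2023-5833 and CVE-2023-5832 (mintplex-labs/anything-llm) and CVE-2023-47104 (tinyfiledialogs before 3.15.0). The first three look like the same kind of non-Debian web product as the baserCMS, BigBlueButton and Pimcore entries marked NOT-FOR-US here; if they are not packaged, mark them in the same pass. For tinyfiledialogs, which projects commonly embed as a single source file, check for embedded copies as well as for a source package, since the CVE text describes shell metacharacter handling. The hunk as shown is cut off at the CVE-2023-36920 line, so the SAP Enable Now entry and anything after it could not be reviewed.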
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4f23fa19 by security tracker role at 2023-10-30T20:12:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,75 @@ +CVE-2023-5844 (Unverified Password Change in GitHub repository pimcore/admin-ui-class ...) + TODO: check +CVE-2023-5843 (The Ads by datafeedr.com plugin for WordPress is vulnerable to Remote ...) + TODO: check +CVE-2023-5833 (Improper Access Control in GitHub repository mintplex-labs/anything-ll ...) + TODO: check +CVE-2023-5832 (Improper Input Validation in GitHub repository mintplex-labs/anything- ...) + TODO: check +CVE-2023-5666 (The Accordion plugin for WordPress is vulnerable to Stored Cross-Site ...) + TODO: check +CVE-2023-5583 (The WP Simple Galleries plugin for WordPress is vulnerable to PHP Obje ...) + TODO: check +CVE-2023-5566 (The Simple Shortcodes plugin for WordPress is vulnerable to Stored Cro ...) + TODO: check +CVE-2023-5565 (The Shortcode Menu plugin for WordPress is vulnerable to Stored Cross- ...) + TODO: check +CVE-2023-5362 (The Carousel, Recent Post Slider and Banner Slider plugin for WordPres ...) + TODO: check +CVE-2023-5335 (The Buzzsprout Podcasting plugin for WordPress is vulnerable to Stored ...) + TODO: check +CVE-2023-5315 (The Google Maps made Simple plugin for WordPress is vulnerable to SQL ...) + TODO: check +CVE-2023-5252 (The FareHarbor plugin for WordPress is vulnerable to Stored Cross-Site ...) + TODO: check +CVE-2023-5251 (The Grid Plus plugin for WordPress is vulnerable to unauthorized modif ...) + TODO: check +CVE-2023-5250 (The Grid Plus plugin for WordPress is vulnerable to Local File Inclusi ...) + TODO: check +CVE-2023-5199 (The PHP to Page plugin for WordPress is vulnerable Local File Inclusio ...) + TODO: check +CVE-2023-5164 (The Bellows Accordion Menu plugin for WordPress is vulnerable to Store ...) + TODO: check +CVE-2023-5049 (The Giveaways and Contests by RafflePress plugin for WordPress is vuln ...) + TODO: check +CVE-2023-4964 (Potential open redirect vulnerability in opentext Service Management A ...) 
+ TODO: check +CVE-2023-47104 (tinyfiledialogs (aka tiny file dialogs) before 3.15.0 allows shell met ...) + TODO: check +CVE-2023-47101 (The installer (aka openvpn-client-installer) in Securepoint SSL VPN Cl ...) + TODO: check +CVE-2023-45780 (In Print Service, there is a possible background activity launch due t ...) + TODO: check +CVE-2023-44323 (Adobe Acrobat for Edge version 118.0.2088.46 (and earlier) is affected ...) + TODO: check +CVE-2023-44078 + REJECTED +CVE-2023-43792 (baserCMS is a website development framework. In versions 4.6.0 through ...) + TODO: check +CVE-2023-43649 (baserCMS is a website development framework. Prior to version 4.8.0, t ...) + TODO: check +CVE-2023-43648 (baserCMS is a website development framework. Prior to version 4.8.0, t ...) + TODO: check +CVE-2023-43647 (baserCMS is a website development framework. Prior to version 4.8.0, t ...) + TODO: check +CVE-2023-42804 (BigBlueButton is an open-source virtual classroom. BigBlueButton prior ...) + TODO: check +CVE-2023-42803 (BigBlueButton is an open-source virtual classroom. BigBlueButton prior ...) + TODO: check +CVE-2023-42431 (Cross-site Scripting (XSS) vulnerability in BlueSpiceAvatars extension ...) + TODO: check +CVE-2023-41891 (FlyteAdmin is the control plane for Flyte responsible for managing ent ...) + TODO: check +CVE-2023-41605 + REJECTED +CVE-2023-40943 + REJECTED +CVE-2023-40101 (In collapse of canonicalize_md.c, there is a possible out of bounds re ...) + TODO: check +CVE-2023-36920 (In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_M ...) + TODO: check +CVE-2020-36767 (tinyfiledialogs (aka tiny file dialogs) before 3.8.0 allows shell meta ...) + TODO: check CVE-2023-5842 (Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/doli ...) - dolibarr NOTE: https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3 
@@ -75,7 +147,7 @@ CVE-2023-46129 [nkeys: xkeys Seal encryption used fixed key for all encryption] [bookworm] - nats-server (Vulnerable code not present) NOTE: https://advisories.nats.io/CVE/secnote-2023-02.txt NOTE: https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9 -CVE-2023-47090 [Adding accounts for just the system account adds auth bypass] +CVE-2023-47090 (NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authent ...) - nats-server 2.10.3-1 NOTE: https://advisories.nats.io/CVE/secnote-2023-01.txt NOTE:
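Review bot: the two tinyfiledialogs CVEs added in the first hunk (CVE-2023-47104, before 3.15.0, and CVE-2020-36767, before 3.8.0) describe the same shell-metacharacter class in two version ranges and should be triaged as a pair; CVE-2020-36767 carries a 2020 ID but only appears now, so if either turns out to affect a Debian package, the version-range difference is the thing to record rather than treating them as one issue.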
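Review bot: the second hunk replaces the hand-written summary for CVE-2023-47090 with the MITRE text, which records the affected range as "before 2.9.23 and 2.10.x before 2.10.2"; the fixed unstable version 2.10.3-1 satisfies that, but every release below 2.9.23 is in range, so the entry still needs [bullseye]/[bookworm] lines. The adjacent CVE-2023-46129 has "[bookworm] - nats-server (Vulnerable code not present)"; this one has no stable-suite annotation at all.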
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3641-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c93dfd66 by Markus Koschany at 2023-10-30T21:05:48+01:00 Reserve DLA-3641-1 for jetty9 - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -218554,7 +218554,6 @@ CVE-2020-27219 (In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 NOT-FOR-US: Eclipse Hawkbit CVE-2020-27218 (In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 ...) - jetty9 9.4.35-1 (bug #976211) - [buster] - jetty9 (Minor issue, too intrusive to backport, patch introduces regressions, workarounds exist) [stretch] - jetty9 (Minor issue, request smuggling in specific conditions, invasive, patch introduces regressions, workarounds exist) NOTE: https://bugs.eclipse.org/bugs/show_bug.cgi?id=568892 NOTE: https://github.com/eclipse/jetty.project/security/advisories/GHSA-86wm-rrjm-8wh8 = data/DLA/list = @@ -1,3 +1,6 @@ +[30 Oct 2023] DLA-3641-1 jetty9 - security update + {CVE-2020-27218 CVE-2023-36478 CVE-2023-44487} + [buster] - jetty9 9.4.50-4+deb10u1 [30 Oct 2023] DLA-3640-1 distro-info - database update [buster] - distro-info 0.21+deb10u1 [30 Oct 2023] DLA-3639-1 distro-info-data - database update = data/dla-needed.txt = 
@@ -87,9 +87,6 @@ imagemagick NOTE: 20230622: Requested by maintainer (rouca) to tidy remaining open CVEs (Beuc/front-desk) NOTE: 20231014: Some work under git branch debian/buster but unease -- -jetty9 (Markus Koschany) - NOTE: 20231011: Added by Front-Desk (ta) --- knot-resolver NOTE: 20231029: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c93dfd66cac3e599ad34df17a76ce1764e427450 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c93dfd66cac3e599ad34df17a76ce1764e427450 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
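Review bot: removing the "[buster] - jetty9 (Minor issue, too intrusive to backport, patch introduces regressions, workarounds exist)" line is right now that DLA-3641-1 covers CVE-2020-27218, but the rationale it replaces said the backport was regression-prone; the new buster version 9.4.50-4+deb10u1 shares its 9.4.50-4 base with bullseye's 9.4.50-4+deb11u1, i.e. the fix arrives by rebasing past the 9.4.35-1 fixed version rather than via the patch that was rejected, and the DLA text should say so. The stretch line with the same wording stays, which is fine as the DLA only targets buster.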
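Review bot: DLA-3641-1 lists three CVEs against the same 9.4.50-4 base that DSA-5540-1 ships for bullseye/bookworm with only two (CVE-2023-36478, CVE-2023-44487); the extra CVE-2020-27218 is the one buster was still missing, so the difference is explained, but cross-reference the DLA and DSA texts so readers don't assume bullseye is still missing it.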
[Git][security-tracker-team/security-tracker][master] Reserve DSA-5540-1 for jetty9
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 61ae1034 by Markus Koschany at 2023-10-30T20:33:50+01:00 Reserve DSA-5540-1 for jetty9 - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Oct 2023] DSA-5540-1 jetty9 - security update + {CVE-2023-36478 CVE-2023-44487} + [bullseye] - jetty9 9.4.50-4+deb11u1 + [bookworm] - jetty9 9.4.50-4+deb12u2 [30 Oct 2023] DSA-5539-1 node-browserify-sign - security update {CVE-2023-46234} [bullseye] - node-browserify-sign 4.2.1-1+deb11u1 = data/dsa-needed.txt = @@ -24,8 +24,6 @@ fastdds -- gpac/oldstable (jmm) -- -jetty9 --- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ae1034546fcc75a7dcd658c9e8345fdc5eead4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61ae1034546fcc75a7dcd658c9e8345fdc5eead4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
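Review bot: bookworm moves to 9.4.50-4+deb12u2 while bullseye goes to 9.4.50-4+deb11u1, so bookworm has already had a +deb12u1 upload on the same upstream base; make sure the bookworm changelog and the DSA text list only the two CVEs fixed here (CVE-2023-36478, CVE-2023-44487) and not whatever deb12u1 already covered.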
[Git][security-tracker-team/security-tracker][master] Add open-vm-tools to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 345d25ee by Salvatore Bonaccorso at 2023-10-30T20:17:42+01:00 Add open-vm-tools to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -43,6 +43,9 @@ nodejs -- nova/oldstable -- +open-vm-tools + Maintainer posted debdiffs for review +-- openjdk-17 (jmm) -- php-cas/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/345d25eecf8866fc94a66530111eaa5d472cbe30 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/345d25eecf8866fc94a66530111eaa5d472cbe30 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
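Review bot: the new open-vm-tools entry has no claimant and no suite qualifier, unlike the neighbouring "nova/oldstable" and "openjdk-17 (jmm)" lines, and "Maintainer posted debdiffs for review" doesn't say where; add the CVE IDs the debdiffs address, whether they cover bullseye as well as bookworm, and a pointer (bug number or list message) so the reviewer can find them.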
[Git][security-tracker-team/security-tracker][master] Add assigned CVE-2023-47090/nats-server
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7505e17 by Salvatore Bonaccorso at 2023-10-30T19:09:59+01:00 Add assigned CVE-2023-47090/nats-server - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -75,7 +75,7 @@ CVE-2023-46129 [nkeys: xkeys Seal encryption used fixed key for all encryption] [bookworm] - nats-server (Vulnerable code not present) NOTE: https://advisories.nats.io/CVE/secnote-2023-02.txt NOTE: https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9 -CVE-2023- [Adding accounts for just the system account adds auth bypass] +CVE-2023-47090 [Adding accounts for just the system account adds auth bypass] - nats-server 2.10.3-1 NOTE: https://advisories.nats.io/CVE/secnote-2023-01.txt NOTE: https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7505e17dbd8b5e0425acf229659d1e5b7627648 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7505e17dbd8b5e0425acf229659d1e5b7627648 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
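Review bot: filling in the ID fixes the "CVE-2023-" placeholder, but while the bracketed summary "Adding accounts for just the system account adds auth bypass" is still in place the entry records no affected version range; secnote-2023-01 and the GHSA are linked, but without the range in the entry the stable suites cannot be triaged from the tracker alone, so add the upstream affected/fixed versions as a NOTE.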
[Git][security-tracker-team/security-tracker][master] dla: update request-tracker4 status + attribute past notes
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 388619d7 by Sylvain Beucler at 2023-10-30T18:16:10+01:00 dla: update request-tracker4 status + attribute past notes - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -200,8 +200,9 @@ request-tracker4 NOTE: 20231024: Added by Front-Desk (gladk) NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/a7a83dfdf591cd4d9f547048e89a5a310eeef32d NOTE: 20231024: Please check the commit: https://github.com/bestpractical/rt/commit/afb7dcded721e27028e47b62e7e5ed8ffc492beb - NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but will let the LTS handle the paperwork - NOTE: 20231028: Andrew has provided the buster patch, it has been posted to the team mailing list (Message-ID: ) + NOTE: 20231025: Andrew Ruthven is working on the buster-security upload, but will let the LTS handle the paperwork (santiago) + NOTE: 20231028: Andrew has provided the buster patch, it has been posted to the team mailing list (Message-ID: ) (roberto) + NOTE: 20231030: Andrew pushed his work at https://salsa.debian.org/request-tracker-team/request-tracker4/-/commits/buster/ (Beuc) -- ring NOTE: 20230903: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/388619d7f493faa8aabf5e77eaf2f8137fe9cdb8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/388619d7f493faa8aabf5e77eaf2f8137fe9cdb8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
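Review bot: the attribution suffixes are a useful addition, but the "(Message-ID: )" placeholder in the 20231028 note is still empty after the rewrite; either fill in the Message-ID of the list post carrying Andrew's buster patch or drop the parenthetical, since an empty placeholder is worse than a plain pointer to the list archive. The new 20231030 note gives the salsa branch, which largely supersedes the mailing-list reference anyway.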
[Git][security-tracker-team/security-tracker][master] Reference merge commits for CVE-2023-41259, CVE-2023-41260 and CVE-2023-45024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7895b1ff by Salvatore Bonaccorso at 2023-10-30T17:47:32+01:00 Reference merge commits for CVE-2023-41259, CVE-2023-41260 and CVE-2023-45024 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1883,16 +1883,21 @@ CVE-2023-34366 (A use-after-free vulnerability exists in the Figure stream parsi CVE-2023-45024 - request-tracker5 5.0.5+dfsg-1 (bug #1054517) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 + NOTE: https://github.com/bestpractical/rt/commit/90fb016e604942256edf00a36644ce077bb5ea4e (rt-5.0.5) CVE-2023-41260 - request-tracker5 5.0.5+dfsg-1 (bug #1054517) - request-tracker4 4.4.7+dfsg-1 (bug #1054516) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 + NOTE: https://github.com/bestpractical/rt/commit/90fb016e604942256edf00a36644ce077bb5ea4e (rt-5.0.5) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-4.4.7 + NOTE: https://github.com/bestpractical/rt/commit/33e9203bf2a61e20f8b8e682d57f55cb7a995967 (rt-4.4.7) CVE-2023-41259 - request-tracker5 5.0.5+dfsg-1 (bug #1054517) - request-tracker4 4.4.7+dfsg-1 (bug #1054516) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-5.0.5 + NOTE: https://github.com/bestpractical/rt/commit/90fb016e604942256edf00a36644ce077bb5ea4e (rt-5.0.5) NOTE: https://github.com/bestpractical/rt/releases/tag/rt-4.4.7 + NOTE: https://github.com/bestpractical/rt/commit/33e9203bf2a61e20f8b8e682d57f55cb7a995967 (rt-4.4.7) CVE-2023-5639 (The Team Showcase plugin for WordPress is vulnerable to Stored Cross-S ...) NOT-FOR-US: WordPress plugin CVE-2023-5638 (The Booster for WooCommerce plugin for WordPress is vulnerable to Stor ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7895b1e76c8fe4678ab4eaae4c8988f09eb4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7895b1e76c8fe4678ab4eaae4c8988f09eb4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
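Review bot: the commits added here are the merge commits for rt-5.0.5 and rt-4.4.7 (90fb016e and 33e9203b), and the same 90fb016e is listed under all three CVEs; for backporting, the individual fix commits are what a maintainer needs, and the dla-needed.txt entry for request-tracker4 already names two (a7a83dfd and afb7dcde) without saying which CVE each fixes. Add those per-CVE commit references next to the merge commits so the CVE/list entry stands on its own.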
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for node-browserify-sign update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 505fb0d6 by Salvatore Bonaccorso at 2023-10-30T17:04:59+01:00 Reserve DSA number for node-browserify-sign update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[30 Oct 2023] DSA-5539-1 node-browserify-sign - security update + {CVE-2023-46234} + [bullseye] - node-browserify-sign 4.2.1-1+deb11u1 + [bookworm] - node-browserify-sign 4.2.1-3+deb12u1 [27 Oct 2023] DSA-5538-1 thunderbird - security update {CVE-2023-5721 CVE-2023-5724 CVE-2023-5725 CVE-2023-5728 CVE-2023-5730 CVE-2023-5732} [bullseye] - thunderbird 1:115.4.1-1~deb11u1 = data/dsa-needed.txt = @@ -38,9 +38,6 @@ nbconvert/oldstable -- nghttp2 -- -node-browserify-sign (carnil) - Yadd proposed an update --- nodejs maintainer proposed to follow the upstream 18.x LTS branch -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/505fb0d6cae827382e514ced568408829e352e69 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/505fb0d6cae827382e514ced568408829e352e69 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update version information for CVE-2023-1289
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22176b6d by Salvatore Bonaccorso at 2023-10-30T15:08:43+01:00 Update version information for CVE-2023-1289 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -34227,12 +34227,13 @@ CVE-2023-1291 (A vulnerability, which was classified as critical, was found in S CVE-2023-1290 (A vulnerability, which was classified as critical, has been found in S ...) NOT-FOR-US: SourceCodester Sales Tracker Management System CVE-2023-1289 (A vulnerability was discovered in ImageMagick where a specially create ...) - - imagemagick 8:6.9.12.98+dfsg1-1 + - imagemagick 8:6.9.12.98+dfsg1-2 [bookworm] - imagemagick (Minor issue) [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Should be fixed together with some other CVEs) NOTE: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j96m-mjp6-99xr - NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4 + NOTE: https://github.com/ImageMagick/ImageMagick/commit/c5b23cbf2119540725e6dc81f4deb25798ead6a4 (7.1.1-0) + NOTE: https://github.com/ImageMagick/ImageMagick6/commit/706d381b7eb79927d328c96f7b7faab5dc109368 (6.9.12-78) CVE-2023-1288 (An XML External Entity injection (XXE) vulnerability in ENOVIA Live Co ...) NOT-FOR-US: ENOVIA Live Collaboration V6R2013xE CVE-2023-1287 (An XSL template vulnerability in ENOVIA Live Collaboration V6R2013xE a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22176b6d51367e5ebf06eab6c27540a33daf5c8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22176b6d51367e5ebf06eab6c27540a33daf5c8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
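Review bot: this bumps the first fixed unstable version from 8:6.9.12.98+dfsg1-1 to -2 and adds the ImageMagick6 commit tagged 6.9.12-78; since the Debian package is based on upstream 6.9.12.98, which is later than 6.9.12-78, the referenced commit should already be in the -1 tarball, so if -2 is genuinely the first fixed revision a NOTE explaining why (incomplete upstream change, Debian patch, or a build that dropped it) would stop the next triager from moving this back to -1, as the earlier commit on this page set it the other way.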
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3639-1 and DLA-3640-1 for distro-info-data and distro-info updates
Stefano Rivera pushed to branch master at Debian Security Tracker / security-tracker Commits: 4997e061 by Stefano Rivera at 2023-10-30T15:06:15+02:00 Reserve DLA-3639-1 and DLA-3640-1 for distro-info-data and distro-info updates - - - - - 1 changed file: - data/DLA/list Changes: = data/DLA/list = @@ -1,3 +1,7 @@ +[30 Oct 2023] DLA-3640-1 distro-info - database update + [buster] - distro-info 0.21+deb10u1 +[30 Oct 2023] DLA-3639-1 distro-info-data - database update + [buster] - distro-info-data 0.41+deb10u8 [29 Oct 2023] DLA-3638-1 h2o - security update {CVE-2023-44487} [buster] - h2o 2.2.5+dfsg2-2+deb10u2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4997e0611a14bf13222b6e277a294c3358dd080b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4997e0611a14bf13222b6e277a294c3358dd080b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity
Roberto C. Sánchez pushed to branch master at Debian Security Tracker / security-tracker Commits: ff404e88 by Roberto C. Sánchez at 2023-10-30T07:51:06-04:00 semi-automatic unclaim after 2 weeks of inactivity Signed-off-by: Roberto C. Sánchez robe...@connexer.com - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -62,7 +62,7 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage (gladk) +freeimage NOTE: 20230826: Added by Front-Desk (utkarsh) NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll @@ -226,7 +226,7 @@ salt samba NOTE: 20230918: Added by Front-Desk (apo) -- -suricata (Adrian Bunk) +suricata NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, NOTE: 20230620: I'd suggest reviewing the CVEs, precise the triage (postponed/ignored), View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff404e889f7029f106cb3958c537e3fbc2e55449 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ff404e889f7029f106cb3958c537e3fbc2e55449 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
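Review bot: the unclaim removes "(gladk)" and "(Adrian Bunk)" from the claim lines without leaving a dated trace, whereas every other status change in dla-needed.txt on this page is recorded as a "NOTE: YYYYMMDD: ... (who)" line; add "NOTE: 20231030: unclaimed after 2 weeks of inactivity (roberto)" under each so the next claimant sees how long the package has been idle. For freeimage the 20230826 note still says to sync with Anton Gladky as maintainer, which remains true after the unclaim and should stay.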
[Git][security-tracker-team/security-tracker][master] bullseye/bookworm triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 96bead19 by Moritz Mühlenhoff at 2023-10-30T12:13:05+01:00 bullseye/bookworm triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -479,6 +479,8 @@ CVE-2023-46232 (era-compiler-vyper is the EraVM Vyper compiler for zkSync Era, a NOT-FOR-US: era-compiler-vyper CVE-2023-46137 (Twisted is an event-based framework for internet applications. Prior t ...) - twisted (bug #1054913) + [bookworm] - twisted (Minor issue) + [bullseye] - twisted (Minor issue) NOTE: https://github.com/twisted/twisted/security/advisories/GHSA-xc8x-vp79-p3wm CVE-2023-46134 (D-Tale is the combination of a Flask back-end and a React front-end to ...) NOT-FOR-US: D-Tale = data/dsa-needed.txt = @@ -101,6 +101,6 @@ wpewebkit/oldstable -- xen (jmm) -- -zookeeper +zookeeper (jmm) Pierre Gruet proposed debdiff, reviewed, question asked back -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96bead19d3019e56bcbe9ab522aeb06bf953c732 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96bead19d3019e56bcbe9ab522aeb06bf953c732 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
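Review bot: "[bookworm] - twisted (Minor issue)" and "[bullseye] - twisted (Minor issue)" give no reason, while other no-dsa lines on this page do ("too intrusive to backport, workarounds exist", "Should be fixed together with some other CVEs"); a few words on why CVE-2023-46137 is minor would help, and with no fixed unstable version recorded yet ("- twisted (bug #1054913)") the bug is where a fix via point release should be tracked.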
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-1289 (imagemagick) as fixed in unstable/testing
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: bfb7d930 by Bastien Roucariès at 2023-10-30T09:20:06+00:00 Mark CVE-2023-1289 (imagemagick) as fixed in unstable/testing - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34225,7 +34225,7 @@ CVE-2023-1291 (A vulnerability, which was classified as critical, was found in S CVE-2023-1290 (A vulnerability, which was classified as critical, has been found in S ...) NOT-FOR-US: SourceCodester Sales Tracker Management System CVE-2023-1289 (A vulnerability was discovered in ImageMagick where a specially create ...) - - imagemagick (bug #1033254) + - imagemagick 8:6.9.12.98+dfsg1-1 [bookworm] - imagemagick (Minor issue) [bullseye] - imagemagick (Minor issue) [buster] - imagemagick (Should be fixed together with some other CVEs) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfb7d9309f59715622afa64583451d88c94278c9
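Review bot: `+ - imagemagick 8:6.9.12.98+dfsg1-1` drops the `(bug #1033254)` reference that the removed line carried; the list convention keeps the bug reference next to the fixed version (compare `- libjose4j-java 0.7.12-2 (bug #1054872)` in the CVE-2023-31582 commit on this page), so suggest `- imagemagick 8:6.9.12.98+dfsg1-1 (bug #1033254)` to keep the BTS link resolvable. The `[buster] - imagemagick (Should be fixed together with some other CVEs)` context line is untouched, so the LTS entry remains without a fixed version.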
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 83ef7873 by Salvatore Bonaccorso at 2023-10-30T09:47:45+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2023-5842 (Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr NOTE: https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3 NOTE: https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c CVE-2023-4393 (HTML and SMTP injections on the registration page of LiquidFiles versi ...) - TODO: check + NOT-FOR-US: LiquidFiles CVE-2023-46867 (In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixT ...) TODO: check CVE-2023-46866 (In International Color Consortium DemoIccMAX 79ecb74, CIccCLUT::Interp ...) 
@@ -11,15 +11,15 @@ CVE-2023-46866 (In International Color Consortium DemoIccMAX 79ecb74, CIccCLUT:: CVE-2023-46865 (/api/v1/company/upload-logo in CompanyController.php in crater through ...) TODO: check CVE-2023-46864 (Peppermint Ticket Management through 0.2.4 allows remote attackers to ...) - TODO: check + NOT-FOR-US: Peppermint Ticket Management CVE-2023-46863 (Peppermint Ticket Management before 0.2.4 allows remote attackers to r ...) - TODO: check + NOT-FOR-US: Peppermint Ticket Management CVE-2023-45799 (In MLSoft TCO!stream versions 8.0.22.1115 and below, a vulnerability e ...) - TODO: check + NOT-FOR-US: MLSoft TCO!stream CVE-2023-45798 (In Yettiesoft VestCert versions 2.36 to 2.5.29, a vulnerability exists ...) - TODO: check + NOT-FOR-US: Yettiesoft VestCert CVE-2023-45797 (A Buffer overflow vulnerability in DreamSecurity MagicLine4NX versions ...) - TODO: check + NOT-FOR-US: DreamSecurity MagicLine4NX CVE-2023-45746 (Cross-site scripting vulnerability in Movable Type series allows a rem ...) TODO: check CVE-2023-44141 (Inkdrop prior to v5.6.0 allows a local attacker to conduct a code inje ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/83ef78732dac1763af4c72528ff94d830774d674
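Review bot: the first hunk resolves CVE-2023-4393 to `NOT-FOR-US: LiquidFiles` but leaves the two DemoIccMAX entries in the same hunk (CVE-2023-46867, CVE-2023-46866) at `TODO: check`, and the commit message `Process some NFUs` does not say whether they were examined and deliberately deferred; a word in the message or a NOTE on those entries would keep the next triager from re-checking them.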
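Review bot: the second hunk converts five entries to NOT-FOR-US while CVE-2023-46865 (crater) and CVE-2023-45746 (Movable Type) in the same hunk stay at `TODO: check`; the product names chosen match the CVE descriptions exactly (both Peppermint entries use the same `Peppermint Ticket Management` string), which is what later searches of data/CVE/list key on, so keep that naming consistent when the remaining two are processed.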
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5842/dolibarr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fa9f7c7f by Salvatore Bonaccorso at 2023-10-30T09:45:34+01:00 Add CVE-2023-5842/dolibarr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2023-5842 (Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/doli ...) - TODO: check + - dolibarr + NOTE: https://huntr.com/bounties/aed81114-5952-46f5-ae3a-e66518e98ba3 + NOTE: https://github.com/dolibarr/dolibarr/commit/f569048eb2bd823525bce4ef52316e7a83e3345c CVE-2023-4393 (HTML and SMTP injections on the registration page of LiquidFiles versi ...) TODO: check CVE-2023-46867 (In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixT ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa9f7c7f4555aca79565e4db155a434e72b8013d
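Review bot: `+ - dolibarr` records the package as affected with neither a fixed version nor a bug reference, even though the same hunk adds the upstream fix commit f569048e as a NOTE; with the fix already identified, the entry should carry the unstable version that includes it, or a `(bug #...)` reference once one is filed, plus a `[bookworm]`/`[bullseye]` triage like the twisted entry on this page, otherwise it reads as open in every suite with no tracking hook.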
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56debb5b by security tracker role at 2023-10-30T08:11:38+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,29 @@ +CVE-2023-5842 (Cross-site Scripting (XSS) - Stored in GitHub repository dolibarr/doli ...) + TODO: check +CVE-2023-4393 (HTML and SMTP injections on the registration page of LiquidFiles versi ...) + TODO: check +CVE-2023-46867 (In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixT ...) + TODO: check +CVE-2023-46866 (In International Color Consortium DemoIccMAX 79ecb74, CIccCLUT::Interp ...) + TODO: check +CVE-2023-46865 (/api/v1/company/upload-logo in CompanyController.php in crater through ...) + TODO: check +CVE-2023-46864 (Peppermint Ticket Management through 0.2.4 allows remote attackers to ...) + TODO: check +CVE-2023-46863 (Peppermint Ticket Management before 0.2.4 allows remote attackers to r ...) + TODO: check +CVE-2023-45799 (In MLSoft TCO!stream versions 8.0.22.1115 and below, a vulnerability e ...) + TODO: check +CVE-2023-45798 (In Yettiesoft VestCert versions 2.36 to 2.5.29, a vulnerability exists ...) + TODO: check +CVE-2023-45797 (A Buffer overflow vulnerability in DreamSecurity MagicLine4NX versions ...) + TODO: check +CVE-2023-45746 (Cross-site scripting vulnerability in Movable Type series allows a rem ...) + TODO: check +CVE-2023-44141 (Inkdrop prior to v5.6.0 allows a local attacker to conduct a code inje ...) + TODO: check +CVE-2023-44002 + REJECTED CVE-2007-10003 (A vulnerability, which was classified as critical, has been found in T ...) NOT-FOR-US: WordPress plugin CVE-2005-10002 (A vulnerability, which was classified as critical, was found in almost ...) 
@@ -3662,7 +3688,7 @@ CVE-2023-3961 [smbd allows client access to unix domain sockets on the file syst NOTE: https://www.samba.org/samba/security/CVE-2023-3961.html NOTE: In scope for continued Samba support CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource consum ...) - {DSA-5522-1 DSA-5521-1 DLA-3621-1 DLA-3617-1} + {DSA-5522-1 DSA-5521-1 DLA-3638-1 DLA-3621-1 DLA-3617-1} - tomcat9 9.0.70-2 - tomcat10 10.1.14-1 - trafficserver (bug #1053801; bug #1054427) @@ -190490,8 +190516,7 @@ CVE-2021-25737 (A security issue was discovered in Kubernetes where a user may b NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here NOTE: https://www.openwall.com/lists/oss-security/2021/05/18/4 -CVE-2021-25736 - RESERVED +CVE-2021-25736 (Kube-proxy on Windows can unintentionally forward traffic to local pr ...) - kubernetes (Windows-specific) CVE-2021-25735 (A security issue was discovered in kube-apiserver that could allow nod ...) - kubernetes 1.20.5+really1.20.2-1 (bug #990793) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56debb5b97700ef8a4b49aed8756e9441d90b5ed
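Review bot: the CVE-2023-44487 hunk adds `DLA-3638-1` to the advisory set, placed between `DSA-5521-1` and `DLA-3621-1` so the descending order within each advisory type is preserved, but none of the package lines below it (`- tomcat9 9.0.70-2`, `- tomcat10 10.1.14-1`, `- trafficserver (bug #1053801; bug #1054427)`) shows which source package the new DLA covers; that is expected for the generated list, so just confirm the corresponding data/DLA/list entry names the package so the cross-reference resolves.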
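Review bot: the CVE-2021-25736 hunk replaces `RESERVED` with the description while keeping `- kubernetes (Windows-specific)`, a package line with neither a fixed version nor an explicit not-affected marker; such a line is treated as unfixed, so despite the parenthetical the tracker will list kubernetes as vulnerable to a Windows-only kube-proxy issue in every suite. The neighbouring CVE-2021-25737 NOTE records server components as no longer built since 1.20.5+really1.20.2-1; if the same reasoning applies here, mark the entry not-affected explicitly or record that version, keeping `(Windows-specific)` as the comment.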
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2023-31582/libjose4j-java
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 00c6aadc by Salvatore Bonaccorso at 2023-10-30T07:07:28+01:00 Track fixed version via unstable for CVE-2023-31582/libjose4j-java - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -859,7 +859,7 @@ CVE-2023-34056 (vCenter Server contains a partial information disclosure vulnera CVE-2023-34048 (vCenter Server contains an out-of-bounds write vulnerability in the im ...) NOT-FOR-US: VMware CVE-2023-31582 (jose4j before v0.9.3 allows attackers to set a low iteration count of ...) - - libjose4j-java (bug #1054872) + - libjose4j-java 0.7.12-2 (bug #1054872) NOTE: https://bitbucket.org/b_c/jose4j/issues/203/insecure-support-of-setting-pbe-less-then NOTE: Fixed by: https://bitbucket.org/b_c/jose4j/commits/1929fe3 (jose4j/0.9.3) CVE-2023-31581 (Dromara Sureness before v1.0.8 was discovered to use a hardcoded key.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/00c6aadc07fa3d62831d4e7b4f9964a70db0f79a
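Review bot: `+ - libjose4j-java 0.7.12-2 (bug #1054872)` records a fixed version that is numerically below the upstream fix release named in the NOTE (`jose4j/0.9.3`, commit 1929fe3), so a reader comparing versions will take 0.7.12-2 for unfixed unless a NOTE states that 0.7.12-2 carries a backport of 1929fe3; suggest adding that line. The entry also still has no `[bookworm]`/`[bullseye]` triage, unlike the twisted and imagemagick entries on this page, so the stable status remains open.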