[Git][security-tracker-team/security-tracker][master] Reserve DLA-3662-1 for freeimage
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 22ea11b5 by Anton Gladky at 2023-11-24T06:51:27+01:00 Reserve DLA-3662-1 for freeimage - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3662-1 freeimage - security update + {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} + [buster] - freeimage 3.18.0+ds2-1+deb10u2 [23 Nov 2023] DLA-3661-1 firefox-esr - security update {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} [buster] - firefox-esr 115.5.0esr-1~deb10u1 = data/dla-needed.txt = @@ -65,13 +65,6 @@ flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) -- -freeimage (gladk) - NOTE: 20230826: Added by Front-Desk (utkarsh) - NOTE: 20230826: Anton Gladky is the maintainer. Please sync with him about the - NOTE: 20230826: about this. Anyway, too many CVEs piled up. I feel we should roll - NOTE: 20230826: out the DLA/ELA now. (utkarsh) - NOTE: 20231120: many CVEs, check with ASAN is needed. (gladk) --- frr NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22ea11b5c0e68482bfcb0169a846d12f3eff2ee2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22ea11b5c0e68482bfcb0169a846d12f3eff2ee2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
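Review bot: the DLA/list hunk records DLA-3662-1 for three CVEs only (CVE-2020-21427, CVE-2020-21428, CVE-2020-22524), while the dla-needed.txt note removed in the same hunk ("20231120: many CVEs, check with ASAN is needed") implies more were outstanding; a NOTE in data/CVE/list (or the DLA text) should state which other open freeimage CVEs were deliberately left for buster, so the front desk does not simply re-add the package to dla-needed.txt.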
[Git][security-tracker-team/security-tracker][master] Update notes for outstanding freeimage issues
Anton Gladky pushed to branch master at Debian Security Tracker / security-tracker Commits: 8e1308ad by Anton Gladky at 2023-11-24T06:15:04+01:00 Update notes for outstanding freeimage issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -157555,26 +157555,31 @@ CVE-2021-40266 (FreeImage before 1.18.0, ReadPalette function in PluginTIFF.cpp - freeimage (bug #1055305) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/334/ CVE-2021-40265 (A heap overflow bug exists FreeImage before 1.18.0 via ofLoad function ...) - freeimage (bug #1055304) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/337/ CVE-2021-40264 (NULL pointer dereference vulnerability in FreeImage before 1.18.0 via ...) - freeimage (bug #1055303) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/335/ CVE-2021-40263 (A heap overflow vulnerability in FreeImage 1.18.0 via the ofLoad funct ...) - freeimage (bug #1055302) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/336/ CVE-2021-40262 (A stack exhaustion issue was discovered in FreeImage before 1.18.0 via ...) - freeimage (bug #1055301) [bookworm] - freeimage (Minor issue) [bullseye] - freeimage (Minor issue) + [buster] - freeimage (Minor issue) NOTE: https://sourceforge.net/p/freeimage/bugs/338/ CVE-2021-40261 (Multiple Cross Site Scripting (XSS) vulnerabilities exist in SourceCod ...) NOT-FOR-US: SourceCodester 
@@ -236524,6 +236529,7 @@ CVE-2020-21427 (Buffer Overflow vulnerability in function LoadPixelDataRLE8 in P CVE-2020-21426 (Buffer Overflow vulnerability in function C_IStream::read in PluginEXR ...) - freeimage (bug #1051736) NOTE: https://sourceforge.net/p/freeimage/bugs/300/ + NOTE: it looks like the issue is in openexr. No relevant patches in freeimage are detected CVE-2020-21425 RESERVED CVE-2020-21424 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8e1308ad75a56bf0dd66cb4d1ec18df92aff30ab You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
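Review bot: the added NOTE for CVE-2020-21426 ("it looks like the issue is in openexr. No relevant patches in freeimage are detected") leaves the freeimage entry open with bug #1051736 still attached; the note should say whether the Debian freeimage package uses the system libopenexr or a bundled copy, because in the first case the entry can be marked not-affected with the matching openexr CVE cross-referenced, and in the second the fix has to come through openexr and the NOTE should name it.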
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2022-48570/libcrypto++
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7a8b9c09 by Salvatore Bonaccorso at 2023-11-23T23:43:02+01:00 Update status for CVE-2022-48570/libcrypto++ From a comment from upstream: To fix the underlying issue a rewrite of the Integer class is required. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15042,12 +15042,14 @@ CVE-2022-48571 (memcached 1.6.7 allows a Denial of Service via multi-packet uplo - memcached 1.6.8+dfsg-1 NOTE: Fixed by: https://github.com/memcached/memcached/commit/6b319c8c7a29e9c353dec83dc92f01905f6c8966 (1.6.8) CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA signature ...) - - libcrypto++ 8.4.0-1 + - libcrypto++ + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) [buster] - libcrypto++ (Minor issue) - NOTE: https://github.com/weidai11/cryptopp/issues/992 + NOTE: Related issue: https://github.com/weidai11/cryptopp/issues/992 NOTE: This issue exists because the CVE-2019-14318 fix was intentionally removed for - NOTE: functionality reasons. - NOTE: https://github.com/weidai11/cryptopp/commit/4bc7408ae2aefac9357c16809541ecbe225b7f3a (CRYPTOPP_8_4_0) + NOTE: functionality reasons. To fix the issue a rewrite of the rewrite the Integer class + NOTE: is required. CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Python thr ...) {DLA-3614-1 DLA-3575-1} - python3.9 3.9.1~rc1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a8b9c09772d7503c653d7f9a3570915782ac9c3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a8b9c09772d7503c653d7f9a3570915782ac9c3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
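Review bot: the added NOTE line contains a duplicated phrase, "To fix the issue a rewrite of the rewrite the Integer class"; it should read "To fix the issue a rewrite of the Integer class is required." The same hunk retracts the fixed version 8.4.0-1 and drops the "https://github.com/weidai11/cryptopp/commit/4bc7408ae2aefac9357c16809541ecbe225b7f3a (CRYPTOPP_8_4_0)" reference without explanation; a one-line NOTE saying why that commit was previously taken as the fix and no longer counts would let later readers check the Minor issue markings for bookworm, bullseye and buster.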
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3661-1 for firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b473de5 by Emilio Pozuelo Monfort at 2023-11-23T23:35:26+01:00 Reserve DLA-3661-1 for firefox-esr - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Nov 2023] DLA-3661-1 firefox-esr - security update + {CVE-2023-6204 CVE-2023-6205 CVE-2023-6206 CVE-2023-6207 CVE-2023-6208 CVE-2023-6209 CVE-2023-6212} + [buster] - firefox-esr 115.5.0esr-1~deb10u1 [22 Nov 2023] DLA-3660-1 gnutls28 - security update {CVE-2023-5981} [buster] - gnutls28 3.6.7-4+deb10u11 = data/dla-needed.txt = @@ -61,9 +61,6 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr (Emilio) - NOTE: 20231122: Added by Front-Desk (ola) --- flatpak NOTE: 20231006: Added by Front-Desk (Beuc) NOTE: 20231006: Follow fixes from bullseye 11.7 (2 CVEs) (Beuc/front-desk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b473de53704c7757d45a03db485bd9acce40ea2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b473de53704c7757d45a03db485bd9acce40ea2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-48230
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3937d25f by Salvatore Bonaccorso at 2023-11-23T23:03:25+01:00 Add Debian bug reference for CVE-2023-48230 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -356,7 +356,7 @@ CVE-2023-48299 (TorchServe is a tool for serving and scaling PyTorch models in p CVE-2023-48239 (Nextcloud Server provides data storage for Nextcloud, an open source c ...) - nextcloud-server (bug #941708) CVE-2023-48230 (Cap'n Proto is a data interchange format and capability-based RPC syst ...) - - capnproto + - capnproto (bug #1056615) [bookworm] - capnproto (Vulnerable code not present) [bullseye] - capnproto (Vulnerable code not present) [buster] - capnproto (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3937d25fe929b4b8081feeac8ddf489c1bcc99bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3937d25fe929b4b8081feeac8ddf489c1bcc99bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-49208 as not affected for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f4a918a4 by Ola Lundqvist at 2023-11-23T21:50:05+00:00 Marked CVE-2023-49208 as not affected for buster. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -21,6 +21,7 @@ CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was cha NOT-FOR-US: malicious node module CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...) - glewlwyd 2.7.6+ds-1 + [buster] - glewlwyd (Vulnerable code not present) NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6) CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) NOT-FOR-US: Pandora FMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4a918a491b7b3da3375d1708cb0c4ffcb71a1b7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4a918a491b7b3da3375d1708cb0c4ffcb71a1b7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
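Review bot: the new "[buster] - glewlwyd (Vulnerable code not present)" line gives no pointer to why buster's glewlwyd lacks the affected scheme/webauthn.c code while bullseye and bookworm remain unmarked (and thus affected); a NOTE naming the upstream change or first version that introduced the vulnerable code would make the not-affected claim verifiable and settle the status of the other two suites at the same time.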
[Git][security-tracker-team/security-tracker][master] Added tinymce to dla-needed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 8905071c by Ola Lundqvist at 2023-11-23T21:44:06+00:00 Added tinymce to dla-needed. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -264,6 +264,9 @@ symfony (Markus Koschany) thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- +tinymce + NOTE: 20231123: Added by Front-Desk (ola) +-- tor NOTE: 20231119: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8905071c2ab66288080a9a2655cdf7799a08cd1a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8905071c2ab66288080a9a2655cdf7799a08cd1a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-40030 as no-dsa for buster following bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: ffc07270 by Ola Lundqvist at 2023-11-23T21:41:14+00:00 Marked CVE-2023-40030 as no-dsa for buster following bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14583,9 +14583,11 @@ CVE-2023-40030 (Cargo downloads a Rust project\u2019s dependencies and compiles - cargo [bookworm] - cargo (Minor issue) [bullseye] - cargo (Minor issue) + [buster] - cargo (Minor issue) - rust-cargo [bookworm] - rust-cargo (Minor issue) [bullseye] - rust-cargo (Minor issue) + [buster] - rust-cargo (Minor issue) NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p NOTE: https://github.com/rust-lang/cargo/pull/12291 NOTE: https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 (0.75.0) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffc07270565352d6ed9d3bd0ef57e3e0bcaa3558 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ffc07270565352d6ed9d3bd0ef57e3e0bcaa3558 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-20246 as not affected for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e7dc086 by Ola Lundqvist at 2023-11-23T21:29:24+00:00 Marked CVE-2023-20246 as not affected for buster. It should be marked as not affected for all versions since the vulnerability is only in snort 3.x, but I'll leave that to the regular security team to do. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72399,6 +72399,7 @@ CVE-2023-20247 (A vulnerability in the remote access SSL VPN feature of Cisco Ad NOT-FOR-US: Cisco CVE-2023-20246 (Multiple Cisco products are affected by a vulnerability in Snort acces ...) - snort (bug #1056281) + [buster] - snort (only affects 3.x) NOTE: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3acp-bypass-3bdR2BEh CVE-2023-20245 (Multiple vulnerabilities in the per-user-override feature of Cisco Ada ...) NOT-FOR-US: Cisco View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7dc086640f001045f40767ab048f35c21f9ba6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e7dc086640f001045f40767ab048f35c21f9ba6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
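Review bot: the hunk marks only buster, so the top-level "- snort (bug #1056281)" line still records unstable, bullseye and bookworm as affected even though the commit message states the flaw is specific to Snort 3.x; rather than leaving the reasoning in the commit message alone, add a NOTE line next to the Cisco advisory URL stating the 3.x-only scope, so whoever completes the marking for the other suites (and closes bug #1056281) can do it from the entry itself.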
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-6212/thunderbird via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f5484dc1 by Salvatore Bonaccorso at 2023-11-23T22:09:11+01:00 Track fixed version for CVE-2023-6212/thunderbird via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -412,7 +412,7 @@ CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6212 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5484dc171e3e3b6ec0aaa506b74bc65ed88454f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f5484dc171e3e3b6ec0aaa506b74bc65ed88454f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix typo in source package name for thunderbird
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0da0f8a4 by Salvatore Bonaccorso at 2023-11-23T22:07:21+01:00 Fix typo in source package name for thunderbird - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -412,7 +412,7 @@ CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - tunderbird + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6212 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6212 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0da0f8a406fa513265a853c450d0bc6ff1682966 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0da0f8a406fa513265a853c450d0bc6ff1682966 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 70356eb7 by Salvatore Bonaccorso at 2023-11-23T22:02:32+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10,11 +10,11 @@ CVE-2023-5972 (A null pointer dereference flaw was found in the nft_inner.c func CVE-2023-4677 (Cron log backup files contain administrator session IDs. It is trivial ...) NOT-FOR-US: Pandora FMS Console CVE-2023-4595 (An information exposure vulnerability has been found, the exploitation ...) - TODO: check + NOT-FOR-US: SLmail CVE-2023-4594 (Stored XSS vulnerability. This vulnerability could allow an attacker t ...) - TODO: check + NOT-FOR-US: SLmail CVE-2023-4593 (Path traversal vulnerability whose exploitation could allow an authent ...) - TODO: check + NOT-FOR-US: SLmail CVE-2023-4406 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: KC Group E-Commerce Software CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was character ...) 
@@ -35610,9 +35610,9 @@ CVE-2023-28815 CVE-2023-28814 RESERVED CVE-2023-28813 (An attacker could exploit a vulnerability by sending crafted messages ...) - TODO: check + NOT-FOR-US: Hikvision Web Browser Plug-in LocalServiceComponents CVE-2023-28812 (There is a buffer overflow vulnerability in a web browser plug-in coul ...) - TODO: check + NOT-FOR-US: Hikvision Web Browser Plug-in LocalServiceComponents CVE-2023-28811 (There is a buffer overflow in the password recovery feature of Hikvisi ...) NOT-FOR-US: hikvison CVE-2023-28810 (Some access control/intercom products have unauthorized modification o ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70356eb76dcfd710d49997f58b2683c50f0b9e04 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70356eb76dcfd710d49997f58b2683c50f0b9e04 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49208/glewlwyd
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 62ec7603 by Salvatore Bonaccorso at 2023-11-23T21:46:27+01:00 Add CVE-2023-49208/glewlwyd - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -20,7 +20,8 @@ CVE-2023-4406 (Improper Neutralization of Input During Web Page Generation ('Cro CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was character ...) NOT-FOR-US: malicious node module CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...) - TODO: check + - glewlwyd 2.7.6+ds-1 + NOTE: https://github.com/babelouest/glewlwyd/commit/f9d8c06aae8dfe17e761b18b577ff169e059e812 (v2.7.6) CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) NOT-FOR-US: Pandora FMS CVE-2023-41811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ec7603aa1045eaec5e69667d6f5ec6f17a43b1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62ec7603aa1045eaec5e69667d6f5ec6f17a43b1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-33202/bouncycastle
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: abe352cd by Salvatore Bonaccorso at 2023-11-23T21:44:58+01:00 Add CVE-2023-33202/bouncycastle - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -52,7 +52,8 @@ CVE-2023-3631 (Improper Neutralization of Special Elements used in an SQL Comman CVE-2023-3377 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) NOT-FOR-US: Veribilim Software Computer Veribase CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial of Serv ...) - TODO: check + - bouncycastle + NOTE: https://github.com/bcgit/bc-java/wiki/CVE-2023-33202 CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) NOT-FOR-US: Apache Storm CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe352cd8f1d51278aaae372beff7a20a9bfa528 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abe352cd8f1d51278aaae372beff7a20a9bfa528 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
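Review bot: the new bouncycastle entry is added as unfixed with no suite markings and no Debian bug reference, although the CVE text says the DoS is fixed upstream in 1.73; record the fixing Debian version (or the upstream commit behind the wiki page) once identified, and file and reference a bug as was done for capnproto (#1056615) in 3937d25f so the issue does not sit in the list without an owner.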
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-5972/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b01852e8 by Salvatore Bonaccorso at 2023-11-23T21:34:02+01:00 Add CVE-2023-5972/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,12 @@ CVE-2023-6118 (: Path Traversal: '/../filedir' vulnerability in Neutron IP Camera all ...) NOT-FOR-US: Neutron IP Camera CVE-2023-5972 (A null pointer dereference flaw was found in the nft_inner.c functiona ...) - TODO: check + - linux 6.5.10-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/505ce0630ad5d31185695f8a29dde8d29f28faa7 (6.6-rc7) + NOTE: https://git.kernel.org/linus/52177bbf19e6e9398375a148d2e13ed492b40b80 (6.6-rc7) CVE-2023-4677 (Cron log backup files contain administrator session IDs. It is trivial ...) NOT-FOR-US: Pandora FMS Console CVE-2023-4595 (An information exposure vulnerability has been found, the exploitation ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b01852e87e7b8923ffb1fda70226818d19d09f1e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b01852e87e7b8923ffb1fda70226818d19d09f1e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
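Review bot: the two upstream commit references are tagged (6.6-rc7) while the fixed Debian version is given as linux 6.5.10-1, so the entry implicitly relies on a stable backport into 6.5.y; a NOTE naming the 6.5.y release (or the stable commit ids) that carries 505ce0630ad5 and 52177bbf19e6 would make the 6.5.10-1 fixed-version claim checkable, and the three "Vulnerable code not present" lines would benefit from a pointer to the change that introduced the nft_inner.c code so the cutoff can be verified.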
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a0ac1c94 by Salvatore Bonaccorso at 2023-11-23T21:28:24+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2023-6118 (: Path Traversal: '/../filedir' vulnerability in Neutron IP Camera all ...) - TODO: check + NOT-FOR-US: Neutron IP Camera CVE-2023-5972 (A null pointer dereference flaw was found in the nft_inner.c functiona ...) TODO: check CVE-2023-4677 (Cron log backup files contain administrator session IDs. It is trivial ...) - TODO: check + NOT-FOR-US: Pandora FMS Console CVE-2023-4595 (An information exposure vulnerability has been found, the exploitation ...) TODO: check CVE-2023-4594 (Stored XSS vulnerability. This vulnerability could allow an attacker t ...) 
@@ -11,41 +11,41 @@ CVE-2023-4594 (Stored XSS vulnerability. This vulnerability could allow an attac CVE-2023-4593 (Path traversal vulnerability whose exploitation could allow an authent ...) TODO: check CVE-2023-4406 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: KC Group E-Commerce Software CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was character ...) - TODO: check + NOT-FOR-US: malicious node module CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...) TODO: check CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41810 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41808 (Improper Privilege Management vulnerability in Pandora FMS on all allo ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41807 (Improper Privilege Management vulnerability in Pandora FMS on all allo ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41806 (Improper Privilege Management vulnerability in Pandora FMS on all allo ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41792 (Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41791 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41790 (Uncontrolled Search Path Element vulnerability in Pandora FMS on all a ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41789 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
- TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41788 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41787 (Uncontrolled Search Path Element vulnerability in Pandora FMS on all a ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-41786 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: Pandora FMS CVE-2023-3631 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Medart Health Services Medart Notification Panel CVE-2023-3377 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: Veribilim Software Computer Veribase CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial of Serv ...) TODO: check CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0ac1c9481e131d92dcee58b06ad42afe51312ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0ac1c9481e131d92dcee58b06ad42afe51312ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8213b5fe by security tracker role at 2023-11-23T20:11:37+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,4 +1,54 @@ -CVE-2023-43123 +CVE-2023-6118 (: Path Traversal: '/../filedir' vulnerability in Neutron IP Camera all ...) + TODO: check +CVE-2023-5972 (A null pointer dereference flaw was found in the nft_inner.c functiona ...) + TODO: check +CVE-2023-4677 (Cron log backup files contain administrator session IDs. It is trivial ...) + TODO: check +CVE-2023-4595 (An information exposure vulnerability has been found, the exploitation ...) + TODO: check +CVE-2023-4594 (Stored XSS vulnerability. This vulnerability could allow an attacker t ...) + TODO: check +CVE-2023-4593 (Path traversal vulnerability whose exploitation could allow an authent ...) + TODO: check +CVE-2023-4406 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-49210 (The openssl (aka node-openssl) NPM package through 2.0.0 was character ...) + TODO: check +CVE-2023-49208 (scheme/webauthn.c in Glewlwyd SSO server before 2.7.6 has a possible b ...) + TODO: check +CVE-2023-41812 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) + TODO: check +CVE-2023-41811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-41810 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-41808 (Improper Privilege Management vulnerability in Pandora FMS on all allo ...) + TODO: check +CVE-2023-41807 (Improper Privilege Management vulnerability in Pandora FMS on all allo ...) + TODO: check +CVE-2023-41806 (Improper Privilege Management vulnerability in Pandora FMS on all allo ...) + TODO: check +CVE-2023-41792 (Cross-Site Request Forgery (CSRF) vulnerability in Pandora FMS on all ...) + TODO: check +CVE-2023-41791 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-41790 (Uncontrolled Search Path Element vulnerability in Pandora FMS on all a ...) 
+ TODO: check +CVE-2023-41789 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-41788 (Unrestricted Upload of File with Dangerous Type vulnerability in Pando ...) + TODO: check +CVE-2023-41787 (Uncontrolled Search Path Element vulnerability in Pandora FMS on all a ...) + TODO: check +CVE-2023-41786 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-3631 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-3377 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2023-33202 (Bouncy Castle for Java before 1.73 contains a potential Denial of Serv ...) + TODO: check +CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...) NOT-FOR-US: Apache Storm CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) NOT-FOR-US: dom-sanitizer @@ -1748,6 +1798,7 @@ CVE-2023-22327 (Out-of-bounds write in firmware for some Intel(R) FPGA products CVE-2023-5528 (A security issue was discovered in Kubernetes where a user that can cr ...) - kubernetes (Windows-specific) CVE-2023-23583 (Sequence of processor instructions leads to unexpected behavior for so ...) + {DSA-5563-1} - intel-microcode 3.20231114.1 (bug #1055962) [buster] - intel-microcode (Wait for exposure in unstable) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00950.html 
@@ -35551,10 +35602,10 @@ CVE-2023-28815 RESERVED CVE-2023-28814 RESERVED -CVE-2023-28813 - RESERVED -CVE-2023-28812 - RESERVED +CVE-2023-28813 (An attacker could exploit a vulnerability by sending crafted messages ...) + TODO: check +CVE-2023-28812 (There is a buffer overflow vulnerability in a web browser plug-in coul ...) + TODO: check CVE-2023-28811 (There is a buffer overflow in the password recovery feature of Hikvisi ...) NOT-FOR-US: hikvison CVE-2023-28810 (Some access control/intercom products have unauthorized modification o ...) @@ -70909,10 +70960,10 @@ CVE-2022-44013 (An issue was discovered in Simmeth Lieferantenmanager before 5.6 NOT-FOR-US: Simmeth Lieferantenmanager CVE-2022-44012 (An issue was discovered in /DS/LM_API/api/SelectionService/InsertQuery ...) NOT-FOR-US: Simmeth Lieferantenmanager -CVE-2022-44011 - RESERVED -CVE-2022-44010 -
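Review bot: in the CVE-2023-23583 hunk the buster line still reads "[buster] - intel-microcode (Wait for exposure in unstable)" although the same hunk now records "- intel-microcode 3.20231114.1 (bug #1055962)" and the {DSA-5563-1} reference, so the annotation is stale the moment this lands; either refresh it to say what buster is actually waiting for (a DLA) or move the item to dla-needed. Of the new TODO: check entries, CVE-2023-5972 (nft_inner.c, a kernel issue), CVE-2023-49208 (Glewlwyd SSO) and CVE-2023-33202 (Bouncy Castle for Java before 1.73) are the ones that may map to source packages in the archive and should be triaged by hand rather than swept up in a NOT-FOR-US pass. The newly populated CVE-2023-28813 and CVE-2023-28812 descriptions sit directly above CVE-2023-28811/28810, which are already "NOT-FOR-US: hikvison"; check whether they belong to the same vendor block, and note that "hikvison" is a misspelling of Hikvision that will defeat grepping.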
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for intel-microcode update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ab0e66e6 by Salvatore Bonaccorso at 2023-11-23T16:36:01+01:00 Reserve DSA number for intel-microcode update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[23 Nov 2023] DSA-5563-1 intel-microcode - security update + {CVE-2023-23583} + [bullseye] - intel-microcode 3.20231114.1~deb11u1 + [bookworm] - intel-microcode 3.20231114.1~deb12u1 [22 Nov 2023] DSA-5562-1 tor - security update [bookworm] - tor 0.4.7.16-1 [22 Nov 2023] DSA-5561-1 firefox-esr - security update = data/dsa-needed.txt = @@ -29,9 +29,6 @@ gst-plugins-bad1.0 (carnil) -- h2o (jmm) -- -intel-microcode (carnil) - wait for exposure of update in unstable --- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab0e66e697d9ef7779fa0490f2ddb69971b37b71
[Git][security-tracker-team/security-tracker][master] thunderbird fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cd527a01 by Moritz Muehlenhoff at 2023-11-23T15:35:14+01:00 thunderbird fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -369,7 +369,7 @@ CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6209 @@ -377,7 +377,7 @@ CVE-2023-6208 (When using X11, text selected by the page using the Selection API {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6208 @@ -385,7 +385,7 @@ CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteSt {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6207 
@@ -393,7 +393,7 @@ CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the l {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206 @@ -401,7 +401,7 @@ CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had al {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6205 @@ -409,7 +409,7 @@ CVE-2023-6204 (On some systems\u2014depending on the graphics settings and drive {DSA-5561-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - - thunderbird + - thunderbird 1:115.5.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6204 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6204 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6204 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd527a012b13014ce3a1a0e32e368d582b99eca9
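Review bot: all seven entries now carry "- thunderbird 1:115.5.0-1" for unstable, but the advisory line stays "{DSA-5561-1}", which the DSA/list hunk elsewhere on this page shows is the firefox-esr advisory only; the thunderbird DSA number has to be appended to that brace list once the stable update is published, and the LTS side (thunderbird was just claimed in dla-needed.txt) will need its DLA reference added the same way, otherwise the tracker keeps showing thunderbird as unfixed in stable and oldstable.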
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 46935e67 by Moritz Muehlenhoff at 2023-11-23T13:58:01+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-43123 + NOT-FOR-US: Apache Storm CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) NOT-FOR-US: dom-sanitizer CVE-2023-49102 (NZBGet 21.1 allows authenticated remote code execution because the una ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/46935e67399a9f2e579bfa5fe6b7cc825850dcb1
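Review bot: the new "CVE-2023-43123" line is added bare, without the parenthesised description every neighbouring entry carries, so the next automatic update will rewrite it (the later automatic update on this page does exactly that, replacing the bare line with "CVE-2023-43123 (On unix-like systems, the temporary directory is shared between all us ...)"); harmless, but adding the description at the same time as the NOT-FOR-US line avoids the churn and keeps the reasoning attached to a recognisable title in the history.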
[Git][security-tracker-team/security-tracker][master] record upstream fix for libcrypto++
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 98c8f5dc by Moritz Muehlenhoff at 2023-11-23T12:53:00+01:00 record upstream fix for libcrypto++ - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14979,14 +14979,12 @@ CVE-2022-48571 (memcached 1.6.7 allows a Denial of Service via multi-packet uplo - memcached 1.6.8+dfsg-1 NOTE: Fixed by: https://github.com/memcached/memcached/commit/6b319c8c7a29e9c353dec83dc92f01905f6c8966 (1.6.8) CVE-2022-48570 (Crypto++ through 8.4 contains a timing side channel in ECDSA signature ...) - - libcrypto++ - [bookworm] - libcrypto++ (Minor issue) - [bullseye] - libcrypto++ (Minor issue) + - libcrypto++ 8.4.0-1 [buster] - libcrypto++ (Minor issue) NOTE: https://github.com/weidai11/cryptopp/issues/992 NOTE: This issue exists because the CVE-2019-14318 fix was intentionally removed for NOTE: functionality reasons. - TODO: check details on upstream fix (in 8.4?) + NOTE: https://github.com/weidai11/cryptopp/commit/4bc7408ae2aefac9357c16809541ecbe225b7f3a (CRYPTOPP_8_4_0) CVE-2022-48566 (An issue was discovered in compare_digest in Lib/hmac.py in Python thr ...) {DLA-3614-1 DLA-3575-1} - python3.9 3.9.1~rc1-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98c8f5dc6bae0401a57d5334f5dd14d55c82a2d0
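Review bot: the CVE text says Crypto++ "through 8.4" is affected while the hunk records the fix as "- libcrypto++ 8.4.0-1" via the commit tagged CRYPTOPP_8_4_0; that contradiction needs one explicit NOTE (that the fixing commit is contained in the 8.4.0 tag and the CVE's version range is imprecise), otherwise the removed "TODO: check details on upstream fix (in 8.4?)" will simply be re-raised by the next person reading the entry. Keeping "[buster] - libcrypto++ (Minor issue)" is consistent provided the buster version predates that tag, which the entry should also state.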
[Git][security-tracker-team/security-tracker][master] new cargo issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 384a7bb4 by Moritz Muehlenhoff at 2023-11-23T12:04:37+01:00 new cargo issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14520,7 +14520,15 @@ CVE-2023-40036 (Notepad++ is a free and open-source source code editor. Versions CVE-2023-40031 (Notepad++ is a free and open-source source code editor. Versions 8.5.6 ...) NOT-FOR-US: Notepad++ CVE-2023-40030 (Cargo downloads a Rust project\u2019s dependencies and compiles the pr ...) - TODO: check + - cargo + [bookworm] - cargo (Minor issue) + [bullseye] - cargo (Minor issue) + - rust-cargo + [bookworm] - rust-cargo (Minor issue) + [bullseye] - rust-cargo (Minor issue) + NOTE: https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p + NOTE: https://github.com/rust-lang/cargo/pull/12291 + NOTE: https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 (0.75.0) CVE-2023-40022 (Rizin is a UNIX-like reverse engineering framework and command-line to ...) NOT-FOR-US: Rizin CVE-2023-40017 (GeoNode is an open source platform that facilitates the creation, shar ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/384a7bb46c32fbd70efe50cfcb108f551595c697
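Review bot: both "- cargo" and "- rust-cargo" are recorded without a fixed unstable version, so the tracker will list them as open in sid; if the version in unstable already contains upstream commit 9835622 (0.75.0) that version should be written on those lines, and if it does not, a short NOTE saying so is still needed because the four "(Minor issue)" markers alone leave no trail of why the issue is considered minor. Also worth confirming that src:cargo and src:rust-cargo really both ship the affected code path rather than one of them merely bundling the other, since the fix will otherwise be uploaded twice.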
[Git][security-tracker-team/security-tracker][master] ckeditor non issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d718f171 by Moritz Muehlenhoff at 2023-11-23T12:00:17+01:00 ckeditor non issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -907,7 +907,8 @@ CVE-2023-6015 (MLflow allowed arbitrary files to be PUT onto the server.) CVE-2023-6013 (H2O is vulnerable to stored XSS vulnerability which can lead to a Loca ...) NOT-FOR-US: H2O (h2ai) (not the same as src:h2o) CVE-2023-4771 (A Cross-Site scripting vulnerability has been found in CKSource CKEdit ...) - TODO: check + - ckeditor (unimportant) + NOTE: Seems bogus, only affects an example CVE-2023-48134 (nagayama_copabowl Line 13.6.1 is vulnerable to Exposure of Sensitive I ...) NOT-FOR-US: nagayama_copabowl CVE-2023-48056 (PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chai ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d718f171815fcce90284fb3dba9591b24461a302
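Review bot: "NOTE: Seems bogus, only affects an example" should name the example file or path in the ckeditor source that the report concerns, and say whether the Debian package ships that sample at all; without that, the "(unimportant)" rating cannot be re-verified later without re-reading the upstream advisory, and if the sample is not shipped the cleaner annotation is the usual "not shipped in the binary packages" wording.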
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5a13f24c by Moritz Muehlenhoff at 2023-11-23T11:14:34+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,11 +1,11 @@ CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) - TODO: check + NOT-FOR-US: dom-sanitizer CVE-2023-49102 (NZBGet 21.1 allows authenticated remote code execution because the una ...) NOT-FOR-US: NZBGet CVE-2023-48107 (Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an ...) - zlib-ng (bug #1002056) CVE-2023-48105 (An heap overflow vulnerability was discovered in Bytecode alliance was ...) - TODO: check + NOT-FOR-US: wasm-micro-runtime CVE-2023-47839 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2023-47835 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) @@ -65,7 +65,7 @@ CVE-2023-41140 (A maliciously crafted PRT file when parsed through Autodesk Auto CVE-2023-41139 (A maliciously crafted STP file when parsed through Autodesk AutoCAD 20 ...) NOT-FOR-US: Autodesk CVE-2023-40002 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WooCommerce plugin CVE-2023-39253 (Dell OS Recovery Tool, versions 2.2.4013, 2.3.7012.0, and 2.3.7515.0 c ...) NOT-FOR-US: Dell CVE-2023-48706 (Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-a ...) 
@@ -222,9 +222,9 @@ CVE-2023-47313 (Headwind MDM Web panel 5.22.1 is vulnerable to Directory Travers CVE-2023-47312 (Headwind MDM Web panel 5.22.1 is vulnerable to Incorrect Access Contro ...) NOT-FOR-US: Headwind MDM Web panel CVE-2023-47251 (In mprivacy-tools before 2.0.406g in m-privacy TightGate-Pro Server, a ...) - TODO: check + NOT-FOR-US: TightGate-Pro Server CVE-2023-47250 (In mprivacy-tools before 2.0.406g in m-privacy TightGate-Pro Server, b ...) - TODO: check + NOT-FOR-US: TightGate-Pro Server CVE-2023-47014 (A Cross-Site Request Forgery (CSRF) vulnerability in Sourcecodester St ...) NOT-FOR-US: Sourcecodester Sticky Notes App CVE-2023-46673 (It was identified that malformed scripts used in the script processor ...) @@ -238,9 +238,9 @@ CVE-2023-43082 (Dell Unity prior to 5.3 contains a 'man in the middle' vulnerabi CVE-2023-43081 (PowerProtect Agent for File System Version 19.14 and prior, contains a ...) NOT-FOR-US: Dell CVE-2023-3104 (Lack of authentication vulnerability. An unauthenticated local user is ...) - TODO: check + NOT-FOR-US: Unitree Robotics A1 CVE-2023-3103 (Authentication bypass vulnerability, the exploitation of which could a ...) - TODO: check + NOT-FOR-US: Unitree Robotics A1 CVE-2023-39925 (Cross-Site Request Forgery (CSRF) vulnerability in PeepSo Download Com ...) NOT-FOR-US: WordPress plugin CVE-2023-2889 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) 
@@ -34522,13 +34522,13 @@ CVE-2023-29078 CVE-2023-29077 RESERVED CVE-2023-29076 (A maliciously crafted MODEL, SLDASM, SAT or CATPART file when parsed t ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2023-29075 (A maliciously crafted PRT file when parsed through Autodesk AutoCAD 20 ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2023-29074 (A maliciously crafted CATPART file when parsed through Autodesk AutoCA ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2023-29073 (A maliciously crafted MODEL file when parsed through Autodesk AutoCAD ...) - TODO: check + NOT-FOR-US: Autodesk CVE-2023-29072 RESERVED CVE-2023-29071 @@ -35547,7 +35547,7 @@ CVE-2023-28813 CVE-2023-28812 RESERVED CVE-2023-28811 (There is a buffer overflow in the password recovery feature of Hikvisi ...) - TODO: check + NOT-FOR-US: hikvison CVE-2023-28810 (Some access control/intercom products have unauthorized modification o ...) NOT-FOR-US: hikvison CVE-2023-28809 (Some access control products are vulnerable to a session hijacking att ...) @@ -50287,7 +50287,7 @@ CVE-2023-23980 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-23979 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Fullworks Q ...) NOT-FOR-US: WordPress plugin CVE-2023-23978 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-23977 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) NOT-FOR-US: WordPress plugin CVE-2023-23976 View it on GitLab:
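Review bot: "+ NOT-FOR-US: hikvison" in the CVE-2023-28811 hunk misspells the vendor, and the unchanged CVE-2023-28810 context line carries the same typo; please write Hikvision on both so a grep for the vendor finds every entry, since CVE-2023-28813/28812 in the same block are still pending triage and will be handled by the same search.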
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr and thunderbird
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 97415239 by Emilio Pozuelo Monfort at 2023-11-23T10:36:59+01:00 lts: take firefox-esr and thunderbird - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -61,7 +61,7 @@ dogecoin NOTE: 20230619: also I just referenced 3 older bitcoin-related CVEs to fix; NOTE: 20230619: dogecoin not present in bullseye/bookworm, so we lead the initiatives. (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- flatpak @@ -261,7 +261,7 @@ suricata (Adrian Bunk) symfony (Markus Koschany) NOTE: 20231118: Added by Front-Desk (apo) -- -thunderbird +thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- tor View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/97415239a90462de31fc4d637dfd8b2d8fa6c5f6
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6803feda by Salvatore Bonaccorso at 2023-11-23T09:37:26+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,73 +1,73 @@ CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) TODO: check CVE-2023-49102 (NZBGet 21.1 allows authenticated remote code execution because the una ...) - TODO: check + NOT-FOR-US: NZBGet CVE-2023-48107 (Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an ...) - zlib-ng (bug #1002056) CVE-2023-48105 (An heap overflow vulnerability was discovered in Bytecode alliance was ...) TODO: check CVE-2023-47839 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47835 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47834 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47833 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47831 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47829 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47821 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47817 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47816 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47815 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47814 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47813 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47812 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47810 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47809 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47808 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47790 (Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47786 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47773 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47768 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47767 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47766 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47668 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-44290 (Dell Command | Monitor versions prior to 10.10.0, contain an improper ...) 
- TODO: check + NOT-FOR-US: Dell CVE-2023-44289 (Dell Command | Configure versions prior to 4.11.0, contain an improper ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-43086 (Dell Command | Configure, versions prior to 4.11.0, contains an improp ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-41140 (A maliciously crafted PRT file when parsed through Autodesk AutoCAD 20 ...) - TODO:
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-48107/zlib-ng
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 197e5223 by Salvatore Bonaccorso at 2023-11-23T09:35:54+01:00 Add CVE-2023-48107/zlib-ng - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,7 @@ CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an CVE-2023-49102 (NZBGet 21.1 allows authenticated remote code execution because the una ...) TODO: check CVE-2023-48107 (Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an ...) - TODO: check + - zlib-ng (bug #1002056) CVE-2023-48105 (An heap overflow vulnerability was discovered in Bytecode alliance was ...) TODO: check CVE-2023-47839 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/197e5223270c4dc72f7fc8cfd76a5a8a9447aef0
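Review bot: "(bug #1002056)" is numbered far below the other bug references on this page (for instance #1055962 in the intel-microcode entry), so please confirm it is the intended reference, for example an ITP or RFP for zlib-ng rather than a mistyped number; if it is an ITP, the line also lacks a fixed version and a NOTE stating that zlib-ng is not yet in the archive would explain why the entry has neither a version nor a NOT-FOR-US marker.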
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7338ce99 by security tracker role at 2023-11-23T08:12:01+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,4 +1,74 @@ -CVE-2023-48706 [heap-use-after-free in ex_substitute] +CVE-2023-49146 (DOMSanitizer (aka dom-sanitizer) before 1.0.7 allows XSS via an SVG do ...) + TODO: check +CVE-2023-49102 (NZBGet 21.1 allows authenticated remote code execution because the una ...) + TODO: check +CVE-2023-48107 (Buffer Overflow vulnerability in zlib-ng minizip-ng v.4.0.2 allows an ...) + TODO: check +CVE-2023-48105 (An heap overflow vulnerability was discovered in Bytecode alliance was ...) + TODO: check +CVE-2023-47839 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47835 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47834 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47833 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47831 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47829 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47821 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47817 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47816 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47815 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47814 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47813 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47812 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47811 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
+ TODO: check +CVE-2023-47810 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47809 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47808 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47790 (Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS ...) + TODO: check +CVE-2023-47786 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47773 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47768 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47767 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47766 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2023-47668 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-44290 (Dell Command | Monitor versions prior to 10.10.0, contain an improper ...) + TODO: check +CVE-2023-44289 (Dell Command | Configure versions prior to 4.11.0, contain an improper ...) + TODO: check +CVE-2023-43086 (Dell Command | Configure, versions prior to 4.11.0, contains an improp ...) + TODO: check +CVE-2023-41140 (A maliciously crafted PRT file when parsed through Autodesk AutoCAD 20 ...) + TODO: check +CVE-2023-41139 (A maliciously crafted STP file when parsed through Autodesk AutoCAD 20 ...) + TODO: check +CVE-2023-40002 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-39253 (Dell OS Recovery Tool, versions 2.2.4013, 2.3.7012.0, and 2.3.7515.0 c ...) + TODO: check +CVE-2023-48706 (Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-a ...) 
- vim (unimportant) NOTE: https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q NOTE: Fixed by: https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf8 (v9.0.2121) @@ -1310,9 +1380,9 @@ CVE-2023-39199 (Cryptographic issues with In-Meeting Chat for some Zoom clients NOT-FOR-US: Zoom CVE-2023-38544 (A logged in user can modify specific files that may lead to unauthoriz ...) NOT-FOR-US: Ivanti -CVE-2023-38543 (When a specific component is
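Review bot: replacing the placeholder "CVE-2023-48706 [heap-use-after-free in ex_substitute]" with the feed text drops the only mention of ex_substitute, which is the useful search key for anyone matching this against the fix in v9.0.2121; since the "- vim (unimportant)" rating and the GHSA-c8qm-x72m-q53q and commit NOTEs are kept unchanged, adding a one-line NOTE preserving the "heap-use-after-free in ex_substitute" wording would keep the entry greppable without touching the automatic description.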