[Git][security-tracker-team/security-tracker][master] Reserve DSA number for gimp update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b05646e5 by Salvatore Bonaccorso at 2023-11-24T23:26:45+01:00 Reserve DSA number for gimp update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[24 Nov 2023] DSA-5564-1 gimp - security update + {CVE-2023-1 CVE-2023-2 CVE-2023-3 CVE-2023-4} + [bullseye] - gimp 2.10.22-4+deb11u1 + [bookworm] - gimp 2.10.34-1+deb12u1 [23 Nov 2023] DSA-5563-1 intel-microcode - security update {CVE-2023-23583} [bullseye] - intel-microcode 3.20231114.1~deb11u1 = data/dsa-needed.txt = @@ -21,8 +21,6 @@ fastdds -- frr -- -gimp (carnil) --- gpac/oldstable -- gst-plugins-bad1.0 (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b05646e5ef99b4ccc2a03fa7f30912216a1c9c92 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b05646e5ef99b4ccc2a03fa7f30912216a1c9c92 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
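Review bot: the CVE list for DSA-5564-1 in data/DSA/list uses placeholder identifiers ({CVE-2023-1 CVE-2023-2 CVE-2023-3 CVE-2023-4}) rather than the CVEs assigned to the gimp issues; these need to be replaced with the real identifiers before the advisory is published, otherwise the DSA entry will not cross-reference the matching entries in data/CVE/list. The removal of the gimp (carnil) block from dsa-needed.txt is consistent with the reservation.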
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2020-10370 with bluez-firmware commit information
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d8f61c5 by Salvatore Bonaccorso at 2023-11-24T22:27:58+01:00 Update information for CVE-2020-10370 with bluez-firmware commit information - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -265088,7 +265088,8 @@ CVE-2020-10371 RESERVED CVE-2020-10370 RESERVED - NOT-FOR-US: Broadcom + - bluez-firmware (BCM4345C0.hcd introduced already in fixed version in Debian with bluez-firmware/1.2-6) + NOTE: https://github.com/RPi-Distro/bluez-firmware/commit/8445a53ce2c51a77472b908a0c8f6f8e1fa5c37a CVE-2020-10369 RESERVED CVE-2020-10368 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8f61c580beab1ab7cc832c7d1ca31b1b5fa1a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5d8f61c580beab1ab7cc832c7d1ca31b1b5fa1a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
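Review bot: the new line `- bluez-firmware (BCM4345C0.hcd introduced already in fixed version in Debian with bluez-firmware/1.2-6)` carries no fixed version, so the tracker will read bluez-firmware as affected and unfixed, which contradicts the parenthetical. If the firmware blob entered Debian already fixed, the entry should either record the version (`- bluez-firmware 1.2-6`) or use the `<not-affected>` marker and keep the explanation as the comment; the RPi-Distro commit NOTE is a good pointer either way.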
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6277/tiff
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5903916c by Salvatore Bonaccorso at 2023-11-24T21:59:48+01:00 Add CVE-2023-6277/tiff - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,10 @@ CVE-2023-6293 (Prototype Pollution in GitHub repository robinbuschmann/sequelize-type ...) TODO: check CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tiff fil ...) - TODO: check + - tiff + NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614 + NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545 + NOTE: https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a CVE-2023-6276 (A vulnerability classified as critical has been found in Tongda OA 201 ...) NOT-FOR-US: Tongda OA CVE-2023-6275 (A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5903916cb89f915b49e95239c691e4809b332253 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5903916cb89f915b49e95239c691e4809b332253 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
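Review bot: the CVE-2023-6277 entry records the upstream issue, merge request and fix commit for tiff but neither a Debian bug reference nor a fixed version, so tiff will show as unfixed in every suite; a NOTE naming the upstream release that carries commit 5320c9d8 would help LTS triage, and the version should be filled in once a tiff upload with that fix lands.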
[Git][security-tracker-team/security-tracker][master] Associate CVE-2023-49298 with zfs-linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 422effeb by Salvatore Bonaccorso at 2023-11-24T21:55:53+01:00 Associate CVE-2023-49298 with zfs-linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,9 @@ CVE-2023-6274 (A vulnerability was found in Beijing Baichuo Smart S80 up to 2023 CVE-2023-6251 (Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, < ...) - check-mk CVE-2023-49298 (OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios i ...) - NOT-FOR-US: OpenZFS + - zfs-linux + NOTE: https://github.com/openzfs/zfs/issues/15526 + NOTE: https://github.com/openzfs/zfs/pull/15571 CVE-2023-48712 (Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux ...) NOT-FOR-US: Warpgate CVE-2023-48711 (google-translate-api-browser is an npm package which interfaces with t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/422effeb75c6024b00abf14316bcfc6ef9b6f56e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/422effeb75c6024b00abf14316bcfc6ef9b6f56e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
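Review bot: the zfs-linux association for CVE-2023-49298 records only the upstream issue and pull request; since the description says OpenZFS through 2.1.13 and 2.2.x through 2.2.1 are affected, a NOTE stating which upstream release contains pull 15571 and a no-dsa or postponed decision for the stable suites would complete the entry and keep it from sitting as an open, unannotated issue.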
[Git][security-tracker-team/security-tracker][master] Correct NFU naming for CVE-2023-49298
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1bcf209e by Salvatore Bonaccorso at 2023-11-24T21:52:11+01:00 Correct NFU naming for CVE-2023-49298 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,7 @@ CVE-2023-6274 (A vulnerability was found in Beijing Baichuo Smart S80 up to 2023 CVE-2023-6251 (Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, < ...) - check-mk CVE-2023-49298 (OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios i ...) - NOT-FOR-US: IBM + NOT-FOR-US: OpenZFS CVE-2023-48712 (Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux ...) NOT-FOR-US: Warpgate CVE-2023-48711 (google-translate-api-browser is an npm package which interfaces with t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bcf209eaeea4b9a3064e4aa8c8cbd47cc9031ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1bcf209eaeea4b9a3064e4aa8c8cbd47cc9031ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6251/check-mk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5dfc7cec by Salvatore Bonaccorso at 2023-11-24T21:48:24+01:00 Add CVE-2023-6251/check-mk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9,7 +9,7 @@ CVE-2023-6275 (A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8 CVE-2023-6274 (A vulnerability was found in Beijing Baichuo Smart S80 up to 20231108. ...) NOT-FOR-US: Beijing Baichuo Smart S80 CVE-2023-6251 (Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, < ...) - TODO: check + - check-mk CVE-2023-49298 (OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios i ...) NOT-FOR-US: IBM CVE-2023-48712 (Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dfc7cec92df6732365b3f7dbdb2af575e72ef53 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5dfc7cec92df6732365b3f7dbdb2af575e72ef53 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e1cc3703 by Salvatore Bonaccorso at 2023-11-24T21:47:26+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3,27 +3,27 @@ CVE-2023-6293 (Prototype Pollution in GitHub repository robinbuschmann/sequelize CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tiff fil ...) TODO: check CVE-2023-6276 (A vulnerability classified as critical has been found in Tongda OA 201 ...) - TODO: check + NOT-FOR-US: Tongda OA CVE-2023-6275 (A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1. ...) - TODO: check + NOT-FOR-US: TOTVS Fluig Platform CVE-2023-6274 (A vulnerability was found in Beijing Baichuo Smart S80 up to 20231108. ...) - TODO: check + NOT-FOR-US: Beijing Baichuo Smart S80 CVE-2023-6251 (Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, < ...) TODO: check CVE-2023-49298 (OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios i ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-48712 (Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux ...) - TODO: check + NOT-FOR-US: Warpgate CVE-2023-48711 (google-translate-api-browser is an npm package which interfaces with t ...) TODO: check CVE-2023-48708 (CodeIgniter Shield is an authentication and authorization provider for ...) - TODO: check + NOT-FOR-US: CodeIgniter Shield CVE-2023-48707 (CodeIgniter Shield is an authentication and authorization provider for ...) - TODO: check + NOT-FOR-US: CodeIgniter Shield CVE-2023-48312 (capsule-proxy is a reverse proxy for the capsule operator project. Aff ...) TODO: check CVE-2023-46575 (A SQL injection vulnerability in Meshery before 0.6.179 allows a remot ...) - TODO: check + NOT-FOR-US: Meshery CVE-2023-38914 REJECTED CVE-2023-49068 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1cc3703c1f5b82260e611b742847bbebf5b323a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1cc3703c1f5b82260e611b742847bbebf5b323a You're receiving this email because of your account on salsa.debian.org. 
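Review bot: CVE-2023-49298 is marked `NOT-FOR-US: IBM` although its description names OpenZFS, which Debian ships as zfs-linux; the NFU name is wrong and the entry should instead be associated with zfs-linux. The remaining `TODO: check` entries in this hunk (CVE-2023-6277 for libtiff, CVE-2023-6251 for Checkmk, CVE-2023-48711 and CVE-2023-48312) look correctly left for further triage rather than being NFU'd.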
[Git][security-tracker-team/security-tracker][master] Postponed CVEs for buster just as for bullseye.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: a7dd83b1 by Ola Lundqvist at 2023-11-24T20:12:29+00:00 Postponed CVEs for buster just as for bullseye. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -230235,21 +230235,25 @@ CVE-2020-24295 (Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDP ...) - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser.cpp i ...) - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp in Fre ...) - freeimage [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) + [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ CVE-2020-24291 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7dd83b17e3c96fbeb23a8084ca2a20353f3cb10 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7dd83b17e3c96fbeb23a8084ca2a20353f3cb10 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a9221deb by security tracker role at 2023-11-24T20:11:59+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2023-6293 (Prototype Pollution in GitHub repository robinbuschmann/sequelize-type ...) + TODO: check +CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tiff fil ...) + TODO: check +CVE-2023-6276 (A vulnerability classified as critical has been found in Tongda OA 201 ...) + TODO: check +CVE-2023-6275 (A vulnerability was found in TOTVS Fluig Platform 1.6.x/1.7.x/1.8.0/1. ...) + TODO: check +CVE-2023-6274 (A vulnerability was found in Beijing Baichuo Smart S80 up to 20231108. ...) + TODO: check +CVE-2023-6251 (Cross-site Request Forgery (CSRF) in Checkmk < 2.2.0p15, < 2.1.0p37, < ...) + TODO: check +CVE-2023-49298 (OpenZFS through 2.1.13 and 2.2.x through 2.2.1, in certain scenarios i ...) + TODO: check +CVE-2023-48712 (Warpgate is an open source SSH, HTTPS and MySQL bastion host for Linux ...) + TODO: check +CVE-2023-48711 (google-translate-api-browser is an npm package which interfaces with t ...) + TODO: check +CVE-2023-48708 (CodeIgniter Shield is an authentication and authorization provider for ...) + TODO: check +CVE-2023-48707 (CodeIgniter Shield is an authentication and authorization provider for ...) + TODO: check +CVE-2023-48312 (capsule-proxy is a reverse proxy for the capsule operator project. Aff ...) + TODO: check +CVE-2023-46575 (A SQL injection vulnerability in Meshery before 0.6.179 allows a remot ...) + TODO: check +CVE-2023-38914 + REJECTED CVE-2023-49068 NOT-FOR-US: Apache DolphinScheduler CVE-2023-49216 (Usedesk before 1.7.57 allows profile stored XSS.) 
@@ -561,7 +589,7 @@ CVE-2023-5764 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2247629 TODO: check with Red Hat for details CVE-2023-41913 - {DSA-5560-1} + {DSA-5560-1 DLA-3663-1} - strongswan NOTE: https://www.strongswan.org/blog/2023/11/20/strongswan-vulnerability-(cve-2023-41913).html NOTE: Patches: https://download.strongswan.org/security/CVE-2023-41913/ @@ -2159,6 +2187,7 @@ CVE-2023-46735 (Symfony is a PHP framework for web and console applications and NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr NOTE: https://github.com/symfony/symfony/commit/8128c302430394f639e818a7103b3f6815d8d962 (v6.3.8) CVE-2023-46734 (Symfony is a PHP framework for web and console applications and a set ...) + {DLA-3664-1} - symfony 5.4.31+dfsg-1 (bug #1055774) [bookworm] - symfony (Minor issue) [bullseye] - symfony (Minor issue) @@ -81957,7 +81986,7 @@ CVE-2022-40736 (An issue was discovered in Bento4 1.6.0-639. There ie excessive NOT-FOR-US: Bento4 CVE-2022-40735 (The Diffie-Hellman Key Agreement Protocol allows use of long exponents ...) NOTE: Generic Diffie-Hellman protocol issue -CVE-2022-40734 (UniSharp laravel-filemanager (aka Laravel Filemanager) through 2.5.1 a ...) +CVE-2022-40734 (UniSharp laravel-filemanager (aka Laravel Filemanager) before 2.6.4 al ...) NOT-FOR-US: Laravel Filemanager CVE-2022-40733 RESERVED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9221debf1937af3f670c0063e7cc7f1842792ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9221debf1937af3f670c0063e7cc7f1842792ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2aa86b by Moritz Muehlenhoff at 2023-11-24T20:50:57+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -265050,6 +265050,7 @@ CVE-2020-10371 RESERVED CVE-2020-10370 RESERVED + NOT-FOR-US: Broadcom CVE-2020-10369 RESERVED CVE-2020-10368 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2aa86b7f699b451d347905e52490a2e4d6748f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2aa86b7f699b451d347905e52490a2e4d6748f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
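Review bot: CVE-2020-10370 is still RESERVED with no description on the line, so marking it `NOT-FOR-US: Broadcom` rests on out-of-band information that the hunk does not record; a NOTE with the source would let later triagers verify the decision. As the later commit on this page shows, the affected BCM4345C0.hcd blob is in fact shipped through bluez-firmware, so the NFU here was premature.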
[Git][security-tracker-team/security-tracker][master] Mark CVE-2023-45853 as no-dsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4766305d by Salvatore Bonaccorso at 2023-11-24T20:39:44+01:00 Mark CVE-2023-45853 as no-dsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6804,6 +6804,8 @@ CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultan [bullseye] - zlib (contrib/minizip not built and producing binary packages) [buster] - zlib (contrib/minizip not built and producing binary packages) - minizip + [bookworm] - minizip (Minor issue; can be fixed in point release) + [bullseye] - minizip (Minor issue; can be fixed in point release) NOTE: https://github.com/madler/zlib/pull/843 NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c NOTE: src:zlib only starts building minizip starting in 1:1.2.13.dfsg-2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4766305db043ef0ac4a288f413f7bd8b5d8aecc7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4766305db043ef0ac4a288f413f7bd8b5d8aecc7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
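Review bot: the two added lines tag bookworm and bullseye for minizip as minor issues fixable in a point release, but buster gets no tag in this hunk even though the zlib entry above it does carry a `[buster]` line; if buster also ships the minizip source package, its LTS status (no-dsa or an entry in dla-needed.txt) should be decided so the entry is not left open there.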
[Git][security-tracker-team/security-tracker][master] 2 commits: Remove curl from dla-needed.txt
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad8336e by Markus Koschany at 2023-11-24T19:40:42+01:00 Remove curl from dla-needed.txt This was a bit confusing. Apparently curl was added to dla-needed.txt and afterwards someone triaged the two open CVE as no-dsa. I reviewed the decision to mark CVE-2023-27534 and CVE-2023-28322 and I believe no-dsa is the correct decision. CVE-2023-28322 does not affect the command line tool and even a use after free is not present in libcurl. This is a rather theoretical behavior violation. CVE-2023-27534 requires the new internal dnybuf functions which are not present in Buster's curl version. The described scenario is unlikely because sftp users are usually restricted by the ssh server and a buggy client can't just simply access a file in another user's home directory. - - - - - 658354ca by Markus Koschany at 2023-11-24T19:40:42+01:00 Claim rabbitmq-server in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,10 +43,6 @@ cinder cryptojs (guilhem) NOTE: 20231119: Added by Front-Desk (apo) -- -curl (Markus Koschany) - NOTE: 20231103: Added by Front-Desk (lamby) - NOTE: 20231103: Sync with stable. (lamby) --- docker.io NOTE: 20230303: Added by Front-Desk (Beuc) NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk) 
@@ -188,7 +184,7 @@ python-requestbuilder NOTE: 20231108: Added by Front-Desk (santiago) NOTE: 20231108: Need to handle incompatibilities with versions in debian packages, brought up by PEP 440. See https://salsa.debian.org/lts-team/lts-updates-tasks/-/issues/70 -- -rabbitmq-server +rabbitmq-server (Markus Koschany) NOTE: 20231119: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7e00cf6fe4933a4259a4e230e870dcbaa59337e3...658354ca67fe6ddab6709e10ebf22a55c4c7c53e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
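Review bot: the rationale for keeping CVE-2023-27534 and CVE-2023-28322 as no-dsa (CVE-2023-28322 not reaching the curl tool and no use-after-free in libcurl; CVE-2023-27534 depending on the internal dynbuf functions absent from buster's curl) lives only in this commit message; recording it as NOTE lines on those entries in data/CVE/list, or as the reason text in the buster no-dsa tag, would keep it discoverable for whoever next reviews curl for LTS. The dla-needed.txt removal itself and the rabbitmq-server claim are fine as shown.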
[Git][security-tracker-team/security-tracker][master] unadf spu
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e00cf6f by Moritz Muehlenhoff at 2023-11-24T19:27:04+01:00 unadf spu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -68,3 +68,7 @@ CVE-2023-46734 [bookworm] - symfony 5.4.23+dfsg-1+deb12u1 CVE-2023-46733 [bookworm] - symfony 5.4.23+dfsg-1+deb12u1 +CVE-2016-1243 + [bookworm] - unadf 0.7.11a-5+deb12u1 +CVE-2016-1244 + [bookworm] - unadf 0.7.11a-5+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e00cf6fe4933a4259a4e230e870dcbaa59337e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e00cf6fe4933a4259a4e230e870dcbaa59337e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3664-1 for symfony
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 317bbfde by Markus Koschany at 2023-11-24T19:19:15+01:00 Reserve DLA-3664-1 for symfony - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3664-1 symfony - security update + {CVE-2023-46734} + [buster] - symfony 3.4.22+dfsg-2+deb10u3 [24 Nov 2023] DLA-3663-1 strongswan - security update {CVE-2023-41913} [buster] - strongswan 5.7.2-1+deb10u4 = data/dla-needed.txt = @@ -245,9 +245,6 @@ suricata (Adrian Bunk) NOTE: 20231016: Still reviewing+testing CVEs. (bunk) NOTE: 20231120: DLA coming soon. (bunk) -- -symfony (Markus Koschany) - NOTE: 20231118: Added by Front-Desk (apo) --- thunderbird (Emilio) NOTE: 20231122: Added by Front-Desk (ola) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317bbfde51264bb0ced64c23b7db51a99a7172b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/317bbfde51264bb0ced64c23b7db51a99a7172b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] dla: claim cacti
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dbe2095 by Sylvain Beucler at 2023-11-24T18:27:01+01:00 dla: claim cacti - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -29,7 +29,7 @@ bind9 (Thorsten Alteholz) NOTE: 20231008: backporting patches NOTE: 20231119: almost done with testing -- -cacti +cacti (Sylvain Beucler) NOTE: 20230906: Added by Front-Desk (lamby) -- cairosvg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dbe20952793723dc2847e31707ff1d977de58ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dbe20952793723dc2847e31707ff1d977de58ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b7ff8810 by Moritz Muehlenhoff at 2023-11-24T16:07:50+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -160717,7 +160717,7 @@ CVE-2021-39010 CVE-2021-39009 (IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 stores user credential ...) NOT-FOR-US: IBM CVE-2021-39008 (IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a privileg ...) - TODO: check + NOT-FOR-US: IBM CVE-2021-39007 RESERVED CVE-2021-39006 (IBM QRadar WinCollect Agent 10.0 and 10.0.1 could allow an attacker to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7ff88100f1492982c972faefc88265f2d8c3243 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7ff88100f1492982c972faefc88265f2d8c3243 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] new clickhouse issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 45267fed by Moritz Muehlenhoff at 2023-11-24T16:05:50+01:00 new clickhouse issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -70993,9 +70993,11 @@ CVE-2022-44013 (An issue was discovered in Simmeth Lieferantenmanager before 5.6 CVE-2022-44012 (An issue was discovered in /DS/LM_API/api/SelectionService/InsertQuery ...) NOT-FOR-US: Simmeth Lieferantenmanager CVE-2022-44011 (An issue was discovered in ClickHouse before 22.9.1.2603. An authentic ...) - TODO: check + - clickhouse + NOTE: https://github.com/ClickHouse/ClickHouse/pull/40241 CVE-2022-44010 (An issue was discovered in ClickHouse before 22.9.1.2603. An attacker ...) - TODO: check + - clickhouse + NOTE: https://github.com/ClickHouse/ClickHouse/pull/40292 CVE-2022-44009 (Improper access control in Key-Value RBAC in StackStorm version 3.7.0 ...) NOT-FOR-US: StackStorm CVE-2022-44008 (An issue was discovered in BACKCLICK Professional 5.9.63. Due to impro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45267fed12b6a4348fccbdf2a3c434395c276d49 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/45267fed12b6a4348fccbdf2a3c434395c276d49 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
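Review bot: both ClickHouse entries now point at the fixing pull requests but record neither a Debian bug reference nor a fixed version, while the descriptions say the issues are fixed before 22.9.1.2603; a NOTE naming the upstream release that contains PR 40241 and PR 40292, plus a bug reference if the packaged clickhouse is affected, would make the unfixed state actionable instead of leaving two bare `- clickhouse` lines.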
[Git][security-tracker-team/security-tracker][master] NFU
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 43526e38 by Moritz Muehlenhoff at 2023-11-24T15:26:47+01:00 NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-49068 + NOT-FOR-US: Apache DolphinScheduler CVE-2023-49216 (Usedesk before 1.7.57 allows profile stored XSS.) NOT-FOR-US: Usedesk CVE-2023-49215 (Usedesk before 1.7.57 allows filter reflected XSS.) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43526e38b73bf6e1584f0035cf1f5438f9f3e06f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/43526e38b73bf6e1584f0035cf1f5438f9f3e06f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3663-1 for strongswan
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: bfaa8fe4 by Chris Lamb at 2023-11-24T14:10:15+00:00 Reserve DLA-3663-1 for strongswan - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[24 Nov 2023] DLA-3663-1 strongswan - security update + {CVE-2023-41913} + [buster] - strongswan 5.7.2-1+deb10u4 [24 Nov 2023] DLA-3662-1 freeimage - security update {CVE-2020-21427 CVE-2020-21428 CVE-2020-22524} [buster] - freeimage 3.18.0+ds2-1+deb10u2 = data/dla-needed.txt = @@ -235,9 +235,6 @@ samba squid NOTE: 20231102: Added by Front-Desk (lamby) -- -strongswan (Chris Lamb) - NOTE: 20231121: Added by Front-Desk (ola) --- suricata (Adrian Bunk) NOTE: 20230620: Added by Front-Desk (Beuc) NOTE: 20230620: 15+ CVEs marked no-dsa; since the package is supported, with last LTS update in Jessie, View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfaa8fe41ed75c95c63494b8a67074ec5dbe3883 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfaa8fe41ed75c95c63494b8a67074ec5dbe3883 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update information on CVE-2023-20246/snort
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 260193aa by Salvatore Bonaccorso at 2023-11-24T09:39:22+01:00 Update information on CVE-2023-20246/snort - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -72421,8 +72421,7 @@ CVE-2023-20248 CVE-2023-20247 (A vulnerability in the remote access SSL VPN feature of Cisco Adaptive ...) NOT-FOR-US: Cisco CVE-2023-20246 (Multiple Cisco products are affected by a vulnerability in Snort acces ...) - - snort (bug #1056281) - [buster] - snort (only affects 3.x) + - snort (Vulnerable code only in 3.x series) NOTE: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-snort3acp-bypass-3bdR2BEh CVE-2023-20245 (Multiple vulnerabilities in the per-user-override feature of Cisco Ada ...) NOT-FOR-US: Cisco View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/260193aa35567ff1b025bb38bdc2f2f09a660dc2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/260193aa35567ff1b025bb38bdc2f2f09a660dc2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
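Review bot: the replacement line `- snort (Vulnerable code only in 3.x series)` drops the `(bug #1056281)` reference and, having no version, still lists snort as affected and unfixed in every suite even though its comment says the vulnerable code exists only in the 3.x series; if the packaged snort is a 2.x release, the `<not-affected>` marker with this comment is the form that matches the intent, and the bug number should be kept if that bug remains open.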
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 084c2885 by Salvatore Bonaccorso at 2023-11-24T09:37:09+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,21 +1,21 @@ CVE-2023-49216 (Usedesk before 1.7.57 allows profile stored XSS.) - TODO: check + NOT-FOR-US: Usedesk CVE-2023-49215 (Usedesk before 1.7.57 allows filter reflected XSS.) - TODO: check + NOT-FOR-US: Usedesk CVE-2023-49214 (Usedesk before 1.7.57 allows chat template injection.) - TODO: check + NOT-FOR-US: Usedesk CVE-2023-49213 (The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 ...) - TODO: check + NOT-FOR-US: Ironman PowerShell Universal CVE-2023-48796 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: Apache DolphinScheduler CVE-2023-47529 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: ThemeIsle Cloud Templates & Patterns collection CVE-2023-47244 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: Omnisend Email Marketing for WooCommerce by Omnisend CVE-2023-44303 (RVTools, Version 3.9.2 and above, contain a sensitive data exposure vu ...) - TODO: check + NOT-FOR-US: Dell CVE-2023-33706 (SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks ...) - TODO: check + NOT-FOR-US: SysAid CVE-2023-6118 (Path Traversal: '/../filedir' vulnerability in Neutron IP Camera allow ...) NOT-FOR-US: Neutron IP Camera CVE-2023-5972 (A null pointer dereference flaw was found in the nft_inner.c functiona ...) 
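Review bot: in the CVE-2023-44303 entry the NOT-FOR-US label names the vendor ("Dell") while the description names the product ("RVTools"), whereas the other entries in this hunk label the product itself (Usedesk, Ironman PowerShell Universal, SysAid); "NOT-FOR-US: RVTools (Dell)" would make the entry findable by the name that appears in the description. The remaining reclassifications from "TODO: check" to NOT-FOR-US agree with the visible descriptions, though for CVE-2023-48796, CVE-2023-47529 and CVE-2023-47244 the truncated descriptions do not show the product name, so those three cannot be checked from the diff alone.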
@@ -43344,7 +43344,7 @@ CVE-2023-26281 (IBM HTTP Server 8.5 used by IBM WebSphere Application Server cou CVE-2023-26280 RESERVED CVE-2023-26279 (IBM QRadar WinCollect Agent 10.0 through 10.1.7 could allow a local us ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-26278 (IBM QRadar WinCollect Agent 10.0 through 10.1.3 could allow a local au ...) NOT-FOR-US: IBM CVE-2023-26277 (IBM QRadar WinCollect Agent 10.0 though 10.1.3 could allow a local use ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c288555f8bb527375e69e05b3f21970390a06 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/084c288555f8bb527375e69e05b3f21970390a06 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f67c4f0a by security tracker role at 2023-11-24T08:11:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,22 @@ -CVE-2023-6118 (: Path Traversal: '/../filedir' vulnerability in Neutron IP Camera all ...) +CVE-2023-49216 (Usedesk before 1.7.57 allows profile stored XSS.) + TODO: check +CVE-2023-49215 (Usedesk before 1.7.57 allows filter reflected XSS.) + TODO: check +CVE-2023-49214 (Usedesk before 1.7.57 allows chat template injection.) + TODO: check +CVE-2023-49213 (The API endpoints in Ironman PowerShell Universal 3.0.0 through 4.2.0 ...) + TODO: check +CVE-2023-48796 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-47529 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-47244 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-44303 (RVTools, Version 3.9.2 and above, contain a sensitive data exposure vu ...) + TODO: check +CVE-2023-33706 (SysAid before 23.2.15 allows Indirect Object Reference (IDOR) attacks ...) + TODO: check +CVE-2023-6118 (Path Traversal: '/../filedir' vulnerability in Neutron IP Camera allow ...) NOT-FOR-US: Neutron IP Camera CVE-2023-5972 (A null pointer dereference flaw was found in the nft_inner.c functiona ...) - linux 6.5.10-1 @@ -410,7 +428,7 @@ CVE-2023-6213 (Memory safety bugs present in Firefox 119. Some of these bugs sho - firefox 120.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6213 CVE-2023-6212 (Memory safety bugs present in Firefox 119, Firefox ESR 115.4, and Thun ...) - {DSA-5561-1} + {DSA-5561-1 DLA-3661-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird 1:115.5.0-1 
@@ -424,7 +442,7 @@ CVE-2023-6210 (When an https: web page created a pop-up from a "javascript:" URL - firefox 120.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-49/#CVE-2023-6210 CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed, and ...) - {DSA-5561-1} + {DSA-5561-1 DLA-3661-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird 1:115.5.0-1 @@ -432,7 +450,7 @@ CVE-2023-6209 (Relative URLs starting with three slashes were incorrectly parsed NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6209 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6209 CVE-2023-6208 (When using X11, text selected by the page using the Selection API was ...) - {DSA-5561-1} + {DSA-5561-1 DLA-3661-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird 1:115.5.0-1 @@ -440,7 +458,7 @@ CVE-2023-6208 (When using X11, text selected by the page using the Selection API NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6208 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6208 CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteStreams ...) - {DSA-5561-1} + {DSA-5561-1 DLA-3661-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird 1:115.5.0-1 @@ -448,7 +466,7 @@ CVE-2023-6207 (Ownership mismanagement led to a use-after-free in ReadableByteSt NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6207 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6207 CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the length ...) - {DSA-5561-1} + {DSA-5561-1 DLA-3661-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird 1:115.5.0-1 
@@ -456,7 +474,7 @@ CVE-2023-6206 (The black fade animation when exiting fullscreen is roughly the l NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6206 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6206 CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had already ...) - {DSA-5561-1} + {DSA-5561-1 DLA-3661-1} - firefox 120.0-1 - firefox-esr 115.5.0esr-1 - thunderbird 1:115.5.0-1 @@ -464,7 +482,7 @@ CVE-2023-6205 (It was possible to cause the use of a MessagePort after it had al NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-50/#CVE-2023-6205 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2023-52/#CVE-2023-6205 CVE-2023-6204 (On some systems\u2014de
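Review bot: the diff as reproduced here ends mid-entry at "CVE-2023-6204 (On some systems\u2014de", so it is not possible to see from this page whether CVE-2023-6204 (and any later mfsa2023-50/52 entries) received the same {DSA-5561-1 DLA-3661-1} reference as CVE-2023-6205 through CVE-2023-6212; anyone auditing the DLA-3661-1 coverage should read the commit at the GitLab link rather than this excerpt. The entries that were left untouched, CVE-2023-6213 and CVE-2023-6210, carry only "- firefox 120.0-1" with no firefox-esr or thunderbird line, so not adding the DLA reference to them is consistent.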