[Git][security-tracker-team/security-tracker][master] 2 commits: Claim asterisk in dsa-needed.txt

2023-12-28 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
346e501d by Markus Koschany at 2023-12-29T00:06:20+01:00
Claim asterisk in dsa-needed.txt

- - - - -
48def921 by Markus Koschany at 2023-12-29T00:07:48+01:00
Claim exim4 and netatalk in dla-needed.txt

- - - - -


2 changed files:

- data/dla-needed.txt
- data/dsa-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -72,7 +72,7 @@ dogecoin
 dropbear (guilhem)
   NOTE: 20231219: Added by Front-Desk (ta)
 --
-exim4
+exim4 (Markus Koschany)
   NOTE: 20231224: Added by Front-Desk (ta)
 --
 firefox-esr (Emilio)
@@ -144,7 +144,7 @@ linux-5.10
 mariadb-10.3
   NOTE: 20231129: Added by Front-Desk (Beuc)
 --
-netatalk
+netatalk (Markus Koschany)
   NOTE: 20231119: Added by Front-Desk (apo)
 --
 node-webpack
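Review bot: the exim4 and netatalk claims in this file use the full name "(Markus Koschany)", while the same author claims asterisk in data/dsa-needed.txt in the same push as "(apo)", the uid form that file's header asks for ("simply add your uid behind it"); using one identifier in both files keeps claims greppable and matchable to the committer, so consider "+exim4 (apo)" and "+netatalk (apo)".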


=
data/dsa-needed.txt
=
@@ -12,7 +12,7 @@ To pick an issue, simply add your uid behind it.
 If needed, specify the release by adding a slash after the name of the source 
package.
 
 --
-asterisk
+asterisk (apo)
 --
 cryptojs
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3...48def921c58bd6308eb95dab35d751484b216dfc



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Reserve DLA-3696-1 for asterisk

2023-12-28 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d420ec52 by Markus Koschany at 2023-12-28T23:55:14+01:00
Reserve DLA-3696-1 for asterisk

- - - - -


2 changed files:

- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Dec 2023] DLA-3696-1 asterisk - security update
+   {CVE-2023-37457 CVE-2023-38703 CVE-2023-49294 CVE-2023-49786}
+   [buster] - asterisk 1:16.28.0~dfsg-0+deb10u4
 [28 Dec 2023] DLA-3695-1 ansible - security update
{CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 
CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115}
[buster] - ansible 2.7.7+dfsg-1+deb10u2


=
data/dla-needed.txt
=
@@ -30,9 +30,6 @@ ansible
   NOTE: 20231217: Triaging done a few mail send upstream for claryfication 
purposes (rouca)
   NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
 --
-asterisk (Markus Koschany)
-  NOTE: 20231210: Added by Front-Desk (ta)
---
 bind9 (Thorsten Alteholz)
   NOTE: 20230921: Added by Front-Desk (apo)
   NOTE: 20231008: backporting patches



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d420ec5228fd0d5fe5a0015d72ab585b1a3238a3



[Git][security-tracker-team/security-tracker][master] automatic update

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fe08de6a by security tracker role at 2023-12-28T20:12:09+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,95 @@
+CVE-2023-7163 (A security issue exists in D-Link D-View 8 v2.0.2.89 and prior 
that co ...)
+   TODO: check
+CVE-2023-7134 (A vulnerability was found in SourceCodester Medicine Tracking 
System 1 ...)
+   TODO: check
+CVE-2023-7133 (A vulnerability was found in y_project RuoYi 4.7.8. It has been 
declar ...)
+   TODO: check
+CVE-2023-7132 (A vulnerability was found in code-projects Intern Membership 
Managemen ...)
+   TODO: check
+CVE-2023-7131 (A vulnerability was found in code-projects Intern Membership 
Managemen ...)
+   TODO: check
+CVE-2023-7129 (A vulnerability, which was classified as critical, was found in 
code-p ...)
+   TODO: check
+CVE-2023-7128 (A vulnerability, which was classified as critical, has been 
found in c ...)
+   TODO: check
+CVE-2023-7127 (A vulnerability classified as critical was found in 
code-projects Auto ...)
+   TODO: check
+CVE-2023-7126 (A vulnerability classified as critical has been found in 
code-projects ...)
+   TODO: check
+CVE-2023-52082 (Lychee is a free photo-management tool.  Prior to 5.0.2, 
Lychee is vul ...)
+   TODO: check
+CVE-2023-52081 (ffcss is a CLI interface to apply and configure Firefox CSS 
themes. Pr ...)
+   TODO: check
+CVE-2023-52079 (msgpackr is a fast MessagePack NodeJS/JavaScript 
implementation. Prior ...)
+   TODO: check
+CVE-2023-51501 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-50874 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-50873 (Cross-Site Request Forgery (CSRF) vulnerability in Marios 
Alexandrou A ...)
+   TODO: check
+CVE-2023-50860 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-50859 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-50858 (Cross-Site Request Forgery (CSRF) vulnerability in Bill 
Minozzi Disabl ...)
+   TODO: check
+CVE-2023-50857 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50856 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50855 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50854 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50853 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50852 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50851 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50849 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50848 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50847 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50846 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50845 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50844 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50843 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50842 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50841 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50840 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50839 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50838 (Improper Neutralization of Special Elements used in an SQL 
Command ('S ...)
+   TODO: check
+CVE-2023-50836 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+   TODO: check
+CVE-2023-50470 (A cross-site scripting (XSS) vulnerability in the component 
admin_ Vid ...)
+   TODO: check
+CVE-2023-50267 (MeterSphere is a one-stop open source continuous testing 
platform. Pri ...)
+   TODO: check
+CVE-2023-4672 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
+
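Review bot: the final added entry, CVE-2023-4672, is followed by a bare "+" rather than the "TODO: check" line every other new entry in this hunk carries, and the hunk shows fewer added lines than the 92 its header (@@ -1,3 +1,95 @@) announces, so the mail is cut off before the end of the change; check the full diff on GitLab before assuming that entry has its triage marker.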

[Git][security-tracker-team/security-tracker][master] Mark ansible as partial released

2023-12-28 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7f624555 by Bastien Roucariès at 2023-12-28T17:38:08+00:00
Mark ansible as partial released

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -21,13 +21,14 @@ To make it easier to see the entire history of an update, 
please append notes
 rather than remove/replace existing ones.
 
 --
-ansible (rouca)
+ansible
   NOTE: 20231202: Added by Front-Desk (Beuc)
   NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates 
since 2021
   NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an 
opportunity to
   NOTE: 20231202: assess/fix the situation.
   NOTE: 20231217: Begin to triage CVEs (rouca)
   NOTE: 20231217: Triaging done a few mail send upstream for claryfication 
purposes (rouca)
+  NOTE: 20231228: Made a partial release DLA-3695-1 (rouca), waiting for lee
 --
 asterisk (Markus Koschany)
   NOTE: 20231210: Added by Front-Desk (ta)
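Review bot: dropping "(rouca)" from the ansible line while the new NOTE says the same person made the partial DLA-3695-1 release and is "waiting for lee" leaves the package looking unclaimed, and the note does not say what is being waited for; either keep the claim until the remaining CVEs are released, or state the outstanding work in the note (the revert commit message names CVEs that still need upstream confirmation and backporting-risk assessment) so the next front-desk pass can tell whether the package is free to take.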



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f624555685def68cbe5276b359cb794ef1b7452



[Git][security-tracker-team/security-tracker][master] Revert "Reserve DLA-3695-1 for ansible" data/dla-needed.txt

2023-12-28 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
5434a0d2 by Bastien Roucariès at 2023-12-28T17:36:12+00:00
Revert "Reserve DLA-3695-1 for ansible" data/dla-needed.txt

This reverts commit 6f71a147a67d59c50b18a2daae81a5a2dc4eab02 for
data/dla-needed.txt, because DLA-3695-1 is a partial update.

There are a few CVEs that need upstream confirmation/clarification and a few
others that need assessment of backporting risk.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -20,6 +20,14 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
+--
+ansible (rouca)
+  NOTE: 20231202: Added by Front-Desk (Beuc)
+  NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates 
since 2021
+  NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an 
opportunity to
+  NOTE: 20231202: assess/fix the situation.
+  NOTE: 20231217: Begin to triage CVEs (rouca)
+  NOTE: 20231217: Triaging done a few mail send upstream for claryfication 
purposes (rouca)
 --
 asterisk (Markus Koschany)
   NOTE: 20231210: Added by Front-Desk (ta)
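Review bot: the re-added ansible block carries only the notes from before its removal and nothing dated 20231228 recording why it is back (the commit message says DLA-3695-1 was a partial update with CVEs still awaiting upstream clarification and backporting-risk assessment); since the file header asks to append notes so the full history stays visible, add a line such as "NOTE: 20231228: DLA-3695-1 released as a partial update; remaining CVEs need upstream clarification and backport risk assessment (rouca)".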



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5434a0d2afdf476236c67f17f3f3f276996cf05c



[Git][security-tracker-team/security-tracker][master] Reserve DLA-3695-1 for ansible

2023-12-28 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6f71a147 by Bastien Roucariès at 2023-12-28T17:31:59+00:00
Reserve DLA-3695-1 for ansible

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -79855,7 +79855,6 @@ CVE-2022-3698 (A denial of service vulnerability was 
reported in the Lenovo Hard
 CVE-2022-3697 (A flaw was found in Ansible in the amazon.aws collection when 
using th ...)
- ansible 7.0.0+dfsg-1
[bullseye] - ansible  (Minor issue)
-   [buster] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2137664
NOTE: https://github.com/ansible-collections/amazon.aws/pull/1199
 CVE-2022-3696 (A post-auth code injection vulnerability allows admins to 
execute code ...)
@@ -176021,7 +176020,6 @@ CVE-2021-3620 (A flaw was found in Ansible Engine's 
ansible-connection module, w
- ansible-core 2.12.0-1
- ansible 5.4.0-1
[bullseye] - ansible  (Minor issue, revisit when/if fixed 
upstream)
-   [buster] - ansible  (Minor issue, revisit when/if fixed 
upstream)
[stretch] - ansible  (EOL'd for stretch)
- ansible-base 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1975767
@@ -178863,7 +178861,6 @@ CVE-2021-3584 (A server side remote code execution 
vulnerability was found in Fo
 CVE-2021-3583 (A flaw was found in Ansible, where a user's controller is 
vulnerable t ...)
- ansible 5.4.0-1
[bullseye] - ansible  (Minor issue)
-   [buster] - ansible  (Minor issue)
[stretch] - ansible  (EOL'd for stretch)
- ansible-core 2.12.0-1
- ansible-base 
@@ -193984,7 +193981,6 @@ CVE-2021-3448 (A flaw was found in dnsmasq in 
versions before 2.85. When configu
NOTE: 
https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=74d4fcd756a85bc1823232ea74334f7ccfb9d5d2
 CVE-2021-3447 (A flaw was found in several ansible modules, where parameters 
containi ...)
- ansible 2.10.7+merged+base+2.10.8+dfsg-1 (bug #1014721)
-   [buster] - ansible  (Minor issue)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1939349
NOTE: Fedora announcement 
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG/
NOTE: Fixed by: 
https://github.com/ansible/ansible/commit/9052b0e7f2d66aaec3420a5f6f678a22aab9fa8d
 (v2.9.20rc1)
@@ -216386,7 +216382,6 @@ CVE-2021-20192
 CVE-2021-20191 (A flaw was found in ansible. Credentials, such as secrets, are 
being d ...)
- ansible 5.4.0-1 (bug #985753)
[bullseye] - ansible  (Minor issue)
-   [buster] - ansible  (Minor issue)
[stretch] - ansible  (EOL'd for stretch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1916813
NOTE: https://github.com/ansible-collections/cisco.nxos/pull/227
@@ -216437,7 +216432,6 @@ CVE-2021-20179 (A flaw was found in pki-core. An 
attacker who has successfully c
 CVE-2021-20178 (A flaw was found in ansible module where credentials are 
disclosed in  ...)
- ansible 5.4.0-1 (bug #985753)
[bullseye] - ansible  (Minor issue)
-   [buster] - ansible  (Minor issue)
[stretch] - ansible  (EOL'd for stretch)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1914774
NOTE: https://github.com/ansible-collections/community.general/pull/1621


=
data/DLA/list
=
@@ -1,3 +1,6 @@
+[28 Dec 2023] DLA-3695-1 ansible - security update
+   {CVE-2019-10206 CVE-2021-3447 CVE-2021-3583 CVE-2021-3620 
CVE-2021-20178 CVE-2021-20191 CVE-2022-3697 CVE-2023-5115}
+   [buster] - ansible 2.7.7+dfsg-1+deb10u2
 [25 Dec 2023] DLA-3694-1 openssh - security update
{CVE-2021-41617 CVE-2023-48795 CVE-2023-51385}
[buster] - openssh 1:7.9p1-10+deb10u4
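Review bot: the DLA-3695-1 entry lists eight CVEs, but the data/CVE/list hunks in this commit drop the "[buster] - ansible (Minor issue)" line for only six of them (CVE-2022-3697, CVE-2021-3620, CVE-2021-3583, CVE-2021-3447, CVE-2021-20191, CVE-2021-20178); CVE-2019-10206 and CVE-2023-5115 are not touched, so confirm neither still carries a buster tag that now contradicts the DLA.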


=
data/dla-needed.txt
=
@@ -20,14 +20,6 @@ 
https://wiki.debian.org/LTS/Development#Triage_new_security_issues
 To make it easier to see the entire history of an update, please append notes
 rather than remove/replace existing ones.
 
---
-ansible (rouca)
-  NOTE: 20231202: Added by Front-Desk (Beuc)
-  NOTE: 20231202: Supported package, but there's a CVE backlog, and no updates 
since 2021
-  NOTE: 20231202: (neither in LTS nor in stable/oldstable), so this is an 
opportunity to
-  NOTE: 20231202: assess/fix the situation.
-  NOTE: 20231217: Begin to triage CVEs (rouca)
-  NOTE: 20231217: Triaging done a few mail send upstream for claryfication 
purposes (rouca)
 --
 asterisk (Markus Koschany)
   NOTE: 20231210: Added by Front-Desk (ta)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f71a147a67d59c50b18a2daae81a5a2dc4eab02

[Git][security-tracker-team/security-tracker][master] 4 commits: Triage CVE-2023-51767 in openssh for buster LTS.

2023-12-28 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
65e9905c by Chris Lamb at 2023-12-28T17:24:38+00:00
Triage CVE-2023-51767 in openssh for buster LTS.

- - - - -
8466d112 by Chris Lamb at 2023-12-28T17:25:29+00:00
Triage CVE-2023-7104 in sqlite3 for buster LTS.

- - - - -
30249332 by Chris Lamb at 2023-12-28T17:27:03+00:00
data/dla-needed.txt: Triage kodi for buster LTS (CVE-2021-42917)

- - - - -
b99caa35 by Chris Lamb at 2023-12-28T17:27:54+00:00
data/dla-needed.txt: Triage dask.distributed for buster LTS (CVE-2021-42343)

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -214,6 +214,7 @@ CVE-2023-7104 (A vulnerability was found in SQLite SQLite3 
up to 3.43.0 and clas
- sqlite3 3.43.1-1
[bookworm] - sqlite3  (Minor issue)
[bullseye] - sqlite3  (Minor issue)
+   [buster] - sqlite3  (Minor issue)
NOTE: https://sqlite.org/forum/forumpost/5bcbf4571c
NOTE: Fixed by: https://sqlite.org/src/info/0e4e7a05c4204b47
 CVE-2023-51775 (The jose4j component before 0.9.4 for Java allows attackers to 
cause a ...)
@@ -376,6 +377,7 @@ CVE-2023-51767 (OpenSSH through 9.6, when common types of 
DRAM are used, might a
- openssh  (bug #1059393)
[bookworm] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
[bullseye] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
+   [buster] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
NOTE: https://arxiv.org/abs/2309.02545
 CVE-2023-51766 (Exim through 4.97 allows SMTP smuggling in certain 
configurations. Rem ...)
- exim4 4.97-3 (bug #1059387)


=
data/dla-needed.txt
=
@@ -53,6 +53,10 @@ cinder
 cjson (Thorsten Alteholz)
   NOTE: 20231225: Added by Front-Desk (ta)
 --
+dask.distributed
+  NOTE: 20231228: Added by Front-Desk (lamby)
+  NOTE: 20231228: CVE-2021-42343 fixed in bullseye via DSA or point release. 
(lamby)
+--
 docker.io
   NOTE: 20230303: Added by Front-Desk (Beuc)
   NOTE: 20230303: Follow fixes from bullseye 11.2 (3 CVEs) (Beuc/front-desk)
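Review bot: the dask.distributed note says CVE-2021-42343 was "fixed in bullseye via DSA or point release" without saying which; record the DSA number or the bullseye package version that carried the fix, so whoever claims the package can pull the right patch instead of re-deriving it from the tracker.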
@@ -104,6 +108,10 @@ keystone
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
+kodi
+  NOTE: 20231228: Added by Front-Desk (lamby)
+  NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via 
DSA or point release. (lamby)
+--
 libde265 (Thorsten Alteholz)
   NOTE: 20231224: Added by Front-Desk (ta)
 --
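Review bot: the kodi note records that CVE-2021-42917 "was postponed in 2021" but not why, nor which DSA or point-release version fixed it in bullseye; adding the postponement reason and the concrete bullseye fix reference tells the claimant whether the original reason still holds for buster and where the backportable change lives.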



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c1376f504d3baf9021b2e783cd2f5dd4c26b9ea3...b99caa35b9e556c7eb34c507754e4c93f94d026c



[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage h2o for buster LTS (CVE-2023-41337)

2023-12-28 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c1376f50 by Chris Lamb at 2023-12-28T17:23:50+00:00
data/dla-needed.txt: Triage h2o for buster LTS (CVE-2023-41337)

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -82,6 +82,9 @@ frr
 golang-go.crypto
   NOTE: 20231219: Added by Front-Desk (ta)
 --
+h2o
+  NOTE: 20231228: Added by Front-Desk (lamby)
+--
 haproxy (tobi)
   NOTE: 20231217: Added by Front-Desk (utkarsh)
 --
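Review bot: the new h2o entry carries no CVE reference, although the commit subject names CVE-2023-41337 as the reason for the triage; the dask.distributed and kodi entries added to this file the same day record the CVE id in a NOTE, so add e.g. "NOTE: 20231228: CVE-2023-41337 (lamby)" to keep the entry self-describing without a trip through the commit log.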



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1376f504d3baf9021b2e783cd2f5dd4c26b9ea3



[Git][security-tracker-team/security-tracker][master] CVE-2018-1311/xerces-c: Reference fixing commit.

2023-12-28 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
03643cec by Guilhem Moulin at 2023-12-28T17:33:18+01:00
CVE-2018-1311/xerces-c: Reference fixing commit.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -405863,6 +405863,7 @@ CVE-2018-1311 (The Apache Xerces-C 3.0.0 to 3.2.3 XML 
parser contains a use-afte
NOTE: https://issues.apache.org/jira/browse/XERCESC-2188
NOTE: 
http://vault.centos.org/7.7.1908/updates/Source/SPackages/xerces-c-3.1.1-10.el7_7.src.rpm
 (fix with memory leak, applied in DLA-2498-1 and DSA-4814-1)
NOTE: Mitigation by setting the XERCES_DISABLE_DTD environment variable
+   NOTE: Fixed by: 
https://github.com/apache/xerces-c/commit/e0024267504188e42ace4dd9031d936786914835
 (3.2.5)
 CVE-2018-1310 (Apache NiFi JMS Deserialization issue because of ActiveMQ 
client vulne ...)
NOT-FOR-US: Apache NiFi
 CVE-2018-1309 (Apache NiFi External XML Entity issue in SplitXML processor. 
Malicious ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03643cecf5fe9d6515ae2f64bdc677bccecf2d57



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libssh update

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c21f2580 by Salvatore Bonaccorso at 2023-12-28T15:23:53+01:00
Reserve DSA number for libssh update

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[28 Dec 2023] DSA-5591-1 libssh - security update
+   {CVE-2023-6004 CVE-2023-6918 CVE-2023-48795}
+   [bullseye] - libssh 0.9.8-0+deb11u1
+   [bookworm] - libssh 0.10.6-0+deb12u1
 [28 Dec 2023] DSA-5590-1 haproxy - security update
{CVE-2023-40225 CVE-2023-45539}
[bullseye] - haproxy 2.2.9-2+deb11u6


=
data/dsa-needed.txt
=
@@ -27,9 +27,6 @@ h2o (jmm)
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --
-libssh (carnil)
-  Maintainer is working on updates, but we are waiting first for proper 
exposure trough testing/unstable
---
 linux (carnil)
   Wait until more issues have piled up, though try to regulary rebase for point
   releases to more recent v5.10.y and 6.1.y versions



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c21f25808a1aa9f47c685bd191d669d6d0095e16



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-51074/jayway-jsonpath

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
58dde891 by Salvatore Bonaccorso at 2023-12-28T14:13:57+01:00
Add CVE-2023-51074/jayway-jsonpath

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -17,7 +17,8 @@ CVE-2023-51079 (A TimeOut error exists in the 
ParseTools.subCompileExpression me
 CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop 
in the  ...)
NOT-FOR-US: Hutool
 CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
-   TODO: check
+   - jayway-jsonpath 
+   NOTE: https://github.com/json-path/JsonPath/issues/973
 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
NOT-FOR-US: com.sdjictec.qdmetro
 CVE-2023-51006 (An issue in the openFile method of Chinese Perpetual Calendar 
v9.0.0 a ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58dde89109b3d689c2249a873d976b7598804593



[Git][security-tracker-team/security-tracker][master] Track fix via unstable for wolfssl issues

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02079246 by Salvatore Bonaccorso at 2023-12-28T14:08:25+01:00
Track fix via unstable for wolfssl issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -457,15 +457,15 @@ CVE-2023-50727 (Resque is a Redis-backed Ruby library for 
creating background jo
NOT-FOR-US: Resque
 CVE-2023-6937
[experimental] - wolfssl 5.6.6-1
-   - wolfssl  (bug #1059357)
+   - wolfssl 5.6.6-1.2 (bug #1059357)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
 CVE-2023-6936
[experimental] - wolfssl 5.6.6-1
-   - wolfssl  (bug #1059357)
+   - wolfssl 5.6.6-1.2 (bug #1059357)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
 CVE-2023-6935
[experimental] - wolfssl 5.6.6-1
-   - wolfssl  (bug #1059357)
+   - wolfssl 5.6.6-1.2 (bug #1059357)
NOTE: 
https://github.com/wolfSSL/wolfssl/blob/v5.6.6-stable/ChangeLog.md#vulnerabilities
 CVE-2023-7076 (A vulnerability was found in slawkens MyAAC up to 0.8.13. It 
has been  ...)
NOT-FOR-US: slawkens MyAAC



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/020792462277d4b30a3a9fae1bc543743932047a



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-32785

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3b140e46 by Salvatore Bonaccorso at 2023-12-28T13:51:25+01:00
Remove notes from CVE-2023-32785

This was a duplicate of CVE-2023-36189.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11883,7 +11883,6 @@ CVE-2023-32786 (In Langchain through 0.0.155, prompt 
injection allows an attacke
NOT-FOR-US: Langchain
 CVE-2023-32785
REJECTED
-   NOT-FOR-US: Langchain
 CVE-2023-5690 (Cross-Site Request Forgery (CSRF) in GitHub repository 
modoboa/modoboa ...)
NOT-FOR-US: Modoboa
 CVE-2023-5689 (Cross-site Scripting (XSS) - DOM in GitHub repository 
modoboa/modoboa  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3b140e464db045ba5e0cdb09af2629d81ab3c973



[Git][security-tracker-team/security-tracker][master] Drop notes from rejected CVE-2023-42927 (got unused from the CNA)

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a546720e by Salvatore Bonaccorso at 2023-12-28T13:50:10+01:00
Drop notes from rejected CVE-2023-42927 (got unused from the CNA)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3375,7 +3375,6 @@ CVE-2023-42932 (A logic issue was addressed with improved 
checks. This issue is
NOT-FOR-US: Apple
 CVE-2023-42927
REJECTED
-   NOT-FOR-US: Apple
 CVE-2023-42926 (Multiple memory corruption issues were addressed with improved 
input v ...)
NOT-FOR-US: Apple
 CVE-2023-42924 (A logic issue was addressed with improved checks. This issue 
is fixed  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a546720ecacfe2d1f6933fb32b6c8f951bfddf85



[Git][security-tracker-team/security-tracker][master] Reserve DSA number for haproxy update

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ba650bc7 by Salvatore Bonaccorso at 2023-12-28T13:36:07+01:00
Reserve DSA number for haproxy update

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -22636,8 +22636,6 @@ CVE-2023-38103 [ZDI-CAN-21443: Integer overflow leading 
to heap overwrite in Rea
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1007/
 CVE-2023-40225 (HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x 
and 2.4. ...)
- haproxy 2.6.15-1 (bug #1043502)
-   [bookworm] - haproxy  (Minor issue, fix along with future 
DSA)
-   [bullseye] - haproxy  (Minor issue, fix along with future 
DSA)
[buster] - haproxy  (Vulnerable code not present)
NOTE: https://github.com/haproxy/haproxy/issues/2237
NOTE: 
https://github.com/haproxy/haproxy/commit/6492f1f29d738457ea9f382aca54537f35f9d856


=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[28 Dec 2023] DSA-5590-1 haproxy - security update
+   {CVE-2023-40225 CVE-2023-45539}
+   [bullseye] - haproxy 2.2.9-2+deb11u6
+   [bookworm] - haproxy 2.6.12-1+deb12u1
 [27 Dec 2023] DSA-5589-1 nodejs - security update
{CVE-2023-23918 CVE-2023-23919 CVE-2023-23920 CVE-2023-30581 
CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 CVE-2023-32002 CVE-2023-32006 
CVE-2023-32559 CVE-2023-38552 CVE-2023-39333}
[bookworm] - nodejs 18.19.0+dfsg-6~deb12u1
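Review bot: DSA-5590-1 lists CVE-2023-45539 alongside CVE-2023-40225, but this commit's data/CVE/list hunk only adjusts CVE-2023-40225; if the CVE-2023-45539 entry carries the same bullseye/bookworm "fix along with future DSA" tags, they need removing in the same change, otherwise those tags will conflict with the advisory once it references the CVE. The bullseye (2.2.9-2+deb11u6) and bookworm (2.6.12-1+deb12u1) versions themselves look right for a security update on the shipped 2.2.9 and 2.6.12 bases.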


=
data/dsa-needed.txt
=
@@ -24,8 +24,6 @@ gpac/oldstable
 --
 h2o (jmm)
 --
-haproxy (carnil)
---
 libreswan (jmm)
   Maintainer prepared bookworm-security update, but needs work on 
bullseye-security backports
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ba650bc780fcf020fde063abdf282ad4ff277edb



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-49469/shaarli

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7a30cf43 by Salvatore Bonaccorso at 2023-12-28T09:51:16+01:00
Add CVE-2023-49469/shaarli

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -29,7 +29,9 @@ CVE-2023-50445 (Shell Injection vulnerability GL.iNet A1300 
v4.4.6, AX1800 v4.4.
 CVE-2023-50038 (There is an arbitrary file upload vulnerability in the 
background of t ...)
- textpattern 
 CVE-2023-49469 (Reflected Cross Site Scripting (XSS) vulnerability in Shaarli 
v0.12.2, ...)
-   TODO: check
+   - shaarli 0.13.0+dfsg-1
+   NOTE: https://github.com/shaarli/Shaarli/issues/2038
+   NOTE: 
https://github.com/shaarli/Shaarli/commit/326870f216ba52d80488cb4ba3fadcf1247d7cf8
 (v0.13.0)
 CVE-2023-49230 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
NOT-FOR-US: Peplink Balance Two
 CVE-2023-49229 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
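Review bot: the entry records the fixed version shaarli 0.13.0+dfsg-1 with upstream references (issue 2038 and the v0.13.0 fix commit), but no Debian bug reference and no bullseye/bookworm assessment, even though the description says v0.12.2 is affected; if either release ships a 0.12.x shaarli the tracker will list it as vulnerable until a suite tag or fixed version is added, so confirm that is the intended outcome rather than an omission.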



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7a30cf4353d0fdd16044df3d5e40268b319f8c0d



[Git][security-tracker-team/security-tracker][master] Process some more NFUs

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
44787419 by Salvatore Bonaccorso at 2023-12-28T09:50:41+01:00
Process some more NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,13 +13,13 @@ CVE-2023-51084 (hyavijava v6.0.07.1 was discovered to 
contain a stack overflow v
 CVE-2023-51080 (The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was 
discover ...)
NOT-FOR-US: Hutool
 CVE-2023-51079 (A TimeOut error exists in the ParseTools.subCompileExpression 
method i ...)
-   TODO: check
+   NOT-FOR-US: mvel2
 CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop 
in the  ...)
NOT-FOR-US: Hutool
 CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
TODO: check
 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
-   TODO: check
+   NOT-FOR-US: com.sdjictec.qdmetro
 CVE-2023-51006 (An issue in the openFile method of Chinese Perpetual Calendar 
v9.0.0 a ...)
NOT-FOR-US: Chinese Perpetual Calendar
 CVE-2023-50692 (File Upload vulnerability in JIZHICMS v.2.5, allows remote 
attacker to ...)
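Review bot: CVE-2023-51079 is resolved to NOT-FOR-US: mvel2, but the truncated description names only the ParseTools.subCompileExpression method, not the project, and no NOTE: link is recorded; a reference to the upstream report would let a later reader confirm the attribution the way the shaarli and aom entries in this digest do. CVE-2023-51074 (json-path) stays at TODO: check in the same hunk, so the hutool and mvel2 decisions are deliberate rather than a blanket pass.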
@@ -45,25 +45,25 @@ CVE-2023-49001 (An issue in Indi Browser (aka kvbrowser) 
v.12.11.23 allows an at
 CVE-2023-49000 (An issue in ArtistScope ArtisBrowser v.34.1.5 and before 
allows an att ...)
NOT-FOR-US: ArtistScope ArtisBrowser
 CVE-2023-47883 (The com.altamirano.fabricio.tvbrowser TV browser application 
through 4 ...)
-   TODO: check
+   NOT-FOR-US: com.altamirano.fabricio.tvbrowser TV browser application
 CVE-2023-47882 (The Kami Vision YI IoT com.yunyi.smartcamera application 
through 4.1.9 ...)
-   TODO: check
+   NOT-FOR-US: Kami Vision YI IoT com.yunyi.smartcamera application
 CVE-2023-46989 (SQL Injection vulnerability in the Innovadeluxe Quick Order 
module for ...)
-   TODO: check
+   NOT-FOR-US: PrestaShop module
 CVE-2023-46919 (Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and 
com.phlo ...)
-   TODO: check
+   NOT-FOR-US: Phlox
 CVE-2023-46918 (Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server 
PLUS) 1.8.1- ...)
-   TODO: check
+   NOT-FOR-US: Phlox
 CVE-2023-45702 (An HCL UrbanCode Deploy Agent installed as a Windows service 
in a non- ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2023-45701 (HCL Launch could allow a remote attacker to obtain sensitive 
informati ...)
-   TODO: check
+   NOT-FOR-US: HCL
 CVE-2023-43955 (The com.phlox.tvwebbrowser TV Bro application through 2.0.0 
for Androi ...)
-   TODO: check
+   NOT-FOR-US: com.phlox.tvwebbrowser TV Bro application
 CVE-2023-43481 (An issue in Shenzhen TCL Browser TV Web BrowseHere (aka 
com.tcl.browse ...)
-   TODO: check
+   NOT-FOR-US: Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser)
 CVE-2023-34829 (Incorrect access control in TP-Link Tapo before v3.1.315 
allows attack ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2023-7116 (A vulnerability, which was classified as critical, has been 
found in W ...)
NOT-FOR-US: WeiYe-Jing datax-web
 CVE-2023-6531
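Review bot: the NOT-FOR-US labels in this hunk are inconsistent about what they name: CVE-2023-46989 becomes "NOT-FOR-US: PrestaShop module", dropping the vendor and module name (Innovadeluxe Quick Order) that the description leads with, while neighbouring entries keep the full product string (for example "NOT-FOR-US: com.phlox.tvwebbrowser TV Bro application" and "NOT-FOR-US: Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser)"). Since these labels are what gets searched when the same product reappears, prefer "NOT-FOR-US: Innovadeluxe Quick Order module for PrestaShop".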



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4478741950ec914c54ea9b65bd70026c427feb44



[Git][security-tracker-team/security-tracker][master] Clarify CVE-2023-26852 NFU

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c25b5cca by Salvatore Bonaccorso at 2023-12-28T09:38:46+01:00
Clarify CVE-2023-26852 NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -48201,7 +48201,7 @@ CVE-2023-26854
 CVE-2023-26853
RESERVED
 CVE-2023-26852 (An arbitrary file upload vulnerability in the upload plugin of 
Textpat ...)
-   NOT-FOR-US: Textpattern CMS
+   NOT-FOR-US: Textpattern CMS plugin
 CVE-2023-26851
RESERVED
 CVE-2023-26850
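Review bot: narrowing the label to "Textpattern CMS plugin" is the right distinction, since the description places the bug in the upload plugin rather than the CMS core, and the core Textpattern entries are tracked against the textpattern package; naming the plugin in the label or in a NOTE: line would make the exclusion verifiable instead of leaving a reader to re-derive it from the truncated description.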



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c25b5cca75d9c7b1d3f9d1b91a31d339f62fd164



[Git][security-tracker-team/security-tracker][master] Adjust some older Textpattern CMS entries

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f39ad41 by Salvatore Bonaccorso at 2023-12-28T09:38:03+01:00
Adjust some older Textpattern CMS entries

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23587,7 +23587,7 @@ CVE-2023-38044 (Improper Neutralization of Special 
Elements used in an SQL Comma
 CVE-2023-36499 (Netgear XR300 v1.0.3.78 was discovered to contain multiple 
buffer over ...)
NOT-FOR-US: Netgear
 CVE-2023-36220 (Directory Traversal vulnerability in Textpattern CMS v4.8.8 
allows a r ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2023-36054 (lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 
1.20.2 an ...)
{DLA-3626-1}
- krb5 1.20.1-3 (bug #1043431)
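Review bot: the status token after "- textpattern" does not render in this view, so the committed line cannot be checked from here; the tracker syntax expects a version or an angle-bracket status such as <unfixed> in that position, and the same stripping is visible elsewhere in this digest where "haproxy  (Vulnerable code not present)" has lost its token while the context line "- krb5 1.20.1-3 (bug #1043431)" keeps its version. Converting these 4.8.x-era entries from NOT-FOR-US to a tracked textpattern entry also means every suite shipping the package will be evaluated against whatever status was committed, so a per-entry NOTE: with the fixed upstream version would help whoever assesses the stable suites.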
@@ -150237,7 +150237,7 @@ CVE-2021-44084
 CVE-2021-44083
RESERVED
 CVE-2021-44082 (textpattern 4.8.7 is vulnerable to Cross Site Scripting (XSS) 
via /tex ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2021-44081 (A buffer overflow vulnerability exists in the AMF of open5gs 
2.1.4. Wh ...)
NOT-FOR-US: Open5GS
 CVE-2021-44080 (A Command Injection vulnerability in httpd web server 
(setup.cgi) in S ...)
@@ -162881,7 +162881,7 @@ CVE-2021-40660 (An issue was discovered in Delight 
Nashorn Sandbox 0.2.0. There
 CVE-2021-40659
RESERVED
 CVE-2021-40658 (Textpattern 4.8.7 is affected by a HTML injection 
vulnerability throug ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2021-40657
RESERVED
 CVE-2021-40656 (libsixel before 1.10 is vulnerable to Buffer Overflow in 
libsixel/src/ ...)
@@ -162927,7 +162927,7 @@ CVE-2021-40644 (An SQL Injection vulnerability exists 
in oasys oa_system as of 9
 CVE-2021-40643 (EyesOfNetwork before 07-07-2021 has a Remote Code Execution 
vulnerabil ...)
NOT-FOR-US: EyesOfNetwork (EON)
 CVE-2021-40642 (Textpattern CMS v4.8.7 and older vulnerability exists through 
Sensitiv ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2021-40641
RESERVED
 CVE-2021-40640
@@ -189822,7 +189822,7 @@ CVE-2021-30211 (Knowage Suite 7.3 is vulnerable to 
Stored Cross-Site Scripting (
 CVE-2021-30210
RESERVED
 CVE-2021-30209 (Textpattern V4.8.4 contains an arbitrary file upload 
vulnerability whe ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2021-30208
RESERVED
 CVE-2021-30207
@@ -195617,9 +195617,9 @@ CVE-2021-28004
 CVE-2021-28003
RESERVED
 CVE-2021-28002 (A persistent cross-site scripting vulnerability was discovered 
in the  ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2021-28001 (A cross-site scripting vulnerability was discovered in the 
Comments pa ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2021-28000 (A persistent cross-site scripting vulnerability was discovered 
in Loca ...)
NOT-FOR-US: Local Services Search Engine Management System Project
 CVE-2021-27999 (A SQL injection vulnerability was discovered in the editid 
parameter i ...)
@@ -212254,7 +212254,7 @@ CVE-2020-35856 (SolarWinds Orion Platform before 
2020.2.5 allows stored XSS atta
 CVE-2020-35855
RESERVED
 CVE-2020-35854 (Textpattern 4.8.4 is affected by cross-site scripting (XSS) in 
the Bod ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2020-35853 (4images Image Gallery Management System 1.7.11 is affected by 
cross-si ...)
NOT-FOR-US: 4images Image Gallery Management System
 CVE-2020-35852 (Chatbox is affected by cross-site scripting (XSS). An attacker 
has to  ...)
@@ -220412,7 +220412,7 @@ CVE-2020-29460
 CVE-2020-29459
RESERVED
 CVE-2020-29458 (Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2020-29457 (A Privilege Elevation vulnerability in OPC UA .NET Standard 
Stack 1.4. ...)
NOT-FOR-US: OPC UA .NET
 CVE-2020-29456 (Multiple cross-site scripting (XSS) vulnerabilities in 
Papermerge befo ...)
@@ -238935,7 +238935,7 @@ CVE-2020-23241 (Cross Site Scripting (XSS) 
vulnerability in CMS Made Simple 2.2.
 CVE-2020-23240 (Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 
2.2.14 via  ...)
NOT-FOR-US: CMS Made Simple
 CVE-2020-23239 (Cross Site Scripting (XSS) vulnerability in Textpattern CMS 
4.8.1 via  ...)
-   NOT-FOR-US: Textpattern CMS
+   - textpattern 
 CVE-2020-23238 (Cross Site Scripting (XSS) vulnerability in Evolution CMS 
2.0.2 via th ...)
NOT-FOR-US: Evolution CMS
 CVE-2020-23237
@@ -246994,7 +246994,7 @@ CVE-2020-19512
 CVE-2020-19511 (Cross Site Scriptiong vulnerability in Typesetter 5.1 via the 
!1) clas ...)
NOT-FOR-US: Typesetter CMS
 CVE-2020-19510 (Textpattern 4.7.3 contains an aribtrary file load via the 
file_insert  ...)
-   NOT-FOR-US: Textpattern CMS
+  

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6879/aom

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c1fd43a2 by Salvatore Bonaccorso at 2023-12-28T09:35:20+01:00
Add CVE-2023-6879/aom

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -3,7 +3,11 @@ CVE-2023-7124 (A vulnerability, which was classified as 
problematic, was found i
 CVE-2023-7123 (A vulnerability, which was classified as critical, has been 
found in S ...)
NOT-FOR-US: SourceCodester Medicine Tracking System
 CVE-2023-6879 (Increasing the resolution of video frames, while performing a 
multi-th ...)
-   TODO: check
+   - aom 3.7.1-1
+   NOTE: https://crbug.com/aomedia/3491
+   NOTE: Fixed by: 
https://aomedia.googlesource.com/aom/+/7ae7bef246e85c8f349513d668b4571c79a43c5c 
(v3.7.1-rc1)
+   NOTE: Followup: 
https://aomedia.googlesource.com/aom/+/24467e8ac3b0f6f5d09457d342327393b8e3da3d 
(v3.7.1-rc1)
+   NOTE: Tests: 
https://aomedia.googlesource.com/aom/+/8b9ea452396a00f2d019b8b11b8876d363d62659 
(v3.7.1-rc1)
 CVE-2023-51084 (hyavijava v6.0.07.1 was discovered to contain a stack overflow 
via the ...)
NOT-FOR-US: hyavijava
 CVE-2023-51080 (The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was 
discover ...)
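Review bot: the entry records aom 3.7.1-1 as fixed and references three upstream commits (fix, follow-up and tests, all tagged v3.7.1-rc1), but no Debian bug and no bullseye/bookworm assessment, so both suites will show as affected until triaged; since the fix spans a primary commit and a follow-up, a stable backport would need to carry at least the first two, which is worth saying in the NOTE: lines so the follow-up is not dropped as optional.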



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c1fd43a24558b417af395b45d1b3826a79325430



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8f5ef231 by Salvatore Bonaccorso at 2023-12-28T09:35:01+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,45 +1,45 @@
 CVE-2023-7124 (A vulnerability, which was classified as problematic, was found 
in cod ...)
-   TODO: check
+   NOT-FOR-US: code-projects E-Commerce Site
 CVE-2023-7123 (A vulnerability, which was classified as critical, has been 
found in S ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Medicine Tracking System
 CVE-2023-6879 (Increasing the resolution of video frames, while performing a 
multi-th ...)
TODO: check
 CVE-2023-51084 (hyavijava v6.0.07.1 was discovered to contain a stack overflow 
via the ...)
-   TODO: check
+   NOT-FOR-US: hyavijava
 CVE-2023-51080 (The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was 
discover ...)
-   TODO: check
+   NOT-FOR-US: Hutool
 CVE-2023-51079 (A TimeOut error exists in the ParseTools.subCompileExpression 
method i ...)
TODO: check
 CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop 
in the  ...)
-   TODO: check
+   NOT-FOR-US: Hutool
 CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
TODO: check
 CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
TODO: check
 CVE-2023-51006 (An issue in the openFile method of Chinese Perpetual Calendar 
v9.0.0 a ...)
-   TODO: check
+   NOT-FOR-US: Chinese Perpetual Calendar
 CVE-2023-50692 (File Upload vulnerability in JIZHICMS v.2.5, allows remote 
attacker to ...)
-   TODO: check
+   NOT-FOR-US: JIZHICMS
 CVE-2023-50445 (Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 
v4.4.6, AXT ...)
-   TODO: check
+   NOT-FOR-US: GL.iNet
 CVE-2023-50038 (There is an arbitrary file upload vulnerability in the 
background of t ...)
- textpattern 
 CVE-2023-49469 (Reflected Cross Site Scripting (XSS) vulnerability in Shaarli 
v0.12.2, ...)
TODO: check
 CVE-2023-49230 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
-   TODO: check
+   NOT-FOR-US: Peplink Balance Two
 CVE-2023-49229 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
-   TODO: check
+   NOT-FOR-US: Peplink Balance Two
 CVE-2023-49228 (An issue was discovered in Peplink Balance Two before 8.4.0. 
Console p ...)
-   TODO: check
+   NOT-FOR-US: Peplink Balance Two
 CVE-2023-49003 (An issue in simplemobiletools Simple Dialer 5.18.1 allows an 
attacker  ...)
-   TODO: check
+   NOT-FOR-US: simplemobiletools Simple Dialer
 CVE-2023-49002 (An issue in Xenom Technologies (sinous) Phone Dialer-voice 
Call Dialer ...)
-   TODO: check
+   NOT-FOR-US: Phone Dialer-voice Call Dialer
 CVE-2023-49001 (An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an 
attacker ...)
-   TODO: check
+   NOT-FOR-US: Indi Browser (aka kvbrowser)
 CVE-2023-49000 (An issue in ArtistScope ArtisBrowser v.34.1.5 and before 
allows an att ...)
-   TODO: check
+   NOT-FOR-US: ArtistScope ArtisBrowser
 CVE-2023-47883 (The com.altamirano.fabricio.tvbrowser TV browser application 
through 4 ...)
TODO: check
 CVE-2023-47882 (The Kami Vision YI IoT com.yunyi.smartcamera application 
through 4.1.9 ...)
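Review bot: CVE-2023-49002's label "NOT-FOR-US: Phone Dialer-voice Call Dialer" drops the vendor string "Xenom Technologies (sinous)" that the description leads with, whereas CVE-2023-49001 in the same hunk keeps "Indi Browser (aka kvbrowser)"; keep the vendor in the label so the entry is findable when the next CVE for the same app arrives. The rest of the hunk is consistent, with hutool, Peplink Balance Two, GL.iNet and JIZHICMS labelled by the product name the description uses.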



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f5ef231e8459cca3ba1e21cc1c63cd02a49cabf



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-50038/textpattern

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fbba6185 by Salvatore Bonaccorso at 2023-12-28T09:34:25+01:00
Add CVE-2023-50038/textpattern

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,7 @@ CVE-2023-50692 (File Upload vulnerability in JIZHICMS v.2.5, 
allows remote attac
 CVE-2023-50445 (Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 
v4.4.6, AXT ...)
TODO: check
 CVE-2023-50038 (There is an arbitrary file upload vulnerability in the 
background of t ...)
-   TODO: check
+   - textpattern 
 CVE-2023-49469 (Reflected Cross Site Scripting (XSS) vulnerability in Shaarli 
v0.12.2, ...)
TODO: check
 CVE-2023-49230 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
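Review bot: the entry switches CVE-2023-50038 from TODO: check to a tracked textpattern line but records no NOTE: reference to the upstream report or fix and no Debian bug, unlike the shaarli and aom entries in this digest; an arbitrary file upload in the admin backend is exactly the kind of issue a later stable-suite assessment will need to revisit, so the reference belongs here. The status token after "- textpattern" also does not render in this view, so the line cannot be verified as shown.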



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbba6185d1d0997dcb936a36fa31c0e3d9551aae



[Git][security-tracker-team/security-tracker][master] automatic update

2023-12-28 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1023a8b7 by security tracker role at 2023-12-28T08:11:37+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,65 @@
+CVE-2023-7124 (A vulnerability, which was classified as problematic, was found 
in cod ...)
+   TODO: check
+CVE-2023-7123 (A vulnerability, which was classified as critical, has been 
found in S ...)
+   TODO: check
+CVE-2023-6879 (Increasing the resolution of video frames, while performing a 
multi-th ...)
+   TODO: check
+CVE-2023-51084 (hyavijava v6.0.07.1 was discovered to contain a stack overflow 
via the ...)
+   TODO: check
+CVE-2023-51080 (The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was 
discover ...)
+   TODO: check
+CVE-2023-51079 (A TimeOut error exists in the ParseTools.subCompileExpression 
method i ...)
+   TODO: check
+CVE-2023-51075 (hutool-core v5.8.23 was discovered to contain an infinite loop 
in the  ...)
+   TODO: check
+CVE-2023-51074 (json-path v2.8.0 was discovered to contain a stack overflow 
via the Cr ...)
+   TODO: check
+CVE-2023-51010 (An issue in the export component AdSdkH5Activity of 
com.sdjictec.qdmet ...)
+   TODO: check
+CVE-2023-51006 (An issue in the openFile method of Chinese Perpetual Calendar 
v9.0.0 a ...)
+   TODO: check
+CVE-2023-50692 (File Upload vulnerability in JIZHICMS v.2.5, allows remote 
attacker to ...)
+   TODO: check
+CVE-2023-50445 (Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 
v4.4.6, AXT ...)
+   TODO: check
+CVE-2023-50038 (There is an arbitrary file upload vulnerability in the 
background of t ...)
+   TODO: check
+CVE-2023-49469 (Reflected Cross Site Scripting (XSS) vulnerability in Shaarli 
v0.12.2, ...)
+   TODO: check
+CVE-2023-49230 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
+   TODO: check
+CVE-2023-49229 (An issue was discovered in Peplink Balance Two before 8.4.0. A 
missing ...)
+   TODO: check
+CVE-2023-49228 (An issue was discovered in Peplink Balance Two before 8.4.0. 
Console p ...)
+   TODO: check
+CVE-2023-49003 (An issue in simplemobiletools Simple Dialer 5.18.1 allows an 
attacker  ...)
+   TODO: check
+CVE-2023-49002 (An issue in Xenom Technologies (sinous) Phone Dialer-voice 
Call Dialer ...)
+   TODO: check
+CVE-2023-49001 (An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an 
attacker ...)
+   TODO: check
+CVE-2023-49000 (An issue in ArtistScope ArtisBrowser v.34.1.5 and before 
allows an att ...)
+   TODO: check
+CVE-2023-47883 (The com.altamirano.fabricio.tvbrowser TV browser application 
through 4 ...)
+   TODO: check
+CVE-2023-47882 (The Kami Vision YI IoT com.yunyi.smartcamera application 
through 4.1.9 ...)
+   TODO: check
+CVE-2023-46989 (SQL Injection vulnerability in the Innovadeluxe Quick Order 
module for ...)
+   TODO: check
+CVE-2023-46919 (Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and 
com.phlo ...)
+   TODO: check
+CVE-2023-46918 (Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server 
PLUS) 1.8.1- ...)
+   TODO: check
+CVE-2023-45702 (An HCL UrbanCode Deploy Agent installed as a Windows service 
in a non- ...)
+   TODO: check
+CVE-2023-45701 (HCL Launch could allow a remote attacker to obtain sensitive 
informati ...)
+   TODO: check
+CVE-2023-43955 (The com.phlox.tvwebbrowser TV Bro application through 2.0.0 
for Androi ...)
+   TODO: check
+CVE-2023-43481 (An issue in Shenzhen TCL Browser TV Web BrowseHere (aka 
com.tcl.browse ...)
+   TODO: check
+CVE-2023-34829 (Incorrect access control in TP-Link Tapo before v3.1.315 
allows attack ...)
+   TODO: check
 CVE-2023-7116 (A vulnerability, which was classified as critical, has been 
found in W ...)
NOT-FOR-US: WeiYe-Jing datax-web
 CVE-2023-6531
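Review bot: all 31 imported entries land as TODO: check, which is expected for the automatic import, but several identify Android applications by package id (com.phlox.simpleserver, com.phlox.tvwebbrowser, com.yunyi.smartcamera, com.tcl.browser, com.sdjictec.qdmetro) that cannot correspond to a Debian source package; the manual "Process some NFUs" commits in this digest resolve each of them to NOT-FOR-US by hand, so an import-time rule for such identifiers would save that pass.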
@@ -11616,6 +11678,7 @@ CVE-2023-5625 (A regression was introduced in the Red 
Hat build of python-eventl
- python-eventlet  (Red Hat-specific regression)
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2244717
 CVE-2023-39333
+   {DSA-5589-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1054892)
[bullseye] - nodejs  (Only affects 18.x and later)
[buster] - nodejs  (Only affects 18.x and later)
@@ -12433,6 +12496,7 @@ CVE-2023-39277 (SonicOS post-authentication stack-based 
buffer overflow vulnerab
 CVE-2023-39276 (SonicOS post-authentication stack-based buffer overflow 
vulnerability  ...)
NOT-FOR-US: SonicOS
 CVE-2023-38552 (When the Node.js policy feature checks the integrity of a 
resource aga ...)
+   {DSA-5589-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1054892)
[bullseye] - nodejs  (Only affects 18.x and later)
[buster] - nodejs  (Only affects 18.x and later)
@@ -22771,6 +22835,7 @@ CVE-