[Git][security-tracker-team/security-tracker][master] Add CVE-2024-22365/pam
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9c6ed559 by Salvatore Bonaccorso at 2024-01-18T08:35:05+01:00 Add CVE-2024-22365/pam - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,6 @@ +CVE-2024-22365 [pam_namespace: protect_dir(): use O_DIRECTORY to prevent local DoS situations] + - pam + NOTE: https://github.com/linux-pam/linux-pam/commit/031bb5a5d0d950253b68138b498dc93be69a64cb (v1.6.0) CVE-2023-6596 NOT-FOR-US: Red Hat OpenShift (specific for incomplete fixes in Red Hat for two OpenShift Containers) CVE-2024-22715 (Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Reque ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c6ed559188690ae79ac3ac9d4b785d2ca8fd263 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9c6ed559188690ae79ac3ac9d4b785d2ca8fd263 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
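Review bot: the `- pam` line added in this hunk carries no fixed version and no [bookworm]/[bullseye] annotation, so the tracker will show CVE-2024-22365 as open in every suite with nothing recorded about the stable releases; since the NOTE already identifies the upstream fix (commit 031bb5a5, v1.6.0), add the Debian version after `pam` once the fixed upload exists (the form used for `gnutls28 3.8.3-1` elsewhere in this file), record a per-release status, and consider a bug reference in the `(bug #...)` form as the gnutls28 entries carry.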
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-6596 as NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d1f83c1a by Salvatore Bonaccorso at 2024-01-18T07:33:01+01:00 Add CVE-2023-6596 as NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2023-6596 + NOT-FOR-US: Red Hat OpenShift (specific for incomplete fixes in Red Hat for two OpenShift Containers) CVE-2024-22715 (Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Reque ...) NOT-FOR-US: Stupid Simple CMS CVE-2024-22714 (Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d1f83c1a1a52ee3d95321617c7b712c1c7554832
[Git][security-tracker-team/security-tracker][master] chromium DSA
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: e571cd25 by Andres Salomon at 2024-01-17T18:24:30-05:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[17 Jan 2024] DSA-5602-1 chromium - security update + {CVE-2024-0517 CVE-2024-0518 CVE-2024-0519} + [bullseye] - chromium 120.0.6099.224-1~deb11u1 + [bookworm] - chromium 120.0.6099.224-1~deb12u1 [12 Jan 2024] DSA-5601-1 php-phpseclib3 - security update {CVE-2023-48795} [bookworm] - php-phpseclib3 3.0.19-1+deb12u2 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- -chromium (dilinger) --- cryptojs -- dnsdist (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e571cd2501eb629bd136649dfb3d23b2cc8730f5
[Git][security-tracker-team/security-tracker][master] Claim python-asyncssh
Daniel Leidert pushed to branch master at Debian Security Tracker / security-tracker Commits: 63a68d30 by Daniel Leidert at 2024-01-17T22:50:56+01:00 Claim python-asyncssh - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -174,7 +174,7 @@ putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) -- -python-asyncssh +python-asyncssh (dleidert) NOTE: 20240116: Added by Front-Desk (lamby) -- python-django (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/63a68d309a36a4e4deb321309094467462c7603e
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: efc55e54 by Salvatore Bonaccorso at 2024-01-17T21:57:38+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,19 +1,19 @@ CVE-2024-22715 (Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Reque ...) - TODO: check + NOT-FOR-US: Stupid Simple CMS CVE-2024-22714 (Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) ...) - TODO: check + NOT-FOR-US: Stupid Simple CMS CVE-2024-20287 (A vulnerability in the web-based management interface of the Cisco WAP ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20277 (A vulnerability in the web-based management interface of Cisco Thousan ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20272 (A vulnerability in the web-based management interface of Cisco Unity C ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20270 (A vulnerability in the web-based management interface of Cisco BroadWo ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-20251 (A vulnerability in the web-based management interface of Cisco Identit ...) - TODO: check + NOT-FOR-US: Cisco CVE-2024-0647 (A vulnerability, which was classified as problematic, was found in Spa ...) - TODO: check + NOT-FOR-US: Sparksuite SimpleMDE CVE-2024-0646 (An out-of-bounds memory write flaw was found in the Linux kernel\u2019 ...) - linux 6.6.8-1 [bookworm] - linux 6.1.69-1 
@@ -22,9 +22,9 @@ CVE-2024-0646 (An out-of-bounds memory write flaw was found in the Linux kernel\ CVE-2024-0645 (Buffer overflow vulnerability in Explorer++ affecting version 1.3.5.53 ...) TODO: check CVE-2024-0643 (Unrestricted upload of dangerous file types in the C21 Live Encoder an ...) - TODO: check + NOT-FOR-US: C21 Live encoder and Live Mosaic CVE-2024-0642 (Inadequate access control in the C21 Live Encoder and Live Mosaic prod ...) - TODO: check + NOT-FOR-US: C21 Live encoder and Live Mosaic CVE-2024-0641 (A denial of service vulnerability was found in tipc_crypto_key_revoke ...) - linux 6.5.8-1 [bookworm] - linux 6.1.64-1 @@ -38,21 +38,21 @@ CVE-2024-0639 (A denial of service vulnerability due to a deadlock was found in [buster] - linux 4.19.304-1 NOTE: https://git.kernel.org/linus/6feb37b3b06e9049e20dcf7e23998f92c9c5be9a (6.5-rc1) CVE-2024-0396 (In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.1 ...) - TODO: check + NOT-FOR-US: Progress MOVEit Transfer CVE-2023-7031 (Insecure Direct Object Reference vulnerabilities were discovered in th ...) - TODO: check + NOT-FOR-US: Avaya CVE-2023-5041 (The Track The Click WordPress plugin before 0.3.12 does not properly s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5006 (The WP Discord Invite WordPress plugin before 2.5.1 does not protect s ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-50950 (IBM QRadar SIEM 7.5 could disclose sensitive email information in resp ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-44077 (Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles s ...) - TODO: check + NOT-FOR-US: Studio Network Solutions ShareBrowser CVE-2023-34379 (Missing Authorization vulnerability in MagneticOne Cart2Cart: Magento ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2021-4434 (The Social Warfare plugin for WordPress is vulnerable to Remote Code E ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-20968 - mysql-8.0 8.0.35-1 CVE-2024-20984 
@@ -61128,7 +61128,7 @@ CVE-2023-23898 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi CVE-2023-23897 (Cross-Site Request Forgery (CSRF) vulnerability in Ozette Plugins Simp ...) NOT-FOR-US: WordPress plugin CVE-2023-23896 (Missing Authorization vulnerability in MyThemeShop URL Shortener by My ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-23895 RESERVED CVE-2023-23894 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) @@ -61156,7 +61156,7 @@ CVE-2023-23884 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i CVE-2023-23883 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerabilityin David ...) NOT-FOR-US: WordPress plugin CVE-2023-23882 (Missing Authorization vulnerability in Brainstorm Force Ultimate Addon ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-23881 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gree ...) NOT-FOR-US: WordPress plugin CVE-2023-23880 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) @@ -82889,
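Review bot: the reason strings in the second hunk, `NOT-FOR-US: C21 Live encoder and Live Mosaic`, spell the product with a lowercase `encoder` while the CVE descriptions on the same lines say `C21 Live Encoder`; use the product's own capitalisation so that searching the file for the vendor name matches both the description and the reason consistently.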
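Review bot: in the third hunk CVE-2023-34379 is closed as `NOT-FOR-US: WordPress plugin`, but the visible description reads `Missing Authorization vulnerability in MagneticOne Cart2Cart: Magento ...`, which does not by itself say WordPress; please confirm the affected component is the WordPress plugin before merging, or use a reason string that names Cart2Cart, as was done for the other vendor-specific NFUs in the same hunk (`Progress MOVEit Transfer`, `Avaya`, `IBM`).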
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-0646/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 06d8d643 by Salvatore Bonaccorso at 2024-01-17T21:47:03+01:00 Add CVE-2024-0646/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,7 +15,10 @@ CVE-2024-20251 (A vulnerability in the web-based management interface of Cisco I CVE-2024-0647 (A vulnerability, which was classified as problematic, was found in Spa ...) TODO: check CVE-2024-0646 (An out-of-bounds memory write flaw was found in the Linux kernel\u2019 ...) - TODO: check + - linux 6.6.8-1 + [bookworm] - linux 6.1.69-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/c5a595000e2677e865a39f249c056bc05d6e55fd (6.7-rc5) CVE-2024-0645 (Buffer overflow vulnerability in Explorer++ affecting version 1.3.5.53 ...) TODO: check CVE-2024-0643 (Unrestricted upload of dangerous file types in the C21 Live Encoder an ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/06d8d643f72e4e9568721a4f3c246745148bd2f4
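Review bot: this hunk records unstable (6.6.8-1), bookworm (6.1.69-1) and buster ('Vulnerable code not present') for CVE-2024-0646 but gives no [bullseye] line, whereas the sibling kernel entries added in the same series (CVE-2024-0641, CVE-2024-0639) annotate all four suites; add a `[bullseye] - linux ...` line with either the fixed 5.10.y version or the same 'Vulnerable code not present' marker so the bullseye status is stated rather than left implicit.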
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-0641/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8a82c2a0 by Salvatore Bonaccorso at 2024-01-17T21:36:20+01:00 Add CVE-2024-0641/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,11 @@ CVE-2024-0643 (Unrestricted upload of dangerous file types in the C21 Live Encod CVE-2024-0642 (Inadequate access control in the C21 Live Encoder and Live Mosaic prod ...) TODO: check CVE-2024-0641 (A denial of service vulnerability was found in tipc_crypto_key_revoke ...) - TODO: check + - linux 6.5.8-1 + [bookworm] - linux 6.1.64-1 + [bullseye] - linux 5.10.205-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/08e50cf071847323414df0835109b6f3560d44f5 (6.6-rc5) CVE-2024-0639 (A denial of service vulnerability due to a deadlock was found in sctp_ ...) - linux 6.4.4-1 [bookworm] - linux 6.1.52-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a82c2a094d43825e12dad480d3c495cd942a4aa
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-0639/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd5eace7 by Salvatore Bonaccorso at 2024-01-17T21:27:54+01:00 Add CVE-2024-0639/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,7 +25,11 @@ CVE-2024-0642 (Inadequate access control in the C21 Live Encoder and Live Mosaic CVE-2024-0641 (A denial of service vulnerability was found in tipc_crypto_key_revoke ...) TODO: check CVE-2024-0639 (A denial of service vulnerability due to a deadlock was found in sctp_ ...) - TODO: check + - linux 6.4.4-1 + [bookworm] - linux 6.1.52-1 + [bullseye] - linux 5.10.191-1 + [buster] - linux 4.19.304-1 + NOTE: https://git.kernel.org/linus/6feb37b3b06e9049e20dcf7e23998f92c9c5be9a (6.5-rc1) CVE-2024-0396 (In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.1 ...) TODO: check CVE-2023-7031 (Insecure Direct Object Reference vulnerabilities were discovered in th ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd5eace70e2eb275b544754b06cf1f5c886bfae1
[Git][security-tracker-team/security-tracker][master] Track fixed version for openjdk-11 issues via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a3d4bf10 by Salvatore Bonaccorso at 2024-01-17T21:17:32+01:00 Track fixed version for openjdk-11 issues via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -257,32 +257,32 @@ CVE-2024-20925 - openjfx (Only affects JavaFX 8) CVE-2024-20945 - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.22+7-1 - openjdk-17 17.0.10+7-1 - openjdk-21 21.0.2+13-1 CVE-2024-20926 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.22+7-1 - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20921 - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.22+7-1 - openjdk-17 17.0.10+7-1 - openjdk-21 21.0.2+13-1 CVE-2024-20919 - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.22+7-1 - openjdk-17 17.0.10+7-1 - openjdk-21 21.0.2+13-1 CVE-2024-20952 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.22+7-1 - openjdk-17 17.0.10+7-1 - openjdk-21 21.0.2+13-1 CVE-2024-20918 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - - openjdk-11 + - openjdk-11 11.0.22+7-1 - openjdk-17 17.0.10+7-1 - openjdk-21 21.0.2+13-1 CVE-2024-20932 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a3d4bf10aa96918a78eafe756dab3f6449b5a575
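Review bot: after this hunk CVE-2024-20926 is the only entry in the block whose `- openjdk-21` line still has no fixed version, while every neighbouring entry carries `openjdk-21 21.0.2+13-1`; if 20926 genuinely does not affect the 21 series, annotate the line to say so, and if it does, add the fixed version alongside the openjdk-11 one being tracked here, otherwise the entry keeps reporting openjdk-21 in unstable as vulnerable.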
[Git][security-tracker-team/security-tracker][master] Track openjdk-21 issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9f9b15c5 by Salvatore Bonaccorso at 2024-01-17T21:14:20+01:00 Track openjdk-21 issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -259,7 +259,7 @@ CVE-2024-20945 - openjdk-8 - openjdk-11 - openjdk-17 17.0.10+7-1 - - openjdk-21 + - openjdk-21 21.0.2+13-1 CVE-2024-20926 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 @@ -269,22 +269,22 @@ CVE-2024-20921 - openjdk-8 - openjdk-11 - openjdk-17 17.0.10+7-1 - - openjdk-21 + - openjdk-21 21.0.2+13-1 CVE-2024-20919 - openjdk-8 - openjdk-11 - openjdk-17 17.0.10+7-1 - - openjdk-21 + - openjdk-21 21.0.2+13-1 CVE-2024-20952 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - openjdk-17 17.0.10+7-1 - - openjdk-21 + - openjdk-21 21.0.2+13-1 CVE-2024-20918 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - openjdk-17 17.0.10+7-1 - - openjdk-21 + - openjdk-21 21.0.2+13-1 CVE-2024-20932 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-17 17.0.10+7-1 CVE-2024-23347 (Prior to v176, when opening a new project Meta Spark Studio would exec ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9f9b15c5220c37a2a1a9f4c58f0b056c856a580b
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49480703 by security tracker role at 2024-01-17T20:12:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,47 @@ +CVE-2024-22715 (Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Reque ...) + TODO: check +CVE-2024-22714 (Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) ...) + TODO: check +CVE-2024-20287 (A vulnerability in the web-based management interface of the Cisco WAP ...) + TODO: check +CVE-2024-20277 (A vulnerability in the web-based management interface of Cisco Thousan ...) + TODO: check +CVE-2024-20272 (A vulnerability in the web-based management interface of Cisco Unity C ...) + TODO: check +CVE-2024-20270 (A vulnerability in the web-based management interface of Cisco BroadWo ...) + TODO: check +CVE-2024-20251 (A vulnerability in the web-based management interface of Cisco Identit ...) + TODO: check +CVE-2024-0647 (A vulnerability, which was classified as problematic, was found in Spa ...) + TODO: check +CVE-2024-0646 (An out-of-bounds memory write flaw was found in the Linux kernel\u2019 ...) + TODO: check +CVE-2024-0645 (Buffer overflow vulnerability in Explorer++ affecting version 1.3.5.53 ...) + TODO: check +CVE-2024-0643 (Unrestricted upload of dangerous file types in the C21 Live Encoder an ...) + TODO: check +CVE-2024-0642 (Inadequate access control in the C21 Live Encoder and Live Mosaic prod ...) + TODO: check +CVE-2024-0641 (A denial of service vulnerability was found in tipc_crypto_key_revoke ...) + TODO: check +CVE-2024-0639 (A denial of service vulnerability due to a deadlock was found in sctp_ ...) + TODO: check +CVE-2024-0396 (In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.1 ...) + TODO: check +CVE-2023-7031 (Insecure Direct Object Reference vulnerabilities were discovered in th ...) + TODO: check +CVE-2023-5041 (The Track The Click WordPress plugin before 0.3.12 does not properly s ...) + TODO: check +CVE-2023-5006 (The WP Discord Invite WordPress plugin before 2.5.1 does not protect s ...) 
+ TODO: check +CVE-2023-50950 (IBM QRadar SIEM 7.5 could disclose sensitive email information in resp ...) + TODO: check +CVE-2023-44077 (Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles s ...) + TODO: check +CVE-2023-34379 (Missing Authorization vulnerability in MagneticOne Cart2Cart: Magento ...) + TODO: check +CVE-2021-4434 (The Social Warfare plugin for WordPress is vulnerable to Remote Code E ...) + TODO: check CVE-2024-20968 - mysql-8.0 8.0.35-1 CVE-2024-20984 @@ -560,7 +604,7 @@ CVE-2023-49107 (Generation of Error Message Containing Sensitive Information vul NOT-FOR-US: Hitachi CVE-2023-49106 (Missing Password Field Masking vulnerability in Hitachi Device Manager ...) NOT-FOR-US: Hitachi -CVE-2023-48104 (Alinto SOGo 5.8.0 is vulnerable to HTML Injection.) +CVE-2023-48104 (Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.) - sogo (bug #1060925) NOTE: Fixed by: https://github.com/Alinto/sogo/commit/7481ccf37087c3f456d7e5a844da01d0f8883098 (SOGo-5.9.1) CVE-2023-47460 (SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a rem ...) @@ -41804,6 +41848,7 @@ CVE-2023-30209 CVE-2023-30208 RESERVED CVE-2023-30207 (A divide by zero issue discovered in Kodi Home Theater Software 19.5 a ...) + {DLA-3712-1} - kodi 2:20.0~rc2+dfsg-2 (bug #1040593) [bullseye] - kodi (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22378 @@ -61071,8 +61116,8 @@ CVE-2023-23898 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerabi NOT-FOR-US: WordPress plugin CVE-2023-23897 (Cross-Site Request Forgery (CSRF) vulnerability in Ozette Plugins Simp ...) NOT-FOR-US: WordPress plugin -CVE-2023-23896 - RESERVED +CVE-2023-23896 (Missing Authorization vulnerability in MyThemeShop URL Shortener by My ...) + TODO: check CVE-2023-23895 RESERVED CVE-2023-23894 (Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability i ...) 
@@ -61099,8 +61144,8 @@ CVE-2023-23884 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability i NOT-FOR-US: WordPress plugin CVE-2023-23883 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerabilityin David ...) NOT-FOR-US: WordPress plugin -CVE-2023-23882 - RESERVED +CVE-2023-23882 (Missing Authorization vulnerability in Brainstorm Force Ultimate Addon ...) + TODO: check CVE-2023-23881 (Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gree ...) NOT-FOR-US: WordPress plugin CVE-2023-23880 (Aut
[Git][security-tracker-team/security-tracker][master] Track fixed version for gnutls28 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d0e16d53 by Salvatore Bonaccorso at 2024-01-17T19:35:28+01:00 Track fixed version for gnutls28 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -295,7 +295,7 @@ CVE-2024-0570 (A vulnerability classified as critical was found in Totolink N350 CVE-2024-0569 (A vulnerability classified as problematic has been found in Totolink T ...) NOT-FOR-US: Totolink CVE-2024-0567 (A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTL ...) - - gnutls28 (bug #1061045) + - gnutls28 3.8.3-1 (bug #1061045) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1521 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-09 NOTE: https://lists.gnupg.org/pipermail/gnutls-help/2024-January/004841.html @@ -307,7 +307,7 @@ CVE-2024-0555 (A Cross-Site Request Forgery (CSRF) vulnerability has been found CVE-2024-0554 (A Cross-site scripting (XSS) vulnerability has been found on WIC1200, ...) NOT-FOR-US: WIC200 CVE-2024-0553 (A vulnerability was found in GnuTLS. The response times to malformed c ...) - - gnutls28 (bug #1061046) + - gnutls28 3.8.3-1 (bug #1061046) NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1522 NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2024-01-14 NOTE: https://gitlab.com/gnutls/gnutls/-/commit/40dbbd8de499668590e8af51a15799fbc430595e (3.8.3) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e16d5329463668cd1be9ca4e929834cdba6608
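Review bot: both hunks record the 3.8.3-1 unstable fix, but CVE-2024-0553 carries a NOTE pointing at the upstream fix commit (40dbbd8d, 3.8.3) while CVE-2024-0567 only references the issue, the advisory and the mailing-list post; add the corresponding fix-commit NOTE for CVE-2024-0567 so that a stable backport can be prepared from the entry alone, and note that neither entry yet has a [bookworm] or [bullseye] status line.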
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-0607/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f455721 by Salvatore Bonaccorso at 2024-01-17T07:59:58+01:00 Add CVE-2024-0607/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-0607 [netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()] + - linux 6.5.13-1 + [bookworm] - linux 6.1.64-1 + NOTE: https://git.kernel.org/linus/c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 (6.7-rc2) CVE-2024-0519 - chromium 120.0.6099.224-1 [buster] - chromium (see DSA 5046) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f455721453ae69b70a993ef08de923ebc1000a5
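Review bot: the new CVE-2024-0607 entry tracks unstable (6.5.13-1) and bookworm (6.1.64-1) but has no [bullseye] or [buster] line, unlike the other kernel entries on this list (CVE-2024-0641, CVE-2024-0639), which mark each suite with either a fixed version or 'Vulnerable code not present'; the bracketed title names nft_byteorder_eval() and the NOTE dates the fix to 6.7-rc2, so the 5.10.y and 4.19.y status should be stated explicitly rather than left unstated.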
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: claim frr
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 779a6cd7 by Abhijith PA at 2024-01-17T17:46:02+05:30 data/dla-needed.txt: claim frr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -77,7 +77,7 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -frr +frr (Abhijith PA) NOTE: 20231119: Added by Front-Desk (apo) -- golang-go.crypto View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/779a6cd7cbdc7906a7b3984264ae089b3619fb2e
[Git][security-tracker-team/security-tracker][master] 3 commits: Add new chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: eaf475ce by Salvatore Bonaccorso at 2024-01-17T06:06:20+01:00 Add new chromium issues - - - - - 83c0b17f by Salvatore Bonaccorso at 2024-01-17T06:07:05+01:00 Add chromium to dsa-needed list - - - - - 21ca1f64 by Salvatore Bonaccorso at 2024-01-17T06:08:12+01:00 Track fixes for chromium via unstable - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,12 @@ +CVE-2024-0519 + - chromium 120.0.6099.224-1 + [buster] - chromium (see DSA 5046) +CVE-2024-0518 + - chromium 120.0.6099.224-1 + [buster] - chromium (see DSA 5046) +CVE-2024-0517 + - chromium 120.0.6099.224-1 + [buster] - chromium (see DSA 5046) CVE-2024-20922 - openjfx (Only affects JavaFX 8) CVE-2024-20923 = data/dsa-needed.txt = @@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- +chromium (dilinger) +-- cryptojs -- dnsdist (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/906f5afcccb9549a19147be3a326a4334cc2e3fe...21ca1f6416c6d4c9cf59776121a5112d4d0e46e2
[Git][security-tracker-team/security-tracker][master] new mysql issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d10a6281 by Moritz Muehlenhoff at 2024-01-17T09:44:44+01:00 new mysql issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-20964 + - mysql-8.0 +CVE-2024-20960 + - mysql-8.0 +CVE-2024-20962 + - mysql-8.0 CVE-2024-22916 (In D-LINK Go-RT-AC750 v101b03, the sprintf function in the sub_40E700 ...) TODO: check CVE-2024-22411 (Avo is a framework to create admin panels for Ruby on Rails apps. In A ...) @@ -19,7 +25,7 @@ CVE-2024-21670 (Ursa is a cryptographic library for use with blockchains. The re CVE-2024-20987 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) TODO: check CVE-2024-20985 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20983 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) TODO: check CVE-2024-20981 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
@@ -27,23 +33,23 @@ CVE-2024-20981 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-20979 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) TODO: check CVE-2024-20977 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20975 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 (Only affects 8.2) CVE-2024-20973 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20971 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) TODO: check CVE-2024-20969 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20967 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20965 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + NOT-FOR-US: MySQL Cluster CVE-2024-20963 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20961 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20959 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracl ...) TODO: check CVE-2024-20957 (Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d10a62814212cae35ac540938de327ab0b6a48a5
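Review bot: the three entries added at the top of the first hunk (CVE-2024-20964, CVE-2024-20960, CVE-2024-20962) and the `- mysql-8.0` line set for CVE-2024-20985 further down carry no fixed version, although CVE-2024-20968 in this same file is tracked as `mysql-8.0 8.0.35-1`; please confirm whether the same upload fixes these issues and, if so, record the version on them too, otherwise the tracker will show mysql-8.0 as vulnerable in unstable for these CVEs but fixed for 20968.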
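Review bot: in the second hunk CVE-2024-20971 is the only MySQL Server entry left at `TODO: check` while the entries on either side are resolved to `- mysql-8.0`, and CVE-2024-20975 gets `- mysql-8.0 (Only affects 8.2)` with no fixed version; either resolve 20971 in the same pass or say why it is held back, and for 20975 confirm that an issue affecting only the 8.2 series should be tracked against the mysql-8.0 source at all rather than recorded as not affecting it.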
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3712-1 for kodi
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: cc67988d by Abhijith PA at 2024-01-17T15:52:17+05:30 Reserve DLA-3712-1 for kodi - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -41801,7 +41801,6 @@ CVE-2023-30208 CVE-2023-30207 (A divide by zero issue discovered in Kodi Home Theater Software 19.5 a ...) - kodi 2:20.0~rc2+dfsg-2 (bug #1040593) [bullseye] - kodi (Minor issue) - [buster] - kodi (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22378 NOTE: https://github.com/xbmc/xbmc/commit/dbc00c500f4c4830049cc040a61c439c580eea73 NOTE: https://github.com/xbmc/xbmc/pull/22391 @@ -63494,7 +63493,6 @@ CVE-2023-23083 CVE-2023-23082 (A heap buffer overflow vulnerability in Kodi Home Theater Software up ...) - kodi 2:20.0+dfsg-2 (bug #1031048) [bullseye] - kodi (Minor issue) - [buster] - kodi (Minor issue) NOTE: https://github.com/xbmc/xbmc/issues/22377 NOTE: https://github.com/xbmc/xbmc/commit/00fec1dbdd1df827872c7b55ad93059636dfc076 NOTE: https://github.com/xbmc/xbmc/commit/7e5f9fbf9aaa3540aab35e7504036855b23dcf60 @@ -159825,7 +159823,6 @@ CVE-2021-42918 CVE-2021-42917 (Buffer overflow vulnerability in Kodi xbmc up to 19.0, allows attacker ...) - kodi 2:19.3+dfsg1-1 (bug #998419) [bullseye] - kodi 2:19.1+dfsg2-2+deb11u1 - [buster] - kodi (Minor issue) [stretch] - kodi (no point in fixing this when the more severe CVE-2017-5982 is ignored) - xbmc NOTE: https://github.com/xbmc/xbmc/commit/80c8138c09598e88b4ddb6dbb279fa193bbb3237 @@ -448280,7 +448277,6 @@ CVE-2017-5983 (The JIRA Workflow Designer Plugin in Atlassian JIRA Server before NOT-FOR-US: JIRA Workflow Designer Plugin CVE-2017-5982 (Directory traversal vulnerability in the Chorus2 2.4.2 add-on for Kodi ...) - kodi 2:18.6+dfsg1-1 (bug #855225) - [buster] - kodi (Minor issue) [stretch] - kodi (Minor issue) [jessie] - kodi (Minor issue) - xbmc (bug #861274) = data/DLA/list = 
@@ -1,3 +1,6 @@ +[17 Jan 2024] DLA-3712-1 kodi - security update + {CVE-2017-5982 CVE-2021-42917 CVE-2023-23082 CVE-2023-30207} + [buster] - kodi 2:17.6+dfsg1-4+deb10u1 [10 Jan 2024] DLA-3711-1 linux-5.10 - security update {CVE-2021-44879 CVE-2023-5178 CVE-2023-5197 CVE-2023-5717 CVE-2023-6121 CVE-2023-6531 CVE-2023-6817 CVE-2023-6931 CVE-2023-6932 CVE-2023-25775 CVE-2023-34324 CVE-2023-35827 CVE-2023-45863 CVE-2023-46813 CVE-2023-46862 CVE-2023-51780 CVE-2023-51781 CVE-2023-51782} [buster] - linux-5.10 5.10.205-2~deb10u1 = data/dla-needed.txt = @@ -115,11 +115,6 @@ keystone (rouca) knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- -kodi (Abhijith PA) - NOTE: 20231228: Added by Front-Desk (lamby) - NOTE: 20231228: CVE-2021-42917 was postponed in 2021; fixed in bullseye via DSA or point release. (lamby) - NOTE: 20240414: Fixed issues. https://people.debian.org/~abhijith/upload/kport/update/. Testing (abhijith) --- libreswan NOTE: 20230817: Added by Front-Desk (ta) NOTE: 20230909: Prepared a patch for CVE-2023-38712 and pushed it to View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc67988d2ce63a7661ca0091af3876ce01cb50f5
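Review bot: in the data/dla-needed.txt hunk the removed line `NOTE: 20240414: Fixed issues. ...` carries a date three months after this commit (2024-01-17), so it was presumably meant to read 20240114; no action is needed since the kodi entry is dropped together with the DLA, but do not copy that date elsewhere. The data/CVE/list hunks drop `[buster] - kodi (Minor issue)` for exactly the four CVEs named in DLA-3712-1 and nothing else, so buster status for those now derives from the new DLA entry with fixed version 2:17.6+dfsg1-4+deb10u1, which is the expected pairing.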
[Git][security-tracker-team/security-tracker][master] Update information for CVE-2023-6395/{mock,templated-dictionary}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ad173a0 by Salvatore Bonaccorso at 2024-01-17T07:53:14+01:00 Update information for CVE-2023-6395/{mock,templated-dictionary} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -279,8 +279,10 @@ CVE-2023-6395 (The Mock software contains a vulnerability wherein an attacker co - mock - templated-dictionary (bug #1025862) NOTE: https://www.openwall.com/lists/oss-security/2024/01/16/1 - NOTE: https://github.com/xsuchy/templated-dictionary/commit/bcd90f0dafa365575c4b101e6f5d98c4ef4e4b69 - NOTE: https://github.com/xsuchy/templated-dictionary/commit/0740bd0ca8d487301881541028977d120f8b8933 + NOTE: Introduced in: https://github.com/rpm-software-management/mock/commit/426d973c2917a18303eea243bdf496ff6942bd27 (mock-1.4.14-1) + NOTE: templated-dictionary spit up from mock project in: https://github.com/rpm-software-management/mock/commit/c989e28ba92c571c0834e9b5d10ef29340e661f8 (mock-2.9) + NOTE: Fixed by: https://github.com/xsuchy/templated-dictionary/commit/bcd90f0dafa365575c4b101e6f5d98c4ef4e4b69 (python-templated-dictionary-1.4-1) + NOTE: Fixed by: https://github.com/xsuchy/templated-dictionary/commit/0740bd0ca8d487301881541028977d120f8b8933 (python-templated-dictionary-1.4-1) CVE-2024-0408 [SELinux unlabeled GLX PBuffer] - xorg-server 2:21.1.11-1 - xwayland View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ad173a06ad80c9e2214223f4e41e2771d95f58c
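Review bot: typo in the second added NOTE: `templated-dictionary spit up from mock project in:` should read `split up`. Separately, both `Fixed by:` notes name python-templated-dictionary-1.4-1 as the fixing release, but the `- templated-dictionary (bug #1025862)` line still has no fixed version; if the Debian package is at or above upstream 1.4 the fixed version should be recorded, and if bug #1025862 is an ITP for a package not yet in the archive, say so in a NOTE so the open entry is not mistaken for an unpatched package.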
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f53c59a by Moritz Muehlenhoff at 2024-01-17T09:54:28+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,25 +23,25 @@ CVE-2024-20960 CVE-2024-20962 - mysql-8.0 CVE-2024-22916 (In D-LINK Go-RT-AC750 v101b03, the sprintf function in the sub_40E700 ...) - TODO: check + NOT-FOR-US: D-LINK CVE-2024-22411 (Avo is a framework to create admin panels for Ruby on Rails apps. In A ...) - TODO: check + NOT-FOR-US: Avo CVE-2024-22409 (DataHub is an open-source metadata platform. In affected versions a lo ...) - TODO: check + NOT-FOR-US: DataHub CVE-2024-22408 (Shopware is an open headless commerce platform. The implemented Flow B ...) - TODO: check + NOT-FOR-US: Shopware CVE-2024-22407 (Shopware is an open headless commerce platform. In the Shopware CMS, t ...) - TODO: check + NOT-FOR-US: Shopware CVE-2024-22406 (Shopware is an open headless commerce platform. The Shopware applicati ...) - TODO: check + NOT-FOR-US: Shopware CVE-2024-22192 (Ursa is a cryptographic library for use with blockchains. The revocati ...) - TODO: check + NOT-FOR-US: Ursa CVE-2024-22191 (Avo is a framework to create admin panels for Ruby on Rails apps. A st ...) - TODO: check + NOT-FOR-US: Avo CVE-2024-21670 (Ursa is a cryptographic library for use with blockchains. The revocati ...) - TODO: check + NOT-FOR-US: Ursa CVE-2024-20987 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20985 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20983 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
@@ -49,7 +49,7 @@ CVE-2024-20983 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-20981 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20979 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20977 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20975 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
@@ -69,129 +69,129 @@ CVE-2024-20963 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-20961 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20959 (Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracl ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20957 (Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20955 (Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20950 (Vulnerability in the Oracle Customer Interaction History product of Or ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20948 (Vulnerability in the Oracle Knowledge Management product of Oracle E-B ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20946 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20944 (Vulnerability in the Oracle iSupport product of Oracle E-Business Suit ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20942 (Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20940 (Vulnerability in the Oracle Knowledge Management product of Oracle E-B ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20938 (Vulnerability in the Oracle iStore product of Oracle E-Business Suite ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20936 (Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20934 (Vulnerability in the Oracle Installed Base product of Oracle E-Busines ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20930 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20928 (Vulnerability in the Oracle WebCenter Content product of Oracle Fusion ...) 
- TODO: check + NOT-FOR-US: Oracle CVE-2024-20924 (Vulnerability in Oracle Audit Vault and Database Firewall (component: ...) - TODO: check + NOT-FOR-US: Oracle CVE-2024-20920 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) -
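Review bot: CVE-2024-20955 is described as affecting `Oracle GraalVM for JDK, Oracle GraalVM Enterprise ...` and is marked `NOT-FOR-US: Oracle`, while the Java SE CVEs from the same CPU (for example CVE-2024-20926, CVE-2024-20952 and CVE-2024-20918 in commit 48c70ae2 on this page) are tracked against openjdk-8/11/17/21; the NFU is right if the full advisory text does not also list Oracle Java SE, but that should be confirmed from the advisory rather than from the truncated description line. The remaining `TODO: check` to `NOT-FOR-US` conversions are all for closed-source Oracle products, Shopware, Avo, DataHub, Ursa and a D-Link device and look correct. This message is cut off after the CVE-2024-20920 entry.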
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-51698/atril via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a16293ce by Salvatore Bonaccorso at 2024-01-17T07:15:11+01:00 Track fixed version for CVE-2023-51698/atril via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -642,7 +642,7 @@ CVE-2023-51805 (SQL Injection vulnerability in TDuckCLoud tduck-platform v.4.0 a CVE-2023-51804 (An issue in rymcu forest v.0.02 allows a remote attacker to obtain sen ...) NOT-FOR-US: rymcu forest CVE-2023-51698 (Atril is a simple multi-page document viewer. Atril is vulnerable to a ...) - - atril (bug #1060751) + - atril 1.26.1-4 (bug #1060751) - evince 3.25.92-1 NOTE: https://github.com/mate-desktop/atril/security/advisories/GHSA-34rr-j8v9-v4p2 NOTE: Fixed by: https://github.com/mate-desktop/atril/commit/ce41df6467521ff9fd4f16514ae7d6ebb62eb1ed View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a16293ce07c91dcd6a25ce0f82a9f774ba8d4a30
[Git][security-tracker-team/security-tracker][master] more mysql issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c7910d51 by Moritz Muehlenhoff at 2024-01-17T09:49:11+01:00 more mysql issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,21 @@ +CVE-2024-20968 + - mysql-8.0 8.0.35-1 +CVE-2024-20984 + - mysql-8.0 +CVE-2024-20982 + - mysql-8.0 +CVE-2024-20978 + - mysql-8.0 +CVE-2024-20976 + - mysql-8.0 +CVE-2024-20974 + - mysql-8.0 +CVE-2024-20972 + - mysql-8.0 +CVE-2024-20970 + - mysql-8.0 +CVE-2024-20966 + - mysql-8.0 CVE-2024-20964 - mysql-8.0 CVE-2024-20960 @@ -27,9 +45,9 @@ CVE-2024-20987 (Vulnerability in the Oracle BI Publisher product of Oracle Analy CVE-2024-20985 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20983 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 8.0.35-1 CVE-2024-20981 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20979 (Vulnerability in the Oracle BI Publisher product of Oracle Analytics ( ...) TODO: check CVE-2024-20977 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) 
@@ -39,13 +57,13 @@ CVE-2024-20975 (Vulnerability in the MySQL Server product of Oracle MySQL (compo CVE-2024-20973 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20971 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - TODO: check + - mysql-8.0 CVE-2024-20969 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20967 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20965 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - NOT-FOR-US: MySQL Cluster + - mysql-8.0 CVE-2024-20963 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) - mysql-8.0 CVE-2024-20961 (Vulnerability in the MySQL Server product of Oracle MySQL (component: ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7910d51e8456a979141bde63e7cb9521de76b12
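Review bot: CVE-2024-20965 is flipped from `NOT-FOR-US: MySQL Cluster` (set in commit d10a6281, above) to `- mysql-8.0` without a NOTE giving the reason; a one-line NOTE naming the affected component would stop the next triager from flipping it back. In the first hunk only CVE-2024-20968 and, in the second, CVE-2024-20983 carry the fixed version 8.0.35-1, while the other nine new `- mysql-8.0` entries are left open with no version; if those two were fixed in an earlier upstream release than the rest of the batch, a NOTE pointing at the release notes would make that visible, otherwise the versions should match.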
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 13a1b911 by Moritz Muehlenhoff at 2024-01-17T10:40:59+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -578,7 +578,7 @@ CVE-2023-41619 (Emlog Pro v2.1.14 was discovered to contain a cross-site scripti CVE-2011-10005 (A vulnerability, which was classified as critical, was found in EasyFT ...) NOT-FOR-US: EasyFTP CVE-2024-22207 (fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior ...) - TODO: check + NOT-FOR-US: fastify-swagger-ui CVE-2024-20721 (Acrobat Reader T5 (MSFT Edge) versions 120.0.2210.91 and earlier are a ...) NOT-FOR-US: Acrobat Reader T5 (MSFT Edge) CVE-2024-20709 (Acrobat Reader T5 (MSFT Edge) versions 120.0.2210.91 and earlier are a ...) @@ -640,7 +640,7 @@ CVE-2023-5905 (The DeMomentSomTres WordPress Export Posts With Images WordPress CVE-2023-5253 (A missing authentication check in the WebSocket channel used for the C ...) NOT-FOR-US: Nozomi Networks CVE-2023-50729 (Traccar is an open source GPS tracking system. Prior to 5.11, Traccar ...) - TODO: check + NOT-FOR-US: Traccar CVE-2023-4925 (The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not ...) NOT-FOR-US: WordPress plugin CVE-2023-4818 (PAX A920 device allows to downgrade bootloader due to a bug in its ver ...) @@ -57012,7 +57012,7 @@ CVE-2023-25297 CVE-2023-25296 RESERVED CVE-2023-25295 (Cross Site Scripting (XSS) vulnerability in GRN Software Group eVEWA3 ...) - TODO: check + NOT-FOR-US: GRN Software Group eVEWA3 Community CVE-2023-25294 RESERVED CVE-2023-25293 
@@ -69433,7 +69433,7 @@ CVE-2023-21903 (Vulnerability in the Oracle Banking Virtual Account Management p CVE-2023-21902 (Vulnerability in the Oracle Financial Services Behavior Detection Plat ...) NOT-FOR-US: Oracle CVE-2023-21901 (Vulnerability in the Oracle Financial Services Analytical Applications ...) - TODO: check + NOT-FOR-US: Oracle CVE-2023-21900 (Vulnerability in the Oracle Solaris product of Oracle Systems (compone ...) NOT-FOR-US: Oracle CVE-2023-21899 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) @@ -119176,7 +119176,7 @@ CVE-2022-31022 (Bleve is a text indexing library for go. Bleve includes HTTP uti NOTE: https://github.com/blevesearch/bleve/security/advisories/GHSA-9w9f-6mg8-jp7w NOTE: Fix only documents a shortcoming CVE-2022-31021 (Ursa is a cryptographic library for use with blockchains. A weakness i ...) - TODO: check + NOT-FOR-US: Ursa CVE-2022-31020 (Indy Node is the server portion of a distributed ledger purpose-built ...) NOT-FOR-US: Indy Node CVE-2022-31019 (Vapor is a server-side Swift HTTP web framework. When using automatic ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/13a1b911ec04b863db3bca17782c310adfe241a5
[Git][security-tracker-team/security-tracker][master] 6 commits: data/dla-needed.txt: Triage xorg-server for buster LTS (CVE-2023-6816,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: ae90db2f by Chris Lamb at 2024-01-17T10:50:46+00:00 data/dla-needed.txt: Triage xorg-server for buster LTS (CVE-2023-6816, CVE-2024-0229 & CVE-2024-0408) - - - - - cc17a071 by Chris Lamb at 2024-01-17T10:51:32+00:00 Triage CVE-2023-44487 in grpc for buster LTS. - - - - - 152b362e by Chris Lamb at 2024-01-17T10:52:00+00:00 Triage CVE-2023-52339 in libebml for buster LTS. - - - - - 12e88488 by Chris Lamb at 2024-01-17T10:52:20+00:00 Triage CVE-2024-21647 in puma for buster LTS. - - - - - 8d27bcc8 by Chris Lamb at 2024-01-17T10:52:42+00:00 Triage CVE-2023-52323 in pycryptodome for buster LTS. - - - - - 55dff7d8 by Chris Lamb at 2024-01-17T10:54:05+00:00 Triage CVE-2023-48795 in trilead-ssh2 for buster LTS. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -1076,6 +1076,7 @@ CVE-2023-52339 (In libebml before 1.4.5, an integer overflow in MemIOCallback.cp - libebml 1.4.5-1 [bookworm] - libebml (Minor issue) [bullseye] - libebml (Minor issue) + [buster] - libebml (Minor issue) NOTE: https://github.com/Matroska-Org/libebml/issues/147 NOTE: https://github.com/Matroska-Org/libebml/pull/148 NOTE: https://github.com/Matroska-Org/libebml/commit/4d577f5c3e267b2988d56dafebc82dedb4c45506 (master) @@ -2107,6 +2108,7 @@ CVE-2024-21647 (Puma is a web server for Ruby/Rack applications built for parall - puma (bug #1060345) [bookworm] - puma (Minor issue) [bullseye] - puma (Minor issue) + [buster] - puma (Minor issue) NOTE: https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2 NOTE: https://github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d (v5.6.8) CVE-2024-21645 (pyLoad is the free and open-source Download Manager written in pure Py ...) 
@@ -2711,6 +2713,7 @@ CVE-2023-52323 (PyCryptodome and pycryptodomex before 3.19.1 allow side-channel - pycryptodome (bug #1060059) [bookworm] - pycryptodome (Minor issue) [bullseye] - pycryptodome (Minor issue) + [buster] - pycryptodome (Minor issue) NOTE: https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd (v3.19.1) CVE-2023-52184 (Cross-Site Request Forgery (CSRF) vulnerability in WP Job Portal WP Jo ...) NOT-FOR-US: WordPress plugin @@ -5591,6 +5594,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun - trilead-ssh2 (bug #1059294) [bookworm] - trilead-ssh2 (Minor issue) [bullseye] - trilead-ssh2 (Minor issue) + [buster] - trilead-ssh2 (Minor issue) NOTE: https://terrapin-attack.com/ NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3 NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 @@ -18134,6 +18138,7 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource - grpc [bookworm] - grpc (Minor issue) [bullseye] - grpc (Minor issue) + [buster] - grpc (Minor issue) - h2o 2.2.5+dfsg2-8 (bug #1054232) - haproxy 1.8.13-1 - nginx 1.24.0-2 (unimportant; bug #1053770) = data/dla-needed.txt = 
@@ -273,6 +273,9 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- +xorg-server + NOTE: 20240117: Added by Front-Desk (lamby) +-- zabbix (tobi) NOTE: 20231015: Added by Front-Desk (ta) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/49ed17cb5052b4f944c755ba3c50ce1e07c78780...55dff7d87dc873a7d7bed1823c687f22f5f994f1
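Review bot: the new data/dla-needed.txt entry for xorg-server carries only the Front-Desk line, while the commit message names three CVEs (CVE-2023-6816, CVE-2024-0229 and CVE-2024-0408); the xorg-server advisory tracked in commit 49ed17cb on this page (lists.x.org 061525) covers six CVEs, the other three being CVE-2024-0409, CVE-2024-21885 and CVE-2024-21886, so either confirm in a NOTE that those three are not open for buster or list all six so the assignee has the full set. The five `[buster] - ... (Minor issue)` additions for libebml, puma, pycryptodome, trilead-ssh2 and grpc mirror the existing bookworm and bullseye annotations in each entry and are consistent with them.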
[Git][security-tracker-team/security-tracker][master] Track fixes for xwayland via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 49ed17cb by Salvatore Bonaccorso at 2024-01-17T11:41:02+01:00 Track fixes for xwayland via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -483,32 +483,32 @@ CVE-2023-6395 (The Mock software contains a vulnerability wherein an attacker co NOTE: Fixed by: https://github.com/xsuchy/templated-dictionary/commit/0740bd0ca8d487301881541028977d120f8b8933 (python-templated-dictionary-1.4-1) CVE-2024-0408 [SELinux unlabeled GLX PBuffer] - xorg-server 2:21.1.11-1 - - xwayland + - xwayland 2:23.2.4-1 [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/e5e8586a12a3ec915673edffa10dc8fe5e15dac3 CVE-2024-0409 [SELinux context corruption] - xorg-server 2:21.1.11-1 - - xwayland + - xwayland 2:23.2.4-1 [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/2ef0f1116c65d5cb06d7b6d83f8a1aea702c94f7 CVE-2024-21886 [Heap buffer overflow in DisableDevice] - xorg-server 2:21.1.11-1 - - xwayland + - xwayland 2:23.2.4-1 [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/bc1fdbe46559dd947674375946bbef54dd0ce36b NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/26769aa71fcbe0a8403b7fb13b7c9010cc07c3a8 CVE-2024-21885 [Heap buffer overflow in XISendDeviceHierarchyEvent] - xorg-server 2:21.1.11-1 - - xwayland + - xwayland 2:23.2.4-1 [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/4a5e9b1895627d40d26045bd0b7ef3dce503cbd1 CVE-2024-0229 [Reattaching to different master device may lead to out-of-bounds memory access] - xorg-server 2:21.1.11-1 - - xwayland + - xwayland 2:23.2.4-1 [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running 
as root) NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/ece23be888a93b741aa1209d1dbf64636109d6a5 @@ -516,7 +516,7 @@ CVE-2024-0229 [Reattaching to different master device may lead to out-of-bounds NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/df3c65706eb169d5938df0052059f3e0d5981b74 CVE-2023-6816 [Heap buffer overflow in DeviceFocusEvent and ProcXIQueryPointer] - xorg-server 2:21.1.11-1 - - xwayland + - xwayland 2:23.2.4-1 [bookworm] - xwayland (Minor issue; Xwayland shouldn't be running as root) NOTE: https://lists.x.org/archives/xorg/2024-January/061525.html NOTE: https://gitlab.freedesktop.org/xorg/xserver/-/commit/9e2ecb2af8302dedc49cb6a63ebe063c58a9e7e3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/49ed17cb5052b4f944c755ba3c50ce1e07c78780
[Git][security-tracker-team/security-tracker][master] openjdk-17 fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 48c70ae2 by Moritz Muehlenhoff at 2024-01-17T13:10:45+01:00 openjdk-17 fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -214,35 +214,35 @@ CVE-2024-20925 CVE-2024-20945 - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20926 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20921 - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20919 - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20952 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20918 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - openjdk-8 - openjdk-11 - - openjdk-17 + - openjdk-17 17.0.10+7-1 - openjdk-21 CVE-2024-20932 (Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...) - - openjdk-17 + - openjdk-17 17.0.10+7-1 CVE-2024-23347 (Prior to v176, when opening a new project Meta Spark Studio would exec ...) NOT-FOR-US: Meta Spark Studio CVE-2024-22628 (Budget and Expense Tracker System v1.0 is vulnerable to SQL Injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/48c70ae2158f44a536a682ab35abe7bf2c88df78
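Review bot: CVE-2024-20932 is tracked against openjdk-17 only, whereas the other six CVEs in this hunk list openjdk-8, openjdk-11, openjdk-17 and openjdk-21, and its description line reads the same as theirs (`Oracle Java SE, Oracle GraalVM for JDK, Oracle Gr ...`); if the advisory's affected-version list really is 17-only, a short NOTE saying so would save the next reader the check, otherwise the other openjdk entries are missing. All seven entries still show openjdk-8, openjdk-11 and openjdk-21 without a fixed version, so the commit title `openjdk-17 fixed in sid` matches what changed.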
[Git][security-tracker-team/security-tracker][master] Update assignment for xorg-server in dla-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b2942824 by Salvatore Bonaccorso at 2024-01-17T14:36:23+01:00 Update assignment for xorg-server in dla-needed list It's being worked on already. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -273,7 +273,7 @@ wireshark (Adrian Bunk) NOTE: 20231204: DLA pending (bunk) NOTE: 20231218: Debugging a problem with the update. (bunk) -- -xorg-server +xorg-server (Markus Koschany) NOTE: 20240117: Added by Front-Desk (lamby) -- zabbix (tobi) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b2942824ae6174bb8cc7dea5d50cb8b24f8a0c53