[Git][security-tracker-team/security-tracker][master] Track fixed version for firefox-esr via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ff7a103 by Salvatore Bonaccorso at 2024-01-24T07:47:23+01:00 Track fixed version for firefox-esr via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -135,7 +135,7 @@ CVE-2023-42143 (Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5af NOT-FOR-US: Shelly CVE-2024-0755 (Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thun ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0755 @@ -145,7 +145,7 @@ CVE-2024-0754 (Some WASM source files could have caused a crash when loaded in d NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0754 CVE-2024-0753 (In specific HSTS configurations an attacker could have bypassed HSTS o ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0753 
@@ -155,21 +155,21 @@ CVE-2024-0752 (A use-after-free crash could have occurred on macOS if a Firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0752 CVE-2024-0751 (A malicious devtools extension could have been used to escalate privil ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0751 CVE-2024-0750 (A bug in popup notifications delay calculation could have made it poss ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0750 CVE-2024-0749 (A phishing site could have repurposed an `about:` dialog to show phish ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0749 
@@ -179,14 +179,14 @@ CVE-2024-0748 (A compromised content process could have updated the document URI NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0748 CVE-2024-0747 (When a parent page loaded a child in an iframe with `unsafe-inline`, t ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0747 CVE-2024-0746 (A Linux user opening the print preview dialog could have caused the br ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0746 @@ -203,14 +203,14 @@ CVE-2024-0743 (An unchecked return value in TLS handshake code could have caused TODO: check src:nss CVE-2024-0742 (It was possible for certain browser prompts and dialogs to be activate ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0742 CVE-2024-0741 (An out of bounds write in ANGLE could have allowed an attacker to corr ...) - firefox 122.0-1 - - firefox-esr + - firefox-esr 115.7.0esr-1 - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/secur
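Review bot: the `TODO: check src:nss` line under CVE-2024-0743 in the @@ -203,14 hunk is left open while the firefox-esr fixed version is filled in around it; since CVE-2024-0743 is described as an unchecked return value in TLS handshake code, the entry should record whether Debian's standalone nss package carries the same code before this batch is treated as complete, otherwise the TODO lingers behind now fully versioned firefox/firefox-esr/thunderbird lines. The message is also cut off inside the CVE-2024-0741 entry (the last NOTE: ends at `https://www.mozilla.org/en-US/secur`), so any later hunks of commit 8ff7a103 are not reviewable here.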
[Git][security-tracker-team/security-tracker][master] Track fixed version for chromium via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 637520d7 by Salvatore Bonaccorso at 2024-01-24T07:45:49+01:00 Track fixed version for chromium via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,35 +1,35 @@ CVE-2024-0814 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0813 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0812 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0811 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0810 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0809 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0808 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0807 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0806 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0805 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-0804 - - chromium + - chromium 121.0.6167.85-1 [buster] - chromium (see DSA 5046) CVE-2024-23854 REJECTED View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/637520d728bd6b2f418dc46bd0f43a6c4a5b9b99 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/637520d728bd6b2f418dc46bd0f43a6c4a5b9b99 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
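Review bot: all eleven entries CVE-2024-0804 through CVE-2024-0814 in the @@ -1,35 hunk receive the same fixed version 121.0.6167.85-1, but none of them carries a description or a NOTE: line pointing at the upstream release note, so nothing in the file lets a reader confirm that each of these IDs is addressed in that exact build rather than in a later 121.x point release; one NOTE: with the upstream advisory URL on the batch would make the claim checkable in the way the Mozilla entries are via their mfsa links.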
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a4724ae2 by Salvatore Bonaccorso at 2024-01-24T07:40:55+01:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -16,6 +16,8 @@ atril -- cacti -- +chromium (dilinger) +-- cryptojs -- dnsdist (jmm) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a4724ae2f92b48a08d1264565372812305d28993
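Review bot: the new `chromium (dilinger)` line in the @@ -16,6 hunk has no suite qualifier, so by the convention visible elsewhere in this file (`openjdk-11/oldstable (jmm)`, `nbconvert/oldstable`) it claims the stable update only; if the chromium 121.0.6167.85 rebuild is also intended for oldstable, a separate `chromium/oldstable` entry is needed, otherwise bullseye stays untracked here while the CVE entries added in commit f7768b66 leave it implicitly affected.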
[Git][security-tracker-team/security-tracker][master] Add batch of new chromium CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7768b66 by Salvatore Bonaccorso at 2024-01-24T07:38:33+01:00 Add batch of new chromium CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,36 @@ +CVE-2024-0814 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0813 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0812 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0811 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0810 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0809 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0808 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0807 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0806 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0805 + - chromium + [buster] - chromium (see DSA 5046) +CVE-2024-0804 + - chromium + [buster] - chromium (see DSA 5046) CVE-2024-23854 REJECTED CVE-2024-23851 (copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7768b662f11c283af90e93acefbcf2570406f0a
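Review bot: the eleven new entries in the @@ -1,36 hunk are added with a bare `- chromium` (no fixed version) and a `[buster] - chromium (see DSA 5046)` line, but with no description text and no NOTE: URL for the upstream advisory, so the batch is identifiable only by its CVE numbers; adding the upstream release-note URL once per batch would give later readers the same traceability the Mozilla entries get from their mfsa NOTE: lines, and would document why these eleven IDs were grouped together.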
[Git][security-tracker-team/security-tracker][master] Track fixes for thunderbird via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a949194 by Salvatore Bonaccorso at 2024-01-24T07:34:03+01:00 Track fixes for thunderbird via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -103,7 +103,7 @@ CVE-2023-42143 (Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5af CVE-2024-0755 (Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thun ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0755 @@ -113,7 +113,7 @@ CVE-2024-0754 (Some WASM source files could have caused a crash when loaded in d CVE-2024-0753 (In specific HSTS configurations an attacker could have bypassed HSTS o ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0753 
@@ -123,21 +123,21 @@ CVE-2024-0752 (A use-after-free crash could have occurred on macOS if a Firefox CVE-2024-0751 (A malicious devtools extension could have been used to escalate privil ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0751 CVE-2024-0750 (A bug in popup notifications delay calculation could have made it poss ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0750 CVE-2024-0749 (A phishing site could have repurposed an `about:` dialog to show phish ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0749 
@@ -147,14 +147,14 @@ CVE-2024-0748 (A compromised content process could have updated the document URI CVE-2024-0747 (When a parent page loaded a child in an iframe with `unsafe-inline`, t ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0747 CVE-2024-0746 (A Linux user opening the print preview dialog could have caused the br ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0746 @@ -171,14 +171,14 @@ CVE-2024-0743 (An unchecked return value in TLS handshake code could have caused CVE-2024-0742 (It was possible for certain browser prompts and dialogs to be activate ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0742 CVE-2024-0741 (An out of bounds write in ANGLE could have allowed an attacker to corr ...) - firefox 122.0-1 - firefox-esr - - thunderbird + - thunderbird 1:115.7.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0741 NOTE: https://www.mozilla.or
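Review bot: every hunk here sets `thunderbird 1:115.7.0-1` while the `- firefox-esr` line directly above it is still left without a fixed version, so between this commit (3a949194) and the later 8ff7a103 the file claims that unstable has a fixed thunderbird but a still-vulnerable firefox-esr for the same mfsa2024-02 issues; setting the ESR and Thunderbird versions in one commit would avoid that intermediate state. The message is cut off inside the CVE-2024-0741 entry (`https://www.mozilla.or`), so the remaining hunks are not visible.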
[Git][security-tracker-team/security-tracker][master] Track fixes for firefox for mfsa2024-01 issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5e551b8d by Salvatore Bonaccorso at 2024-01-24T05:51:13+01:00 Track fixes for firefox for mfsa2024-01 issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -101,17 +101,17 @@ CVE-2023-44401 (The Silverstripe CMS GraphQL Server serves Silverstripe data as CVE-2023-42143 (Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c ...) NOT-FOR-US: Shelly CVE-2024-0755 (Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thun ...) - - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0755 CVE-2024-0754 (Some WASM source files could have caused a crash when loaded in devtoo ...) - - firefox + - firefox 122.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0754 CVE-2024-0753 (In specific HSTS configurations an attacker could have bypassed HSTS o ...) - - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753 
@@ -121,62 +121,62 @@ CVE-2024-0752 (A use-after-free crash could have occurred on macOS if a Firefox - firefox (Only affects Firefox on MacOS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0752 CVE-2024-0751 (A malicious devtools extension could have been used to escalate privil ...) - - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0751 CVE-2024-0750 (A bug in popup notifications delay calculation could have made it poss ...) - - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0750 CVE-2024-0749 (A phishing site could have repurposed an `about:` dialog to show phish ...) - - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0749 CVE-2024-0748 (A compromised content process could have updated the document URI. Thi ...) - - firefox + - firefox 122.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0748 CVE-2024-0747 (When a parent page loaded a child in an iframe with `unsafe-inline`, t ...) 
- - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0747 CVE-2024-0746 (A Linux user opening the print preview dialog could have caused the br ...) - - firefox + - firefox 122.0-1 - firefox-esr - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0746 CVE-2024-0745 (The WebAudio `OscillatorNode` object was susceptible to a stack buffer ...) - - firefox + - firefox 122.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0745 CVE-2024-0744 (In some circumstances, JIT compiled code could have dereferenced a wil ...) - - firefox + - firefox 122.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0744 CVE-2024-0743 (An unchecked return value in TLS handshake code could have caused a po ...) - - firefox + - firefox 122.0-1 NOTE: https://www.mozilla.org/en-US/security/
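Review bot: in the @@ -121,62 hunk the CVE-2024-0752 entry keeps `- firefox (Only affects Firefox on MacOS)` with no fixed version while every surrounding mfsa2024-01 entry is set to `firefox 122.0-1`; in that form the tracker still lists firefox in unstable as vulnerable to a macOS-only issue, so the entry should either get the same `122.0-1` (the fix is part of the same mfsa2024-01 advisory) or be marked as not affecting Debian's builds, with the macOS remark kept as the reason. The message is cut off after the CVE-2024-0743 NOTE: URL, so the remaining hunks of commit 5e551b8d are not visible here.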
[Git][security-tracker-team/security-tracker][master] openjdk-11 DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: e6d156ba by Moritz Mühlenhoff at 2024-01-23T22:44:42+01:00 openjdk-11 DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[23 Jan 2024] DSA-5604-1 openjdk-11 - security update + {CVE-2024-20918 CVE-2024-20919 CVE-2024-20921 CVE-2024-20926 CVE-2024-20945 CVE-2024-20952} + [bullseye] - openjdk-11 11.0.22+7-1~deb11u1 [23 Jan 2024] DSA-5603-1 xorg-server - security update {CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886} [bullseye] - xorg-server 2:1.20.11-1+deb11u11 = data/dsa-needed.txt = @@ -40,8 +40,6 @@ linux (carnil) nbconvert/oldstable Guilhem Moulin proposed an update ready for review -- -openjdk-11/oldstable (jmm) --- openjdk-17 (jmm) -- php-cas/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e6d156ba15fe1d946dbebb748a3d1dbf28d1db6e
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2023-32728 for bullseye
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 95ac1b1c by Salvatore Bonaccorso at 2024-01-23T22:39:08+01:00 Update status for CVE-2023-32728 for bullseye - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6530,6 +6530,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox NOT-FOR-US: WordPress plugin CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its param ...) - zabbix 1:6.0.24+dfsg-1 + [bullseye] - zabbix (Vulnerable code introduced later) [buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23858 NOTE: https://github.com/zabbix/zabbix/commit/51ee1af626f93c1656ee2e37aa3d611b0292c1d8 (6.0.24rc1) 
@@ -6539,7 +6540,8 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) - NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 + NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2: + NOTE: https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 [buster] - zabbix (Vulnerable code introduced later) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/95ac1b1cea5f86b647ae653ef4b0021729fd6482
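Review bot: the new `[bullseye] - zabbix (Vulnerable code introduced later)` line in the @@ -6530,6 hunk is consistent with the NOTE: in the @@ -6539,7 hunk only if bullseye's zabbix predates 5.0.9rc1 (the NOTE names 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 as the versions that introduced the feature); nothing in the entry states which version bullseye ships, so recording that in the annotation or the NOTE: would let the not-affected claim be re-checked without consulting the archive. In the visible context the adjacent CVE-2023-32727 entry carries the same wording only for buster, so it looks like it needs the same bullseye review.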
[Git][security-tracker-team/security-tracker][master] Add upstream commit reference for CVE-2017-20189
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3a6bb8f9 by Salvatore Bonaccorso at 2024-01-23T22:34:45+01:00 Add upstream commit reference for CVE-2017-20189 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -377,6 +377,7 @@ CVE-2023-47352 (Technicolor TC8715D devices have predictable default WPA2 securi NOT-FOR-US: Technicolor CVE-2017-20189 (In Clojure before 1.9.0, classes can be used to construct a serialized ...) - clojure 1.9.0-1 + NOTE: https://github.com/clojure/clojure/commit/271674c9b484d798484d134a5ac40a6df15d3ac3 (clojure-1.9.0-alpha20) CVE-2024-0775 (A use-after-free flaw was found in the __ext4_remount in fs/ext4/super ...) - linux 6.3.7-1 [bookworm] - linux 6.1.37-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3a6bb8f93a40297dcf39cc447e3cfd2bc2ca9af3
[Git][security-tracker-team/security-tracker][master] Revert back URL for CVE-2023-32725
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d15630e7 by Salvatore Bonaccorso at 2024-01-23T22:19:46+01:00 Revert back URL for CVE-2023-32725 Fixes: 36e9a77145dd ("CVE-2023-32727/zabbix - buster is not affected.") - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6554,7 +6554,7 @@ CVE-2023-32725 (The website configured in the URL widget will receive a session - zabbix 1:6.0.23+dfsg-1 [bullseye] - zabbix (Vulnerable code not present) [buster] - zabbix (vulnerable code introduced later) - NOTE: https://support.zabbix.com/browse/ZBX-2354 + NOTE: https://support.zabbix.com/browse/ZBX-23854 NOTE: https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26 (6.0.22rc1) NOTE: report_manager introduced with: https://github.com/zabbix/zabbix/commit/a06a08111546081e8256267bc0062cbd74dc3309 (6.0.0alpha1) CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d15630e70c5e27b9b5eab99c2444c2ee7c896590
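Review bot: the URL correction in the @@ -6554,7 hunk is right, but the unchanged context lines show the two suite annotations for CVE-2023-32725 disagreeing about why older suites are safe: `[bullseye] - zabbix (Vulnerable code not present)` versus `[buster] - zabbix (vulnerable code introduced later)` (the latter also lower-case, unlike the other entries). Given the NOTE: that report_manager was introduced in 6.0.0alpha1, both suites are unaffected for the same reason and should carry the same `(Vulnerable code introduced later)` wording.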
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 31822729 by Salvatore Bonaccorso at 2024-01-23T22:15:39+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -14,58 +14,58 @@ CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free in - linux NOTE: https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/ CVE-2024-23636 (SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA He ...) - TODO: check + NOT-FOR-US: SOFARPC CVE-2024-23348 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-23341 (TuiTse-TsuSin is a package for organizing the comparative corpus of Ta ...) - TODO: check + NOT-FOR-US: TuiTse-TsuSin CVE-2024-23330 (Tuta is an encrypted email service. In versions prior to 119.10, an at ...) - TODO: check + NOT-FOR-US: Tuta CVE-2024-23183 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series vers ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-23182 (Relative path traversal vulnerability in a-blog cms Ver.3.1.x series v ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-23181 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series vers ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-23180 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-22705 (An issue was discovered in ksmbd in the Linux kernel before 6.6.10. sm ...) - linux 6.6.11-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/d10c77873ba1e9e6b91905018e29e196fd5f863d (6.7-rc8) CVE-2024-22663 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerabi ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-22662 (TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerabili ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-22660 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a stack overflow vulnerabilit ...) 
- TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-22497 (Cross Site Scripting (XSS) vulnerability in /admin/login password para ...) - TODO: check + NOT-FOR-US: JFinalcms CVE-2024-22496 (Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows att ...) - TODO: check + NOT-FOR-US: JFinalcms CVE-2024-22490 (Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attac ...) - TODO: check + NOT-FOR-US: beetl-bbs CVE-2024-22417 (Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 a ...) - TODO: check + NOT-FOR-US: Whoogle Search CVE-2024-22205 (Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 a ...) - TODO: check + NOT-FOR-US: Whoogle Search CVE-2024-22204 (Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and ...) - TODO: check + NOT-FOR-US: Whoogle Search CVE-2024-22203 (Whoogle Search is a self-hosted metasearch engine. In versions prior t ...) - TODO: check + NOT-FOR-US: Whoogle Search CVE-2024-22076 (MyQ Print Server before 8.2 patch 43 allows Unauthenticated Remote Cod ...) - TODO: check + NOT-FOR-US: MyQ Print Server CVE-2024-0703 (The Sticky Buttons \u2013 floating buttons builder plugin for WordPres ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-7238 (A XSS payload can be uploaded as a DICOM study and when a user tries t ...) - TODO: check + NOT-FOR-US: Osimis WebViewer CVE-2023-6926 (There is an OS command injection vulnerability in Crestron AM-300 firm ...) - TODO: check + NOT-FOR-US: Crestron CVE-2023-6573 (HPE OneView may have a missing passphrase during restore.) - TODO: check + NOT-FOR-US: HPE CVE-2023-51210 (SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a re ...) - TODO: check + NOT-FOR-US: Webkul Bundle Product CVE-2023-51043 (In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a u ...) - linux 6.4.11-1 [bookworm] - linux 6.1.52-1 
@@ -79,15 +79,15 @@ CVE-2023-51042 (In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in [buster] - linux 4.19.304-1 NOTE: https://git.kernel.org/linus/2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 (6.5-rc1) CVE-2023-50275 (HPE OneView may allow clusterService Authentication Bypass resulting i ...) - TODO: check + NOT-FOR-US: HPE CVE-2023-50274 (HPE OneView may allow command injection with local privilege escalatio ...) - TODO: check +
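Review bot: the NOT-FOR-US labels in the @@ -14,58 hunk mix product names (`a-blog cms`, `Whoogle Search`, `Osimis WebViewer`) with bare vendor names (`HPE`, `Crestron`, `TOTOLINK`); for the HPE OneView entries in particular, `NOT-FOR-US: HPE OneView` would let a later search for the product land on the right lines. The message is also cut off inside the @@ -79,15 hunk (it ends at `- TODO: check +` for CVE-2023-50274), so the last replacement is not visible here.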
[Git][security-tracker-team/security-tracker][master] Remove one additional whitespace
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2cfba19e by Salvatore Bonaccorso at 2024-01-23T21:59:46+01:00 Remove one additional whitespace - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30,7 +30,7 @@ CVE-2024-23181 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x serie CVE-2024-23180 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) TODO: check CVE-2024-22705 (An issue was discovered in ksmbd in the Linux kernel before 6.6.10. sm ...) -- linux 6.6.11-1 + - linux 6.6.11-1 [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/d10c77873ba1e9e6b91905018e29e196fd5f863d (6.7-rc8) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2cfba19e14afc259374f85611dc05d621dafff5d
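Review bot: the `-- linux 6.6.11-1` line being corrected to ` - linux 6.6.11-1` in the @@ -30,7 hunk is the indentation slip introduced about two minutes earlier in commit 967815e6 below; a syntax check on data/CVE/list before pushing would catch a fixed-version line that is not indented and would have let this fix be folded into the original commit.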
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-22705/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 967815e6 by Salvatore Bonaccorso at 2024-01-23T21:57:24+01:00 Add CVE-2024-22705/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -30,7 +30,10 @@ CVE-2024-23181 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x serie CVE-2024-23180 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) TODO: check CVE-2024-22705 (An issue was discovered in ksmbd in the Linux kernel before 6.6.10. sm ...) - TODO: check +- linux 6.6.11-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/d10c77873ba1e9e6b91905018e29e196fd5f863d (6.7-rc8) CVE-2024-22663 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerabi ...) TODO: check CVE-2024-22662 (TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerabili ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/967815e6eb5593f26a7417668854237d94b90f67
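Review bot: the added `+- linux 6.6.11-1` line in the @@ -30,7 hunk lacks the leading space that every other fixed-version line in the file has (compare the `[bullseye]`/`[buster]` lines right under it), which is why the follow-up commit 2cfba19e above is needed; the rest of the entry is coherent: the NOTE: cites the upstream fix at 6.7-rc8, the description says the issue is fixed before 6.6.10, 6.6.11-1 is recorded as the first unstable upload carrying it, and bullseye and buster are marked as not containing the vulnerable code.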
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-51043/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7482a156 by Salvatore Bonaccorso at 2024-01-23T21:53:31+01:00 Add CVE-2023-51043/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64,7 +64,11 @@ CVE-2023-6573 (HPE OneView may have a missing passphrase during restore.) CVE-2023-51210 (SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a re ...) TODO: check CVE-2023-51043 (In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a u ...) - TODO: check + - linux 6.4.11-1 + [bookworm] - linux 6.1.52-1 + [bullseye] - linux 5.10.191-1 + [buster] - linux 4.19.304-1 + NOTE: https://git.kernel.org/linus/4e076c73e4f6e90816b30fcd4a0d7ab365087255 (6.5-rc3) CVE-2023-51042 (In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in driver ...) - linux 6.4.13-1 [bookworm] - linux 6.1.52-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7482a1565b486cde3f22cf5485c762f390bd1873 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7482a1565b486cde3f22cf5485c762f390bd1873 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
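Review bot: the only reference added is the 6.5-rc3 mainline commit, while the description names 6.4.5 as the first fixed upstream release and the entry records 6.4.11-1 for unstable plus 6.1.52-1, 5.10.191-1 and 4.19.304-1 for bookworm, bullseye and buster; a short NOTE stating that these are the stable-series uploads carrying the backport would let a reader verify the four versions without having to redo the lookup.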
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-51042/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03cf by Salvatore Bonaccorso at 2024-01-23T21:48:49+01:00 Add CVE-2023-51042/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,11 @@ CVE-2023-51210 (SQL injection vulnerability in Webkul Bundle Product 6.0.1 allow CVE-2023-51043 (In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a u ...) TODO: check CVE-2023-51042 (In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in driver ...) - TODO: check + - linux 6.4.13-1 + [bookworm] - linux 6.1.52-1 + [bullseye] - linux 5.10.197-1 + [buster] - linux 4.19.304-1 + NOTE: https://git.kernel.org/linus/2e54154b9f27262efd0cb4f903cc7d5ad1fe9628 (6.5-rc1) CVE-2023-50275 (HPE OneView may allow clusterService Authentication Bypass resulting i ...) TODO: check CVE-2023-50274 (HPE OneView may allow command injection with local privilege escalatio ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03cf9bca72055a310f478371725102b08efd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03cf9bca72055a310f478371725102b08efd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-46343/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2118c5f4 by Salvatore Bonaccorso at 2024-01-23T21:40:16+01:00 Add CVE-2023-46343/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -78,7 +78,11 @@ CVE-2023-49657 (A stored cross-site scripting (XSS) vulnerability exists in Apac CVE-2023-48714 (Silverstripe Framework is the framework that forms the base of the Sil ...) TODO: check CVE-2023-46343 (In the Linux kernel before 6.5.9, there is a NULL pointer dereference ...) - TODO: check + - linux 6.5.10-1 + [bookworm] - linux 6.1.64-1 + [bullseye] - linux 5.10.205-1 + [buster] - linux 4.19.304-1 + NOTE: https://git.kernel.org/linus/7937609cd387246aed994e81aa4fa951358fba41 (6.6-rc7) CVE-2023-45889 (A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink One ...) TODO: check CVE-2023-44401 (The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2118c5f463eab8352506695ff2c9c21fc4836943 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2118c5f463eab8352506695ff2c9c21fc4836943 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23848/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 619309dd by Salvatore Bonaccorso at 2024-01-23T21:34:08+01:00 Add CVE-2024-23848/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,8 @@ CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kerne - linux NOTE: https://lore.kernel.org/netdev/1705715319-19199-1-git-send-email-sharath.srinivasan%40oracle.com/ CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free in cec_qu ...) - TODO: check + - linux + NOTE: https://lore.kernel.org/lkml/e9f42704-2f99-4f2c-ade5-f952e5fd53e5%40xs4all.nl/ CVE-2024-23636 (SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA He ...) TODO: check CVE-2024-23348 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/619309dd38b94c74608f63cea600d96f1aba15db -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/619309dd38b94c74608f63cea600d96f1aba15db You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23849/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b4078026 by Salvatore Bonaccorso at 2024-01-23T21:25:32+01:00 Add CVE-2024-23849/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8,7 +8,8 @@ CVE-2024-23850 (In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel [buster] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu%40suse.com/ CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro ...) - TODO: check + - linux + NOTE: https://lore.kernel.org/netdev/1705715319-19199-1-git-send-email-sharath.srinivasan%40oracle.com/ CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free in cec_qu ...) TODO: check CVE-2024-23636 (SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA He ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4078026c9d426265a1bad96e7cf5b852dd9b8c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b4078026c9d426265a1bad96e7cf5b852dd9b8c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23850/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78b69305 by Salvatore Bonaccorso at 2024-01-23T21:22:53+01:00 Add CVE-2024-23850/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4,7 +4,9 @@ CVE-2024-23851 (copy_params in drivers/md/dm-ioctl.c in the Linux kernel through - linux NOTE: https://www.spinics.net/lists/dm-devel/msg56574.html CVE-2024-23850 (In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel throug ...) - TODO: check + - linux + [buster] - linux (Vulnerable code not present) + NOTE: https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu%40suse.com/ CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro ...) TODO: check CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free in cec_qu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78b693057c5c0196821d22703738ebb992622904 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/78b693057c5c0196821d22703738ebb992622904 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
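Review bot: `- linux` without a version records the issue as unfixed in unstable, which matches the "through 6.7.1" wording of the description and the fact that the only reference is a patch posting on lore rather than a merged commit; the fixed version will need to be filled in once the patch lands. Only buster is annotated as "Vulnerable code not present", so the entry implicitly marks bullseye and bookworm as affected; if that was checked, a NOTE naming the commit that introduced the btrfs_get_root_ref behaviour would make the buster exclusion verifiable.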
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23851/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: baaeafb5 by Salvatore Bonaccorso at 2024-01-23T21:18:38+01:00 Add CVE-2024-23851/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,8 @@ CVE-2024-23854 REJECTED CVE-2024-23851 (copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 ...) - TODO: check + - linux + NOTE: https://www.spinics.net/lists/dm-devel/msg56574.html CVE-2024-23850 (In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel throug ...) TODO: check CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baaeafb58a157bc68ac1651d123f266ad04d7bfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/baaeafb58a157bc68ac1651d123f266ad04d7bfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ff81e261 by security tracker role at 2024-01-23T20:13:30+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,79 +1,161 @@ -CVE-2024-0755 +CVE-2024-23854 + REJECTED +CVE-2024-23851 (copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 ...) + TODO: check +CVE-2024-23850 (In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel throug ...) + TODO: check +CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro ...) + TODO: check +CVE-2024-23848 (In the Linux kernel through 6.7.1, there is a use-after-free in cec_qu ...) + TODO: check +CVE-2024-23636 (SOFARPC is a Java RPC framework. SOFARPC defaults to using the SOFA He ...) + TODO: check +CVE-2024-23348 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) + TODO: check +CVE-2024-23341 (TuiTse-TsuSin is a package for organizing the comparative corpus of Ta ...) + TODO: check +CVE-2024-23330 (Tuta is an encrypted email service. In versions prior to 119.10, an at ...) + TODO: check +CVE-2024-23183 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series vers ...) + TODO: check +CVE-2024-23182 (Relative path traversal vulnerability in a-blog cms Ver.3.1.x series v ...) + TODO: check +CVE-2024-23181 (Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series vers ...) + TODO: check +CVE-2024-23180 (Improper input validation vulnerability in a-blog cms Ver.3.1.x series ...) + TODO: check +CVE-2024-22705 (An issue was discovered in ksmbd in the Linux kernel before 6.6.10. sm ...) + TODO: check +CVE-2024-22663 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a command Injection vulnerabi ...) + TODO: check +CVE-2024-22662 (TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerabili ...) + TODO: check +CVE-2024-22660 (TOTOLINK_A3700R_V9.1.2u.6165_20211012has a stack overflow vulnerabilit ...) + TODO: check +CVE-2024-22497 (Cross Site Scripting (XSS) vulnerability in /admin/login password para ...) + TODO: check +CVE-2024-22496 (Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows att ...) 
+ TODO: check +CVE-2024-22490 (Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attac ...) + TODO: check +CVE-2024-22417 (Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 a ...) + TODO: check +CVE-2024-22205 (Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 a ...) + TODO: check +CVE-2024-22204 (Whoogle Search is a self-hosted metasearch engine. Versions 0.8.3 and ...) + TODO: check +CVE-2024-22203 (Whoogle Search is a self-hosted metasearch engine. In versions prior t ...) + TODO: check +CVE-2024-22076 (MyQ Print Server before 8.2 patch 43 allows Unauthenticated Remote Cod ...) + TODO: check +CVE-2024-0703 (The Sticky Buttons \u2013 floating buttons builder plugin for WordPres ...) + TODO: check +CVE-2023-7238 (A XSS payload can be uploaded as a DICOM study and when a user tries t ...) + TODO: check +CVE-2023-6926 (There is an OS command injection vulnerability in Crestron AM-300 firm ...) + TODO: check +CVE-2023-6573 (HPE OneView may have a missing passphrase during restore.) + TODO: check +CVE-2023-51210 (SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a re ...) + TODO: check +CVE-2023-51043 (In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a u ...) + TODO: check +CVE-2023-51042 (In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in driver ...) + TODO: check +CVE-2023-50275 (HPE OneView may allow clusterService Authentication Bypass resulting i ...) + TODO: check +CVE-2023-50274 (HPE OneView may allow command injection with local privilege escalatio ...) + TODO: check +CVE-2023-49783 (Silverstripe Admin provides a basic management interface for the Silve ...) + TODO: check +CVE-2023-49657 (A stored cross-site scripting (XSS) vulnerability exists in Apache Sup ...) + TODO: check +CVE-2023-48714 (Silverstripe Framework is the framework that forms the base of the Sil ...) 
+ TODO: check +CVE-2023-46343 (In the Linux kernel before 6.5.9, there is a NULL pointer dereference ...) + TODO: check +CVE-2023-45889 (A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink One ...) + TODO: check +CVE-2023-44401 (The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQ ...) + TODO: check +CVE-2023-42143 (Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c ...) + TODO: check +CVE-2024-0755 (Memory safety bugs present in Firefox 121, Fi
[Git][security-tracker-team/security-tracker][master] Correct entry for CVE-2023-29159/starlette
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: adc25532 by Salvatore Bonaccorso at 2024-01-23T20:58:15+01:00 Correct entry for CVE-2023-29159/starlette - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -36669,7 +36669,11 @@ CVE-2023-33461 (iniparser v4.1 is vulnerable to NULL Pointer Dereference in func CVE-2023-30758 (Cross-site scripting vulnerability in Pleasanter 1.3.38.1 and earlier ...) NOT-FOR-US: Pleasanter CVE-2023-29159 (Directory traversal vulnerability in Starlette versions 0.13.5 and lat ...) - NOT-FOR-US: Starlette + - starlette 0.28.0-1 + [bookworm] - starlette (Minor issue) + [bullseye] - starlette (Minor issue) + NOTE: https://github.com/encode/starlette/security/advisories/GHSA-v5gw-mw7f-84px + NOTE: https://github.com/encode/starlette/commit/1797de464124b090f10cf570441e8292936d63e3 (0.27.0) CVE-2023-29154 (SQL injection vulnerability exists in the CONPROSYS HMI System (CHS) v ...) NOT-FOR-US: CONPROSYS CVE-2023-28937 (DataSpider Servista version 4.4 and earlier uses a hard-coded cryptogr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adc2553295737f45114e98e19ad455ea226466f4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/adc2553295737f45114e98e19ad455ea226466f4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
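Review bot: the NOTE records the upstream fix as landing in 0.27.0 while the unstable line says `starlette 0.28.0-1`; if 0.27.0 never entered Debian, say so in a NOTE so the two versions do not read as a mismatch. The entry also flips from NOT-FOR-US to a tracked package with "Minor issue" for bookworm and bullseye, and neither line gives a reason for the rating; one sentence on why the directory traversal is considered minor would help whoever next revisits the entry.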
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for xorg-server update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6fb5a281 by Salvatore Bonaccorso at 2024-01-23T20:39:31+01:00 Reserve DSA number for xorg-server update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[23 Jan 2024] DSA-5603-1 xorg-server - security update + {CVE-2023-6816 CVE-2024-0229 CVE-2024-0408 CVE-2024-0409 CVE-2024-21885 CVE-2024-21886} + [bullseye] - xorg-server 2:1.20.11-1+deb11u11 + [bookworm] - xorg-server 2:21.1.7-3+deb12u5 [17 Jan 2024] DSA-5602-1 chromium - security update {CVE-2024-0517 CVE-2024-0518 CVE-2024-0519} [bullseye] - chromium 120.0.6099.224-1~deb11u1 = data/dsa-needed.txt = @@ -97,9 +97,6 @@ thunderbird (jmm) -- varnish -- -xorg-server (carnil) - Waiting for exposure of unstable fixes for potential regressions --- zbar (carnil) Prepared update but needs some additional testing before the release -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fb5a2811e8282942fc701ba37fd9b30b6bd6a86 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6fb5a2811e8282942fc701ba37fd9b30b6bd6a86 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Fix indentation in entries
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3f6b7ba8 by Salvatore Bonaccorso at 2024-01-23T20:38:57+01:00 Fix indentation in entries - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6419,7 +6419,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox NOT-FOR-US: WordPress plugin CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its param ...) - zabbix 1:6.0.24+dfsg-1 -[buster] - zabbix (Vulnerable code introduced later) + [buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23858 NOTE: https://github.com/zabbix/zabbix/commit/51ee1af626f93c1656ee2e37aa3d611b0292c1d8 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/f4557473616f455eefe8f303721b4cec473ece4c (6.0.24rc1) 
@@ -6428,14 +6428,14 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) -NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 + NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 -[buster] - zabbix (Vulnerable code introduced later) + [buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23857 NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1) NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1) -NOTE: introduced in https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) + NOTE: introduced in https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23855 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f6b7ba836eb8467134cedf842e3b284f9af4c4f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3f6b7ba836eb8467134cedf842e3b284f9af4c4f You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] s/ttps/https
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 016eb657 by Tobias Frost at 2024-01-23T20:14:20+01:00 s/ttps/https - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6435,7 +6435,7 @@ CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can NOTE: https://support.zabbix.com/browse/ZBX-23857 NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1) NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1) -NOTE: introduced in ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) +NOTE: introduced in https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23855 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/016eb657b4453e3becdfa55ebbdfa411c0f313f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/016eb657b4453e3becdfa55ebbdfa411c0f313f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] CVE-2023-32727/zabbix - buster is not affected.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 36e9a771 by Tobias Frost at 2024-01-23T20:13:31+01:00 CVE-2023-32727/zabbix - buster is not affected. The vulnerability is a format-string vulnerability, a user-provided input (dst - intended to be a target host for fping) is passed to a shell without sanitizing. The key line for the patch for CVE-2023-32727 is in function get_interval_option(): - zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u %s", fping, intervals[j], dst); + zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i%u", fping, intervals[j]); "dst" is the ping target, and the resulting tmp is the complete command to be executed in the vulnerable version. (via execl("/bin/sh", "sh", "-c", command, (char *)NULL); in zbx_execute()) Bisecting upstream brings the following commits introducing this: Commit: 57abe5a1f2c208d05cc59029026098c2f13ed464 [1] + zbx_snprintf(tmp, sizeof(tmp), "%s -c1 -t50 -i0 %s", fping, dst); [1] https://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464#src/libs/zbxicmpping/icmpping.c line 102 List of affected versions, where the commit is seen for the first time: git tag --contains 57abe5a1f2c208d05cc59029026098c2f13ed464 (manually filtered to show only first tag of every affected version) 4.4.0alpha3 5.0.0alpha1 5.2.0alpha1 5.4.0alpha1 6.0.0alpha1 6.2.0alpha1 6.4.0alpha1 7.0.0alpha1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -6428,12 +6428,14 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) -NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 +NOTE: Vulnerable feature introduced with versions 5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 +[buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23857 NOTE: https://github.com/zabbix/zabbix/commit/93e090592fc6de7ec5d3d42c1bb9074ad1f3ba34 (6.0.23rc1) NOTE: https://github.com/zabbix/zabbix/commit/610f9fdbb86667f4094972547deb936c6cdfc6d5 (6.0.23rc1) +NOTE: introduced in ttps://git.zabbix.com/projects/ZBX/repos/zabbix/commits/57abe5a1f2c208d05cc59029026098c2f13ed464 (4.4.0alpha3) CVE-2023-32726 (The vulnerability is caused by improper check for check if RDLENGTH do ...) - zabbix 1:6.0.24+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23855 
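Review bot: the added `+NOTE: introduced in ttps://git.zabbix.com/...` line has the URL scheme typoed as `ttps://`; it should read `https://`. In the same hunk the rewritten NOTE for CVE-2023-32728 now lists "5.0.9rc1, 5.3.5rc1 and 5.4.0alpha2", but the ZBXNEXT-6339 quote in the c7631825 commit message lists 5.0.9rc1, 5.2.5rc1 and 5.4.0alpha2; please check the middle version against the ticket before this spreads to other entries.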
@@ -6442,7 +6444,7 @@ CVE-2023-32725 (The website configured in the URL widget will receive a session - zabbix 1:6.0.23+dfsg-1 [bullseye] - zabbix (Vulnerable code not present) [buster] - zabbix (vulnerable code introduced later) - NOTE: https://support.zabbix.com/browse/ZBX-23854 + NOTE: https://support.zabbix.com/browse/ZBX-2354 NOTE: https://github.com/zabbix/zabbix/commit/89e0cd6ea93a097671d6bcfbfa674047a3096b26 (6.0.22rc1) NOTE: report_manager introduced with: https://github.com/zabbix/zabbix/commit/a06a08111546081e8256267bc0062cbd74dc3309 (6.0.0alpha1) CVE-2023-32230 (An improper handling of a malformed API request to an API server in Bo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/36e9a77145dd28bbc338686e27d75ada2c9f7279 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
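Review bot: this hunk changes the CVE-2023-32725 reference from `https://support.zabbix.com/browse/ZBX-23854` to `ZBX-2354`, dropping a digit from the ticket number. That entry is unrelated to the CVE-2023-32727/buster change described in the commit message and the other ZBX tickets in this region (ZBX-23855, ZBX-23857, ZBX-23858) are all five digits, so this looks like an accidental edit; revert the line to ZBX-23854.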
[Git][security-tracker-team/security-tracker][master] CVE-2023-32728/zabbix (buster) vulnerable code introduced later.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: c7631825 by Tobias Frost at 2024-01-23T18:59:00+01:00 CVE-2023-32728/zabbix (buster) vulnerable code introduced later. Vulnerable feature was introduced with this ticket: https://support.zabbix.com/browse/ZBXNEXT-6339 Quote: > Available in: > > 5.0.9rc1 1ee48854146 > 5.2.5rc1 68cf640f12d > 5.4.0alpha2 (master) 434243ef35a - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6419,6 +6419,7 @@ CVE-2023-33214 (Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox NOT-FOR-US: WordPress plugin CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its param ...) - zabbix 1:6.0.24+dfsg-1 +[buster] - zabbix (Vulnerable code introduced later) NOTE: https://support.zabbix.com/browse/ZBX-23858 NOTE: https://github.com/zabbix/zabbix/commit/51ee1af626f93c1656ee2e37aa3d611b0292c1d8 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/f4557473616f455eefe8f303721b4cec473ece4c (6.0.24rc1) 
@@ -6427,6 +6428,7 @@ CVE-2023-32728 (The Zabbix Agent 2 item key smart.disk.get does not sanitize its NOTE: https://github.com/zabbix/zabbix/commit/09fa80bb16b094e4c17c036868c817f411efe4a0 (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/7c00b48ab998066962e5275efa50007cb72ea1ac (6.0.24rc1) NOTE: https://github.com/zabbix/zabbix/commit/245fbae6039ebfbd720ab33c0349c82bae242fc9 (6.0.24rc1) +NOTE: Vulnerable feature introduced with version 5.0.9rc1 resp. 5.4.0alpha2 https://support.zabbix.com/browse/ZBXNEXT-6339 CVE-2023-32727 (An attacker who has the privilege to configure Zabbix items can use fu ...) - zabbix 1:6.0.23+dfsg-1 NOTE: https://support.zabbix.com/browse/ZBX-23857 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7631825c06eb9331e5fcc22abdf7fe9e749b7cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c7631825c06eb9331e5fcc22abdf7fe9e749b7cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
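Review bot: the added NOTE says the vulnerable feature was "introduced with version 5.0.9rc1 resp. 5.4.0alpha2", but the ZBXNEXT-6339 quote in this commit's own message lists three introducing versions (5.0.9rc1, 5.2.5rc1 and 5.4.0alpha2); list all three and drop the non-standard "resp." so the NOTE matches the ticket. The `+[buster] - zabbix (Vulnerable code introduced later)` line in the first hunk is consistent with that history, since buster predates all of those releases.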
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3716-1 for ruby-httparty
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: e41e5bb7 by Chris Lamb at 2024-01-23T09:02:36-08:00 Reserve DLA-3716-1 for ruby-httparty - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Jan 2024] DLA-3716-1 ruby-httparty - security update + {CVE-2024-22049} + [buster] - ruby-httparty 0.16.2+dfsg1-3+deb10u1 [23 Jan 2024] DLA-3715-1 jinja2 - security update {CVE-2024-22195} [buster] - jinja2 2.10-2+deb10u1 = data/dla-needed.txt = @@ -241,9 +241,6 @@ ring NOTE: 20230903: Added by Front-Desk (gladk) NOTE: 20230928: will be likely hard to fix see https://lists.debian.org/debian-lts/2023/09/msg00035.html (rouca) -- -ruby-httparty (Chris Lamb) - NOTE: 20240121: Added by Front-Desk (apo) --- salt NOTE: 20220814: Added by Front-Desk (gladk) NOTE: 20220814: I am not sure, whether it is possible to fix issues View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e41e5bb72ab609e9e6c2767790ca9929f0f06543 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e41e5bb72ab609e9e6c2767790ca9929f0f06543 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3715-1 for jinja2
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 92240195 by Chris Lamb at 2024-01-23T08:53:12-08:00 Reserve DLA-3715-1 for jinja2 - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,6 @@ +[23 Jan 2024] DLA-3715-1 jinja2 - security update + {CVE-2024-22195} + [buster] - jinja2 2.10-2+deb10u1 [22 Jan 2024] DLA-3709-2 squid - regression update [buster] - squid 4.6-1+deb10u10 [21 Jan 2024] DLA-3714-1 keystone - security update = data/dla-needed.txt = @@ -122,9 +122,6 @@ jenkins-htmlunit-core-js NOTE: 20231231: … TransformerFactory without setting the ~secure flag, so it may NOTE: 20231231: … indeed be vulnerable. (lamby) -- -jinja2 (Chris Lamb) - NOTE: 20240121: Added by Front-Desk (apo) --- knot-resolver (Markus Koschany) NOTE: 20231029: Added by Front-Desk (gladk) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92240195d687f646ce55c635a62c80d87fccb30a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92240195d687f646ce55c635a62c80d87fccb30a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add thunderbird issues from mfsa2024-04
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fbdf9fef by Salvatore Bonaccorso at 2024-01-23T16:56:17+01:00 Add thunderbird issues from mfsa2024-04 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,47 +1,61 @@ CVE-2024-0755 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0755 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0755 CVE-2024-0754 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0754 CVE-2024-0753 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0753 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0753 CVE-2024-0752 - firefox (Only affects Firefox on MacOS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0752 CVE-2024-0751 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0751 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0751 CVE-2024-0750 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0750 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0750 CVE-2024-0749 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0749 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0749 CVE-2024-0748 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0748 CVE-2024-0747 - firefox - firefox-esr + - thunderbird NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0747 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0747 CVE-2024-0746 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0746 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0746 CVE-2024-0745 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0745 
@@ -55,13 +69,17 @@ CVE-2024-0743 CVE-2024-0742 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0742 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0742 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0742 CVE-2024-0741 - firefox - firefox-esr + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0741 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0741 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/#CVE-2024-0741 CVE-2024-23842 (Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 al ...) NOT-FOR-US: Hitron Systems DVR LGUVR-16H CVE-2024-23678 (In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splun ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbdf9fef018f5a1bcf7c1467e2ea129abf19c1ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fbdf9fef018f5a1bcf7c1467e2ea129abf19c1ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
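Review bot: CVE-2024-0743, which appears only as hunk-header context here (@@ -55,13 +69,17 @@) and which the mfsa2024-01 import left with `TODO: check src:nss`, is the one id in this block that gains neither a firefox-esr nor a thunderbird line; with both packages now on dsa-needed, that nss check should be closed out in the same pass so a fix that belongs in the shared library is not missed. The nine ids that gain `+ - thunderbird` (0755, 0753, 0751, 0750, 0749, 0747, 0746, 0742, 0741) are exactly the ones that already carry `- firefox-esr`, which is consistent with Thunderbird 115 picking up the ESR 115 fixes; none of them has a fixed version yet, so thunderbird stays unfixed tracker-wide until the corresponding upload is recorded.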
[Git][security-tracker-team/security-tracker][master] Add firefox-esr and thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3c37ae22 by Salvatore Bonaccorso at 2024-01-23T16:53:21+01:00 Add firefox-esr and thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -20,6 +20,8 @@ cryptojs -- dnsdist (jmm) -- +firefox-esr (jmm) +-- frr -- gpac/oldstable @@ -91,6 +93,8 @@ slurm-wlm -- squid (apo) -- +thunderbird (jmm) +-- varnish -- xorg-server (carnil) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c37ae22448f16305e71dbc4c6cca579ce40b46c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3c37ae22448f16305e71dbc4c6cca579ce40b46c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add firefox-esr issues from mfsa2024-02
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: aa9fe727 by Salvatore Bonaccorso at 2024-01-23T16:51:11+01:00 Add firefox-esr issues from mfsa2024-02 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,33 +1,47 @@ CVE-2024-0755 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0755 CVE-2024-0754 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0754 CVE-2024-0753 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0753 CVE-2024-0752 - firefox (Only affects Firefox on MacOS) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0752 CVE-2024-0751 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0751 CVE-2024-0750 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0750 CVE-2024-0749 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0749 CVE-2024-0748 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0748 CVE-2024-0747 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0747 CVE-2024-0746 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0746 CVE-2024-0745 - firefox NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0745 
@@ -40,10 +54,14 @@ CVE-2024-0743 TODO: check src:nss CVE-2024-0742 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0742 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0742 CVE-2024-0741 - firefox + - firefox-esr NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0741 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/#CVE-2024-0741 CVE-2024-23842 (Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 al ...) NOT-FOR-US: Hitron Systems DVR LGUVR-16H CVE-2024-23678 (In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splun ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa9fe727e5ff7e00ca91b06bb5c6974e1acd2c7d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa9fe727e5ff7e00ca91b06bb5c6974e1acd2c7d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
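Review bot: the nine `+ - firefox-esr` lines are added without a version, so firefox-esr shows as unfixed in every suite until the ESR 115.7 upload is recorded; that is acceptable for the gap between import and upload, but the follow-up must touch all nine entries in one commit, since a partial update would leave the package looking half-fixed. The ids left firefox-only in these hunks (CVE-2024-0754, -0752, -0748, -0745, plus -0743/-0744 outside the shown context) match the mfsa2024-02 NOTE URLs only being attached to the ESR ids, so nothing appears to be missing from the ESR set.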
[Git][security-tracker-team/security-tracker][master] Add firefox issues from mfsa2024-01
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da57220d by Salvatore Bonaccorso at 2024-01-23T16:48:03+01:00 Add firefox issues from mfsa2024-01 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,49 @@ +CVE-2024-0755 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0755 +CVE-2024-0754 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0754 +CVE-2024-0753 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0753 +CVE-2024-0752 + - firefox (Only affects Firefox on MacOS) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0752 +CVE-2024-0751 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0751 +CVE-2024-0750 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0750 +CVE-2024-0749 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0749 +CVE-2024-0748 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0748 +CVE-2024-0747 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0747 +CVE-2024-0746 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0746 +CVE-2024-0745 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0745 +CVE-2024-0744 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0744 +CVE-2024-0743 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0743 + TODO: check src:nss +CVE-2024-0742 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0742 +CVE-2024-0741 + - firefox + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0741 CVE-2024-23842 (Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 al ...) NOT-FOR-US: Hitron Systems DVR LGUVR-16H CVE-2024-23678 (In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splun ...) 
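Review bot: two of the fifteen new entries need a second look. CVE-2024-0752 is recorded as `- firefox (Only affects Firefox on MacOS)`; a parenthesised reason by itself does not change the status, so make sure the committed line marks firefox as not affected (`<not-affected>` before the reason) rather than listing an open firefox issue for a macOS-only bug. CVE-2024-0743 gets `TODO: check src:nss`, which is the right place to park the question, but it should be resolved (either a `- nss` line or a NOTE that the affected code is Firefox-internal) once the firefox versions are filled in, not left behind. None of the `- firefox` lines carries a fixed version yet; mfsa2024-01 corresponds to Firefox 122, so the unstable upload of that release is what belongs there.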
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da57220dc167876a8ea55e17b76474c0a60df4e8
[Git][security-tracker-team/security-tracker][master] dla: update cacti status
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker Commits: cafee77e by Sylvain Beucler at 2024-01-23T12:02:00+01:00 dla: update cacti status - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -43,6 +43,7 @@ cacti (Sylvain Beucler) NOTE: 20231218: Keep triaging CVEs backlog (Beuc) NOTE: 20240102: Triage more CVEs backlog, fix a couple bullseye triage, sync with maintainer (Beuc) NOTE: 20240112: No progress as I've been busy on other tasks, but all bugs are minor so far (Beuc) + NOTE: 20240123: Backport patches, report duplicate to MITRE (Beuc) -- cairosvg NOTE: 20230323: Added by Front-Desk (gladk) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cafee77eee377c40dd51915b3492dd67838e6084 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cafee77eee377c40dd51915b3492dd67838e6084 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 701fab4b by Moritz Muehlenhoff at 2024-01-23T11:47:30+01:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -15,45 +15,45 @@ CVE-2024-23342 (The `ecdsa` PyPI package is a pure Python implementation of ECC NOTE: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp NOTE: https://minerva.crocs.fi.muni.cz/ CVE-2024-23340 (@hono/node-server is an adapter that allows users to run Hono applicat ...) - TODO: check + NOT-FOR-US: Hono CVE-2024-23339 (hoolock is a suite of lightweight utilities designed to maintain a sma ...) - TODO: check + NOT-FOR-US: hoolock CVE-2024-23224 (The issue was addressed with improved checks. This issue is fixed in m ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23223 (A privacy issue was addressed with improved handling of files. This is ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23222 (A type confusion issue was addressed with improved checks. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23219 (The issue was addressed with improved authentication. This issue is fi ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23218 (A timing side-channel issue was addressed with improvements to constan ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23217 (A privacy issue was addressed with improved handling of temporary file ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23215 (An issue was addressed with improved handling of temporary files. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23214 (Multiple memory corruption issues were addressed with improved memory ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23213 (The issue was addressed with improved memory handling. This issue is f ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23212 (The issue was addressed with improved memory handling. This issue is f ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23211 (A privacy issue was addressed with improved handling of user preferenc ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23210 (This issue was addressed with improved redaction of sensitive informat ...) 
- TODO: check + NOT-FOR-US: Apple CVE-2024-23209 (The issue was addressed with improved memory handling. This issue is f ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23208 (The issue was addressed with improved memory handling. This issue is f ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23207 (This issue was addressed with improved redaction of sensitive informat ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23206 (An access issue was addressed with improved access restrictions. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23204 (The issue was addressed with additional permissions checks. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-22772 (Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 all ...) NOT-FOR-US: Hitron Systems DVR LGUVR-8H CVE-2024-22771 (Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 all ...) 
@@ -69,19 +69,19 @@ CVE-2024-0587 (The AMP for WP \u2013 Accelerated Mobile Pages plugin for WordPre CVE-2023-47141 (IIBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11. ...) NOT-FOR-US: IBM CVE-2023-42937 (A privacy issue was addressed with improved private data redaction for ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42935 (An authentication issue was addressed with improved state management. ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42915 (Multiple issues were addressed by updating to curl version 8.4.0. This ...) - TODO: check + NOT-FOR-US: Apple (bundling curl) CVE-2023-42888 (The issue was addressed with improved checks. This issue is fixed in i ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42887 (An access issue was addressed with additional sandbox restrictions. Th ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-42881 (The issue was addressed with improved memory handling. This issue is f ...) - TODO: check + NOT-FOR-US: Apple CVE-2023-40528 (This issue was addressed by removing the vulnerable code. This issue i ...) - TODO: check + NOT-FOR-US: Apple CVE-2024-22895 (DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/modul ...) NOT-FOR-US: DedeCMS CVE-2024-22233 (In Spring Framework versions 6.0.15 and 6.1.2
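Review bot: CVE-2023-42915 is marked `NOT-FOR-US: Apple (bundling curl)`; the description says the Apple fix was a rebase to curl 8.4.0, so the Debian exposure lives under the individual curl CVEs tracked for src:curl and this Apple-assigned id is correctly NFU, but a NOTE naming those curl ids would save the next triager from re-deriving that. The remaining Apple ids in the two hunks (23224 through 23203, 42937, 42935, 42888, 42887, 42881, 40528) all describe Apple OS components per their text, so the blanket `NOT-FOR-US: Apple` is consistent with the existing entries below them.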
[Git][security-tracker-team/security-tracker][master] gitlab fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 5599f978 by Moritz Muehlenhoff at 2024-01-23T11:41:59+01:00 gitlab fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1770,11 +1770,11 @@ CVE-2024-23659 (SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the nam NOTE: https://git.spip.net/spip/bigup/commit/0757f015717cb72b84dba0e9a375ec71caddf1c2 NOTE: https://blog.spip.net/Mise-a-jour-de-maintenance-et-securite-sortie-de-SPIP-4-2-8-SPIP-4-1-14.html?lang=fr CVE-2023-6955 (An improper access control vulnerability exists in GitLab Remote Devel ...) - - gitlab + - gitlab 16.6.5-3 CVE-2023-4812 (An issue has been discovered in GitLab EE affecting all versions start ...) - - gitlab + - gitlab 16.6.5-3 CVE-2023-5356 (Incorrect authorization checks in GitLab CE/EE from all versions start ...) - - gitlab + - gitlab 16.6.5-3 CVE-2023-7028 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...) - gitlab 16.4.5+ds2-1 CVE-2024-23179 (An issue was discovered in the GlobalBlocking extension in MediaWiki b ...) 
@@ -41547,7 +41547,7 @@ CVE-2023-2032 (The Custom 404 Pro WordPress plugin before 3.8.1 does not properl CVE-2023-2031 (The Locatoraid Store Locator plugin for WordPress is vulnerable to Sto ...) NOT-FOR-US: WordPress plugin CVE-2023-2030 (An issue has been discovered in GitLab CE/EE affecting all versions fr ...) - - gitlab + - gitlab 16.6.5-3 CVE-2023-2029 (The PrePost SEO WordPress plugin through 3.0 does not properly sanitiz ...) NOT-FOR-US: WordPress plugin CVE-2023-2028 (The Call Now Accessibility Button WordPress plugin before 1.1 does not ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5599f97838d4d1c8b202c5c555348eacfcec95de -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5599f97838d4d1c8b202c5c555348eacfcec95de You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
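Review bot: the fixed version recorded for CVE-2023-6955, CVE-2023-4812, CVE-2023-5356 and CVE-2023-2030 is `16.6.5-3`, while the neighbouring CVE-2023-7028 entry uses `16.4.5+ds2-1`, i.e. a repacked-source `+ds` suffix; if the 16.6.5 upload carries the same kind of suffix, `16.6.5-3` still compares lower than it (dpkg orders `16.6.5+ds2-1` above `16.6.5-3`), so the tracker would show the issues fixed, but the "fixed in" reference would name a version that was never uploaded. Worth checking the actual unstable version string and recording that one.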
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Claim rear
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: e1dc196f by Abhijith PA at 2024-01-23T16:09:26+05:30 data/dla-needed.txt: Claim rear - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -236,7 +236,7 @@ rails NOTE: 20230131: Utkarsh to start a thread with sec+ruby team with the possible path forward. (utkarsh) NOTE: 20230828: want to rollout ruby-rack first. (utkarsh) -- -rear +rear (Abhijith PA) NOTE: 20240121: Added by Front-Desk (apo) -- ring View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1dc196f59932d4101b78f88b6a4688b75a8bc9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e1dc196f59932d4101b78f88b6a4688b75a8bc9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c70bc3a7 by Salvatore Bonaccorso at 2024-01-23T10:13:12+01:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -76169,11 +76169,11 @@ CVE-2022-45794 (An attacker with network access to the affected PLC (CJ-series a CVE-2022-45793 (Sysmac Studio installs executables in a directory with poor permission ...) NOT-FOR-US: Omron CVE-2022-45792 (Project files may contain malicious contents which the software will u ...) - TODO: check + NOT-FOR-US: Dragos CVE-2022-45791 REJECTED CVE-2022-45790 (The Omron FINS protocol has an authenticated feature to prevent access ...) - TODO: check + NOT-FOR-US: Dragos CVE-2022-45789 (A CWE-294: Authentication Bypass by Capture-replay vulnerability exist ...) NOT-FOR-US: Schneider Electric CVE-2022-45788 (A CWE-754: Improper Check for Unusual or Exceptional Conditions vulner ...) @@ -163914,7 +163914,7 @@ CVE-2021-42143 CVE-2021-42142 RESERVED CVE-2021-42141 (An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One ...) - TODO: check + NOT-FOR-US: Contiki-NG tinyDTLS CVE-2021-42140 RESERVED CVE-2021-42139 (Deno Standard Modules before 0.107.0 allows Code Injection via an untr ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c70bc3a782998abf60c509ee9173495dafe61984 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c70bc3a782998abf60c509ee9173495dafe61984 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
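Review bot: CVE-2022-45792 and CVE-2022-45790 are tagged `NOT-FOR-US: Dragos`, but the descriptions in the hunk concern Omron products (the CVE-2022-45790 text starts "The Omron FINS protocol ...") and the adjacent CVE-2022-45793 entry uses `NOT-FOR-US: Omron`; Dragos is the CNA that assigned these ids, not the affected vendor, so unless the intent was to record the CNA, the tag should say Omron for consistency with the neighbouring entries and so vendor searches pick it up. The CVE-2021-42141 change to `NOT-FOR-US: Contiki-NG tinyDTLS` in the second hunk is fine as written.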
[Git][security-tracker-team/security-tracker][master] Process some more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0540a760 by Salvatore Bonaccorso at 2024-01-23T09:48:48+01:00 Process some more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,17 +55,17 @@ CVE-2024-23204 (The issue was addressed with additional permissions checks. This CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...) TODO: check CVE-2024-22772 (Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 all ...) - TODO: check + NOT-FOR-US: Hitron Systems DVR LGUVR-8H CVE-2024-22771 (Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 all ...) - TODO: check + NOT-FOR-US: Hitron Systems DVR LGUVR-4H CVE-2024-22770 (Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 al ...) - TODO: check + NOT-FOR-US: Hitron Systems DVR HVR-16781 CVE-2024-22769 (Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 all ...) - TODO: check + NOT-FOR-US: Hitron Systems DVR HVR-8781 CVE-2024-22768 (Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 all ...) - TODO: check + NOT-FOR-US: Hitron Systems DVR HVR-4781 CVE-2024-0587 (The AMP for WP \u2013 Accelerated Mobile Pages plugin for WordPress is ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-47141 (IIBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11. ...) NOT-FOR-US: IBM CVE-2023-42937 (A privacy issue was addressed with improved private data redaction for ...) 
@@ -61236,7 +61236,7 @@ CVE-2023-24137 CVE-2023-24136 RESERVED CVE-2023-24135 (Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to c ...) - TODO: check + NOT-FOR-US: Jensen of Scandinavia Eagle 1200AC CVE-2023-24134 (Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to c ...) NOT-FOR-US: Jensen of Scandinavia Eagle 1200AC CVE-2023-24133 (Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0540a7602957a5371429d61617a2c46f82b47c5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0540a7602957a5371429d61617a2c46f82b47c5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-23342/python-ecdsa
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cfcf513f by Salvatore Bonaccorso at 2024-01-23T09:40:22+01:00 Add CVE-2024-23342/python-ecdsa - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,7 +11,9 @@ CVE-2024-23675 (In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app CVE-2024-23345 (Nautobot is a Network Source of Truth and Network Automation Platform ...) NOT-FOR-US: Nautobot CVE-2024-23342 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...) - TODO: check + - python-ecdsa + NOTE: https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-wj6h-64fc-37mp + NOTE: https://minerva.crocs.fi.muni.cz/ CVE-2024-23340 (@hono/node-server is an adapter that allows users to run Hono applicat ...) TODO: check CVE-2024-23339 (hoolock is a suite of lightweight utilities designed to maintain a sma ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfcf513f91e5d7ea31c3e9a255b63e36d48af697 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cfcf513f91e5d7ea31c3e9a255b63e36d48af697 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
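Review bot: the new `- python-ecdsa` line has no version and no `[bookworm]`/`[bullseye]` triage; CVE-2024-23342 is the Minerva timing side channel on ECDSA signing that the two NOTE links describe, and the GHSA should be read for whether upstream ships a fix at all, since a side channel the project treats as out of scope is normally recorded with a pseudo-version and a reason rather than left as an open unfixed entry. Either way, a short NOTE on the upstream fix status would keep this from sitting on the unfixed list indefinitely.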
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: dd48cbc8 by Salvatore Bonaccorso at 2024-01-23T09:38:15+01:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -65,7 +65,7 @@ CVE-2024-22768 (Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4. CVE-2024-0587 (The AMP for WP \u2013 Accelerated Mobile Pages plugin for WordPress is ...) TODO: check CVE-2023-47141 (IIBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11. ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-42937 (A privacy issue was addressed with improved private data redaction for ...) TODO: check CVE-2023-42935 (An authentication issue was addressed with improved state management. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd48cbc8e6cbc2a5f3574675cb1f4ada79dd51f1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd48cbc8e6cbc2a5f3574675cb1f4ada79dd51f1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 30adcb2e by Salvatore Bonaccorso at 2024-01-23T09:36:28+01:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,15 +1,15 @@ CVE-2024-23842 (Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 al ...) - TODO: check + NOT-FOR-US: Hitron Systems DVR LGUVR-16H CVE-2024-23678 (In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splun ...) - TODO: check + NOT-FOR-US: Splunk CVE-2024-23677 (In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utilit ...) - TODO: check + NOT-FOR-US: Splunk CVE-2024-23676 (In Splunk versions below 9.0.8 and 9.1.3, the \u201cmrollup\u201d SPL ...) - TODO: check + NOT-FOR-US: Splunk CVE-2024-23675 (In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key va ...) - TODO: check + NOT-FOR-US: Splunk CVE-2024-23345 (Nautobot is a Network Source of Truth and Network Automation Platform ...) - TODO: check + NOT-FOR-US: Nautobot CVE-2024-23342 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...) TODO: check CVE-2024-23340 (@hono/node-server is an adapter that allows users to run Hono applicat ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30adcb2e2f8a0c28502219b4b70a563a79f79bfd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30adcb2e2f8a0c28502219b4b70a563a79f79bfd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] mark spring as n/a, regardless of the affected upstream version we only have 4.x anyway
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6babd916 by Moritz Muehlenhoff at 2024-01-23T09:29:45+01:00 mark spring as n/a, regardless of the affected upstream version we only have 4.x anyway - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -83,9 +83,8 @@ CVE-2023-40528 (This issue was addressed by removing the vulnerable code. This i CVE-2024-22895 (DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/modul ...) NOT-FOR-US: DedeCMS CVE-2024-22233 (In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a us ...) - - libspring-java + - libspring-java (Only affects 6.x) NOTE: https://spring.io/security/cve-2024-22233/ - TODO: check, might affect only specific 6.x versions as the advisory only mentions 6.0.15 and 6.1.2 CVE-2024-0784 (A vulnerability was found in biantaibao octopus 1.0. It has been class ...) NOT-FOR-US: biantaibao octopus CVE-2024-0783 (A vulnerability was found in Project Worlds Online Admission System 1. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6babd916af9eb6df0db1874f8b605532ce0f93e0 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6babd916af9eb6df0db1874f8b605532ce0f93e0 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
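Review bot: the commit message says spring is marked n/a, but the rendered line reads `- libspring-java (Only affects 6.x)` with nothing between the package name and the reason; the mail archive strips angle-bracket tokens, so confirm the committed line is `- libspring-java <not-affected> (Only affects 6.x)`, because without the pseudo-version the tracker keeps libspring-java listed as vulnerable in every suite. The reasoning in the message (Debian only ships the 4.x branch, so the exact 6.x range does not matter) is sound and justifies dropping the TODO.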
[Git][security-tracker-team/security-tracker][master] new AMD GPU issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 8ee4783e by Moritz Muehlenhoff at 2024-01-23T09:24:03+01:00 new AMD GPU issue While related fixes might also be needed in the Linux drivers, the gist of the fixes will be in the firmware, so tracking this for firmware-nonfree. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1160,7 +1160,11 @@ CVE-2023-52041 (An issue discovered in TOTOLINK X6000R V9.4.0cu.852_B20230719 al CVE-2023-51381 REJECTED CVE-2023-4969 (A GPU kernel can read sensitive data from another GPU kernel (even fro ...) - TODO: check + - firmware-nonfree + [bookworm] - firmware-nonfree (Minor issue, revisit when updates are available) + [bullseye] - firmware-nonfree (Non-free not supported) + NOTE: https://blog.trailofbits.com/2024/01/16/leftoverlocals-listening-to-llm-responses-through-leaked-gpu-local-memory/ + NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-6010.html CVE-2023-4797 (The Newsletters WordPress plugin before 4.9.3 does not properly escape ...) NOT-FOR-US: WordPress plugin CVE-2023-4757 (The Staff / Employee Business Directory for Active Directory WordPress ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ee4783e5d93c11c4db5075b3479475ab5deb3ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8ee4783e5d93c11c4db5075b3479475ab5deb3ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
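Review bot: the commit message records that related fixes may also be needed in the Linux drivers, but the hunk tracks CVE-2023-4969 only against firmware-nonfree and nothing in the data captures that decision; a NOTE line stating that the driver side is being watched (or a separate `linux` entry once upstream clarifies) would let later triagers see why the kernel package is absent. The release lines `[bookworm] - firmware-nonfree (Minor issue, revisit when updates are available)` and `[bullseye] - firmware-nonfree (Non-free not supported)` show no `<postponed>` / `<no-dsa>` markers as rendered here; if those were stripped in transit, ignore this, otherwise the bare form leaves both releases listed as open. The two NOTE links (the Trail of Bits LeftoverLocals write-up and the AMD bulletin) are the right references for this issue.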
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 53671dca by security tracker role at 2024-01-23T08:11:54+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,85 @@ +CVE-2024-23842 (Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 al ...) + TODO: check +CVE-2024-23678 (In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splun ...) + TODO: check +CVE-2024-23677 (In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utilit ...) + TODO: check +CVE-2024-23676 (In Splunk versions below 9.0.8 and 9.1.3, the \u201cmrollup\u201d SPL ...) + TODO: check +CVE-2024-23675 (In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key va ...) + TODO: check +CVE-2024-23345 (Nautobot is a Network Source of Truth and Network Automation Platform ...) + TODO: check +CVE-2024-23342 (The `ecdsa` PyPI package is a pure Python implementation of ECC (Ellip ...) + TODO: check +CVE-2024-23340 (@hono/node-server is an adapter that allows users to run Hono applicat ...) + TODO: check +CVE-2024-23339 (hoolock is a suite of lightweight utilities designed to maintain a sma ...) + TODO: check +CVE-2024-23224 (The issue was addressed with improved checks. This issue is fixed in m ...) + TODO: check +CVE-2024-23223 (A privacy issue was addressed with improved handling of files. This is ...) + TODO: check +CVE-2024-23222 (A type confusion issue was addressed with improved checks. This issue ...) + TODO: check +CVE-2024-23219 (The issue was addressed with improved authentication. This issue is fi ...) + TODO: check +CVE-2024-23218 (A timing side-channel issue was addressed with improvements to constan ...) + TODO: check +CVE-2024-23217 (A privacy issue was addressed with improved handling of temporary file ...) + TODO: check +CVE-2024-23215 (An issue was addressed with improved handling of temporary files. This ...) + TODO: check +CVE-2024-23214 (Multiple memory corruption issues were addressed with improved memory ...) + TODO: check +CVE-2024-23213 (The issue was addressed with improved memory handling. This issue is f ...) 
+ TODO: check +CVE-2024-23212 (The issue was addressed with improved memory handling. This issue is f ...) + TODO: check +CVE-2024-23211 (A privacy issue was addressed with improved handling of user preferenc ...) + TODO: check +CVE-2024-23210 (This issue was addressed with improved redaction of sensitive informat ...) + TODO: check +CVE-2024-23209 (The issue was addressed with improved memory handling. This issue is f ...) + TODO: check +CVE-2024-23208 (The issue was addressed with improved memory handling. This issue is f ...) + TODO: check +CVE-2024-23207 (This issue was addressed with improved redaction of sensitive informat ...) + TODO: check +CVE-2024-23206 (An access issue was addressed with improved access restrictions. This ...) + TODO: check +CVE-2024-23204 (The issue was addressed with additional permissions checks. This issue ...) + TODO: check +CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...) + TODO: check +CVE-2024-22772 (Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 all ...) + TODO: check +CVE-2024-22771 (Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 all ...) + TODO: check +CVE-2024-22770 (Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 al ...) + TODO: check +CVE-2024-22769 (Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 all ...) + TODO: check +CVE-2024-22768 (Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 all ...) + TODO: check +CVE-2024-0587 (The AMP for WP \u2013 Accelerated Mobile Pages plugin for WordPress is ...) + TODO: check +CVE-2023-47141 (IIBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11. ...) + TODO: check +CVE-2023-42937 (A privacy issue was addressed with improved private data redaction for ...) + TODO: check +CVE-2023-42935 (An authentication issue was addressed with improved state management. ...) 
+ TODO: check +CVE-2023-42915 (Multiple issues were addressed by updating to curl version 8.4.0. This ...) + TODO: check +CVE-2023-42888 (The issue was addressed with improved checks. This issue is fixed in i ...) + TODO: check +CVE-2023-42887 (An access issue was addressed with additional sandbox restrictions. Th ...) + TODO: check +CVE-2023-42881 (The issue was addressed with improved memory handling. This issue is f ...) + TODO: check +CVE-2023-40528 (This issue was addressed by removing the vulnerable code. This issue i .
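Review bot: nothing in this automatic import needs changing on its own, but two groups in it will want coordinated triage rather than entry-by-entry checks. First, CVE-2024-23842 and CVE-2024-22768 through CVE-2024-22772 are the same "Improper Input Validation" issue across Hitron Systems DVR models and should receive one consistent resolution. Second, the run of entries with Apple-style "This issue is fixed in ..." descriptions (CVE-2024-23203 through CVE-2024-23224 and CVE-2023-42881 through CVE-2023-42937) are vendor security-content records; CVE-2023-42915, whose description reads "Multiple issues were addressed by updating to curl version 8.4.0", shows why they deserve a look before being marked NOT-FOR-US, since such an entry points at a bundled open-source component whose own CVEs are what Debian actually tracks. The "IIBM Db2" spelling in CVE-2023-47141 is carried over from the upstream feed and is not something to correct locally.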