[Git][security-tracker-team/security-tracker][master] Remove all notes from CVE-2022-40433
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 57826af0 by Salvatore Bonaccorso at 2024-02-18T08:55:46+01:00 Remove all notes from CVE-2022-40433 Oracle as assigning CNA has rejected the CVE, as it was not a security issue. This should hit any next CVE feed update as well, so track it already as such. - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -99202,11 +99202,8 @@ CVE-2022-40435 (Employee Performance Evaluation System v1.0 was discovered to co NOT-FOR-US: Employee Performance Evaluation System CVE-2022-40434 (Softr v2.0 was discovered to be vulnerable to HTML injection via the N ...) NOT-FOR-US: Softr -CVE-2022-40433 (An issue was discovered in function ciMethodBlocks::make_block_at in O ...) - {DSA-5331-1} - - openjdk-11 11.0.17+8-1 - NOTE: https://github.com/openjdk/jdk11u-dev/commit/fb76f0e7beb0e79eabf63399fc09923a0b3a04d2 (jdk-11.0.17-ga) - NOTE: https://bugs.openjdk.org/browse/JDK-8283441 +CVE-2022-40433 + REJECTED CVE-2022-40432 (The d8s-strings for python, as distributed on PyPI, included a potenti ...) NOT-FOR-US: d8s-strings for python CVE-2022-40431 (The d8s-pdfs for python, as distributed on PyPI, included a potential ...) = data/DSA/list = 
@@ -1036,7 +1036,7 @@ {CVE-2022-23521 CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 CVE-2022-41903} [bullseye] - git 1:2.30.2-1+deb11u1 [28 Jan 2023] DSA-5331-1 openjdk-11 - security update - {CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843 CVE-2022-40433} + {CVE-2022-21619 CVE-2022-21624 CVE-2022-21626 CVE-2022-21628 CVE-2022-39399 CVE-2023-21835 CVE-2023-21843} [bullseye] - openjdk-11 11.0.18+10-1~deb11u1 [27 Jan 2023] DSA-5330-1 curl - security update {CVE-2022-32221 CVE-2022-43552} View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57826af035c46e15f721e5ac125936c189424dec -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/57826af035c46e15f721e5ac125936c189424dec You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
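Review bot: removing CVE-2022-40433 from the DSA-5331-1 line in data/DSA/list retroactively edits an advisory that was published on 28 Jan 2023 with that CVE in its list, so the tracker's record and the advisory text now disagree, and the CVE/list entry is cut down to `CVE-2022-40433` / `REJECTED` with the `- openjdk-11 11.0.17+8-1` line and both NOTE links gone; keep one NOTE on the rejected entry (e.g. `NOTE: Rejected by Oracle, not a security issue`) so that someone following DSA-5331-1 back to the tracker can see why the CVE disappeared rather than finding an empty entry. Dropping the `{DSA-5331-1}` cross-reference from the CVE entry is consistent with the DSA/list change, so the two files stay in step.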
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-24814
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9bf38214 by Salvatore Bonaccorso at 2024-02-18T08:16:54+01:00 Add Debian bug reference for CVE-2024-24814 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -702,7 +702,7 @@ CVE-2024-24921 (A vulnerability has been identified in Simcenter Femap (All vers CVE-2024-24920 (A vulnerability has been identified in Simcenter Femap (All versions < ...) NOT-FOR-US: Siemens CVE-2024-24814 (mod_auth_openidc is an OpenID Certified\u2122 authentication and autho ...) - - libapache2-mod-auth-openidc + - libapache2-mod-auth-openidc (bug #1064183) NOTE: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv NOTE: https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d (v2.4.15.2) CVE-2024-24782 (An unauthenticated attacker can send a ping request from one network t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bf38214abdf9fb74b3be5a7cfe684f93879bd9a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bf38214abdf9fb74b3be5a7cfe684f93879bd9a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
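Review bot: the `- libapache2-mod-auth-openidc (bug #1064183)` line still carries no fixed version even though the NOTE directly below it points at the upstream fix commit tagged v2.4.15.2, and the entry has no `[bookworm]` or `[bullseye]` triage lines; record the fixed version on that line once the upload lands and add the suite decisions so the entry does not read as untriaged for stable and oldstable. Separately, the context line shows `OpenID Certified\u2122`, an escaped trademark sign rather than the character; worth checking that the description in the committed file holds the UTF-8 character and not a literal `\u2122` sequence.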
[Git][security-tracker-team/security-tracker][master] Add a note on sendmail/dla
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker Commits: a81b52a4 by Bastien Roucariès at 2024-02-17T20:24:58+00:00 Add a note on sendmail/dla I have a patch that is private and being reviewed - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -250,6 +250,7 @@ samba sendmail (rouca) NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches + NOTE: 20240217: Patch extracted and being reviewed (rouca) -- squid NOTE: 20240109: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81b52a46a1882d0c99f30c37eb459b710c4ef98 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a81b52a46a1882d0c99f30c37eb459b710c4ef98 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
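Review bot: the new `NOTE: 20240217: Patch extracted and being reviewed (rouca)` line does not say what the patch was extracted from, while the preceding note records that upstream publishes no patches; add the upstream version or commit range the fix was distilled from, and the bug or merge request where the review is happening once it is public, so that a second LTS member can verify the backport instead of taking it on trust.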
[Git][security-tracker-team/security-tracker][master] mark dnspython/CVE-2023-29483 as ignored for oldstable/stable
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 99cb6308 by Moritz Muehlenhoff at 2024-02-17T18:32:08+01:00 mark dnspython/CVE-2023-29483 as ignored for oldstable/stable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49445,11 +49445,13 @@ CVE-2023-29484 (In Terminalfour before 8.3.16, misconfigured LDAP users are able CVE-2023-29483 RESERVED - dnspython 2.6.0-1 + [bookworm] - dnspython (Minor issue) + [bullseye] - dnspython (Minor issue) NOTE: https://www.dnspython.org/news/2.6.0rc1/ NOTE: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 (v2.6.0rc1) NOTE: https://github.com/rthalley/dnspython/commit/e093299a49967696b1c58b68e4767de5031a3e46 (v2.6.0) -NOTE: Upstream recommends not backporting fix: -NOTE: https://github.com/rthalley/dnspython/issues/1051#issuecomment-1949383928 + NOTE: Upstream recommends not backporting fix: + NOTE: https://github.com/rthalley/dnspython/issues/1051#issuecomment-1949383928 CVE-2023-29482 RESERVED CVE-2023-29481 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99cb6308ad607ac974129091e34bb14b0a9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/99cb6308ad607ac974129091e34bb14b0a9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
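Review bot: the commit title says the issue is marked ignored for oldstable/stable, but the added lines read `[bookworm] - dnspython (Minor issue)` and `[bullseye] - dnspython (Minor issue)` with nothing between the package name and the parenthesised reason; if the state tag was stripped by the mail rendering that is fine, but if it is absent from the file the tracker will not see an ignored decision on those lines, so verify the tag is present in the committed text. The re-indentation of `NOTE: Upstream recommends not backporting fix:` and the issue URL is correct: the previous commit added them flush-left, and the surrounding NOTE lines in the hunk context are indented.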
[Git][security-tracker-team/security-tracker][master] Add note on upstream fix recommendations for CVE-2023-29483
Scott Kitterman pushed to branch master at Debian Security Tracker / security-tracker Commits: af4e408e by Scott Kitterman at 2024-02-17T10:21:36-05:00 Add note on upstream fix recommendations for CVE-2023-29483 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -49448,6 +49448,8 @@ CVE-2023-29483 NOTE: https://www.dnspython.org/news/2.6.0rc1/ NOTE: https://github.com/rthalley/dnspython/commit/f66e25b5f549acf66d1fb6ead13eb3cff7d09af3 (v2.6.0rc1) NOTE: https://github.com/rthalley/dnspython/commit/e093299a49967696b1c58b68e4767de5031a3e46 (v2.6.0) +NOTE: Upstream recommends not backporting fix: +NOTE: https://github.com/rthalley/dnspython/issues/1051#issuecomment-1949383928 CVE-2023-29482 RESERVED CVE-2023-29481 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af4e408e140b203f29782946d53b361ed25d3e74 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af4e408e140b203f29782946d53b361ed25d3e74 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
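Review bot: the two added lines are inserted flush-left (`+NOTE: Upstream recommends not backporting fix:`) while the three NOTE lines in the hunk context are indented, which is the file's convention for entry-body lines; indent them to match (the later commit 99cb6308 on this page does exactly that). The note also records upstream's recommendation without the resulting decision; pairing it with `[bookworm]` and `[bullseye]` lines in the same commit would make the entry self-explanatory instead of leaving the CVE looking unfixed in those suites.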
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3734-1 for openvswitch
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 3926f7c1 by Tobias Frost at 2024-02-17T16:13:47+01:00 Reserve DLA-3734-1 for openvswitch - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -24970,7 +24970,6 @@ CVE-2023-5366 (A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Adve - openvswitch 3.1.2-1 [bookworm] - openvswitch (Minor issue) [bullseye] - openvswitch (Minor issue) - [buster] - openvswitch (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2006347 NOTE: https://github.com/openvswitch/ovs/commit/694c7b4e097c4d89e23ea9b3c7b677b4fcbe0459 (v3.1.2) NOTE: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c (v3.2.0) = data/DLA/list = @@ -1,3 +1,6 @@ +[17 Feb 2024] DLA-3734-1 openvswitch - security update + {CVE-2023-5366} + [buster] - openvswitch 2.10.7+ds1-0+deb10u5 [03 Feb 2024] DLA-3733-1 rear - security update {CVE-2024-23301} [buster] - rear 2.4+dfsg-1+deb10u1 = data/dla-needed.txt = 
@@ -193,9 +193,6 @@ nvidia-cuda-toolkit NOTE: 20230610: Details: https://lists.debian.org/debian-lts/2023/06/msg00032.html NOTE: 20230610: my recommendation would be to put the package on the "not-supported" list. (tobi) -- -openvswitch (tobi) - NOTE: 20240209: Added by Front-Desk (utkarsh) --- putty NOTE: 20231224: Added by Front-Desk (ta) NOTE: 20230104: massive code change against bullseye. May be better to backport bullseye (rouca) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3926f7c1b720db3bdf27bc746f1a2b231f775878 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3926f7c1b720db3bdf27bc746f1a2b231f775878 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
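Review bot: what is missing is a NOTE for the buster backport itself: the CVE-2023-5366 entry's NOTE lines point only at the upstream commits in v3.1.2 and v3.2.0, while the new DLA-3734-1 line records `[buster] - openvswitch 2.10.7+ds1-0+deb10u5`, so a reader has no pointer to the patch that was actually applied to 2.10.x short of diffing the deb10u5 upload; add a link to the backported patch or the bug where it was reviewed. The three files otherwise move together: the `[buster] - openvswitch (Minor issue)` line leaves data/CVE/list, the DLA is recorded in data/DLA/list, and the openvswitch entry is dropped from dla-needed.txt.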
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 03264623 by Moritz Muehlenhoff at 2024-02-17T15:03:17+01:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1377,6 +1377,8 @@ CVE-2024-21624 (nonebot2 is a cross-platform Python asynchronous chatbot framewo NOT-FOR-US: nonebot2 CVE-2024-21490 (This affects versions of the package angular from 1.3.0. A regular exp ...) - angular.js + [bookworm] - angular.js (Minor issue) + [bullseye] - angular.js (Minor issue) [buster] - angular.js (Fix along with the next DLA) NOTE: https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 CVE-2024-1406 (A vulnerability was found in Linksys WRT54GL 4.30.18. It has been decl ...) @@ -1654,6 +1656,8 @@ CVE-2024-25190 (l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify NOT-FOR-US: l8w8jwt CVE-2024-25189 (libjwt 1.15.3 uses strcmp (which is not constant time) to verify authe ...) - libjwt (bug #1063534) + [bookworm] - libjwt (Minor issue) + [bullseye] - libjwt (Minor issue) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/benmcollins%3Alibjwt.md NOTE: https://github.com/benmcollins/libjwt/commit/f73bac57c5bece16ac24f1a70022aa34355fc1bf (v1.17.0) NOTE: https://github.com/benmcollins/libjwt/commit/a5d61ef4f1b383876e0a78534383f38159471fd6 (v1.17.0) @@ -2773,6 +2777,8 @@ CVE-2024-23824 (mailcow is a dockerized email package, with multiple containers NOT-FOR-US: mailcow CVE-2024-23635 (AntiSamy is a library for performing fast, configurable cleansing of H ...) - libowasp-antisamy-java (bug #1062846) + [bookworm] - libowasp-antisamy-java (Minor issue) + [bullseye] - libowasp-antisamy-java (Minor issue) NOTE: https://github.com/nahsra/antisamy/security/advisories/GHSA-2mrq-w8pv-5pvq CVE-2024-22851 (Directory Traversal Vulnerability in LiveConfig before v.2.5.2 allows ...) NOT-FOR-US: LiveConfig 
@@ -3545,6 +3551,8 @@ CVE-2024-1030 (A vulnerability was found in Cogites eReserv 7.7.58. It has been NOT-FOR-US: Cogites eReserv CVE-2024-1019 (ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypa ...) - modsecurity 3.0.12-1 + [bookworm] - modsecurity (Minor issue) + [bullseye] - modsecurity (Minor issue) NOTE: https://owasp.org/www-project-modsecurity/tab_cves#cve-2024-1019-2024-01-30 CVE-2024-0676 (Weak password requirement vulnerability in Lamassu Bitcoin ATM Douro ...) NOT-FOR-US: Lamassu Bitcoin ATM Douro machines @@ -9947,6 +9955,8 @@ CVE-2023-51775 (The jose4j component before 0.9.4 for Java allows attackers to c NOTE: https://bitbucket.org/b_c/jose4j/commits/1afaa1e174b3 CVE-2023-51774 (The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypa ...) - ruby-json-jwt + [bookworm] - ruby-json-jwt (Revisit when addressed upstream) + [bullseye] - ruby-json-jwt (Revisit when addressed upstream) NOTE: https://github.com/P3ngu1nW/CVE_Request/blob/main/novjson-jwt.md NOTE: https://github.com/nov/json-jwt/issues/113 CVE-2023-51773 (BACnet Stack before 1.3.2 has a decode function APDU buffer over-read ...) @@ -30375,6 +30385,7 @@ CVE-2023-38802 (FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a NOTE: https://github.com/FRRouting/frr/commit/46817adab03802355c3cce7b753c7a735bdcc5ae CVE-2023-38283 (In OpenBGPD before 8.1, incorrect handling of BGP update data (length ...) - openbgpd 8.1-1 + [bookworm] - openbgpd (Minor issue) NOTE: https://ftp.openbsd.org/pub/OpenBSD/patches/7.3/common/006_bgpd.patch.sig CVE-2023-34039 (Aria Operations for Networks contains an Authentication Bypass vulnera ...) NOT-FOR-US: VMware = data/dsa-needed.txt = @@ -30,6 +30,8 @@ gtkwave -- h2o (jmm) -- +imagemagick (jmm) +-- iwd (carnil) -- libreswan (jmm) 
@@ -48,7 +50,7 @@ opennds/stable -- openvswitch -- -pdns-recursor +pdns-recursor (jmm) -- php-cas/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03264623db87c09c7203a74eb9b04447ac3a756c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/03264623db87c09c7203a74eb9b04447ac3a756c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
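Review bot: CVE-2023-38283 receives only `[bookworm] - openbgpd (Minor issue)` while every other entry touched in this commit triages bookworm and bullseye as a pair; if bullseye does not ship openbgpd or is not affected, say so on its own line, otherwise add the bullseye decision, so the entry does not look half-triaged. Two smaller points: for CVE-2024-21490 the buster line still says `Fix along with the next DLA` while bookworm and bullseye are now `Minor issue`, a defensible but surprising asymmetry that deserves a NOTE; and `imagemagick (jmm)` enters dsa-needed.txt with no line saying which CVEs the update is meant to cover.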
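The entry forms these commits edit (a `CVE-... (description ...)` header, `RESERVED`, `REJECTED` and `NOT-FOR-US:` lines, `{DSA-...}` cross-references, a `- srcpkg version` line for unstable with an optional `(bug #N)`, `[suite] - srcpkg (reason)` triage lines and `NOTE:` lines) are easy to read but easy to get subtly wrong, as the indentation fix-up across the two dnspython commits shows. What follows is an added example, not code from the security-tracker repository: a small Python parser for exactly those forms, a status resolver that applies them in the tracker's order of precedence, and a diff helper that reports how a package's state moved between two snapshots of data/CVE/list. The snapshots embedded in the block are constructed from the hunks in this digest. Two assumptions are labelled in the code: the real file carries angle-bracket state tags such as <unfixed>, <no-dsa> and <ignored> between the package name and the reason, which this mail rendering does not show, so a package line without a version is treated as unfixed and a suite line without a version as a no-dsa decision; and the real tracker resolves a suite that has no explicit line by comparing package versions against the archive, which the example cannot do and therefore reports as "no-entry".

```python
# Added example (not security-tracker code): parse the data/CVE/list entry forms
# visible on this page and resolve a source package's state per suite.
# Assumption: the angle-bracket state tags the real file carries (<unfixed>,
# <no-dsa>, <ignored>, ...) are missing from this mail rendering, so a package
# line with no version is read as unfixed and a suite line with no version as
# no-dsa with its parenthesised reason.
from __future__ import annotations
import re
from dataclasses import dataclass, field
CVE_HEADER = re.compile(r"^(?P<cve>CVE-\d{4}-\d{4,})(?:\s+\((?P<desc>.*)\))?$")
PKG_LINE = re.compile(r"^- (?P<pkg>\S+)(?:\s+(?P<ver>\d\S*))?(?:\s+\(bug #(?P<bug>\d+)\))?$")
SUITE_LINE = re.compile(r"^\[(?P<suite>[a-z]+)\] - (?P<pkg>\S+)(?:\s+(?P<ver>\d\S*))?(?:\s+\((?P<reason>.*)\))?$")
@dataclass
class CveEntry:
    cve: str
    description: str | None = None
    status: str | None = None  # RESERVED, REJECTED or NOT-FOR-US
    packages: dict[str, str | None] = field(default_factory=dict)  # pkg -> fix in unstable, None = unfixed
    bugs: dict[str, int] = field(default_factory=dict)  # pkg -> Debian bug number from "(bug #N)"
    suites: dict[tuple[str, str], tuple[str | None, str | None]] = field(default_factory=dict)  # (suite, pkg) -> (ver, reason)
    advisories: list[str] = field(default_factory=list)  # ids from a {DSA-... DLA-...} line
    notes: list[str] = field(default_factory=list)

    def mentions(self, pkg: str) -> bool:
        return pkg in self.packages or any(p == pkg for _, p in self.suites)

def parse_cve_list(text: str) -> dict[str, CveEntry]:
    """Entries keyed by CVE id; an unknown line form is an error, not silently skipped."""
    entries, cur = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := CVE_HEADER.match(line):
            cur = entries[m["cve"]] = CveEntry(m["cve"], m["desc"])
        elif cur is None:
            raise ValueError(f"line before first CVE header: {line!r}")
        elif line in ("RESERVED", "REJECTED"):
            cur.status = line
        elif line.startswith(("NOT-FOR-US:", "NOTE:")):
            if line.startswith("NOT-FOR-US:"):
                cur.status = "NOT-FOR-US"
            cur.notes.append(line.partition(":")[2].strip())
        elif line.startswith("{") and line.endswith("}"):
            cur.advisories.extend(line[1:-1].split())
        elif m := SUITE_LINE.match(line):
            cur.suites[(m["suite"], m["pkg"])] = (m["ver"], m["reason"])
        elif m := PKG_LINE.match(line):
            cur.packages[m["pkg"]] = m["ver"]
            if m["bug"]:
                cur.bugs[m["pkg"]] = int(m["bug"])
        else:
            raise ValueError(f"unrecognised line under {cur.cve}: {line!r}")
    return entries

def status_for(entry: CveEntry, pkg: str, suite: str = "sid") -> str:
    """State of pkg in suite, applying the entry's lines in the tracker's order of precedence."""
    if entry.status in ("REJECTED", "NOT-FOR-US"):
        return entry.status.lower()
    if suite != "sid":
        if (suite, pkg) in entry.suites:
            ver, reason = entry.suites[(suite, pkg)]
            return f"fixed:{ver}" if ver else f"no-dsa:{reason}"
        if pkg in entry.packages:
            # The real tracker would compare the unstable fix with the suite's version; no archive data here.
            return "no-entry"
    if pkg in entry.packages:
        ver = entry.packages[pkg]
        return f"fixed:{ver}" if ver else "unfixed"
    return "reserved" if entry.status == "RESERVED" else "not-tracked"

def status_changes(old_text: str, new_text: str, pkg: str, suite: str = "sid") -> dict[str, tuple[str, str]]:
    """CVEs mentioning pkg whose state in suite differs between two snapshots of the file."""
    old, new = parse_cve_list(old_text), parse_cve_list(new_text)
    changes = {}
    for cve in sorted(old.keys() | new.keys()):
        if not any(e.mentions(pkg) for e in (old.get(cve), new.get(cve)) if e):
            continue
        before = status_for(old[cve], pkg, suite) if cve in old else "absent"
        after = status_for(new[cve], pkg, suite) if cve in new else "absent"
        if before != after:
            changes[cve] = (before, after)
    return changes

# Constructed snapshots, copied from the hunks in this digest (state tags absent).
BEFORE = """\
CVE-2022-40433 (An issue was discovered in function ciMethodBlocks::make_block_at in O ...)
    {DSA-5331-1}
    - openjdk-11 11.0.17+8-1
CVE-2023-29483
    RESERVED
    - dnspython 2.6.0-1
"""
AFTER = """\
CVE-2022-40433
    REJECTED
CVE-2023-29483
    RESERVED
    - dnspython 2.6.0-1
    [bookworm] - dnspython (Minor issue)
    [bullseye] - dnspython (Minor issue)
"""
```

Calling status_changes(BEFORE, AFTER, "openjdk-11") reports the single transition from fixed:11.0.17+8-1 to rejected, and status_changes(BEFORE, AFTER, "dnspython", "bookworm") reports no-entry moving to no-dsa:Minor issue; a line the parser does not recognise raises instead of being skipped, which is the behaviour you want from anything that gates a security feed.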
[Git][security-tracker-team/security-tracker][master] Add iwd to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c9293d00 by Salvatore Bonaccorso at 2024-02-17T10:03:35+01:00 Add iwd to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -30,6 +30,8 @@ gtkwave -- h2o (jmm) -- +iwd (carnil) +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9293d005141d6b07ab5f49ba562c0bcdd9c6568 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c9293d005141d6b07ab5f49ba562c0bcdd9c6568 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
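Review bot: `iwd (carnil)` goes into dsa-needed.txt with no indication of which CVE(s) the update will address, while the neighbouring libreswan entry carries a status line (`Maintainer prepared bookworm-security update, but needs work on bullseye-security backports`); add the CVE ids or a one-line status under the iwd entry so other team members can see what the claim covers and whether bullseye is in scope.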