[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2002

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a75dd73f by Salvatore Bonaccorso at 2024-03-05T07:42:14+01:00
Add CVE-2024-2002

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,7 @@
+CVE-2024-2002
+   - dwarfutils 
+   NOTE: https://www.prevanders.net/dwarfbug.html#DW202402-002
+   NOTE: Fixed by: 
https://github.com/davea42/libdwarf-code/commit/404e6b1b14f60c81388d50b4239f81d461b3c3ad
 CVE-2024-27351 [Potential regular expression denial-of-service in 
django.utils.text.Truncator.words()]
- python-django 
NOTE: 
https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
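Review bot: the added package line '- dwarfutils' carries neither a fixed version nor a Debian bug reference, and the 'Fixed by:' NOTE gives the upstream commit URL without the parenthesised release that the other NOTE lines in this digest attach to fix commits (for example '(2.16)' after the iwd commits). Suggest filing the bug and adding '(bug #<number>)' to the package line, and appending the libdwarf release that first contains 404e6b1b to the NOTE, so the fixed version can be tracked later without re-reading the upstream commit.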



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a75dd73ff153935bb0aeb4bc3cbf3d80aede3b8a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a75dd73ff153935bb0aeb4bc3cbf3d80aede3b8a
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27351/python-django

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
bd79e769 by Salvatore Bonaccorso at 2024-03-05T07:30:44+01:00
Add CVE-2024-27351/python-django

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,10 @@
+CVE-2024-27351 [Potential regular expression denial-of-service in 
django.utils.text.Truncator.words()]
+   - python-django 
+   NOTE: 
https://www.djangoproject.com/weblog/2024/mar/04/security-releases/
+   NOTE: 
https://github.com/django/django/commit/3394fc6132436eca89e997083bae9985fb7e761e
 (5.0.3)
+   NOTE: 
https://github.com/django/django/commit/3c9a2771cc80821e041b16eb36c1c37af5349d4a
 (4.2.11)
+   NOTE: 
https://github.com/django/django/commit/072963e4c4d0b3a7a8c5412bc0c7d27d1a9c3521
 (3.2.25)
+   NOTE: CVE is a followup to CVE-2019-14232 and CVE-2023-43665.
 CVE-2024-2167
REJECTED
 CVE-2024-1657
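Review bot: the package line '- python-django' is left without a fixed version or bug reference even though the hunk already records the three upstream fix commits with their releases (5.0.3, 4.2.11, 3.2.25), and the last NOTE states this is a follow-up to CVE-2019-14232 and CVE-2023-43665 in the same Truncator.words() code. Suggest checking the suites that received the fixes for those two earlier CVEs and adding per-suite tags ([bookworm]/[bullseye]/[buster]) with an assessment, in the form used by the pcp and wireshark entries elsewhere in this digest, so the follow-up is not left unassessed in the older suites.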



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bd79e76943e6e20315332e9a31b4bb16d920a405



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-1657 as NFU

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
935bac93 by Salvatore Bonaccorso at 2024-03-05T07:25:52+01:00
Add CVE-2024-1657 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,5 +1,7 @@
 CVE-2024-2167
REJECTED
+CVE-2024-1657
+   NOT-FOR-US: Red Hat Ansible Automation Platform
 CVE-2024-2048 (Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate 
auth me ...)
NOT-FOR-US: HashiCorp Vault
 CVE-2024-27889 (Multiple SQL Injection vulnerabilities exist in the reporting 
applicat ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/935bac932800959892a0ebc3c486db916b66f698



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-28084/iwd via unstable

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d03a9bed by Salvatore Bonaccorso at 2024-03-05T07:21:27+01:00
Track fixed version for CVE-2024-28084/iwd via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -229,7 +229,7 @@ CVE-2024-2151 (A vulnerability classified as problematic 
was found in SourceCode
 CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an 
actor wh ...)
NOT-FOR-US: LanChain-ai Langchain
 CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows 
attackers  ...)
-   - iwd  (bug #1065443)
+   - iwd 2.16-1 (bug #1065443)
NOTE: 
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d
 (2.16)
NOTE: 
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb
 (2.16)
 CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d03a9bedfe1aff4e6801a59e716fc379dce4dea7



[Git][security-tracker-team/security-tracker][master] Added libapache2-mod-auth-openidc to dla-needed.

2024-03-04 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
cebf4215 by Ola Lundqvist at 2024-03-05T00:19:10+01:00
Added libapache2-mod-auth-openidc to dla-needed.

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -144,6 +144,9 @@ jetty9
 knot-resolver
   NOTE: 20231029: Added by Front-Desk (gladk)
 --
+libapache2-mod-auth-openidc
+  NOTE: 20240305: Added by Front-Desk (opal)
+--
 libcommons-compress-java (Markus Koschany)
   NOTE: 20240303: Added by Front-Desk (apo)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cebf4215d80c124fa2d5b48f26d05bb002ce3567



[Git][security-tracker-team/security-tracker][master] Concluded that CVE-2024-25768 is a minor issue.

2024-03-04 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4da981b2 by Ola Lundqvist at 2024-03-05T00:08:30+01:00
Concluded that CVE-2024-25768 is a minor issue.

  The issue occurs if a null list buffer is provided but a non-zero length
  of that buffer is provided. In opendmarc itself this will never happen
  because the list buffer is always provided with a null value and zero
  length.

  When opendmarc is used as a library it is reasonable to assume that
  providing a null list and a non-zero value for such a list is a
  programming error.

  There are no reverse dependencies for libopendmarc-dev in buster.
  If someone builds an application that has such an error it is likely
  going to have other more severe problems. It is still a vulnerability
  but the vulnerability is more in the application calling this function
  than something else.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2653,6 +2653,7 @@ CVE-2024-25770 (libming 0.4.8 contains a memory leak 
vulnerability in /libming/s
- ming 
 CVE-2024-25768 (OpenDMARC 1.4.2 contains a null pointer dereference 
vulnerability in / ...)
- opendmarc 
+   [buster] - opendmarc  (Minor issue)
NOTE: 
https://github.com/LuMingYinDetect/OpenDMARC_defects/blob/main/OpenDMARC_detect_1.md
 CVE-2024-25767 (nanomq 0.21.2 contains a Use-After-Free vulnerability in 
/nanomq/nng/s ...)
NOT-FOR-US: NanoMQ
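Review bot: the rationale for the new '[buster] - opendmarc  (Minor issue)' tag lives only in the commit message (a null list buffer with a non-zero length never occurs inside opendmarc itself; libopendmarc-dev has no reverse dependencies in buster), while the data file itself gets no NOTE. Suggest adding a NOTE line under the tag summarising that reasoning, e.g. 'NOTE: Null list with non-zero length cannot occur in opendmarc itself, only in library users; no rdeps of libopendmarc-dev in buster', so a later triage of bullseye/bookworm can reuse the assessment without going through git log.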



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4da981b21fb6ef71f9d3230708c2589372934e34



[Git][security-tracker-team/security-tracker][master] Marked two CVEs for wireshark as no-dsa for buster following bookworm and bullseye.

2024-03-04 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a623b0d4 by Ola Lundqvist at 2024-03-04T23:48:05+01:00
Marked two CVEs for wireshark as no-dsa for buster following bookworm and 
bullseye.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13573,6 +13573,7 @@ CVE-2024-0211 (DOCSIS dissector crash in Wireshark 
4.2.0 allows denial of servic
- wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
+   [buster] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-05.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19557
 CVE-2024-0210 (Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of 
service ...)
@@ -13586,6 +13587,7 @@ CVE-2024-0209 (IEEE 1609.2 dissector crash in Wireshark 
4.2.0, 4.0.0 to 4.0.11,
- wireshark 4.2.2-1 (bug #1059925)
[bookworm] - wireshark  (Minor issue)
[bullseye] - wireshark  (Minor issue)
+   [buster] - wireshark  (Minor issue)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-02.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19501
NOTE: The bug references two crashes, this is for the one labelled "BUG 
log 2",



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a623b0d449144a3bbf7a2db21c4508cd552ed236



[Git][security-tracker-team/security-tracker][master] Marked CVE-2023-6917 as no-dsa for buster following bookworm and bullseye.

2024-03-04 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aa87e4a0 by Ola Lundqvist at 2024-03-04T23:46:11+01:00
Marked CVE-2023-6917 as no-dsa for buster following bookworm and bullseye.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1666,6 +1666,7 @@ CVE-2023-6917 (A vulnerability has been identified in the 
Performance Co-Pilot (
- pcp 6.2.0-1
[bookworm] - pcp  (Minor issue)
[bullseye] - pcp  (Minor issue)
+   [buster] - pcp  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/28/1
NOTE: https://github.com/performancecopilot/pcp/pull/1873
 CVE-2023-52226 (Cross-Site Request Forgery (CSRF) vulnerability in Advanced 
Flamingo.T ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aa87e4a02c53a187addf99c0ee06b8338a25e666



[Git][security-tracker-team/security-tracker][master] Marked CVE-2020-36774 as no-dsa for buster.

2024-03-04 Thread Ola Lundqvist (@opal)


Ola Lundqvist pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a684666c by Ola Lundqvist at 2024-03-04T23:40:54+01:00
Marked CVE-2020-36774 as no-dsa for buster.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4411,6 +4411,7 @@ CVE-2022-48624 (close_altfile in filename.c in less 
before 606 omits shell_quote
NOTE: 
https://github.com/gwsw/less/commit/c6ac6de49698be84d264a0c4c0c40bb870b10144 
(v606)
 CVE-2020-36774 (plugins/gtk+/glade-gtk-box.c in GNOME Glade before 3.38.1 and 
3.39.x b ...)
- glade 3.38.2-1
+   [buster] - glade  (Minor issue)
NOTE: https://gitlab.gnome.org/GNOME/glade/-/issues/479
NOTE: 
https://gitlab.gnome.org/GNOME/glade/-/commit/7acdd3c6f6934f47b8974ebc2190a59ea5d2ed17
 (GLADE_3_40_0)
NOTE: 
https://gitlab.gnome.org/GNOME/glade/-/commit/2e2475bb27f891d3ad71cbd5b7152b4751da5874
 (GLADE_3_38_1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a684666c01b5a64a6e0dde1c7b2321febd2134fd



[Git][security-tracker-team/security-tracker][master] yard DSA

2024-03-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c25dfa5d by Moritz Mühlenhoff at 2024-03-04T21:43:49+01:00
yard DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[04 Mar 2024] DSA-5635-1 yard - security update
+   {CVE-2024-27285}
+   [bullseye] - yard 0.9.24-1+deb11u1
+   [bookworm] - yard 0.9.28-2+deb12u2
 [28 Feb 2024] DSA-5634-1 chromium - security update
{CVE-2024-1938 CVE-2024-1939}
[bookworm] - chromium 122.0.6261.94-1~deb12u1


=
data/dsa-needed.txt
=
@@ -98,7 +98,5 @@ varnish
 --
 wpa
 --
-yard (jmm)
---
 zabbix
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c25dfa5da84d187b82d96b82677a880a93e05018



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-28084/iwd

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
02d0c292 by Salvatore Bonaccorso at 2024-03-04T21:36:32+01:00
Add Debian bug reference for CVE-2024-28084/iwd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -229,7 +229,7 @@ CVE-2024-2151 (A vulnerability classified as problematic 
was found in SourceCode
 CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an 
actor wh ...)
NOT-FOR-US: LanChain-ai Langchain
 CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows 
attackers  ...)
-   - iwd 
+   - iwd  (bug #1065443)
NOTE: 
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d
 (2.16)
NOTE: 
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb
 (2.16)
 CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/02d0c2925bfdf3dc513ac69cdf40a768820a04a9



[Git][security-tracker-team/security-tracker][master] Process NFUs

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f788af44 by Salvatore Bonaccorso at 2024-03-04T21:20:22+01:00
Process NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,87 +1,87 @@
 CVE-2024-2167
REJECTED
 CVE-2024-2048 (Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate 
auth me ...)
-   TODO: check
+   NOT-FOR-US: HashiCorp Vault
 CVE-2024-27889 (Multiple SQL Injection vulnerabilities exist in the reporting 
applicat ...)
-   TODO: check
+   NOT-FOR-US: Arista
 CVE-2024-27694 (FlyCms v1.0 was discovered to contain a Cross-Site Request 
Forgery (CS ...)
-   TODO: check
+   NOT-FOR-US: FlyCms
 CVE-2024-27684 (A Cross-site scripting (XSS) vulnerability in dlapn.cgi, 
dldongle.cgi, ...)
-   TODO: check
+   NOT-FOR-US: D-Link
 CVE-2024-27680 (Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) 
in the " ...)
-   TODO: check
+   NOT-FOR-US: Flusity-CMS
 CVE-2024-27668 (Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) 
in 'Custo ...)
-   TODO: check
+   NOT-FOR-US: Flusity-CMS
 CVE-2024-27199 (In JetBrains TeamCity before 2023.11.4 path traversal allowing 
to perf ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-27198 (In JetBrains TeamCity before 2023.11.4 authentication bypass 
allowing  ...)
-   TODO: check
+   NOT-FOR-US: JetBrains TeamCity
 CVE-2024-24901 (Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an 
insufficient lo ...)
-   TODO: check
+   NOT-FOR-US: Dell PowerScale OneFS
 CVE-2024-22463 (Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of 
a broken ...)
-   TODO: check
+   NOT-FOR-US: Dell PowerScale OneFS
 CVE-2024-22452 (Dell Display and Peripheral Manager for macOS prior to 1.3 
contains an ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2024-1788
REJECTED
 CVE-2024-0686
REJECTED
 CVE-2024-0156 (Dell Digital Delivery, versions prior to 5.0.86.0, contain a 
Buffer Ov ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2024-0155 (Dell Digital Delivery, versions prior to 5.0.86.0, contain a 
Use After ...)
-   TODO: check
+   NOT-FOR-US: Dell
 CVE-2023-6241 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel 
Driver, Arm ...)
TODO: check
 CVE-2023-6143 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel 
Driver, Arm ...)
TODO: check
 CVE-2023-6068 (On affected 7130 Series FPGA platforms running MOS and recent 
versions ...)
-   TODO: check
+   NOT-FOR-US: Arista
 CVE-2023-5451 (Forcepoint  NGFW Security Management Center Management Server 
has SMC  ...)
-   TODO: check
+   NOT-FOR-US: Forcepoint
 CVE-2023-43553 (Memory corruption while parsing beacon/probe response frame 
when AP se ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43552 (Memory corruption while processing MBSSID beacon containing 
several su ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43550 (Memory corruption while processing a QMI request for 
allocating memory ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43549 (Memory corruption while processing TPC target power table in 
FTM TPC.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43548 (Memory corruption while parsing qcp clip with invalid chunk 
data size.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43547 (Memory corruption while invoking IOCTLs calls in Automotive 
Multimedia ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43546 (Memory corruption while invoking HGSL IOCTL context create.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43541 (Memory corruption while invoking the SubmitCommands call on 
Gfx engine ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43540 (Memory corruption while processing the IOCTL FM HCI WRITE 
request.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-43539 (Transient DOS while processing an improperly formatted 
802.11az Fine T ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-38362 (IBM CICS TX Advanced 10.1 could disclose sensitive information 
to a re ...)
NOT-FOR-US: IBM
 CVE-2023-38360 (IBM CICS TX Advanced 10.1 is vulnerable to cross-site 
scripting. This  ...)
NOT-FOR-US: IBM
 CVE-2023-33105 (Transient DOS in WLAN Host and Firmware when large number of 
open auth ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-33104 (Transient DOS while processing PDU Release command with a 
parameter PD ...)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-33103 (Transient DOS while processing CAG info IE received from NW.)
-   TODO: check
+   NOT-FOR-US: Qualcomm
 CVE-2023-33096 (Transient DOS while processing DL NAS Transport message, as 
specified  ...)
-   
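Review bot: within this run of 'TODO: check' to 'NOT-FOR-US' conversions, the two Arm Ltd Midgard GPU Kernel Driver entries (CVE-2023-6241 and CVE-2023-6143) are left at 'TODO: check' as unchanged context while every neighbouring vendor entry in the same hunk (Dell, Qualcomm, Arista, Forcepoint, JetBrains) is resolved. If that is deliberate, for instance because those two still need to be checked against the Debian kernel before they can be marked, a short NOTE recording that would keep the next triage pass from re-evaluating them; otherwise they look like an oversight.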

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a7155e33 by Salvatore Bonaccorso at 2024-03-04T21:16:35+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -59,9 +59,9 @@ CVE-2023-43540 (Memory corruption while processing the IOCTL 
FM HCI WRITE reques
 CVE-2023-43539 (Transient DOS while processing an improperly formatted 
802.11az Fine T ...)
TODO: check
 CVE-2023-38362 (IBM CICS TX Advanced 10.1 could disclose sensitive information 
to a re ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-38360 (IBM CICS TX Advanced 10.1 is vulnerable to cross-site 
scripting. This  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-33105 (Transient DOS in WLAN Host and Firmware when large number of 
open auth ...)
TODO: check
 CVE-2023-33104 (Transient DOS while processing PDU Release command with a 
parameter PD ...)
@@ -83,7 +83,7 @@ CVE-2023-33078 (Information Disclosure while processing IOCTL 
request in FastRPC
 CVE-2023-33066 (Memory corruption in Audio while processing RT proxy port 
register dri ...)
TODO: check
 CVE-2023-32331 (IBM Connect:Express for UNIX 1.5.0 is vulnerable to a buffer 
overflow  ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2021-47108 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
- linux 5.15.15-1
[bullseye] - linux  (Vulnerable code not present)
@@ -94336,7 +94336,7 @@ CVE-2022-43892 (IBM Security Verify Privilege 
On-Premises 11.5 does not validate
 CVE-2022-43891 (IBM Security Verify Privilege On-Premises 11.5 could allow a 
remote at ...)
NOT-FOR-US: IBM
 CVE-2022-43890 (IBM Security Verify Privilege On-Premises 11.5 could disclose 
sensitiv ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2022-43889 (IBM Security Verify Privilege On-Premises 11.5 could disclose 
sensitiv ...)
NOT-FOR-US: IBM
 CVE-2022-43888



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a7155e3370463e7f9493d6abdb8e498c85a3d5c9



[Git][security-tracker-team/security-tracker][master] automatic update

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
71bb9f02 by security tracker role at 2024-03-04T20:11:52+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,129 +1,215 @@
-CVE-2021-47108 [drm/mediatek: hdmi: Perform NULL pointer check for 
mtk_hdmi_conf]
+CVE-2024-2167
+   REJECTED
+CVE-2024-2048 (Vault and Vault Enterprise (\u201cVault\u201d) TLS certificate 
auth me ...)
+   TODO: check
+CVE-2024-27889 (Multiple SQL Injection vulnerabilities exist in the reporting 
applicat ...)
+   TODO: check
+CVE-2024-27694 (FlyCms v1.0 was discovered to contain a Cross-Site Request 
Forgery (CS ...)
+   TODO: check
+CVE-2024-27684 (A Cross-site scripting (XSS) vulnerability in dlapn.cgi, 
dldongle.cgi, ...)
+   TODO: check
+CVE-2024-27680 (Flusity-CMS v2.33 is vulnerable to Cross Site Scripting (XSS) 
in the " ...)
+   TODO: check
+CVE-2024-27668 (Flusity-CMS v2.33 is affected by: Cross Site Scripting (XSS) 
in 'Custo ...)
+   TODO: check
+CVE-2024-27199 (In JetBrains TeamCity before 2023.11.4 path traversal allowing 
to perf ...)
+   TODO: check
+CVE-2024-27198 (In JetBrains TeamCity before 2023.11.4 authentication bypass 
allowing  ...)
+   TODO: check
+CVE-2024-24901 (Dell PowerScale OneFS 8.2.x through 9.6.0.x contain an 
insufficient lo ...)
+   TODO: check
+CVE-2024-22463 (Dell PowerScale OneFS 8.2.x through 9.6.0.x contains a use of 
a broken ...)
+   TODO: check
+CVE-2024-22452 (Dell Display and Peripheral Manager for macOS prior to 1.3 
contains an ...)
+   TODO: check
+CVE-2024-1788
+   REJECTED
+CVE-2024-0686
+   REJECTED
+CVE-2024-0156 (Dell Digital Delivery, versions prior to 5.0.86.0, contain a 
Buffer Ov ...)
+   TODO: check
+CVE-2024-0155 (Dell Digital Delivery, versions prior to 5.0.86.0, contain a 
Use After ...)
+   TODO: check
+CVE-2023-6241 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel 
Driver, Arm ...)
+   TODO: check
+CVE-2023-6143 (Use After Free vulnerability in Arm Ltd Midgard GPU Kernel 
Driver, Arm ...)
+   TODO: check
+CVE-2023-6068 (On affected 7130 Series FPGA platforms running MOS and recent 
versions ...)
+   TODO: check
+CVE-2023-5451 (Forcepoint  NGFW Security Management Center Management Server 
has SMC  ...)
+   TODO: check
+CVE-2023-43553 (Memory corruption while parsing beacon/probe response frame 
when AP se ...)
+   TODO: check
+CVE-2023-43552 (Memory corruption while processing MBSSID beacon containing 
several su ...)
+   TODO: check
+CVE-2023-43550 (Memory corruption while processing a QMI request for 
allocating memory ...)
+   TODO: check
+CVE-2023-43549 (Memory corruption while processing TPC target power table in 
FTM TPC.)
+   TODO: check
+CVE-2023-43548 (Memory corruption while parsing qcp clip with invalid chunk 
data size.)
+   TODO: check
+CVE-2023-43547 (Memory corruption while invoking IOCTLs calls in Automotive 
Multimedia ...)
+   TODO: check
+CVE-2023-43546 (Memory corruption while invoking HGSL IOCTL context create.)
+   TODO: check
+CVE-2023-43541 (Memory corruption while invoking the SubmitCommands call on 
Gfx engine ...)
+   TODO: check
+CVE-2023-43540 (Memory corruption while processing the IOCTL FM HCI WRITE 
request.)
+   TODO: check
+CVE-2023-43539 (Transient DOS while processing an improperly formatted 
802.11az Fine T ...)
+   TODO: check
+CVE-2023-38362 (IBM CICS TX Advanced 10.1 could disclose sensitive information 
to a re ...)
+   TODO: check
+CVE-2023-38360 (IBM CICS TX Advanced 10.1 is vulnerable to cross-site 
scripting. This  ...)
+   TODO: check
+CVE-2023-33105 (Transient DOS in WLAN Host and Firmware when large number of 
open auth ...)
+   TODO: check
+CVE-2023-33104 (Transient DOS while processing PDU Release command with a 
parameter PD ...)
+   TODO: check
+CVE-2023-33103 (Transient DOS while processing CAG info IE received from NW.)
+   TODO: check
+CVE-2023-33096 (Transient DOS while processing DL NAS Transport message, as 
specified  ...)
+   TODO: check
+CVE-2023-33095 (Transient DOS while processing multiple payload container type 
with in ...)
+   TODO: check
+CVE-2023-33090 (Transient DOS while processing channel information for speaker 
protect ...)
+   TODO: check
+CVE-2023-33086 (Transient DOS while processing multiple IKEV2 Informational 
Request to ...)
+   TODO: check
+CVE-2023-33084 (Transient DOS while processing IE fragments from server during 
DTLS ha ...)
+   TODO: check
+CVE-2023-33078 (Information Disclosure while processing IOCTL request in 
FastRPC.)
+   TODO: check
+CVE-2023-33066 (Memory corruption in Audio while processing RT proxy port 
register dri ...)
+   TODO: check
+CVE-2023-32331 (IBM Connect:Express for UNIX 1.5.0 is vulnerable to a buffer 

[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
4496ffc1 by Salvatore Bonaccorso at 2024-03-04T20:48:22+01:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,133 @@
+CVE-2021-47108 [drm/mediatek: hdmi: Perform NULL pointer check for 
mtk_hdmi_conf]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/3b8e19a0aa3933a785be9f1541afd8d398c4ec69 (5.16-rc7)
+CVE-2021-47107 [NFSD: Fix READDIR buffer overflow]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/53b1119a6e5028b125f431a0116ba73510d82a72 (5.16-rc7)
+CVE-2021-47106 [netfilter: nf_tables: fix use-after-free in 
nft_set_catchall_destroy()]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/0f7d9b31ce7abdbb29bf018131ac920c9f698518 (5.16-rc7)
+CVE-2021-47105 [ice: xsk: return xsk buffers back to pool when cleaning the 
ring]
+   - linux 5.15.15-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/afe8a3ba85ec2a6b6849367e25c06a2f8e0ddd05 (5.16-rc7)
+CVE-2021-47104 [IB/qib: Fix memory leak in qib_user_sdma_queue_pkts()]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.92-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/bee90911e0138c76ee67458ac0d58b38a3190f65 (5.16-rc7)
+CVE-2021-47103 [inet: fully convert sk->sk_rx_dst to RCU rules]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.158-1
+   [buster] - linux 4.19.269-1
+   NOTE: 
https://git.kernel.org/linus/8f905c0e7354ef261360fb7535ea079b1082c105 (5.16-rc7)
+CVE-2021-47102 [net: marvell: prestera: fix incorrect structure access]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/2efc2256febf214e7b2bdaa21fe6c3c3146acdcb (5.16-rc7)
+CVE-2021-47101 [asix: fix uninit-value in asix_mdio_read()]
+   - linux 5.15.15-1
+   NOTE: 
https://git.kernel.org/linus/8035b1a2a37a29d8c717ef84fca8fe7278bc9f03 (5.16-rc7)
+CVE-2021-47100 [ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler 
module]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.92-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/ffb76a86f8096a8206be03b14adda6092e18e275 (5.16-rc7)
+CVE-2021-47099 [veth: ensure skb entering GRO are not cloned.]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/9695b7de5b4760ed22132aca919570c0190cb0ce (5.16-rc7)
+CVE-2021-47098 [hwmon: (lm90) Prevent integer overflow/underflow in hysteresis 
calculations]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/55840b9eae5367b5d5b29619dc2fb7e4596dba46 (5.16-rc7)
+CVE-2021-47097 [Input: elantech - fix stack out of bound access in 
elantech_change_report_id()]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.92-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/1d72d9f960ccf1052a0630a68c3d358791dbdaaa (5.16-rc7)
+CVE-2021-47096 [ALSA: rawmidi - fix the uninitalized user_pversion]
+   - linux 5.15.15-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/39a8fc4971a00d22536aeb7d446ee4a97810611b (5.16-rc7)
+CVE-2021-47095 [ipmi: ssif: initialize ssif_info->client early]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.92-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/34f35f8f14bc406efc06ee4ff73202c6fd245d15 (5.16-rc7)
+CVE-2021-47094 [KVM: x86/mmu: Don't advance iterator after restart due to 
yielding]
+   - linux 5.15.15-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/3a0f64de479cae75effb630a2e0a237ca0d0623c (5.16-rc7)
+CVE-2021-47093 [platform/x86: intel_pmc_core: fix memleak on registration 
failure]
+   - linux 5.15.15-1
+   [bullseye] - linux 5.10.92-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/26a8b09437804fabfb1db080d676b96c0de68e7c (5.16-rc7)
+CVE-2021-47092 [KVM: VMX: Always clear 

[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-03-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0cc8fdb0 by Moritz Muehlenhoff at 2024-03-04T19:07:23+01:00
bookworm/bullseye triage

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -868,6 +868,8 @@ CVE-2024-24818 (EspoCRM is an Open Source Customer 
Relationship Management softw
NOT-FOR-US: EspoCRM
 CVE-2024-24246 (Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows 
attackers to  ...)
- qpdf 11.9.0-1
+   [bookworm] - qpdf  (Minor issue)
+   [bullseye] - qpdf  (Vulnerable code not present)
[buster] - qpdf  (Vulnerable code was introduced later)
NOTE: https://github.com/qpdf/qpdf/issues/1123
NOTE: 
https://github.com/qpdf/qpdf/commit/cb0f390cc1f98a8e82b27259f8f3cd5f162992eb 
(v11.9.0)
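Review bot: the two not-affected annotations for CVE-2024-24246 disagree in wording: the new bullseye line says `(Vulnerable code not present)` while the existing buster line says `(Vulnerable code was introduced later)`; pick one phrasing for both. Since bookworm is kept as affected (Minor issue), an `Introduced by:` NOTE pointing at the upstream commit that added the vulnerable code, in the form used for the qemu entries in this same commit, would let the bookworm/bullseye split be re-checked later.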
@@ -1446,6 +1448,8 @@ CVE-2023-6922 (The Under Construction / Maintenance Mode 
from Acurax plugin for
NOT-FOR-US: WordPress plugin
 CVE-2023-6917 (A vulnerability has been identified in the Performance Co-Pilot 
(PCP)  ...)
- pcp 6.2.0-1
+   [bookworm] - pcp  (Minor issue)
+   [bullseye] - pcp  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/28/1
NOTE: https://github.com/performancecopilot/pcp/pull/1873
 CVE-2023-52226 (Cross-Site Request Forgery (CSRF) vulnerability in Advanced 
Flamingo.T ...)
@@ -2577,7 +2581,7 @@ CVE-2024-26606 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 6.7.7-1
NOTE: 
https://git.kernel.org/linus/97830f3c3088638ff90b20dfba2eb4d487bf14d7 (6.8-rc3)
 CVE-2024-27456 (rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 
permissions for th ...)
-   - ruby-rack-cors  (bug #1064862)
+   - ruby-rack-cors  (Only affects the upstream build, 
permissions are correct for the deb)
NOTE: https://github.com/cyu/rack-cors/issues/274
 CVE-2024-27455 (In the Bentley ALIM Web application, certain configuration 
settings ca ...)
NOT-FOR-US: Bentley
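Review bot: the rewritten ruby-rack-cors line drops the `(bug #1064862)` reference instead of keeping it next to the new explanation; the Debian bug is still where the permission assessment is recorded, so keep the bug number in the parenthetical alongside "Only affects the upstream build, permissions are correct for the deb" rather than replacing it.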
@@ -4167,12 +4171,14 @@ CVE-2024-22369 (Deserialization of Untrusted Data 
vulnerability in Apache Camel
NOT-FOR-US: Apache Camel
 CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
- qemu 
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Vulnerable code introduced later)
[buster] - qemu  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6
 (v7.0.0-rc0)
NOTE: 
https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org
 CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. 
register_vfs in h ...)
- qemu 
+   [bookworm] - qemu  (Minor issue)
[bullseye] - qemu  (Vulnerable code introduced later)
[buster] - qemu  (Vulnerable code introduced later)
NOTE: Introduced by: 
https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6
 (v7.0.0-rc0)
@@ -7028,7 +7034,7 @@ CVE-2024-0953 (When a user scans a QR Code with the QR 
Code Scanner feature, the
 CVE-2024-0323 (Use of a Broken or Risky Cryptographic Algorithm vulnerability 
in B  ...)
NOT-FOR-US: B Industrial Automation Automation Runtime (SDM modules)
 CVE-2023-7216 (A path traversal vulnerability was found in the CPIO utility. 
This iss ...)
-   - cpio 
+   NOTE: Disputed cpio issue, probably going to be rejected
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
NOTE: Upstream considers it normal behavior:
NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg0.html
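Review bot: replacing the `- cpio` status line with a NOTE leaves CVE-2023-7216 with no package assessment at all, only comments. Until the CVE is actually rejected, keep a status line for cpio (not-affected, with "upstream considers it normal behavior" as the reason) so the entry stays machine-readable, and switch it to a bare REJECTED entry, as done for CVE-2023-52579 elsewhere in this digest, once the rejection happens.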



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc8fdb048ba81319bc478250278b597e95c692d

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc8fdb048ba81319bc478250278b597e95c692d
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52579

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
251224f4 by Salvatore Bonaccorso at 2024-03-04T17:11:18+01:00
Remove notes from CVE-2023-52579

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -150,12 +150,8 @@ CVE-2023-52580 (In the Linux kernel, the following 
vulnerability has been resolv
[bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/75ad80ed88a182ab2ad5513e448cf07b403af5c3 (6.6-rc3)
-CVE-2023-52579 (In the Linux kernel, the following vulnerability has been 
resolved:  i ...)
-   - linux 6.5.6-1
-   [bookworm] - linux 6.1.64-1
-   [bullseye] - linux 5.10.205-1
-   [buster] - linux 4.19.304-1
-   NOTE: 
https://git.kernel.org/linus/0113d9c9d1ccc07f5a3710dac4aa24b6d711278c (6.6-rc3)
+CVE-2023-52579
+   REJECTED
 CVE-2023-52578 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
- linux 6.5.6-1
[bookworm] - linux 6.1.64-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/251224f43a95c4c75a6ea2b75170b39ee06e257b



[Git][security-tracker-team/security-tracker][master] dla: take yard

2024-03-04 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab15d47a by Adrian Bunk at 2024-03-04T17:51:38+02:00
dla: take yard

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -326,7 +326,7 @@ varnish
   NOTE: 20240122: Still fixing tests (abhijith)
   NOTE: 20240213: Fixing tests.(abhijith)
 --
-yard
+yard (Adrian Bunk)
   NOTE: 20240303: Added by Front-Desk (apo)
 --
 zabbix



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab15d47ae59bda9b49422ca7d6eb7a76433adc5c



[Git][security-tracker-team/security-tracker][master] Retake composer

2024-03-04 Thread @rouca


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
777c00a0 by Bastien Roucariès at 2024-03-04T15:34:16+00:00
Retake composer

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -60,8 +60,9 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-composer
+composer (rouca)
   NOTE: 20240209: Added by Front-Desk (utkarsh)
+  NOTE: 20240304: Need to backport bullseye
 --
 cpio
   NOTE: 20240303: Added by Front-Desk (apo)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/777c00a04218cd5f0d7999b9acfaac038a1605b4



[Git][security-tracker-team/security-tracker][master] LTS: claim php-phpseclib and phpseclib in dla-needed.txt

2024-03-04 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c28f7d06 by Guilhem Moulin at 2024-03-04T16:26:58+01:00
LTS: claim php-phpseclib and phpseclib in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -227,10 +227,10 @@ nvidia-graphics-drivers-legacy-390xx
   NOTE: 20240303: Added by Front-Desk (apo)
   NOTE: 20240303: See comment for nvidia-graphics-drivers.
 --
-php-phpseclib
+php-phpseclib (guilhem)
   NOTE: 20240303: Added by Front-Desk (apo)
 --
-phpseclib
+phpseclib (guilhem)
   NOTE: 20240303: Added by Front-Desk (apo)
 --
 putty



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c28f7d06494ebacb21c2a9356789d55ff266e8a0



[Git][security-tracker-team/security-tracker][master] dla: take libuv1

2024-03-04 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fb4d7cfe by Adrian Bunk at 2024-03-04T16:52:04+02:00
dla: take libuv1

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -175,7 +175,7 @@ libstb
   NOTE: 20221119: and in the past CVE fixes have caused regressions.
   NOTE: 20221119: Wait for upstream merge of fixes (and fixing in unstable). 
(bunk)
 --
-libuv1
+libuv1 (Adrian Bunk)
   NOTE: 20240303: Added by Front-Desk (apo)
 --
 linux (Ben Hutchings)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fb4d7cfea71ff176f97e8eda9584a44483c392ff



[Git][security-tracker-team/security-tracker][master] semi-automatic unclaim after 2 weeks of inactivity

2024-03-04 Thread @roberto


Roberto C. Sánchez pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
709ac131 by Roberto C. Sánchez at 2024-03-04T09:38:20-05:00
semi-automatic unclaim after 2 weeks of inactivity

Signed-off-by: Roberto C. Sánchez robe...@connexer.com

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -60,7 +60,7 @@ cinder
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
 --
-composer (rouca)
+composer
   NOTE: 20240209: Added by Front-Desk (utkarsh)
 --
 cpio
@@ -283,7 +283,7 @@ runc
 samba
   NOTE: 20230918: Added by Front-Desk (apo)
 --
-sendmail (rouca)
+sendmail
   NOTE: 20231224: Added by Front-Desk (ta)
   NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not 
publish patches
   NOTE: 20240217: Patch extracted and being reviewed (rouca)
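Review bot: unclaiming sendmail here leaves the two rouca NOTEs (20240213 patch extraction, 20240217 patch under review) with no record that the work was dropped; following the dated-NOTE convention used throughout this file, add a `NOTE: 20240304: Unclaimed after 2 weeks of inactivity` line under each unclaimed entry so the next claimant knows there is an extracted patch to pick up.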
@@ -317,7 +317,7 @@ tinymce
 tomcat9
   NOTE: 20240121: Added by Front-Desk (apo)
 --
-varnish (Abhijith PA)
+varnish
   NOTE: 20231117: Added by Front-Desk (apo)
   NOTE: 20231204: Working on pre commits for CVE-2023-44487, 
https://github.com/varnishcache/varnish-cache/pull/4004
   NOTE: 20231219: Continuing work



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/709ac131b56f3c19e0baa0eb900fbfe9ef45999c



[Git][security-tracker-team/security-tracker][master] CVE-2023-7216/cpio: upstream considers it normal behavior

2024-03-04 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ab006b54 by Adrian Bunk at 2024-03-04T14:52:44+02:00
CVE-2023-7216/cpio: upstream considers it normal behavior

I am leaving the final assessment/decision about this CVE to the
security team.

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -7034,7 +7034,8 @@ CVE-2024-0323 (Use of a Broken or Risky Cryptographic 
Algorithm vulnerability in
 CVE-2023-7216 (A path traversal vulnerability was found in the CPIO utility. 
This iss ...)
- cpio 
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2249901
-   NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-02/msg0.html
+   NOTE: Upstream considers it normal behavior:
+   NOTE: https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg0.html
 CVE-2023-6874 (Prior to v7.4.0, Ember ZNet is vulnerable to a denial of 
service attac ...)
NOT-FOR-US: Ember ZNet
 CVE-2023-6028 (A reflected cross-site scripting (XSS) vulnerability exists in 
the SVG ...)
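Review bot: the hunk removes the February bug-cpio thread link (2024-02/msg0.html) rather than adding to it; if that thread is the original report and the March message is upstream's reply, keep both NOTEs so the history of the assessment stays traceable from the entry itself.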


=
data/dla-needed.txt
=
@@ -65,6 +65,7 @@ composer (rouca)
 --
 cpio
   NOTE: 20240303: Added by Front-Desk (apo)
+  NOTE: 20240304: Likely no work to do since upstream considers CVE-2023-7216 
normal behavior. (bunk)
 --
 curl
   NOTE: 20231229: Added by Front-Desk (lamby)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab006b54bd62ef52555abed33f92c94fbf1817fc



[Git][security-tracker-team/security-tracker][master] 24 commits: CVE-2024-22201,jetty9: link to fixing commits for 9.x branch

2024-03-04 Thread Markus Koschany (@apo)


Markus Koschany pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7cadf7f5 by Markus Koschany at 2024-03-04T13:06:38+01:00
CVE-2024-22201,jetty9: link to fixing commits for 9.x branch

- - - - -
488675e6 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add jetty9 to dla-needed.txt

- - - - -
dda9149f by Markus Koschany at 2024-03-04T13:06:38+01:00
Add libuv1 to dla-needed.txt

- - - - -
10cd94f3 by Markus Koschany at 2024-03-04T13:06:38+01:00
Add yard to dla-needed.txt

- - - - -
f7c91a4b by Markus Koschany at 2024-03-04T13:06:39+01:00
CVE-2024-21742,apache-mime4j: buster is no-dsa

Minor issue

- - - - -
eb5598a8 by Markus Koschany at 2024-03-04T13:06:41+01:00
CVE-2023-49100,arm-trusted-firmware: buster is no-dsa

Minor issue

- - - - -
bf920f98 by Markus Koschany at 2024-03-04T13:06:42+01:00
CVE-2024-25629,c-ares: buster is no-dsa

Minor issue

- - - - -
25af6d89 by Markus Koschany at 2024-03-04T13:06:43+01:00
CVE-2024-24258,CVE-2024-24259,freeglut: buster is no-dsa

Minor issue

- - - - -
372269cb by Markus Koschany at 2024-03-04T13:06:44+01:00
Triage krb5 memory leaks as no-dsa for buster

Minor issues.

- - - - -
7b0caec9 by Markus Koschany at 2024-03-04T13:06:46+01:00
CVE-2022-48624,less: buster is no-dsa

Minor issue. Can be fixed when more important issues arise.

- - - - -
32b6a875 by Markus Koschany at 2024-03-04T13:06:46+01:00
Add libcommons-compress-java to dla-needed.txt

- - - - -
afd34344 by Markus Koschany at 2024-03-04T13:06:47+01:00
CVE-2023-45918,ncurses: buster is no-dsa

Minor NULL pointer dereference bug.

- - - - -
23a5576e by Markus Koschany at 2024-03-04T13:06:48+01:00
CVE-2024-27088,node-es5-ext: buster is no-dsa

Minor issue

- - - - -
1c70cc2b by Markus Koschany at 2024-03-04T13:06:48+01:00
Add nvidia-graphics-drivers to dla-needed.txt

- - - - -
59de8769 by Markus Koschany at 2024-03-04T13:06:49+01:00
Add php-phpseclib to dla-needed.txt

- - - - -
e4f2317e by Markus Koschany at 2024-03-04T13:06:49+01:00
Add phpseclib to dla-needed.txt

- - - - -
86daa2d7 by Markus Koschany at 2024-03-04T13:06:50+01:00
CVE-2024-1433,plasma-workspace: buster is no-dsa

Minor issue

- - - - -
4b93f9ea by Markus Koschany at 2024-03-04T13:06:51+01:00
CVE-2024-26130,python-cryptography: buster is no-dsa

Minor issue

- - - - -
294142c4 by Markus Koschany at 2024-03-04T13:06:52+01:00
CVE-2024-1892,python-scrapy: buster is no-dsa

Minor issue

- - - - -
8e6542f2 by Markus Koschany at 2024-03-04T13:06:54+01:00
CVE-2023-50868,CVE-2023-50387,systemd: buster is no-dsa

DNSSEC is disabled by default and an experimental feature.

- - - - -
ab2db50c by Markus Koschany at 2024-03-04T13:06:55+01:00
CVE-2024-25262,texlive-bin: buster is no-dsa

Minor issue

- - - - -
f7b7db95 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add cpio to dla-needed.txt

- - - - -
e38cce11 by Markus Koschany at 2024-03-04T13:06:55+01:00
Add dnsmasq to dla-needed.txt

- - - - -
336ad067 by Markus Koschany at 2024-03-04T13:06:56+01:00
CVE-2024-24246,qpdf: buster is not-affected

The vulnerable code was introduced later, creating a PDF from an input source
that contains JSON.

https://github.com/qpdf/qpdf/commit/4fe2e06b4787ffb639f965ac840b51018308ec07#diff-8e435b97a9914d4318cc5829a9400e1e49c5b9bc16799de9aef9ef04c4b3f5c0

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=
data/CVE/list
=
@@ -872,6 +872,7 @@ CVE-2024-24818 (EspoCRM is an Open Source Customer 
Relationship Management softw
NOT-FOR-US: EspoCRM
 CVE-2024-24246 (Heap Buffer Overflow vulnerability in qpdf 11.9.0 allows 
attackers to  ...)
- qpdf 11.9.0-1
+   [buster] - qpdf  (Vulnerable code was introduced later)
NOTE: https://github.com/qpdf/qpdf/issues/1123
NOTE: 
https://github.com/qpdf/qpdf/commit/cb0f390cc1f98a8e82b27259f8f3cd5f162992eb 
(v11.9.0)
 CVE-2024-24110 (SQL Injection vulnerability in crmeb_java before v1.3.4 allows 
attacke ...)
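Review bot: the new buster line states that the vulnerable code was introduced later, and the commit message names the introducing upstream commit (qpdf 4fe2e06b), but the hunk does not record it; add a `NOTE: Introduced by:` line with that commit URL under the entry, in the form used for the qemu entries elsewhere in this digest, so the claim can be re-verified for bookworm and bullseye.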
@@ -1843,6 +1844,7 @@ CVE-2024-1892 (Parts of the Scrapy API were found to be 
vulnerable to a ReDoS at
- python-scrapy 2.11.1-1 (bug #1065111)
[bookworm] - python-scrapy  (Minor issue)
[bullseye] - python-scrapy  (Minor issue)
+   [buster] - python-scrapy  (Minor issue)
NOTE: https://huntr.com/bounties/271f94f2-1e05-4616-ac43-41752389e26b/
NOTE: 
https://github.com/scrapy/scrapy/commit/479619b340f197a8f24c5db45bc068fb8755f2c5
 (2.11.1)
 CVE-2024-1866
@@ -2068,6 +2070,7 @@ CVE-2024-21742 (Improper input validation allows for 
header injection in MIME4J
- apache-mime4j 0.8.10-1 (bug #1064966)
[bookworm] - apache-mime4j  (Minor issue)
[bullseye] - apache-mime4j  (Minor issue)
+   [buster] - apache-mime4j  (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2024/02/27/5
NOTE: 
https://github.com/apache/james-mime4j/commit/9dec5df2a588fed8027839815daefa79ee66efd1
 

[Git][security-tracker-team/security-tracker][master] NFUs

2024-03-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c30dda8b by Moritz Muehlenhoff at 2024-03-04T11:50:59+01:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -21,57 +21,57 @@ CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions 
allow a local attacker
 CVE-2024-21816 (in OpenHarmony v4.0.0 and prior versions allow a local 
attacker cause  ...)
NOT-FOR-US: OpenHarmony
 CVE-2024-20038 (In pq, there is a possible out of bounds read due to an 
incorrect boun ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20037 (In pq, there is a possible write-what-where condition due to 
an incorr ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20036 (In vdec, there is a possible permission bypass due to a 
permissions by ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20034 (In battery, there is a possible escalation of privilege due to 
a missi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20033 (In nvram, there is a possible information disclosure due to a 
missing  ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20032 (In aee, there is a possible permission bypass due to a missing 
permiss ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20031 (In da, there is a possible out of bounds write due to lack of 
valudati ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20030 (In da, there is a possible information disclosure due to 
improper inpu ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20029 (In wlan firmware, there is a possible out of bounds write due 
to impro ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20028 (In da, there is a possible out of bounds write due to lack of 
valudati ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20027 (In da, there is a possible out of bounds write due to improper 
input v ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20026 (In da, there is a possible information disclosure due to 
improper inpu ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20025 (In da, there is a possible out of bounds write due to an 
integer overf ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20024 (In flashc, there is a possible out of bounds write due to lack 
of valu ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20023 (In flashc, there is a possible out of bounds write due to lack 
of valu ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20022 (In lk, there is a possible escalation of privilege due to a 
missing bo ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20020 (In OPTEE, there is a possible out of bounds write due to an 
incorrect  ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20019 (In wlan driver, there is a possible memory leak due to 
improper input  ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20018 (In wlan driver, there is a possible out of bounds write due to 
imprope ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20017 (In wlan service, there is a possible out of bounds write due 
to improp ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2024-20005 (In da, there is a possible permission bypass due to a missing 
permissi ...)
-   TODO: check
+   NOT-FOR-US: MediaTek
 CVE-2023-4479 (Stored XSS Vulnerability in M-Files Web versions before 23.8 
allows at ...)
-   TODO: check
+   NOT-FOR-US: M-Files Web
 CVE-2023-49602 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
-   TODO: check
+   NOT-FOR-US: OpenHarmony
 CVE-2023-46708 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker arbitr ...)
-   TODO: check
+   NOT-FOR-US: OpenHarmony
 CVE-2023-25176 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
-   TODO: check
+   NOT-FOR-US: OpenHarmony
 CVE-2019-25210 (An issue was discovered in Cloud Native Computing Foundation 
(CNCF) He ...)
-   TODO: check
+   - helm-kubernetes  (bug #910799)
 CVE-2024-26622 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
- linux 
NOTE: 
https://git.kernel.org/linus/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 (6.8-rc7)
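Review bot: CVE-2024-20020 is tagged `NOT-FOR-US: MediaTek` like the rest of the batch, but its description starts "In OPTEE", and OP-TEE is a generic open-source TEE OS rather than a MediaTek-only component; worth confirming the issue is specific to MediaTek's build before closing it as not applicable.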



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c30dda8b322d2d70ad80b9389a76ab0759f147ab


[Git][security-tracker-team/security-tracker][master] resolve two TODOs, not really actionable with Intel advisories

2024-03-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
60aaff08 by Moritz Muehlenhoff at 2024-03-04T10:19:42+01:00
resolve two TODOs, not really actionable with Intel advisories

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -55959,7 +55959,6 @@ CVE-2023-27517 (Improper access control in some 
Intel(R) Optane(TM) PMem softwar
[bookworm] - ipmctl  (Minor issue)
[bullseye] - ipmctl  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00948.html
-   TODO: full details not clear but affects the "Intel Optane Pmem 
{1,2,3}00Series management software (ipmctl)
 CVE-2023-26589 (Use after free in some Intel(R) Aptio* V UEFI Firmware 
Integrator Tool ...)
NOT-FOR-US: Intel
 CVE-2023-25949 (Uncontrolled resource consumption in some Intel(R) Aptio* V 
UEFI Firmw ...)
@@ -69587,7 +69586,6 @@ CVE-2023-22431
 CVE-2023-22311 (Improper access control in some Intel(R) Optane(TM) PMem 100 
Series Ma ...)
- ipmctl  (Only affects the Intel Optane PMem 100 Series 
Managment Software)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00948.html
-   TODO: full details not clear but affects the "Intel Optane Pmem 
{1,2,3}00Series management software (ipmctl)
 CVE-2023-0525 (Weak Encoding for Password vulnerability in Mitsubishi Electric 
Corpor ...)
NOT-FOR-US: PyroCMS
 CVE-2023-0524 (As part of our Security Development Lifecycle, a potential 
privilege e ...)
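Review bot: unrelated to the removed TODO lines, but the context shows CVE-2023-0525 (a Mitsubishi Electric issue per its description) tagged `NOT-FOR-US: PyroCMS`, which looks like a mislabel carried over from a neighbouring entry; the ipmctl line above also misspells "Management". Both are worth a follow-up commit.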



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60aaff08d89b19bcef2d7f20e1ac1ead770cabc6



[Git][security-tracker-team/security-tracker][master] older jline versions n/a

2024-03-04 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2c52ad7e by Moritz Muehlenhoff at 2024-03-04T09:43:37+01:00
older jline versions n/a

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13937,9 +13937,10 @@ CVE-2023-50572 (An issue in the component 
GroovyEngine.execute of jline-groovy v
- jline3  (bug #1059726)
[bookworm] - jline3  (Minor issue)
[bullseye] - jline3  (Minor issue)
+   - jline2  (Only affects 3.x)
+   - jline  (Only affects 3.x)
NOTE: https://github.com/jline/jline3/issues/909
NOTE: 
https://github.com/jline/jline3/commit/f3c60a3e6255e8e0c20d5043a4fe248446f292bb 
(jline-parent-3.25.0)
-   TODO: check if jline 3.x specific or affects as well src:jline2, 
src:jline
 CVE-2023-50571 (easy-rules-mvel v4.1.0 was discovered to contain a remote code 
executi ...)
NOT-FOR-US: easy-rules-mvel
 CVE-2023-50570 (An issue in the component IPAddressBitsDivision of IPAddress 
v5.1.0 le ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c52ad7ec8bf321c3e1a483615498788338dcc44



[Git][security-tracker-team/security-tracker][master] Add CVE-2024-28084/iwd

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b0f50c17 by Salvatore Bonaccorso at 2024-03-04T09:35:35+01:00
Add CVE-2024-28084/iwd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -13,7 +13,9 @@ CVE-2024-2151 (A vulnerability classified as problematic was 
found in SourceCode
 CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an 
actor wh ...)
NOT-FOR-US: LanChain-ai Langchain
 CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows 
attackers  ...)
-   TODO: check
+   - iwd 
+   NOTE: 
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=52a47c9fd428904de611a90cbf8b223af879684d
 (2.16)
+   NOTE: 
https://git.kernel.org/pub/scm/network/wireless/iwd.git/commit/?id=d34b4e16e045142590ed7cb653e01ed0ae5362eb
 (2.16)
 CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
NOT-FOR-US: OpenHarmony
 CVE-2024-21816 (in OpenHarmony v4.0.0 and prior versions allow a local 
attacker cause  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b0f50c179efc60ac6480fc5a3de8c554db2f3fc3



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
69b94cb0 by Salvatore Bonaccorso at 2024-03-04T09:32:48+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,23 +1,23 @@
 CVE-2024-2156 (A vulnerability was found in SourceCodester Best POS Management 
System ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best POS Management System
 CVE-2024-2155 (A vulnerability was found in SourceCodester Best POS Management 
System ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best POS Management System
 CVE-2024-2154 (A vulnerability has been found in SourceCodester Online Mobile 
Managem ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Mobile Management Store
 CVE-2024-2153 (A vulnerability, which was classified as critical, was found in 
Source ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Mobile Management Store
 CVE-2024-2152 (A vulnerability, which was classified as critical, has been 
found in S ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Mobile Management Store
 CVE-2024-2151 (A vulnerability classified as problematic was found in 
SourceCodester  ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Online Mobile Management Store
 CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an 
actor wh ...)
-   TODO: check
+   NOT-FOR-US: LanChain-ai Langchain
 CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows 
attackers  ...)
TODO: check
 CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
-   TODO: check
+   NOT-FOR-US: OpenHarmony
 CVE-2024-21816 (in OpenHarmony v4.0.0 and prior versions allow a local 
attacker cause  ...)
-   TODO: check
+   NOT-FOR-US: OpenHarmony
 CVE-2024-20038 (In pq, there is a possible out of bounds read due to an 
incorrect boun ...)
TODO: check
 CVE-2024-20037 (In pq, there is a possible write-what-where condition due to 
an incorr ...)
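Review bot: the added `+   NOT-FOR-US: LanChain-ai Langchain` line misspells the vendor; the description on the line above spells it LangChain, and the NFU string should match so that later greps for the vendor find this entry. The `TODO: check` lines for CVE-2024-28084 and CVE-2024-20038 are deliberately untouched here, which matches the commit message scope; CVE-2024-28084 is triaged separately in commit b0f50c17 in this thread.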



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/69b94cb08a263a212a953a33ae5a1e96a6449629



[Git][security-tracker-team/security-tracker][master] automatic update

2024-03-04 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a857a967 by security tracker role at 2024-03-04T08:11:49+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,76 @@
-CVE-2024-26622 [tomoyo: fix UAF write bug in tomoyo_write_control()]
+CVE-2024-2156 (A vulnerability was found in SourceCodester Best POS Management 
System ...)
+   TODO: check
+CVE-2024-2155 (A vulnerability was found in SourceCodester Best POS Management 
System ...)
+   TODO: check
+CVE-2024-2154 (A vulnerability has been found in SourceCodester Online Mobile 
Managem ...)
+   TODO: check
+CVE-2024-2153 (A vulnerability, which was classified as critical, was found in 
Source ...)
+   TODO: check
+CVE-2024-2152 (A vulnerability, which was classified as critical, has been 
found in S ...)
+   TODO: check
+CVE-2024-2151 (A vulnerability classified as problematic was found in 
SourceCodester  ...)
+   TODO: check
+CVE-2024-28088 (LangChain through 0.1.10 allows ../ directory traversal by an 
actor wh ...)
+   TODO: check
+CVE-2024-28084 (p2putil.c in iNet wireless daemon (IWD) through 2.15 allows 
attackers  ...)
+   TODO: check
+CVE-2024-21826 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
+   TODO: check
+CVE-2024-21816 (in OpenHarmony v4.0.0 and prior versions allow a local 
attacker cause  ...)
+   TODO: check
+CVE-2024-20038 (In pq, there is a possible out of bounds read due to an 
incorrect boun ...)
+   TODO: check
+CVE-2024-20037 (In pq, there is a possible write-what-where condition due to 
an incorr ...)
+   TODO: check
+CVE-2024-20036 (In vdec, there is a possible permission bypass due to a 
permissions by ...)
+   TODO: check
+CVE-2024-20034 (In battery, there is a possible escalation of privilege due to 
a missi ...)
+   TODO: check
+CVE-2024-20033 (In nvram, there is a possible information disclosure due to a 
missing  ...)
+   TODO: check
+CVE-2024-20032 (In aee, there is a possible permission bypass due to a missing 
permiss ...)
+   TODO: check
+CVE-2024-20031 (In da, there is a possible out of bounds write due to lack of 
valudati ...)
+   TODO: check
+CVE-2024-20030 (In da, there is a possible information disclosure due to 
improper inpu ...)
+   TODO: check
+CVE-2024-20029 (In wlan firmware, there is a possible out of bounds write due 
to impro ...)
+   TODO: check
+CVE-2024-20028 (In da, there is a possible out of bounds write due to lack of 
valudati ...)
+   TODO: check
+CVE-2024-20027 (In da, there is a possible out of bounds write due to improper 
input v ...)
+   TODO: check
+CVE-2024-20026 (In da, there is a possible information disclosure due to 
improper inpu ...)
+   TODO: check
+CVE-2024-20025 (In da, there is a possible out of bounds write due to an 
integer overf ...)
+   TODO: check
+CVE-2024-20024 (In flashc, there is a possible out of bounds write due to lack 
of valu ...)
+   TODO: check
+CVE-2024-20023 (In flashc, there is a possible out of bounds write due to lack 
of valu ...)
+   TODO: check
+CVE-2024-20022 (In lk, there is a possible escalation of privilege due to a 
missing bo ...)
+   TODO: check
+CVE-2024-20020 (In OPTEE, there is a possible out of bounds write due to an 
incorrect  ...)
+   TODO: check
+CVE-2024-20019 (In wlan driver, there is a possible memory leak due to 
improper input  ...)
+   TODO: check
+CVE-2024-20018 (In wlan driver, there is a possible out of bounds write due to 
imprope ...)
+   TODO: check
+CVE-2024-20017 (In wlan service, there is a possible out of bounds write due 
to improp ...)
+   TODO: check
+CVE-2024-20005 (In da, there is a possible permission bypass due to a missing 
permissi ...)
+   TODO: check
+CVE-2023-4479 (Stored XSS Vulnerability in M-Files Web versions before 23.8 
allows at ...)
+   TODO: check
+CVE-2023-49602 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
+   TODO: check
+CVE-2023-46708 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker arbitr ...)
+   TODO: check
+CVE-2023-25176 (in OpenHarmony v3.2.4 and prior versions allow a local 
attacker cause  ...)
+   TODO: check
+CVE-2019-25210 (An issue was discovered in Cloud Native Computing Foundation 
(CNCF) He ...)
+   TODO: check
+CVE-2024-26622 (In the Linux kernel, the following vulnerability has been 
resolved:  t ...)
- linux 
NOTE: 
https://git.kernel.org/linus/2f03fc340cac9ea1dc63cbf8c93dd2eb0f227815 (6.8-rc7)
 CVE-2024-2150 (A vulnerability, which was classified as critical, has been 
found in S ...)
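Review bot: the removed line for CVE-2024-26622 replaces the hand-written summary `[tomoyo: fix UAF write bug in tomoyo_write_control()]` with the truncated official description `(In the Linux kernel, the following vulnerability has been resolved:  t ...)`, which no longer names the affected subsystem on the entry line; the `- linux` assignment and the NOTE with the upstream fix (6.8-rc7) are preserved, so nothing is lost, but anyone searching the list for tomoyo now has to go through the commit URL. The 36 newly imported entries (72 added lines) are all left as `TODO: check`, as expected for an automatic import, and the SourceCodester, LangChain, OpenHarmony and iwd ones are triaged in the later commits in this thread.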
@@ -3666,7 +3738,7 @@ CVE-2024-1554 (The `fetch()` API and navigation 
incorrectly shared the same cach
- firefox 123.0-1
NOTE: