[Git][security-tracker-team/security-tracker][master] Sync some Linux CVEs with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 391771c4 by Salvatore Bonaccorso at 2024-03-11T07:33:44+01:00 Sync some Linux CVEs with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -750,9 +750,11 @@ CVE-2024-26623 (In the Linux kernel, the following vulnerability has been resolv NOTE: https://git.kernel.org/linus/7e82a8745b951b1e794cc780d46f3fbee5e93447 (6.8-rc3) CVE-2023-52607 (In the Linux kernel, the following vulnerability has been resolved: p ...) - linux 6.7.7-1 + [buster] - linux (powerpc not supported in LTS) NOTE: https://git.kernel.org/linus/f46c8a75263f97bda13c739ba1c90aced0d3b071 (6.8-rc1) CVE-2023-52606 (In the Linux kernel, the following vulnerability has been resolved: p ...) - linux 6.7.7-1 + [buster] - linux (powerpc not supported in LTS) NOTE: https://git.kernel.org/linus/8f9abaa6d7de0a70fc68acaedce290c1f96e2e59 (6.8-rc1) CVE-2023-52605 (In the Linux kernel, the following vulnerability has been resolved: A ...) - linux 6.7.7-1 @@ -777,9 +779,11 @@ CVE-2023-52599 (In the Linux kernel, the following vulnerability has been resolv NOTE: https://git.kernel.org/linus/49f9637aafa6e63ba686c13cb8549bf5e6920402 (6.8-rc1) CVE-2023-52598 (In the Linux kernel, the following vulnerability has been resolved: s ...) - linux 6.7.7-1 + [buster] - linux (s390 not supported in LTS) NOTE: https://git.kernel.org/linus/8b13601d19c541158a6e18b278c00ba69ae37829 (6.8-rc1) CVE-2023-52597 (In the Linux kernel, the following vulnerability has been resolved: K ...) - linux 6.7.7-1 + [buster] - linux (s390 not supported in LTS) NOTE: https://git.kernel.org/linus/b988b1bb0053c0dcd26187d29ef07566a565cf55 (6.8-rc1) CVE-2023-52596 (In the Linux kernel, the following vulnerability has been resolved: s ...) - linux 6.7.7-1 
@@ -1748,6 +1752,8 @@ CVE-2023-52507 (In the Linux kernel, the following vulnerability has been resolv CVE-2023-52506 (In the Linux kernel, the following vulnerability has been resolved: L ...) - linux 6.5.6-1 [bookworm] - linux 6.1.64-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/b795fb9f5861ee256070d59e33130980a01fadd7 (6.6-rc3) CVE-2023-52505 (In the Linux kernel, the following vulnerability has been resolved: p ...) - linux 6.5.8-1 @@ -4450,6 +4456,7 @@ CVE-2023-52451 (In the Linux kernel, the following vulnerability has been resolv - linux 6.6.15-1 [bookworm] - linux 6.1.76-1 [bullseye] - linux 5.10.209-1 + [buster] - linux (powerpc not supported in LTS) NOTE: https://git.kernel.org/linus/bd68ffce69f6cf8ddd3a3c32549d1d2275e49fc5 (6.8-rc1) CVE-2023-52452 (In the Linux kernel, the following vulnerability has been resolved: b ...) - linux 6.6.15-1 @@ -9727,7 +9734,7 @@ CVE-2023-52340 [ipv6: remove max_size check inline with ipv4] [bullseye] - linux 5.10.209-1 NOTE: https://git.kernel.org/linus/af6d10345ca76670c1b7c37799f0d5576ccef277 (6.3-rc1) CVE-2024-0841 (A null pointer dereference flaw was found in the hugetlbfs_fill_super ...) - - linux + - linux 6.6.7-1 [buster] - linux (Vulnerable code not present) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2256490 NOTE: https://lore.kernel.org/all/20240130210418.3771-1-osalva...@suse.de/T/#u 
@@ -10621,10 +10628,10 @@ CVE-2024-0804 (Insufficient policy enforcement in iOS Security UI in Google Chro CVE-2024-23854 REJECTED CVE-2024-23851 (copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 ...) - - linux + - linux 6.6.7-1 NOTE: https://www.spinics.net/lists/dm-devel/msg56574.html CVE-2024-23850 (In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel throug ...) - - linux + - linux 6.6.7-1 [buster] - linux (Vulnerable code not present) NOTE: https://lore.kernel.org/all/6a80cb4b32af89787dadee728310e5e2ca85343f.1705741883.git.wqu%40suse.com/ CVE-2024-23849 (In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel thro ...) @@ -19263,13 +19270,17 @@ CVE-2023- [RCE vulnerability in WP_HTML_Token class] NOTE: https://wordpress.org/documentation/wordpress-version/version-6-4-2/#installation-update-information NOTE: https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remote-code-execution-patched-in-wordpress-6-4-2/ CVE-2023-6536 (A flaw was found in the Linux kernel's NVMe driver. This issue may all ...) - - linux + - linux 6.6.15-1 + [bookworm] - linux 6.1.76-1 + [bullseye] - linux 5.10.209-1 NOTE: https://bugzilla.r
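Review bot: for CVE-2024-0841, CVE-2024-23851 and CVE-2024-23850 the fixed version moves from `- linux` to `- linux 6.6.7-1`, but the only NOTE references kept are the bug report and list threads (bugzilla.redhat.com, lore.kernel.org, spinics.net); the entries synced from kernel-sec in the same patch each carry a `https://git.kernel.org/linus/...` fix reference with the release it landed in. Adding the upstream fix commit for these three entries would make the 6.6.7-1 claim auditable in the same way.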
[Git][security-tracker-team/security-tracker][master] 3 commits: The PoC given is not reproducible in buster but this CVE is a
Abhijith PA pushed to branch master at Debian Security Tracker / security-tracker Commits: 376c6d8e by Abhijith PA at 2024-03-11T10:41:16+05:30 The PoC given is not reproducible in buster but this CVE is a general issue from an incomplete fix from 4.0.10. But too invasive patch for a minor issue. - - - - - 61509b66 by Abhijith PA at 2024-03-11T10:47:10+05:30 Backporting CVE-2023-6277 can introduce regression in libimager-perl - - - - - ae62c233 by Abhijith PA at 2024-03-11T10:51:24+05:30 Upstream fixed this issue by providing an update to doc. tiff in buster has html docs and upstream in .rst. Not worth converting docs. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10250,7 +10250,7 @@ CVE-2023-52355 (An out-of-memory flaw was found in libtiff that could be trigger - tiff 4.5.1+git230720-4 [bookworm] - tiff (Minor issue) [bullseye] - tiff (Minor issue) - [buster] - tiff (Minor issue, DoS) + [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/621 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/335947359ce2dd3862cd9f7c49f92eba065dfed4 @@ -21875,7 +21875,7 @@ CVE-2023-6277 (An out-of-memory flaw was found in libtiff. Passing a crafted tif - tiff 4.5.1+git230720-2 (bug #1056751) [bookworm] - tiff (Minor issue; will cause compatibility issue with libimager-perl, cf #1057270) [bullseye] - tiff (Minor issue; will cause compatibility issue with libimager-perl, cf #1057270) - [buster] - tiff (Minor issue; OOM DoS) + [buster] - tiff (Minor issue; OOM DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/614 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/545 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/5320c9d89c054fa805d037d84c57da874470b01a
@@ -106015,7 +106015,7 @@ CVE-2022-40091 (Online Tours & Travels Management System v1.0 was discovered to CVE-2022-40090 (An issue was discovered in function TIFFReadDirectory libtiff before 4 ...) - tiff 4.5.0-2 [bullseye] - tiff (Minor issue) - [buster] - tiff (Minor issue, DoS) + [buster] - tiff (Minor issue, DoS) NOTE: https://gitlab.com/libtiff/libtiff/-/issues/455 NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/386 NOTE: https://gitlab.com/libtiff/libtiff/-/commit/d093eb5d961e21ba51420bc22382c514683a4d91 (v4.5.0rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb...ae62c23362ed648db3ff8b56ca0d38aedf975d58 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb...ae62c23362ed648db3ff8b56ca0d38aedf975d58 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
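Review bot: in all three hunks the removed and added buster lines are identical as shown (`- [buster] - tiff (Minor issue, DoS)` followed by `+ [buster] - tiff (Minor issue, DoS)` for CVE-2023-52355 and CVE-2022-40090, and the same for the `(Minor issue; OOM DoS)` line of CVE-2023-6277), so the status change the three commit messages justify is not visible in the diff; verify that the status tag actually changed in the committed lines. The rationale currently lives only in the commit messages (incomplete fix from 4.0.10 with a too invasive patch, regression risk for libimager-perl, doc-only upstream fix); carrying a short form of it into each entry's parenthetical would keep it in the tracker itself.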
[Git][security-tracker-team/security-tracker][master] Removed sendmail from dla-needed since there is no CVE marked as need for a fix for buster.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f95d3ce8 by Ola Lundqvist at 2024-03-10T23:20:12+01:00 Removed sendmail from dla-needed since there is no CVE marked as need for a fix for buster. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -220,11 +220,6 @@ ruby-rack (Adrian Bunk) samba NOTE: 20230918: Added by Front-Desk (apo) -- -sendmail - NOTE: 20231224: Added by Front-Desk (ta) - NOTE: 20240213: Patch need to be extracted (rouca). Upstream does not publish patches - NOTE: 20240217: Patch extracted and being reviewed (rouca) --- shim NOTE: 20240306: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f95d3ce82bb4c126f1895a4fc26d26e068cd8ccb
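Review bot: the removed sendmail entry's last line records work in progress (`NOTE: 20240217: Patch extracted and being reviewed (rouca)`), while the commit message only states that no CVE is marked as needing a fix for buster; nothing in the hunk says what became of the extracted patch or that rouca was told the entry was dropped. A closing dated NOTE, or a pointer to the CVE entries whose buster status was re-triaged, would avoid that work being silently lost.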
[Git][security-tracker-team/security-tracker][master] 2 commits: Removed runc from dla-needed since no CVEs remain to be fixed.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: f20876c2 by Ola Lundqvist at 2024-03-10T23:07:51+01:00 Removed runc from dla-needed since no CVEs remain to be fixed. - - - - - e722a127 by Ola Lundqvist at 2024-03-10T23:09:22+01:00 Reverted decision to remove qemu from dla-needed. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -9128,6 +9128,8 @@ CVE-2024-21626 (runc is a CLI tool for spawning and running containers on Linux NOTE: https://github.com/opencontainers/runc/commit/89c93ddf289437d5c8558b37047c54af6a0edb48 NOTE: https://github.com/opencontainers/runc/commit/ee73091a8d28692fa4868bac81aa40a0b05f9780 NOTE: https://github.com/opencontainers/runc/commit/d8edada9f252873b88043279a71099db71941dea + NOTE: For buster DLA-3735-1 do not completely fix the issue. The rest requires + NOTE: backport that is hard to do so that will not be done. CVE-2024-24579 (stereoscope is a go library for processing container images and simula ...) NOT-FOR-US: stereoscope CVE-2024-24566 (Lobe Chat is a chatbot framework that supports speech synthesis, multi ...) @@ -44668,7 +44670,7 @@ CVE-2023-3354 (A flaw was found in the QEMU built-in VNC server. When a client c - qemu 1:8.0.4+dfsg-1 [bookworm] - qemu 1:7.2+dfsg-7+deb12u2 [bullseye] - qemu 1:5.2+dfsg-11+deb11u3 - [buster] - qemu (Minor issue) + [buster] - qemu (Minor issue) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2216478 NOTE: https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html NOTE: Fixed by: https://gitlab.com/qemu-project/qemu/-/commit/5300472ec0990c61742d89b5eea1c1e6941f6d62 (v8.0.4) = data/dla-needed.txt = 
@@ -192,6 +192,10 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- +qemu (Adrian Bunk) + NOTE: 20240119: Added by Front-Desk (lamby) + NOTE: 20240119: CVE-2023-1544 and CVE-2023-3354 already fixed in bullseye via DSA or point releases; to be fixed or . (lamby) +-- rails NOTE: 20220909: Re-added due to regression (abhijith) NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith) @@ -213,13 +217,6 @@ ring ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) -- -runc - NOTE: 20240204: Added by Front-Desk (ta) - NOTE: 20240219: Complete fix for CVE-2024-21626 would require backport of - NOTE: 20240219: https://github.com/opencontainers/runc/commit/284ba3057e428f8d6c7afcc3b0ac752e525957df and - NOTE: 20240219: https://github.com/opencontainers/runc/commit/e9665f4d606b64bf9c4652ab2510da368bfbd951. - NOTE: 20240219: But it uses a link to internal/poll.IsPollDescriptor, introduced in Go 1.12, which I cannot backport (dleidert). --- samba NOTE: 20230918: Added by Front-Desk (apo) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/82315a7e28b28c15b606431bf909fe71a023f769...e722a12799f2fe393d12ee0eccee2fc385d6da2b
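Review bot: the two NOTE lines added to CVE-2024-21626 in data/CVE/list (`For buster DLA-3735-1 do not completely fix the issue. The rest requires backport that is hard to do so that will not be done.`) should read "does not completely fix", and they drop the specifics that the runc entry deleted from dla-needed.txt in the same push held: the two upstream commits a complete fix needs (284ba3057e428f8d6c7afcc3b0ac752e525957df and e9665f4d606b64bf9c4652ab2510da368bfbd951) and the blocker (`internal/poll.IsPollDescriptor`, introduced in Go 1.12). Carry those references into the CVE/list NOTE so the rationale stays auditable once the dla-needed entry is gone.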
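Review bot: the re-added qemu entry's second line ends with `to be fixed or . (lamby)`, which reads as a truncated sentence; complete it or drop the fragment. The entry also carries no dated NOTE for this push, although the commit message says the earlier removal was reverted, so the next front-desk pass cannot see from dla-needed.txt why qemu is back on the list or what remains to be done for buster.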
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 82315a7e by Salvatore Bonaccorso at 2024-03-10T21:24:22+01:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2024-2355 (A vulnerability has been found in keerti1924 Secret-Coder-PHP-Project ...) - TODO: check + NOT-FOR-US: keerti1924 Secret-Coder-PHP-Project CVE-2024-2354 (A vulnerability, which was classified as problematic, was found in Dre ...) - TODO: check + NOT-FOR-US: Dreamer CMS CVE-2024-2353 (A vulnerability, which was classified as critical, has been found in T ...) NOT-FOR-US: Totolink CVE-2024-2352 (A vulnerability, which was classified as critical, has been found in 1 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/82315a7e28b28c15b606431bf909fe71a023f769
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9d71cfe5 by security tracker role at 2024-03-10T20:12:25+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-2355 (A vulnerability has been found in keerti1924 Secret-Coder-PHP-Project ...) + TODO: check +CVE-2024-2354 (A vulnerability, which was classified as problematic, was found in Dre ...) + TODO: check CVE-2024-2353 (A vulnerability, which was classified as critical, has been found in T ...) NOT-FOR-US: Totolink CVE-2024-2352 (A vulnerability, which was classified as critical, has been found in 1 ...) @@ -7601,7 +7605,7 @@ CVE-2024-25146 (Liferay Portal 7.2.0 through 7.4.1, and older unsupported versio CVE-2024-25144 (The IFrame widget in Liferay Portal 7.2.0 through 7.4.3.26, and older ...) NOT-FOR-US: Liferay Portal CVE-2024-24806 (libuv is a multi-platform support library with a focus on asynchronous ...) - {DLA-3752-1} + {DSA-5638-1 DLA-3752-1} - libuv1 1.48.0-1 (bug #1063484) NOTE: https://github.com/libuv/libuv/security/advisories/GHSA-f74f-cvh7-c6q6 NOTE: Introduced by: https://github.com/libuv/libuv/commit/6dd44caa35b4697d7e8c1b9fa0ba8e95d73355de (v1.24.0) @@ -10788,6 +10792,7 @@ CVE-2024-0744 (In some circumstances, JIT compiled code could have dereferenced - firefox 122.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0744 CVE-2024-0743 (An unchecked return value in TLS handshake code could have caused a po ...) + {DLA-3757-1} - firefox 122.0-1 - nss 2:3.96.1-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/#CVE-2024-0743 
@@ -27493,6 +27498,7 @@ CVE-2023-39333 NOTE: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#code-injection-via-webassembly-export-names-low---cve-2023-39333 NOTE: https://github.com/nodejs/node/commit/eaf9083cf1e43bd897ac8244dcc0f4e3500150ca CVE-2023-5388 + {DLA-3757-1} - nss 2:3.98-1 (bug #1056284) [bookworm] - nss (Minor issue) [bullseye] - nss (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9d71cfe56a5fd8e600a1a4319c02f3fe50e2d6e1
[Git][security-tracker-team/security-tracker][master] Track fixed version for azure-uamqp-python issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: da44f932 by Salvatore Bonaccorso at 2024-03-10T20:48:25+01:00 Track fixed version for azure-uamqp-python issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3361,7 +3361,7 @@ CVE-2024-27507 (libLAS 1.8.1 contains a memory leak vulnerability in /libLAS/app - liblas [buster] - liblas (Minor issue) CVE-2024-27099 (The uAMQP is a C library for AMQP 1.0 communication to Azure Cloud Ser ...) - - azure-uamqp-python (bug #1064996) + - azure-uamqp-python 1.6.8-2 (bug #1064996) NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-6rh4-fj44-v4jj NOTE: https://github.com/Azure/azure-uamqp-c/commit/2ca42b6e4e098af2d17e487814a91d05f6ae4987 CVE-2024-26473 (A reflected cross-site scripting (XSS) vulnerability in SocialMediaWeb ...) 
@@ -6843,7 +6843,7 @@ CVE-2024-25112 (Exiv2 is a command-line utility and C++ library for reading, wri NOTE: it was removed and later reintroduced. The 0.27-maintenance branch _does_ include NOTE: the Quicktime decoder CVE-2024-25110 (The UAMQP is a general purpose C library for AMQP 1.0. During a call t ...) - - azure-uamqp-python (bug #1064051) + - azure-uamqp-python 1.6.8-2 (bug #1064051) NOTE: https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695 NOTE: https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v NOTE: https://github.com/Azure/azure-uamqp-python/issues/380 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da44f93230cfef191f29f2e2d2a6fd8972f05ce0
[Git][security-tracker-team/security-tracker][master] Track fixed version via unstable for CVE-2024-28757/expat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ec7fda0 by Salvatore Bonaccorso at 2024-03-10T20:44:30+01:00 Track fixed version via unstable for CVE-2024-28757/expat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2024-2351 (A vulnerability classified as critical was found in CodeAstro Eco CVE-2024-27698 REJECTED CVE-2024-28757 (libexpat through 2.6.1 allows an XML Entity Expansion attack when ther ...) - - expat (bug #1065868) + - expat 2.6.1-2 (bug #1065868) NOTE: https://github.com/libexpat/libexpat/pull/842 NOTE: https://github.com/libexpat/libexpat/issues/839 NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ec7fda0ff477ed3cf2a9b7fe985341a62239a9c
[Git][security-tracker-team/security-tracker][master] LTS: claim expat in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 60343264 by Tobias Frost at 2024-03-10T20:13:31+01:00 LTS: claim expat in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -74,7 +74,7 @@ edk2 NOTE: 20231230: Added by Front-Desk (lamby) NOTE: 20231230: CVE-2019-11098 fixed in bullseye via DSA or point release (lamby) -- -expat +expat (tobi) NOTE: 20240306: Added by Front-Desk (opal) -- freeipa (Chris Lamb) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/60343264de9b5ae2294112b1a1605b5fa3e4f495
[Git][security-tracker-team/security-tracker][master] LTS: release claim on nss in dla-needed.txt
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: 62d36b43 by Tobias Frost at 2024-03-10T18:59:30+01:00 LTS: release claim on nss in dla-needed.txt - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -164,7 +164,7 @@ nova NOTE: 20230302: zigo currently has no time and requests the LTS team to do it (IRC #debian-lts 2023-03-02). (Beuc/front-desk) NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, python-os-brick, nova and cinder. (lamby) -- -nss (tobi) +nss NOTE: 20240121: Added by Front-Desk (apo) NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. NOTE: 20230310: see also: Message-ID: View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62d36b4369c4fa2b2d3d7076c9a9d534a2b5b01d
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3757-1 for nss.
Tobias Frost pushed to branch master at Debian Security Tracker / security-tracker Commits: e494cd25 by Tobias Frost at 2024-03-10T18:58:45+01:00 Reserve DLA-3757-1 for nss. - - - - - 3 changed files: - data/CVE/list - data/DLA/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -27496,7 +27496,6 @@ CVE-2023-5388 - nss 2:3.98-1 (bug #1056284) [bookworm] - nss (Minor issue) [bullseye] - nss (Minor issue) - [buster] - nss (Minor issue) NOTE: https://people.redhat.com/~hkario/marvin/ NOTE: Vendor patch (Rocky Linux, not upstreamed): https://git.rockylinux.org/staging/rpms/nss/-/commit/1f7f7523b61a2ada2f461548c4160fbbf979c5dd NOTE: Fixed by: https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2 = data/DLA/list = @@ -1,3 +1,6 @@ +[10 Mar 2024] DLA-3757-1 nss - security update + {CVE-2023-5388 CVE-2024-0743} + [buster] - nss 2:3.42.1-1+deb10u8 [10 Mar 2024] DLA-3756-1 wordpress - security update [buster] - wordpress 5.0.21+dfsg1-0+deb10u1 [09 Mar 2024] DLA-3755-1 tar - security update = data/dla-needed.txt = 
@@ -166,12 +166,8 @@ nova -- nss (tobi) NOTE: 20240121: Added by Front-Desk (apo) - NOTE: 20240209: There is currently no (public) patch for CVE-2023-5388 - RedHat seems to have one in privateā¦ (tobi) - NOTE: 20240209: Tried to backport patches for CVE-2023-6135, however it is unclear which bits are required or if the - NOTE: 20240209: fix would be to backport nss to utilize HACL*. The version in buster does not have the NIST ciphers - NOTE: 20240209: in the files touched by the upstream patch. TL;DR: I'm unsure if the prepared patches are fixing the vulnerabilty. - NOTE: 20240209: The backported patches are in the LTS repository, CVE-2023-6135*.patch - NOTE: 20230227: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. + NOTE: 20240310: CVE-2023-6135: Upstream suggests to wait until they have a patch for 3.90 (their LTS version) available and backport from there. + NOTE: 20230310: see also: Message-ID: -- nvidia-graphics-drivers NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e494cd253be892f0ab8bd86e86074788f6b9cc01
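Review bot: in the dla-needed.txt hunk the added line `+ NOTE: 20230310: see also: Message-ID:` is dated a year before the adjacent `20240310` note and, as shown here, nothing follows `Message-ID:`; correct the date and confirm the identifier is actually present in the committed line, otherwise the pointer is useless to the next person picking up CVE-2023-6135.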
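Review bot: the new DLA-3757-1 entry in data/DLA/list claims CVE-2023-5388, while the note deleted from dla-needed.txt (`20240209: There is currently no (public) patch for CVE-2023-5388`) is removed without a replacement saying what changed; the context line `NOTE: Fixed by: https://hg.mozilla.org/projects/nss/rev/196716d8377ab427e326f20bff2d026e90ac69e2` in data/CVE/list suggests a public fix now exists, so a dated note recording which patch was backported to 2:3.42.1-1+deb10u8 would close that gap.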
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3756-1 for wordpress
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: 2c79e5d0 by Markus Koschany at 2024-03-10T18:21:29+01:00 Reserve DLA-3756-1 for wordpress - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[10 Mar 2024] DLA-3756-1 wordpress - security update + [buster] - wordpress 5.0.21+dfsg1-0+deb10u1 [09 Mar 2024] DLA-3755-1 tar - security update {CVE-2023-39804} [buster] - tar 1.30+dfsg-6+deb10u1 = data/dla-needed.txt = @@ -275,9 +275,6 @@ varnish NOTE: 20240122: Still fixing tests (abhijith) NOTE: 20240213: Fixing tests.(abhijith) -- -wordpress - NOTE: 20240306: Added by Front-Desk (opal) --- zabbix NOTE: 20240212: Added by Front-Desk (utkarsh) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c79e5d0ef7bbd6375a027256d758712b443960b
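Review bot: the new `[10 Mar 2024] DLA-3756-1 wordpress - security update` entry in data/DLA/list has no `{CVE-...}` line between the header and `[buster] - wordpress 5.0.21+dfsg1-0+deb10u1`, unlike the neighbouring DLA-3755-1 entry with `{CVE-2023-39804}`; if the update addresses CVEs, list them here, since that line is what ties the DLA to the entries in data/CVE/list.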
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-28757/expat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a003d1a5 by Salvatore Bonaccorso at 2024-03-10T16:05:46+01:00 Add Debian bug reference for CVE-2024-28757/expat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,7 @@ CVE-2024-2351 (A vulnerability classified as critical was found in CodeAstro Eco CVE-2024-27698 REJECTED CVE-2024-28757 (libexpat through 2.6.1 allows an XML Entity Expansion attack when ther ...) - - expat + - expat (bug #1065868) NOTE: https://github.com/libexpat/libexpat/pull/842 NOTE: https://github.com/libexpat/libexpat/issues/839 NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a003d1a5ec8a63cffc67258b21e3a527c8108f89
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-22749/gpac
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 077a4509 by Salvatore Bonaccorso at 2024-03-10T15:56:45+01:00 Add Debian bug reference for CVE-2024-22749/gpac - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -10156,7 +10156,7 @@ CVE-2024-23656 (Dex is an identity service that uses OpenID Connect to drive aut CVE-2024-23655 (Tuta is an encrypted email service. Starting in version 3.118.12 and p ...) NOT-FOR-US: Tuta CVE-2024-22749 (GPAC v2.3 was detected to contain a buffer overflow via the function g ...) - - gpac + - gpac (bug #1065861) [buster] - gpac (EOL in buster LTS) NOTE: https://github.com/gpac/gpac/issues/2713 NOTE: https://github.com/gpac/gpac/commit/7aef8038c6bdd310e65000704e39afaa0e721048 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/077a45092c01441e4705ddb43d60cac68feb3b23
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2023-5685/jboss-xnio
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 050d95d3 by Salvatore Bonaccorso at 2024-03-10T15:24:53+01:00 Add Debian bug reference for CVE-2023-5685/jboss-xnio - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -851,7 +851,7 @@ CVE-2024-24783 (Verifying a certificate chain which contains a certificate with CVE-2024-1979 NOT-FOR-US: Quarkus CVE-2023-5685 [StackOverflowException when the chain of notifier states becomes problematically big] - - jboss-xnio + - jboss-xnio (bug #1065847) [bookworm] - jboss-xnio (Minor issue) [bullseye] - jboss-xnio (Minor issue) [buster] - jboss-xnio (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/050d95d3bdf3dc62058204806cc2ff1630c215d1
[Git][security-tracker-team/security-tracker][master] Note that debdiff for php-dompdf-svg-lib is ready for review
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 172a53b7 by Salvatore Bonaccorso at 2024-03-10T15:03:43+01:00 Note that debdiff for php-dompdf-svg-lib is ready for review - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -50,6 +50,7 @@ openvswitch (jmm) php-cas/oldstable -- php-dompdf-svg-lib/stable + William Desportes is proposing an update needing review (6883e24c-b53d-4dcd-ad27-b944dbd68...@wdes.fr) -- php-horde-mime-viewer/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/172a53b7ecfc2bb32a2f12d4e8c9d28530baab48
[Git][security-tracker-team/security-tracker][master] Reserve DSA number for libuv1 update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0be146b2 by Salvatore Bonaccorso at 2024-03-10T13:53:00+01:00 Reserve DSA number for libuv1 update - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[10 Mar 2024] DSA-5638-1 libuv1 - security update + {CVE-2024-24806} + [bullseye] - libuv1 1.40.0-2+deb11u1 + [bookworm] - libuv1 1.44.2-1+deb12u1 [08 Mar 2024] DSA-5637-1 squid - security update {CVE-2023-46724 CVE-2023-46846 CVE-2023-46847 CVE-2023-49285 CVE-2023-49286 CVE-2023-50269 CVE-2024-23638 CVE-2024-25617} [bullseye] - squid 4.13-10+deb11u3 = data/dsa-needed.txt = @@ -33,9 +33,6 @@ jetty9 libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- -libuv1 (carnil) - Maintainer proposed debdiff for bookworm, asking back for bullseye as well --- linux (carnil) Wait until more issues have piled up, though try to regulary rebase for point releases to more recent v5.10.y and 6.1.y versions View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0be146b2d007b1445203dfe45c4e6ee23f898cb5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0be146b2d007b1445203dfe45c4e6ee23f898cb5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
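Review bot: the DSA-5638-1 entry in data/DSA/list records fixed versions for both bullseye (1.40.0-2+deb11u1) and bookworm (1.44.2-1+deb12u1), but this commit touches only data/DSA/list and data/dsa-needed.txt; the per-suite lines for CVE-2024-24806 in data/CVE/list are not part of the change and need to carry the same two versions, otherwise the tracker keeps listing the CVE as open in both suites despite the advisory. The removed dsa-needed note still said bullseye was being asked for, so it is worth confirming the bullseye debdiff was actually received before the DSA is released.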
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c658dd07 by Salvatore Bonaccorso at 2024-03-10T13:45:30+01:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,9 +1,9 @@ CVE-2024-2353 (A vulnerability, which was classified as critical, has been found in T ...) - TODO: check + NOT-FOR-US: Totolink CVE-2024-2352 (A vulnerability, which was classified as critical, has been found in 1 ...) - TODO: check + NOT-FOR-US: 1Panel CVE-2024-2351 (A vulnerability classified as critical was found in CodeAstro Ecommerc ...) - TODO: check + NOT-FOR-US: CodeAstro Ecommerce Site CVE-2024-27698 REJECTED CVE-2024-28757 (libexpat through 2.6.1 allows an XML Entity Expansion attack when ther ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c658dd07f6f6602b5385f284c4ce3bfe9d1398eb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c658dd07f6f6602b5385f284c4ce3bfe9d1398eb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
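Review bot: the three "TODO: check" to "NOT-FOR-US" reclassifications cannot be verified from the hunk itself, because the descriptions are truncated to the first character of the product ("found in T ...", "found in 1 ...", "CodeAstro Ecommerc ..."); a reviewer has to open the CVE records for CVE-2024-2353, CVE-2024-2352 and CVE-2024-2351 to confirm that Totolink, 1Panel and CodeAstro Ecommerce Site are the affected products and that none of them is packaged in Debian. Writing the full product name after NOT-FOR-US, as done here, is the right form, since that is what later searches of the list match on.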
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 970c9078 by security tracker role at 2024-03-10T08:11:50+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,4 +1,12 @@ -CVE-2024-28757 +CVE-2024-2353 (A vulnerability, which was classified as critical, has been found in T ...) + TODO: check +CVE-2024-2352 (A vulnerability, which was classified as critical, has been found in 1 ...) + TODO: check +CVE-2024-2351 (A vulnerability classified as critical was found in CodeAstro Ecommerc ...) + TODO: check +CVE-2024-27698 + REJECTED +CVE-2024-28757 (libexpat through 2.6.1 allows an XML Entity Expansion attack when ther ...) - expat NOTE: https://github.com/libexpat/libexpat/pull/842 NOTE: https://github.com/libexpat/libexpat/issues/839 @@ -19257,6 +19265,7 @@ CVE-2023-6356 (A flaw was found in the Linux kernel's NVMe driver. This issue ma - linux NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2254054 CVE-2023-39804 [Incorrectly handled extension attributes in PAX archives can lead to a crash] + {DLA-3755-1} - tar 1.34+dfsg-1.3 (bug #1058079) [bookworm] - tar 1.34+dfsg-1.2+deb12u1 [bullseye] - tar 1.34+dfsg-1+deb11u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/970c907868aebcca148fa18ac9aad0aee5fac07b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/970c907868aebcca148fa18ac9aad0aee5fac07b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
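Review bot: in the second hunk the "{DLA-3755-1}" reference is added to CVE-2023-39804, but the visible context shows only the bookworm (1.34+dfsg-1.2+deb12u1) and bullseye (1.34+dfsg-1+deb11u1) lines; a DLA is an LTS advisory for buster, so check that the entry's [buster] line carries the tar version shipped in DLA-3755-1, otherwise the advisory reference and the suite status for buster will disagree and the CVE will still show as open there.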
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-28757/expat
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e71f4193 by Salvatore Bonaccorso at 2024-03-10T09:00:19+01:00 Add CVE-2024-28757/expat - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-28757 + - expat + NOTE: https://github.com/libexpat/libexpat/pull/842 + NOTE: https://github.com/libexpat/libexpat/issues/839 + NOTE: Fixed by: https://github.com/libexpat/libexpat/commit/1d50b80cf31de87750103656f6eb693746854aa8 + NOTE: Tests: https://github.com/libexpat/libexpat/commit/072eca0b72373da103ce15f8f62d1d7b52695454 CVE-2024-2333 (A vulnerability classified as critical has been found in CodeAstro Mem ...) NOT-FOR-US: CodeAstro Membership Management System CVE-2024-2332 (A vulnerability was found in SourceCodester Online Mobile Management S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e71f4193d879194972aa3d25c496f24b60153752 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e71f4193d879194972aa3d25c496f24b60153752 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
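Review bot: the new CVE-2024-28757 entry has a bare "- expat" line with no fixed version and no [bookworm]/[bullseye]/[buster] status lines, so the tracker will list expat as unfixed in every suite until those are filled in. The NOTE lines pointing at the upstream fix (commit 1d50b80cf31de87750103656f6eb693746854aa8) and its tests are what a backporter needs, but a "(bug #...)" reference for the unstable upload and an explicit severity or no-dsa annotation per suite are still missing; the entry also has no description yet, which the automatic feed import will supply.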