[Git][security-tracker-team/security-tracker][master] LTS: claim spip in dla-needed.txt

2024-03-13 Thread Guilhem Moulin (@guilhem)


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
41ffec06 by Guilhem Moulin at 2024-03-14T00:52:04+01:00
LTS: claim spip in dla-needed.txt

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -266,7 +266,7 @@ sendmail
 shim
   NOTE: 20240306: Added by Front-Desk (opal)
 --
-spip
+spip (guilhem)
   NOTE: 20240313: Added by Front-Desk (Beuc)
   NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-52322) 
(Beuc/front-desk)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/41ffec0696299400ebeadf5fe4d899e3a70007f9



___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] dla: take node-xml2js

2024-03-13 Thread Adrian Bunk (@bunk)


Adrian Bunk pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aba66277 by Adrian Bunk at 2024-03-13T23:43:32+02:00
dla: take node-xml2js

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -170,7 +170,7 @@ linux-5.10
 lucene-solr
   NOTE: 20240213: Added by Front-Desk (lamby)
 --
-node-xml2js
+node-xml2js (Adrian Bunk)
   NOTE: 20240313: Added by Front-Desk (Beuc)
   NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-0842) 
(Beuc/front-desk)
 --
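Review bot: the claimant is recorded here by full name (`node-xml2js (Adrian Bunk)`), while the spip claim made to the same file the same day uses the salsa handle (`spip (guilhem)`); settling on one form for the parenthesised claimant makes the file consistent to grep and to read when checking who holds a package.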



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aba66277c60de01158e2aa5f4caaf227e85ba3a3



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-27305

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b8749c22 by Salvatore Bonaccorso at 2024-03-13T22:35:53+01:00
Add Debian bug reference for CVE-2024-27305

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -422,7 +422,7 @@ CVE-2024-28236 (Vela is a Pipeline Automation (CI/CD) 
framework built on Linux c
 CVE-2024-27440 (The Toyoko Inn official App for iOS versions prior to 1.13.0 
and Toyok ...)
NOT-FOR-US: Toyoko Inn official App
 CVE-2024-27305 (aiosmtpd is a reimplementation of the Python stdlib smtpd.py 
based on  ...)
-   - python-aiosmtpd 
+   - python-aiosmtpd  (bug #1066820)
NOTE: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
NOTE: 
https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
 (1.4.5)
 CVE-2024-26529 (An issue in mz-automation libiec61850 v.1.5.3 and before, 
allows a rem ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8749c22f30a5aa1c033cb038c5d8e482937e6c2



[Git][security-tracker-team/security-tracker][master] Add two new tomcat issues

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6376bd9c by Salvatore Bonaccorso at 2024-03-13T22:16:53+01:00
Add two new tomcat issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -132,9 +132,19 @@ CVE-2024-24693 (Improper access control in the installer 
for Zoom Rooms Client f
 CVE-2024-24692 (Race condition in the installer for Zoom Rooms Client for 
Windows befo ...)
NOT-FOR-US: Zoom
 CVE-2024-24549 (Denial of Service due to improper input validation 
vulnerability for H ...)
-   TODO: check
+   - tomcat10 
+   - tomcat9 9.0.70-2
+   NOTE: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
+   NOTE: 
https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843
 (10.1.19)
+   NOTE: 
https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0
 (9.0.86)
+   NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
 CVE-2024-23672 (Denial of Service via incomplete cleanup vulnerability in 
Apache Tomca ...)
-   TODO: check
+   - tomcat10 
+   - tomcat9 9.0.70-2
+   NOTE: https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f
+   NOTE: 
https://github.com/apache/tomcat/commit/0052b374684b613b0c849899b325ebe334ac6501
 (10.1.19)
+   NOTE: 
https://github.com/apache/tomcat/commit/52d6650e062d880704898d7d8c1b2b7a3efe8068
 (9.0.86)
+   NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, 
using that as the fixed version
 CVE-2024-20327 (A vulnerability in the PPP over Ethernet (PPPoE) termination 
feature o ...)
NOT-FOR-US: Cisco
 CVE-2024-20322 (A vulnerability in the access control list (ACL) processing on 
Pseudow ...)
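Review bot: both `- tomcat10` lines carry no fixed Debian version although the NOTE lines already give the upstream fix as 10.1.19, so unstable stays listed as affected for CVE-2024-24549 and CVE-2024-23672 until an upload with that fix is recorded; adding a bug reference to the tomcat10 entries, as the aiosmtpd and go-jose entries elsewhere in this file carry, would keep the follow-up traceable. The tomcat9 fixed version 9.0.70-2 predates the upstream fix (9.0.86) and rests on the packaging change stated in the NOTE, which is the right justification to leave in place.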



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6376bd9cf7c0be78317e7be3049808079830aeac



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
8587b959 by Salvatore Bonaccorso at 2024-03-13T22:00:44+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,53 +1,53 @@
 CVE-2024-2433 (An improper authorization vulnerability in Palo Alto Networks 
Panorama ...)
-   TODO: check
+   NOT-FOR-US: Palo Alto Networks
 CVE-2024-2432 (A privilege escalation (PE) vulnerability in the Palo Alto 
Networks Gl ...)
-   TODO: check
+   NOT-FOR-US: Palo Alto Networks
 CVE-2024-2431 (An issue in the Palo Alto Networks GlobalProtect app enables a 
non-pri ...)
-   TODO: check
+   NOT-FOR-US: Palo Alto Networks
 CVE-2024-2418 (A vulnerability was found in SourceCodester Best POS Management 
System ...)
-   TODO: check
+   NOT-FOR-US: SourceCodester Best POS Management System
 CVE-2024-2416 (Cross-Site Request Forgery vulnerability in Movistar's 4G 
router affec ...)
-   TODO: check
+   NOT-FOR-US: Movistar
 CVE-2024-2415 (Command injection vulnerability in Movistar 4G router affecting 
versio ...)
-   TODO: check
+   NOT-FOR-US: Movistar
 CVE-2024-2414 (The primary channel is unprotected on Movistar 4G router 
affecting E v ...)
-   TODO: check
+   NOT-FOR-US: Movistar
 CVE-2024-2403 (Improper cleanup in temporary file handling component in 
Devolutions R ...)
-   TODO: check
+   NOT-FOR-US: Devolutions
 CVE-2024-2293 (The Site Reviews plugin for WordPress is vulnerable to Stored 
Cross-Si ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2286 (The Sky Addons for Elementor (Free Templates Library, Live 
Copy, Anima ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2252 (The Droit Elementor Addons \u2013 Widgets, Blocks, Templates 
Library F ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2247 (JFrog Artifactory versions below 7.77.7, are vulnerable to 
DOM-based c ...)
-   TODO: check
+   NOT-FOR-US: JFrog Artifactory
 CVE-2024-2239 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2238 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2237 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2194 (The WP Statistics plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2172 (The Malware Scanner plugin and the Web Application Firewall 
plugin for ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2126 (The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable 
to Store ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2123 (The Ultimate Member \u2013 User Profile, Registration, Login, 
Member D ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2106 (The MasterStudy LMS WordPress Plugin \u2013 for Online Courses 
and Edu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2030 (The Database for Contact Form 7, WPforms, Elementor forms 
plugin for W ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2028 (The Exclusive Addons for Elementor plugin for WordPress is 
vulnerable  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2020 (The Calculated Fields Form plugin for WordPress is vulnerable 
to Store ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2006 (The Post Grid, Slider & Carousel Ultimate \u2013 with 
Shortcode, Guten ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2000 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-28684 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
NOT-FOR-US: DedeCMS
 CVE-2024-28683 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
@@ -95,15 +95,15 @@ CVE-2024-28430 (DedeCMS v5.7 was discovered to contain a 
Cross-Site Request Forg
 CVE-2024-28429 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
NOT-FOR-US: DedeCMS
 CVE-2024-28196 (your_spotify is an open source, self hosted Spotify tracking 
dashboard ...)
-   TODO: check
+   NOT-FOR-US: your_spotify
 CVE-2024-28195 (your_spotify is an open source, self hosted Spotify tracking 
dashboard ...)
-   TODO: check
+   NOT-FOR-US: your_spotify
 CVE-2024-28194 (your_spotify is an open source, self hosted Spotify tracking 
dashboard ...)
-   TODO: check
+   NOT-FOR-US: your_spotify
 

[Git][security-tracker-team/security-tracker][master] Add CVE-2023-32282 as NFU

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a9754f80 by Salvatore Bonaccorso at 2024-03-13T21:42:42+01:00
Add CVE-2023-32282 as NFU

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -7434,6 +7434,8 @@ CVE-2023-32642 (Insufficient adherence to expected 
conventions for some Intel(R)
NOTE: Fixed upstream in linux-firmware/20231211
 CVE-2023-32618 (Uncontrolled search path in some Intel(R) oneAPI Toolkit and 
component ...)
NOT-FOR-US: Intel
+CVE-2023-32282
+   NOT-FOR-US: Intel
 CVE-2023-32280 (Insufficiently protected credentials in some Intel(R) Server 
Product O ...)
NOT-FOR-US: Intel
 CVE-2023-31271 (Improper access control in some Intel(R) VROC software before 
version  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9754f8094185006f4f73d3fd543c93be9e132ea



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-28180 via unstable

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d25ee3c1 by Salvatore Bonaccorso at 2024-03-13T21:40:14+01:00
Track fixed version for CVE-2024-28180 via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1085,7 +1085,7 @@ CVE-2024-28753 (RaspAP (aka raspap-webgui) through 3.0.9 
allows remote attackers
 CVE-2024-28184 (WeasyPrint helps web developers to create PDF documents. Since 
version ...)
NOT-FOR-US: WeasyPrint
 CVE-2024-28180 (Package jose aims to provide an implementation of the 
Javascript Objec ...)
-   - golang-github-go-jose-go-jose  (bug #1065814)
+   - golang-github-go-jose-go-jose 4.0.1-1 (bug #1065814)
NOTE: 
https://github.com/go-jose/go-jose/security/advisories/GHSA-c5q2-7r4c-mv6g
NOTE: 
https://github.com/go-jose/go-jose/commit/0dd4dd541c665fb292d664f77604ba694726f298
 (v2.6.3)
NOTE: 
https://github.com/go-jose/go-jose/commit/add6a284ea0f844fd6628cba637be5451fe4b28a
 (v3.0.3)
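Review bot: the fixed version 4.0.1-1 is recorded for golang-github-go-jose-go-jose, but the two NOTE commits cite the upstream fixes in v2.6.3 and v3.0.3 only; adding the v4 fix commit or release tag to the NOTE lines would let the 4.0.1-1 claim be checked against upstream without guessing which branch the Debian package follows.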



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d25ee3c1b77ec22bb7ff10373500d11e868afbc7



[Git][security-tracker-team/security-tracker][master] Add CVE-2023-32666

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b54e7382 by Salvatore Bonaccorso at 2024-03-13T21:38:16+01:00
Add CVE-2023-32666

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -24853,6 +24853,8 @@ CVE-2023-33304 (A use of hard-coded credentials 
vulnerability in Fortinet FortiC
NOT-FOR-US: FortiGuard
 CVE-2023-32701 (Improper Input Validation in the Networking Stack of QNX SDP 
version(s ...)
NOT-FOR-US: QNX SDP
+CVE-2023-32666
+   NOT-FOR-US: Intel
 CVE-2023-32662 (Improper authorization in some Intel Battery Life Diagnostic 
Tool inst ...)
NOT-FOR-US: Intel
 CVE-2023-32661 (Improper authentication in some Intel(R) NUC Kits NUC7PJYH and 
NUC7CJY ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b54e738252a5a32ce2eaf304b9185bbadcf41030



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b753d1cd by Salvatore Bonaccorso at 2024-03-13T21:28:47+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -49,51 +49,51 @@ CVE-2024-2006 (The Post Grid, Slider & Carousel Ultimate 
\u2013 with Shortcode,
 CVE-2024-2000 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
TODO: check
 CVE-2024-28684 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28683 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28682 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28681 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28680 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28679 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28678 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28677 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28676 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28675 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28673 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28672 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28671 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28670 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28669 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28668 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28667 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28666 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28665 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28432 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28431 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28430 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28429 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: DedeCMS
 CVE-2024-28196 (your_spotify is an open source, self hosted Spotify tracking 
dashboard ...)
TODO: check
 CVE-2024-28195 (your_spotify is an open source, self hosted Spotify tracking 
dashboard ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b753d1cd271f15ad5e874d1326e8998efc9d05a1



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7aa5b794 by Salvatore Bonaccorso at 2024-03-13T21:19:36+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -377,11 +377,11 @@ CVE-2023-52608 (In the Linux kernel, the following 
vulnerability has been resolv
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/437a310b22244d4e0b78665c3042e5d1c0f45306 (6.8-rc2)
 CVE-2023-43043 (IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 
8.11 cou ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-38723 (IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored 
cross-sit ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-32335 (IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset 
Managemen ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2018-25090 (An unauthenticated remote attacker can use an XSS attack due 
to improp ...)
TODO: check
 CVE-2015-10123 (An unautheticated remote attacker could send specifically 
crafted pack ...)
@@ -60021,7 +60021,7 @@ CVE-2023-28519
 CVE-2023-28518
RESERVED
 CVE-2023-28517 (IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 
6.2.2 is vul ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2023-28516
RESERVED
 CVE-2023-28515



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7aa5b7941189ea6eca48b16bfd0fe48ee3d5a153



[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
212d13a9 by Salvatore Bonaccorso at 2024-03-13T21:16:32+01:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -107,9 +107,14 @@ CVE-2024-27952 (Improper Neutralization of Input During 
Web Page Generation ('Cr
 CVE-2024-27441
REJECTED
 CVE-2024-26630 (In the Linux kernel, the following vulnerability has been 
resolved:  m ...)
-   TODO: check
+   - linux 6.7.9-1
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/3a75cb05d53f4a6823a32deb078de1366954a804 (6.8-rc7)
 CVE-2024-26629 (In the Linux kernel, the following vulnerability has been 
resolved:  n ...)
-   TODO: check
+   - linux 6.6.15-1
+   NOTE: 
https://git.kernel.org/linus/edcf9725150e42beeca42d085149f4c88fa97afd (6.8-rc2)
 CVE-2024-25155 (In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the 
web server ...)
TODO: check
 CVE-2024-25154 (Improper URL validation leads to path traversal in 
FileCatalyst Direct ...)
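Review bot: CVE-2024-26629 gets `- linux 6.6.15-1` with no per-suite lines, whereas CVE-2024-26630 directly above carries explicit `[bookworm]`, `[bullseye]` and `[buster]` entries, so the tracker will show every stable suite as affected for CVE-2024-26629 until a fixed version or a "Vulnerable code not present" line is added; if the 6.1.76-1 bookworm upload contains this fix, as is recorded for CVE-2023-52608 in the next hunk, the matching `[bookworm] - linux 6.1.76-1` line belongs here too, otherwise a NOTE explaining the gap would help.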
@@ -367,7 +372,10 @@ CVE-2023-6785 (The Download Manager plugin for WordPress 
is vulnerable to unauth
 CVE-2023-5663 (The News Announcement Scroll plugin for WordPress is vulnerable 
to SQL ...)
TODO: check
 CVE-2023-52608 (In the Linux kernel, the following vulnerability has been 
resolved:  f ...)
-   TODO: check
+   - linux 6.6.15-1
+   [bookworm] - linux 6.1.76-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/437a310b22244d4e0b78665c3042e5d1c0f45306 (6.8-rc2)
 CVE-2023-43043 (IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 
8.11 cou ...)
TODO: check
 CVE-2023-38723 (IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored 
cross-sit ...)
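Review bot: CVE-2023-52608 lists bookworm as fixed in 6.1.76-1 and buster as not affected, but no `[bullseye]` line is given, so bullseye remains marked affected by default; once the bullseye kernel has been checked, add either its fixed version or a "Vulnerable code not present" line so the entry is complete for all supported suites.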



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/212d13a99bd6a20810a479c12588c07f24c82666



[Git][security-tracker-team/security-tracker][master] automatic update

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a18b60e5 by security tracker role at 2024-03-13T20:11:58+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,383 @@
+CVE-2024-2433 (An improper authorization vulnerability in Palo Alto Networks 
Panorama ...)
+   TODO: check
+CVE-2024-2432 (A privilege escalation (PE) vulnerability in the Palo Alto 
Networks Gl ...)
+   TODO: check
+CVE-2024-2431 (An issue in the Palo Alto Networks GlobalProtect app enables a 
non-pri ...)
+   TODO: check
+CVE-2024-2418 (A vulnerability was found in SourceCodester Best POS Management 
System ...)
+   TODO: check
+CVE-2024-2416 (Cross-Site Request Forgery vulnerability in Movistar's 4G 
router affec ...)
+   TODO: check
+CVE-2024-2415 (Command injection vulnerability in Movistar 4G router affecting 
versio ...)
+   TODO: check
+CVE-2024-2414 (The primary channel is unprotected on Movistar 4G router 
affecting E v ...)
+   TODO: check
+CVE-2024-2403 (Improper cleanup in temporary file handling component in 
Devolutions R ...)
+   TODO: check
+CVE-2024-2293 (The Site Reviews plugin for WordPress is vulnerable to Stored 
Cross-Si ...)
+   TODO: check
+CVE-2024-2286 (The Sky Addons for Elementor (Free Templates Library, Live 
Copy, Anima ...)
+   TODO: check
+CVE-2024-2252 (The Droit Elementor Addons \u2013 Widgets, Blocks, Templates 
Library F ...)
+   TODO: check
+CVE-2024-2247 (JFrog Artifactory versions below 7.77.7, are vulnerable to 
DOM-based c ...)
+   TODO: check
+CVE-2024-2239 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
+   TODO: check
+CVE-2024-2238 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
+   TODO: check
+CVE-2024-2237 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
+   TODO: check
+CVE-2024-2194 (The WP Statistics plugin for WordPress is vulnerable to Stored 
Cross-S ...)
+   TODO: check
+CVE-2024-2172 (The Malware Scanner plugin and the Web Application Firewall 
plugin for ...)
+   TODO: check
+CVE-2024-2126 (The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable 
to Store ...)
+   TODO: check
+CVE-2024-2123 (The Ultimate Member \u2013 User Profile, Registration, Login, 
Member D ...)
+   TODO: check
+CVE-2024-2106 (The MasterStudy LMS WordPress Plugin \u2013 for Online Courses 
and Edu ...)
+   TODO: check
+CVE-2024-2030 (The Database for Contact Form 7, WPforms, Elementor forms 
plugin for W ...)
+   TODO: check
+CVE-2024-2028 (The Exclusive Addons for Elementor plugin for WordPress is 
vulnerable  ...)
+   TODO: check
+CVE-2024-2020 (The Calculated Fields Form plugin for WordPress is vulnerable 
to Store ...)
+   TODO: check
+CVE-2024-2006 (The Post Grid, Slider & Carousel Ultimate \u2013 with 
Shortcode, Guten ...)
+   TODO: check
+CVE-2024-2000 (The Premium Addons PRO plugin for WordPress is vulnerable to 
Stored Cr ...)
+   TODO: check
+CVE-2024-28684 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28683 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
+   TODO: check
+CVE-2024-28682 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28681 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28680 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28679 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
+   TODO: check
+CVE-2024-28678 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28677 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28676 (DedeCMS v5.7 was discovered to contain a cross-site scripting 
(XSS) vu ...)
+   TODO: check
+CVE-2024-28675 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28673 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28672 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28671 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28670 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28669 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-28668 (DedeCMS v5.7 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: 

[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-26609

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
85de3d1b by Salvatore Bonaccorso at 2024-03-13T21:00:33+01:00
Remove notes from CVE-2024-26609

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2967,9 +2967,6 @@ CVE-2024-26610 (In the Linux kernel, the following 
vulnerability has been resolv
NOTE: 
https://git.kernel.org/linus/cf4a0d840ecc72fcf16198d5e9c505ab7d5a5e4d (6.8-rc2)
 CVE-2024-26609
REJECTED
-   - linux 6.6.15-1
-   [bookworm] - linux 6.1.76-1
-   NOTE: 
https://git.kernel.org/linus/f342de4e2f33e0e39165d8639387aa6c19dff660 (6.8-rc2)
 CVE-2024-26608 (In the Linux kernel, the following vulnerability has been 
resolved:  k ...)
- linux 6.6.15-1
[bookworm] - linux 6.1.76-1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85de3d1b1e955de7f9ea184c5b0da2f7fa62e54d



[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-27297/nix

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f0bb3de9 by Salvatore Bonaccorso at 2024-03-13T20:49:04+01:00
Add Debian bug reference for CVE-2024-27297/nix

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -420,7 +420,7 @@ CVE-2024-27900 (Due to missing authorization check, 
attacker with business user
NOT-FOR-US: SAP
 CVE-2024-27297 (Nix is a package manager for Linux and other Unix systems. A 
fixed-out ...)
- guix  (bug #1066113)
-   - nix 
+   - nix  (bug #1066812)
NOTE: Fixed by: 
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=8f4ffb3fae133bb21d7991e97c2f19a7108b1143
NOTE: 
https://guix.gnu.org/en/blog/2024/fixed-output-derivation-sandbox-bypass-cve-2024-27297/
NOTE: 
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37
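Review bot: the nix line gains the bug reference but still has no "Fixed by:" NOTE, while the guix entry directly above it does (commit 8f4ffb3f); the GHSA-2ffj-w4mj-pg37 advisory is already linked, so once the upstream nix fix commit is identified a matching "NOTE: Fixed by:" line would keep the two packages for CVE-2024-27297 tracked symmetrically.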



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0bb3de91d9b8428a96aef4c45f51292acbded49



[Git][security-tracker-team/security-tracker][master] CVE-2023-46586/weborf: buster no-dsa -> not-affected

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2b670457 by Sylvain Beucler at 2024-03-13T19:31:37+01:00
CVE-2023-46586/weborf: buster no-dsa -> not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -28064,9 +28064,10 @@ CVE-2023-46586
- weborf 1.0-1 (bug #1054417)
[bookworm] - weborf 0.19-2.1+deb12u1
[bullseye] - weborf 0.17-3+deb11u1
-   [buster] - weborf  (Minor issue)
+   [buster] - weborf  (Vulnerable code introduced later)
NOTE: https://github.com/ltworf/weborf/pull/88
NOTE: Fixed by: 
https://github.com/ltworf/weborf/commit/49824204add55aab0568d90a6b1e7c822d32120d
 (1.0)
+   NOTE: Introduced by: 
https://github.com/ltworf/weborf/commit/6f83c3e9ceed8b0d93608fd5d42b53c081057991
 (0.16)
 CVE-2023-5702 (A vulnerability was found in Viessmann Vitogate 300 up to 
2.1.3.0 and  ...)
NOT-FOR-US: Viessmann Vitogate 300
 CVE-2023-5701 (A vulnerability has been found in vnotex vnote up to 3.17.0 and 
classi ...)
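Review bot: the buster "Vulnerable code introduced later" reason rests on the new "Introduced by" NOTE placing the bug in 0.16, but buster's weborf version does not appear in the hunk (only bullseye 0.17-3 and bookworm 0.19-2.1 are visible), so the triage cannot be checked from the entry alone; spelling it out in the parenthetical, e.g. "(Vulnerable code introduced in 0.16)", would make the not-affected decision self-documenting.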



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b67045720715f1a7021086c9204de61bcf6c52f



[Git][security-tracker-team/security-tracker][master] dla: add node-xml2js

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
20855786 by Sylvain Beucler at 2024-03-13T19:26:21+01:00
dla: add node-xml2js

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -170,6 +170,10 @@ linux-5.10
 lucene-solr
   NOTE: 20240213: Added by Front-Desk (lamby)
 --
+node-xml2js
+  NOTE: 20240313: Added by Front-Desk (Beuc)
+  NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-0842) 
(Beuc/front-desk)
+--
 nodejs (guilhem)
   NOTE: 20240218: Added by Front-Desk (lamby)
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/208557865ef18ac02e72e0fe16930c37ffae8e92



[Git][security-tracker-team/security-tracker][master] chromium DSA

2024-03-13 Thread Andres Salomon (@dilinger)


Andres Salomon pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a2e8d57a by Andres Salomon at 2024-03-13T14:09:10-04:00
chromium DSA

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[13 Mar 2024] DSA-5639-1 chromium - security update
+   {CVE-2024-2400}
+   [bookworm] - chromium 122.0.6261.128-1~deb12u1
 [10 Mar 2024] DSA-5638-1 libuv1 - security update
{CVE-2024-24806}
[bullseye] - libuv1 1.40.0-2+deb11u1
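Review bot: DSA-5639-1 records a fixed version for bookworm only, so this DSA does not close CVE-2024-2400 for bullseye or buster; the CVE-2024-2400 entry in data/CVE/list (visible in the 09:30 "Process some NFUs" commit further down this digest) already tags those releases with "(see #1061268)" and "(see DSA 5046)", which is what keeps them from showing as open. Removing chromium from dsa-needed.txt in the second hunk is consistent with the bookworm DSA being out.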


=
data/dsa-needed.txt
=
@@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
-chromium (dilinger)
---
 cryptojs
 --
 dav1d



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2e8d57af44b79d69938a1a8a055922314a50bc0



[Git][security-tracker-team/security-tracker][master] dla: add spip

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
9e4597ae by Sylvain Beucler at 2024-03-13T19:05:38+01:00
dla: add spip

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -262,6 +262,10 @@ sendmail
 shim
   NOTE: 20240306: Added by Front-Desk (opal)
 --
+spip
+  NOTE: 20240313: Added by Front-Desk (Beuc)
+  NOTE: 20240313: Follow fix from bullseye 11.9 (CVE-2023-52322) 
(Beuc/front-desk)
+--
 squid
   NOTE: 20240109: Added by Front-Desk (apo)
   NOTE: 20240109: I ask for another pair of eyes for CVE-2023-5824. The fix



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e4597ae423d44aa7cc8c48406e7c66a170c1baf



[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-2314/bpfcc: buster not-affected

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3c29b571 by Sylvain Beucler at 2024-03-13T18:43:37+01:00
CVE-2024-2314/bpfcc: buster not-affected

- - - - -
e2f4acec by Sylvain Beucler at 2024-03-13T18:50:56+01:00
CVE-2024-2313/bpftrace: buster not-affected

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -643,12 +643,16 @@ CVE-2024-2314 (If kernel headers need to be extracted, 
bcc will attempt to load
- bpfcc 
[bookworm] - bpfcc  (Minor issue)
[bullseye] - bpfcc  (Minor issue)
+   [buster] - bpfcc  (Vulnerable code introduced later)
NOTE: 
https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342
+   NOTE: Introduced by: 
https://github.com/iovisor/bcc/commit/ae92f3ddb6aa5b81c750abf3540b99f24d219e67 
(v0.10.0)
 CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt 
to load  ...)
- bpftrace 
[bookworm] - bpftrace  (Minor issue)
[bullseye] - bpftrace  (Minor issue)
+   [buster] - bpftrace  (Vulnerable code introduced later)
NOTE: 
https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998
+   NOTE: Introduced by: 
https://github.com/bpftrace/bpftrace/commit/896fafbe925385500c6626b19348739142944b88
 (v0.9.3)
 CVE-2024-2184 (Buffer overflow in identifier field of WSD probe request 
process of Sm ...)
NOT-FOR-US: Small Office Multifunction Printers and Laser Printers 
(Canon)
 CVE-2024-28823 (Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 
1.0.0 a ...)
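Review bot: both new buster lines use "Vulnerable code introduced later" backed by "Introduced by" NOTEs at bcc v0.10.0 and bpftrace v0.9.3, but neither buster package version appears in the hunk, so the triage is not verifiable from the entries themselves; stating the introducing version in the parenthetical, the way the commit references carry their tags, would make both lines self-checking.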



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/a80cc6f01ee022017c37086b6a7560f157824556...e2f4acec090ac5abdce821e7f81b95f05996c267



[Git][security-tracker-team/security-tracker][master] CVE-2021-42343/dask.distributed: precise buster triage

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a80cc6f0 by Sylvain Beucler at 2024-03-13T18:26:26+01:00
CVE-2021-42343/dask.distributed: precise buster triage

ignored since guilhem reviewed and explicitly dropped the entry in
72180b0eadf7b78f7b8a78087c4578ea2c589730

Now out of lts-cve-triage.py radar.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -175017,10 +175017,10 @@ CVE-2021-42344
 CVE-2021-42343 (An issue was discovered in the Dask distributed package before 
2021.10 ...)
- dask.distributed 2021.09.1+ds.1-2
[bullseye] - dask.distributed 2021.01.0+ds.1-2.1+deb11u1
-   [buster] - dask.distributed  (Minor issue; unreproducible with 
<2.0)
+   [buster] - dask.distributed  (Minor issue; unreproducible with 
<2.0)
NOTE: https://github.com/dask/distributed/pull/5427
NOTE: 
https://github.com/dask/distributed/security/advisories/GHSA-hwqr-f3v9-hwxr
-   NOTE: Likely introduced in 
https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab
+   NOTE: Likely introduced in 
https://github.com/quasiben/distributed/commit/fd31ecca8017bae845a73d468de0376c02363fab
 (2.0.0)
 CVE-2021-42342 (An issue was discovered in GoAhead 4.x and 5.x before 5.1.5. 
In the fi ...)
NOT-FOR-US: Embedthis GoAhead
 CVE-2021-42341 (checkpath in OpenRC before 0.44.7 uses the direct output of 
strlen() t ...)
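Review bot: the buster line reads identically on its "-" and "+" sides in this rendering ("dask.distributed  (Minor issue; unreproducible with <2.0)"), because the status keyword between the package name and the parenthetical has been dropped, leaving the double space; the commit message says the transition is to ignored on the strength of guilhem's review in 72180b0e. Since the entry is now out of lts-cve-triage.py's radar, the "(2.0.0)" added to the "Likely introduced in" NOTE is the only rationale left in the data file; a short "reviewed by guilhem, see 72180b0e" in the parenthetical would keep that reasoning with the entry.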



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a80cc6f01ee022017c37086b6a7560f157824556



[Git][security-tracker-team/security-tracker][master] CVE-2024-1441/libvirt: buster postponed

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
70d498bd by Sylvain Beucler at 2024-03-13T17:54:27+01:00
CVE-2024-1441/libvirt: buster postponed

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -587,6 +587,7 @@ CVE-2024-1441 (An off-by-one error flaw was found in the 
udevListInterfacesBySta
- libvirt  (bug #1066058)
[bookworm] - libvirt  (Minor issue)
[bullseye] - libvirt  (Minor issue)
+   [buster] - libvirt  (Minor issue; very rare crash before 
v5.10)
NOTE: Introduced by: 
https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca
 (v1.0.0-rc1)
NOTE: Introduced by: 
https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15
 (v5.10.0-rc1)
NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8
 (v10.1.0)
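Review bot: the buster reason "very rare crash before v5.10" has to be read against the two "Introduced by" NOTEs (v1.0.0-rc1 and v5.10.0-rc1), which otherwise look like conflicting introduction points; a word on which commit makes the crash reachable (the v5.10.0-rc1 one, going by the parenthetical) would make the entry self-explanatory. The commit title says "postponed" while the visible parenthetical matches the bookworm/bullseye "Minor issue" lines; the status keyword is stripped in this rendering, so check the raw commit that the buster line does carry postponed rather than no-dsa.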



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/70d498bd33956182bf4c08c80eda2c0f52e702cf



[Git][security-tracker-team/security-tracker][master] Add note for CVE-2023-51767

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b3e20589 by Salvatore Bonaccorso at 2024-03-13T16:49:31+01:00
Add note for CVE-2023-51767

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -16681,11 +16681,12 @@ CVE-2023-31455 (Pexip Infinity before 31.2 has 
Improper Input Validation for RTC
 CVE-2023-31297 (An issue was discovered in SESAMI planfocus CPTO (Cash Point & 
Transpo ...)
NOT-FOR-US: SESAMI planfocus CPTO (Cash Point & Transport Optimizer)
 CVE-2023-51767 (OpenSSH through 9.6, when common types of DRAM are used, might 
allow r ...)
-   - openssh  (bug #1059393)
-   [bookworm] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
-   [bullseye] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
-   [buster] - openssh  (Revisit once hardening/mitigation for 
Rowhammer type of attack exists)
+   - openssh  (bug #1059393; unimportant)
NOTE: https://arxiv.org/abs/2309.02545
+   NOTE: Upstream does not consider CVE-2023-51767 a bug underlying in 
OpenSSH and
+   NOTE: does not intent to address it in OpenSSH. To todays knowledge 
(2024-03-13)
+   NOTE: it has not been  demostrated that the issue is exploitable in any 
real
+   NOTE: software configuration.
 CVE-2023-51766 (Exim before 4.97.1 allows SMTP smuggling in certain 
PIPELINING/CHUNKIN ...)
{DSA-5597-1 DLA-3708-1}
- exim4 4.97-3 (bug #1059387)
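Review bot: the added NOTE lines carry typos that the tracker will display verbatim: "does not intent" should be "does not intend", "To todays knowledge" should be "To today's knowledge", "demostrated" should be "demonstrated", and "a bug underlying in OpenSSH" reads better as "a bug in OpenSSH itself". Separately, the three per-release "Revisit once hardening/mitigation for Rowhammer type of attack exists" reminders are dropped in favour of "unimportant" on the main line; if the team still intends to re-evaluate when such a mitigation appears, that trigger should survive somewhere, most naturally as one more NOTE line.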



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3e2058999ae1ff1464ef7c7559eb546509c8e56



[Git][security-tracker-team/security-tracker][master] dla: fix syntax

2024-03-13 Thread Sylvain Beucler (@beuc)


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
fa253efd by Sylvain Beucler at 2024-03-13T16:11:06+01:00
dla: fix syntax

- - - - -


1 changed file:

- data/dla-needed.txt


Changes:

=
data/dla-needed.txt
=
@@ -225,7 +225,7 @@ python-os-brick
   NOTE: 20230525: Added by Front-Desk (lamby)
   NOTE: 20230525: NB. CVE-2023-2088 filed against python-glance-store, 
python-os-brick, nova and cinder.
   NOTE: 20240311: Reverted decision to remove from this file since 
CVE-2020-10755 is fixed in bullseye.

+--
 rails
   NOTE: 20220909: Re-added due to regression (abhijith)
   NOTE: 20220909: Regression on 2:5.2.2.1+dfsg-1+deb10u4 (abhijith)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fa253efd7ec824d84b982570e5697765be10c54e



[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-28746/linux

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6b986741 by Salvatore Bonaccorso at 2024-03-13T12:25:06+01:00
Track fixed version for CVE-2023-28746/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -389,7 +389,7 @@ CVE-2023-28746 [RFDS: Register File Data Sampling]
- intel-microcode 3.20240312.1 (bug #1066108)
[bookworm] - intel-microcode  (Decide after exposure on 
unstable for update)
[bullseye] - intel-microcode  (Decide after exposure on 
unstable for update)
-   - linux 
+   - linux 6.7.9-2
- xen 
[bullseye] - xen  (EOLed in Bullseye)
[buster] - xen  (DSA 4677-1)
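Review bot: recording 6.7.9-2 for linux is fine, but the hunk adds no bookworm or bullseye lines for linux, unlike intel-microcode just above it, which has "Decide after exposure on unstable for update" for both; without release lines the tracker treats the stable kernels as vulnerable until a fixed version is recorded, so either that is the intended state or the same style of release lines should be added here.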



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b986741d9a0a428812b89e1fc28f1a07a42fefa



[Git][security-tracker-team/security-tracker][master] Correct tracking for CVE-2023-52447

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a48b84b by Salvatore Bonaccorso at 2024-03-13T11:59:57+01:00
Correct tracking for CVE-2023-52447

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5146,7 +5146,6 @@ CVE-2023-52449 (In the Linux kernel, the following 
vulnerability has been resolv
 CVE-2023-52447 (In the Linux kernel, the following vulnerability has been 
resolved:  b ...)
- linux 6.6.15-1
[bookworm] - linux 6.1.76-1
-   [bullseye] - linux  (Vulnerable code not present)
[buster] - linux  (Vulnerable code not present)
NOTE: 
https://git.kernel.org/linus/876673364161da50eed6b472d746ef88242b2368 (6.8-rc1)
 CVE-2023-52445 (In the Linux kernel, the following vulnerability has been 
resolved:  m ...)
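Review bot: removing the bullseye "Vulnerable code not present" line while keeping buster's makes the two releases diverge without any NOTE saying why; the only reference in the entry is the fix commit 87667336 (6.8-rc1). An "Introduced by" NOTE naming the commit that brought the vulnerable code into the bullseye kernel but not buster's would document the correction, in the style used for weborf and bpfcc elsewhere in this digest.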



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a48b84b6e150b126b1ff0efcc255d5e845d1c32



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
67f37536 by Salvatore Bonaccorso at 2024-03-13T10:52:42+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -11,7 +11,7 @@ CVE-2024-2400 (Use after free in Performance Manager in 
Google Chrome prior to 1
 CVE-2024-2395 (The Bulgarisation for WooCommerce plugin for WordPress is 
vulnerable t ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-2107 (The Blossom Spa theme for WordPress is vulnerable to Sensitive 
Informa ...)
-   TODO: check
+   NOT-FOR-US: WordPress theme
 CVE-2024-28623 (RiteCMS v3.0.0 was discovered to contain a cross-site 
scripting (XSS)  ...)
NOT-FOR-US: RiteCMS
 CVE-2024-28239 (Directus is a real-time API and App dashboard for managing SQL 
databas ...)
@@ -27,7 +27,7 @@ CVE-2024-27305 (aiosmtpd is a reimplementation of the Python 
stdlib smtpd.py bas
NOTE: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
NOTE: 
https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
 (1.4.5)
 CVE-2024-26529 (An issue in mz-automation libiec61850 v.1.5.3 and before, 
allows a rem ...)
-   TODO: check
+   NOT-FOR-US: libIEC61850
 CVE-2024-24101 (Code-projects Scholars Tracking System 1.0 is vulnerable to 
SQL Inject ...)
NOT-FOR-US: Code-projects Scholars Tracking System
 CVE-2024-24097 (Cross Site Scripting (XSS) vulnerability in Code-projects 
Scholars Tra ...)
@@ -37,47 +37,47 @@ CVE-2024-24093 (SQL Injection vulnerability in 
Code-projects Scholars Tracking S
 CVE-2024-24092 (SQL Injection vulnerability in Code-projects.org Scholars 
Tracking Sys ...)
NOT-FOR-US: Code-projects Scholars Tracking System
 CVE-2024-23300 (A use-after-free issue was addressed with improved memory 
management.  ...)
-   TODO: check
+   NOT-FOR-US: GarageBand
 CVE-2024-1582 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1503 (The Tutor LMS \u2013 eLearning and online course solution 
plugin for W ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1502 (The Tutor LMS \u2013 eLearning and online course solution 
plugin for W ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1450 (The Shariff Wrapper plugin for WordPress is vulnerable to 
Stored Cross ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1421 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1397 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1326 (The Jeg Elementor Kit plugin for WordPress is vulnerable to 
Stored Cro ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1278 (The Easy Social Feed \u2013 Social Photos Gallery \u2013 Post 
Feed \u2 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1214 (The Easy Social Feed \u2013 Social Photos Gallery \u2013 Post 
Feed \u2 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1213 (The Easy Social Feed \u2013 Social Photos Gallery \u2013 Post 
Feed \u2 ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-0966 (The Shariff Wrapper plugin for WordPress is vulnerable to 
Stored Cross ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-0386 (The weForms plugin for WordPress is vulnerable to Stored 
Cross-Site Sc ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-7072 (The Post Grid Combo \u2013 36+ Gutenberg Blocks plugin for 
WordPress i ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-6500 (The Shariff Wrapper plugin for WordPress is vulnerable to 
Stored Cross ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-4839 (The WP Go Maps for WordPress is vulnerable to Stored Cross-Site 
Script ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2023-43292 (Cross Site Scripting vulnerability in My Food Recipe Using PHP 
with So ...)
-   TODO: check
+   NOT-FOR-US: My Food Recipe Using PHP with Source Code
 CVE-2023-43279 (Null Pointer Dereference in mask_cidr6 component at cidr.c in 
Tcprepla ...)
TODO: check
 CVE-2023-42308 (Cross Site Scripting (XSS) vulnerability in Manage Fastrack 
Subjects i ...)
-   TODO: check
+   NOT-FOR-US: Code-Projects Exam Form Submission
 CVE-2023-42307 (Cross Site Scripting (XSS) vulnerability in Code-Projects Exam 
Form Su ...)
-   TODO: check
+   NOT-FOR-US: Code-Projects Exam Form Submission
 CVE-2015-10130 (The Team Circle Image Slider With Lightbox plugin for 
WordPress is vul ...)
-
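Review bot: CVE-2023-43279 (null pointer dereference in mask_cidr6, cidr.c, Tcpreplay) is the one entry in this batch left at "TODO: check", and rightly so: it is the only native-code item among the WordPress plugins and PHP demo applications being marked NOT-FOR-US, and it needs a source-package lookup rather than an NFU. The mail is cut off after the CVE-2015-10130 line, so the tail of this hunk cannot be reviewed here.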

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27305/python-aiosmtpd

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
025787ca by Salvatore Bonaccorso at 2024-03-13T10:23:38+01:00
Add CVE-2024-27305/python-aiosmtpd

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -23,7 +23,9 @@ CVE-2024-28236 (Vela is a Pipeline Automation (CI/CD) 
framework built on Linux c
 CVE-2024-27440 (The Toyoko Inn official App for iOS versions prior to 1.13.0 
and Toyok ...)
NOT-FOR-US: Toyoko Inn official App
 CVE-2024-27305 (aiosmtpd is a reimplementation of the Python stdlib smtpd.py 
based on  ...)
-   TODO: check
+   - python-aiosmtpd 
+   NOTE: 
https://github.com/aio-libs/aiosmtpd/security/advisories/GHSA-pr2m-px7j-xg65
+   NOTE: 
https://github.com/aio-libs/aiosmtpd/commit/24b6c79c8921cf1800e27ca144f4f37023982bbb
 (1.4.5)
 CVE-2024-26529 (An issue in mz-automation libiec61850 v.1.5.3 and before, 
allows a rem ...)
TODO: check
 CVE-2024-24101 (Code-projects Scholars Tracking System 1.0 is vulnerable to 
SQL Inject ...)
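Review bot: the new python-aiosmtpd entry carries the GHSA advisory and the upstream fix commit (1.4.5) but no Debian bug reference and no release lines; other entries in this digest pair an unfixed package line with "(bug #…)", so filing the bug and adding it, together with the bookworm/bullseye triage, would bring this entry in line with the rest.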



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/025787ca3d993f1a829a402401eba3d85a48345c



[Git][security-tracker-team/security-tracker][master] Update information on fontforge

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
dd93eea2 by Salvatore Bonaccorso at 2024-03-13T10:15:47+01:00
Update information on fontforge

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -27,6 +27,7 @@ dnsmasq
 expat (carnil)
 --
 fontforge
+  Adrian Bunk posted proposal to prepare the update (cf. 
https://bugs.debian.org/1064967#14)
 --
 frr
 --



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/dd93eea275691b24ba5d89ed7b7429e4e0c8d5af



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-03-13 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
2a8f25ba by Moritz Mühlenhoff at 2024-03-13T09:58:16+01:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -583,6 +583,8 @@ CVE-2024-1487 (The Photos and Files Contest Gallery 
WordPress plugin before 21.3
NOT-FOR-US: WordPress plugin
 CVE-2024-1441 (An off-by-one error flaw was found in the 
udevListInterfacesByStatus() ...)
- libvirt  (bug #1066058)
+   [bookworm] - libvirt  (Minor issue)
+   [bullseye] - libvirt  (Minor issue)
NOTE: Introduced by: 
https://gitlab.com/libvirt/libvirt/-/commit/5a33366f5c0b18c93d161bd144f9f079de4ac8ca
 (v1.0.0-rc1)
NOTE: Introduced by: 
https://gitlab.com/libvirt/libvirt/-/commit/d6064e2759a24e0802f363e3a810dc5a7d7ebb15
 (v5.10.0-rc1)
NOTE: Fixed by: 
https://gitlab.com/libvirt/libvirt/-/commit/c664015fe3a7bf59db26686e9ed69af011c6ebb8
 (v10.1.0)
@@ -636,9 +638,13 @@ CVE-2024-2363 (** UNSUPPORTED WHEN ASSIGNED ** A 
vulnerability was found in AOL
NOT-FOR-US: AOL AIM Triton
 CVE-2024-2314 (If kernel headers need to be extracted, bcc will attempt to 
load them  ...)
- bpfcc 
+   [bookworm] - bpfcc  (Minor issue)
+   [bullseye] - bpfcc  (Minor issue)
NOTE: 
https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342
 CVE-2024-2313 (If kernel headers need to be extracted, bpftrace will attempt 
to load  ...)
- bpftrace 
+   [bookworm] - bpftrace  (Minor issue)
+   [bullseye] - bpftrace  (Minor issue)
NOTE: 
https://github.com/bpftrace/bpftrace/commit/4be4b7191acb8218240e6b7178c30fa8c9b59998
 CVE-2024-2184 (Buffer overflow in identifier field of WSD probe request 
process of Sm ...)
NOT-FOR-US: Small Office Multifunction Printers and Laser Printers 
(Canon)
@@ -1478,7 +1484,9 @@ CVE-2024-24785 (If errors returned from MarshalJSON 
methods contain user control
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
+   [bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
[buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65697
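Review bot: with bullseye golang-1.15 now tagged "Minor issue", the buster golang-1.11 reason "Limited support, minor issue, follow bullseye DSAs/point-releases" loses its trigger, since there will be no bullseye DSA to follow; either the buster line should state the no-DSA decision outright or the reason should point at a bullseye point-release update only. The same applies to the four following golang hunks (CVE-2024-24784, CVE-2024-24783, CVE-2023-45290, CVE-2023-45289), which add the identical pair of lines.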
@@ -1488,7 +1496,9 @@ CVE-2024-24784 (The ParseAddressList function incorrectly 
handles comments (text
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
+   [bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
[buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65083
@@ -1498,7 +1508,9 @@ CVE-2024-24783 (Verifying a certificate chain which 
contains a certificate with
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
+   [bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
[buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65390
@@ -1516,7 +1528,9 @@ CVE-2023-45290 (When parsing a multipart form (either 
explicitly with Request.Pa
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
+   [bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
[buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65383
@@ -1526,7 +1540,9 @@ CVE-2023-45289 (When following an HTTP redirect to a 
domain which is not a subdo
- golang-1.22 1.22.1-1
- golang-1.21 1.21.8-1
- golang-1.19 
+   [bookworm] - golang-1.19  (Minor issue)
- golang-1.15 
+   [bullseye] - golang-1.15  (Minor issue)
- golang-1.11 
[buster] - golang-1.11  (Limited support, minor issue, 
follow bullseye DSAs/point-releases)
NOTE: https://github.com/golang/go/issues/65065
@@ -7405,6 +7421,7 @@ CVE-2023-50387 (Certain DNSSEC aspects of the DNS 
protocol (in RFC 4033, 4034, 4
[bullseye] - knot-resolver  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
[buster] - knot-resolver  (Too intrusive to backport)
- pdns-recursor 4.9.3-1 (bug #1063852)
+   [bullseye] - pdns-recursor  (Too intrusive to backport, if 
DNSSEC is used Bookworm can be used)
- unbound 1.19.1-1 (bug #1063845)
- systemd 255.4-1
[bookworm] - systemd  (DNSSEC is disabled by default in 

[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
84074748 by Salvatore Bonaccorso at 2024-03-13T09:30:45+01:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,39 +1,39 @@
 CVE-2024-2413 (Intumit SmartRobot uses a fixed encryption key for 
authentication. Rem ...)
-   TODO: check
+   NOT-FOR-US: Intumit SmartRobot
 CVE-2024-2412 (The disabling function of the user registration page for 
Heimavista Rp ...)
-   TODO: check
+   NOT-FOR-US: Heimavista Rpage and Epage
 CVE-2024-2406 (A vulnerability, which was classified as critical, was found in 
Gacjie ...)
-   TODO: check
+   NOT-FOR-US: Gacjie Server
 CVE-2024-2400 (Use after free in Performance Manager in Google Chrome prior to 
122.0. ...)
- chromium 122.0.6261.128-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-2395 (The Bulgarisation for WooCommerce plugin for WordPress is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2107 (The Blossom Spa theme for WordPress is vulnerable to Sensitive 
Informa ...)
TODO: check
 CVE-2024-28623 (RiteCMS v3.0.0 was discovered to contain a cross-site 
scripting (XSS)  ...)
-   TODO: check
+   NOT-FOR-US: RiteCMS
 CVE-2024-28239 (Directus is a real-time API and App dashboard for managing SQL 
databas ...)
-   TODO: check
+   NOT-FOR-US: Directus
 CVE-2024-28238 (Directus is a real-time API and App dashboard for managing SQL 
databas ...)
-   TODO: check
+   NOT-FOR-US: Directus
 CVE-2024-28236 (Vela is a Pipeline Automation (CI/CD) framework built on Linux 
contain ...)
TODO: check
 CVE-2024-27440 (The Toyoko Inn official App for iOS versions prior to 1.13.0 
and Toyok ...)
-   TODO: check
+   NOT-FOR-US: Toyoko Inn official App
 CVE-2024-27305 (aiosmtpd is a reimplementation of the Python stdlib smtpd.py 
based on  ...)
TODO: check
 CVE-2024-26529 (An issue in mz-automation libiec61850 v.1.5.3 and before, 
allows a rem ...)
TODO: check
 CVE-2024-24101 (Code-projects Scholars Tracking System 1.0 is vulnerable to 
SQL Inject ...)
-   TODO: check
+   NOT-FOR-US: Code-projects Scholars Tracking System
 CVE-2024-24097 (Cross Site Scripting (XSS) vulnerability in Code-projects 
Scholars Tra ...)
-   TODO: check
+   NOT-FOR-US: Code-projects Scholars Tracking System
 CVE-2024-24093 (SQL Injection vulnerability in Code-projects Scholars Tracking 
System  ...)
-   TODO: check
+   NOT-FOR-US: Code-projects Scholars Tracking System
 CVE-2024-24092 (SQL Injection vulnerability in Code-projects.org Scholars 
Tracking Sys ...)
-   TODO: check
+   NOT-FOR-US: Code-projects Scholars Tracking System
 CVE-2024-23300 (A use-after-free issue was addressed with improved memory 
management.  ...)
TODO: check
 CVE-2024-1582 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
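Review bot: the NOT-FOR-US rationale for CVE-2024-2395 reads "WordPress plugin" while every other entry in the hunk names the product (RiteCMS, Directus, Toyoko Inn official App, Code-projects Scholars Tracking System); naming the plugin (Bulgarisation for WooCommerce, per the description line) keeps the entries greppable. The five remaining "TODO: check" lines (CVE-2024-2107, CVE-2024-28236, CVE-2024-27305, CVE-2024-26529, CVE-2024-23300) are left for a separate triage pass, which matches the commit's scope, and the -1,39 +1,39 header confirms this is a pure line-for-line substitution.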



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84074748af68726611fbb86cb7056bfdd8f25afc

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/84074748af68726611fbb86cb7056bfdd8f25afc
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-2400/chromium via unstable

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
562a8d1c by Salvatore Bonaccorso at 2024-03-13T09:27:46+01:00
Track fixed version for CVE-2024-2400/chromium via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,7 @@ CVE-2024-2412 (The disabling function of the user registration 
page for Heimavis
 CVE-2024-2406 (A vulnerability, which was classified as critical, was found in 
Gacjie ...)
TODO: check
 CVE-2024-2400 (Use after free in Performance Manager in Google Chrome prior to 
122.0. ...)
-   - chromium 
+   - chromium 122.0.6261.128-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-2395 (The Bulgarisation for WooCommerce plugin for WordPress is 
vulnerable t ...)
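Review bot: nothing to flag here; this is the follow-up that fills the empty unstable placeholder left by commit 037206a3 with 122.0.6261.128-1, the bullseye and buster annotations (#1061268, DSA 5046) are untouched, and the -5,7 +5,7 header matches a one-line substitution.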



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/562a8d1ced08f63034f937b63f2ef448fa8a9684


[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f7501469 by Salvatore Bonaccorso at 2024-03-13T09:26:07+01:00
Add chromium to dsa-needed list

- - - - -


1 changed file:

- data/dsa-needed.txt


Changes:

=
data/dsa-needed.txt
=
@@ -14,6 +14,8 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
+chromium (dilinger)
+--
 cryptojs
 --
 dav1d
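Review bot: the chromium (dilinger) entry lands in alphabetical position between cacti and cryptojs and the -14,6 +14,8 header matches the two added lines; consider adding a NOTE line naming CVE-2024-2400 (added to data/CVE/list in commit 037206a3 in this same batch) so the reason for the DSA is recorded beside the claim.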



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7501469dcf47bdb9b3ab9acd8f7a68b2085b5fc


[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2400/chromium

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
037206a3 by Salvatore Bonaccorso at 2024-03-13T09:25:15+01:00
Add CVE-2024-2400/chromium

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5,7 +5,9 @@ CVE-2024-2412 (The disabling function of the user registration 
page for Heimavis
 CVE-2024-2406 (A vulnerability, which was classified as critical, was found in 
Gacjie ...)
TODO: check
 CVE-2024-2400 (Use after free in Performance Manager in Google Chrome prior to 
122.0. ...)
-   TODO: check
+   - chromium 
+   [bullseye] - chromium  (see #1061268)
+   [buster] - chromium  (see DSA 5046)
 CVE-2024-2395 (The Bulgarisation for WooCommerce plugin for WordPress is 
vulnerable t ...)
TODO: check
 CVE-2024-2107 (The Blossom Spa theme for WordPress is vulnerable to Sensitive 
Informa ...)
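Review bot: the unstable line "- chromium " is left with an empty version, i.e. marked affected with no fixed version yet; that placeholder is filled in by the follow-up commit 562a8d1c (122.0.6261.128-1). The bullseye and buster lines show a double space before "(see #1061268)" and "(see DSA 5046)", the same rendering collapse of the status tag seen elsewhere in this batch, so it is worth confirming the tag survived in the committed file.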



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/037206a35d4bed83eb92f9c0cabccd7ed9de527a


[Git][security-tracker-team/security-tracker][master] automatic update

2024-03-13 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
f607e06c by security tracker role at 2024-03-13T08:11:43+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,79 @@
+CVE-2024-2413 (Intumit SmartRobot uses a fixed encryption key for 
authentication. Rem ...)
+   TODO: check
+CVE-2024-2412 (The disabling function of the user registration page for 
Heimavista Rp ...)
+   TODO: check
+CVE-2024-2406 (A vulnerability, which was classified as critical, was found in 
Gacjie ...)
+   TODO: check
+CVE-2024-2400 (Use after free in Performance Manager in Google Chrome prior to 
122.0. ...)
+   TODO: check
+CVE-2024-2395 (The Bulgarisation for WooCommerce plugin for WordPress is 
vulnerable t ...)
+   TODO: check
+CVE-2024-2107 (The Blossom Spa theme for WordPress is vulnerable to Sensitive 
Informa ...)
+   TODO: check
+CVE-2024-28623 (RiteCMS v3.0.0 was discovered to contain a cross-site 
scripting (XSS)  ...)
+   TODO: check
+CVE-2024-28239 (Directus is a real-time API and App dashboard for managing SQL 
databas ...)
+   TODO: check
+CVE-2024-28238 (Directus is a real-time API and App dashboard for managing SQL 
databas ...)
+   TODO: check
+CVE-2024-28236 (Vela is a Pipeline Automation (CI/CD) framework built on Linux 
contain ...)
+   TODO: check
+CVE-2024-27440 (The Toyoko Inn official App for iOS versions prior to 1.13.0 
and Toyok ...)
+   TODO: check
+CVE-2024-27305 (aiosmtpd is a reimplementation of the Python stdlib smtpd.py 
based on  ...)
+   TODO: check
+CVE-2024-26529 (An issue in mz-automation libiec61850 v.1.5.3 and before, 
allows a rem ...)
+   TODO: check
+CVE-2024-24101 (Code-projects Scholars Tracking System 1.0 is vulnerable to 
SQL Inject ...)
+   TODO: check
+CVE-2024-24097 (Cross Site Scripting (XSS) vulnerability in Code-projects 
Scholars Tra ...)
+   TODO: check
+CVE-2024-24093 (SQL Injection vulnerability in Code-projects Scholars Tracking 
System  ...)
+   TODO: check
+CVE-2024-24092 (SQL Injection vulnerability in Code-projects.org Scholars 
Tracking Sys ...)
+   TODO: check
+CVE-2024-23300 (A use-after-free issue was addressed with improved memory 
management.  ...)
+   TODO: check
+CVE-2024-1582 (The WP Go Maps (formerly WP Google Maps) plugin for WordPress 
is vulne ...)
+   TODO: check
+CVE-2024-1503 (The Tutor LMS \u2013 eLearning and online course solution 
plugin for W ...)
+   TODO: check
+CVE-2024-1502 (The Tutor LMS \u2013 eLearning and online course solution 
plugin for W ...)
+   TODO: check
+CVE-2024-1450 (The Shariff Wrapper plugin for WordPress is vulnerable to 
Stored Cross ...)
+   TODO: check
+CVE-2024-1421 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
+   TODO: check
+CVE-2024-1397 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
+   TODO: check
+CVE-2024-1326 (The Jeg Elementor Kit plugin for WordPress is vulnerable to 
Stored Cro ...)
+   TODO: check
+CVE-2024-1278 (The Easy Social Feed \u2013 Social Photos Gallery \u2013 Post 
Feed \u2 ...)
+   TODO: check
+CVE-2024-1214 (The Easy Social Feed \u2013 Social Photos Gallery \u2013 Post 
Feed \u2 ...)
+   TODO: check
+CVE-2024-1213 (The Easy Social Feed \u2013 Social Photos Gallery \u2013 Post 
Feed \u2 ...)
+   TODO: check
+CVE-2024-0966 (The Shariff Wrapper plugin for WordPress is vulnerable to 
Stored Cross ...)
+   TODO: check
+CVE-2024-0386 (The weForms plugin for WordPress is vulnerable to Stored 
Cross-Site Sc ...)
+   TODO: check
+CVE-2023-7072 (The Post Grid Combo \u2013 36+ Gutenberg Blocks plugin for 
WordPress i ...)
+   TODO: check
+CVE-2023-6500 (The Shariff Wrapper plugin for WordPress is vulnerable to 
Stored Cross ...)
+   TODO: check
+CVE-2023-4839 (The WP Go Maps for WordPress is vulnerable to Stored Cross-Site 
Script ...)
+   TODO: check
+CVE-2023-43292 (Cross Site Scripting vulnerability in My Food Recipe Using PHP 
with So ...)
+   TODO: check
+CVE-2023-43279 (Null Pointer Dereference in mask_cidr6 component at cidr.c in 
Tcprepla ...)
+   TODO: check
+CVE-2023-42308 (Cross Site Scripting (XSS) vulnerability in Manage Fastrack 
Subjects i ...)
+   TODO: check
+CVE-2023-42307 (Cross Site Scripting (XSS) vulnerability in Code-Projects Exam 
Form Su ...)
+   TODO: check
+CVE-2015-10130 (The Team Circle Image Slider With Lightbox plugin for 
WordPress is vul ...)
+   TODO: check
 CVE-2024-2394 (A vulnerability was found in SourceCodester Employee Management 
System ...)
NOT-FOR-US: SourceCodester Employee Management System
 CVE-2024-2393 (A vulnerability was found in SourceCodester CRUD without Page 
Reload 1 ...)
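Review bot: all 38 new entries land as "TODO: check", which is what the automatic import should produce, and the -1,3 +1,79 header (76 added lines, two per entry) confirms nothing else moved. The literal \u2013 sequences in the descriptions (CVE-2024-1503, CVE-2024-1421, CVE-2024-1278 and neighbours) are escaped en dashes from the plugin names and need no edit, and the repeated-looking Directus, Scholars Tracking System and Shariff Wrapper entries are distinct CVE ids rather than duplicates.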
@@ -5140,11 +5216,11 @@ CVE-2024-23125 (A maliciously crafted SLDPRT file when 
parsed