[Git][security-tracker-team/security-tracker][master] Add php to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2165849 by Salvatore Bonaccorso at 2024-04-12T06:32:35+02:00 Add php to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -49,6 +49,10 @@ opennds/stable -- org-mode -- +php7.4 +-- +php8.2 +-- php-cas/oldstable -- php-horde-mime-viewer/oldstable View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c21658498297e3ae2b90fb274af82f3b6449db7c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c21658498297e3ae2b90fb274af82f3b6449db7c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
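Review bot: the two new dsa-needed entries php7.4 and php8.2 are added without a suite qualifier while the neighbouring entries carry one (opennds/stable, php-cas/oldstable, php-horde-mime-viewer/oldstable); if the php7.4 item is meant for oldstable only, writing it as php7.4/oldstable keeps the list consistent and makes the target suite explicit. A NOTE: line under each entry naming the CVE ids being tracked for these packages in data/CVE/list would also let whoever picks the package up start without cross-referencing the CVE list.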
[Git][security-tracker-team/security-tracker][master] Add todo items for php issues as the filling was just an initial tracking
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b4b2e1b by Salvatore Bonaccorso at 2024-04-12T06:30:32+02:00 Add todo items for php issues as the filling was just an initial tracking - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,21 +3,25 @@ CVE-2024-1874 - php7.4 - php7.3 NOTE: Fixed in: 8.2.18 + TODO: fill in with GHSA security advisory references and further details CVE-2024-2756 - php8.2 8.2.18-1 - php7.4 - php7.3 NOTE: Fixed in: 8.2.18 + TODO: fill in with GHSA security advisory references and further details CVE-2024-3096 - php8.2 8.2.18-1 - php7.4 - php7.3 NOTE: Fixed in: 8.2.18 + TODO: fill in with GHSA security advisory references and further details CVE-2024-2757 - php8.2 8.2.18-1 - php7.4 - php7.3 NOTE: Fixed in: 8.2.18 + TODO: fill in with GHSA security advisory references and further details CVE-2024-27309 - kafka (bug #786460) CVE-2024-3344 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b4b2e1b8fe1f7eaa475c651d6d52ed1a5acfdb9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b4b2e1b8fe1f7eaa475c651d6d52ed1a5acfdb9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
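Review bot: the TODO text repeated under the four entries asks only for GHSA references and "further details", yet it sits under lines that already list php7.4 and php7.3 as affected with no fixed version while the NOTE records only the 8.2.18 fix; the TODO should spell out the concrete open question for those two packages (affected or not, and which upstream commits would need backporting), otherwise a later triage pass finds nothing actionable for them.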
[Git][security-tracker-team/security-tracker][master] Add new set of PHP issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 68f2674b by Salvatore Bonaccorso at 2024-04-12T06:15:26+02:00 Add new set of PHP issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2024-1874 + - php8.2 8.2.18-1 + - php7.4 + - php7.3 + NOTE: Fixed in: 8.2.18 +CVE-2024-2756 + - php8.2 8.2.18-1 + - php7.4 + - php7.3 + NOTE: Fixed in: 8.2.18 +CVE-2024-3096 + - php8.2 8.2.18-1 + - php7.4 + - php7.3 + NOTE: Fixed in: 8.2.18 +CVE-2024-2757 + - php8.2 8.2.18-1 + - php7.4 + - php7.3 + NOTE: Fixed in: 8.2.18 CVE-2024-27309 - kafka (bug #786460) CVE-2024-3344 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68f2674b73251c5d9277fb6333ad40966a790f71 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/68f2674b73251c5d9277fb6333ad40966a790f71 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
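Review bot: php7.4 and php7.3 are listed under all four CVEs with no version and no per-suite line, which marks them as open in every suite that ships them, while the only note is "Fixed in: 8.2.18" with no reference; if it is not yet known whether the 7.x branches are affected, an explicit TODO or an <undetermined> marker is more accurate than an unconditional affected state, and if they are affected the suite lines should say whether a backport or a no-dsa is planned. The webkit and freeimage entries in the same file pair every NOTE with a URL to the upstream advisory or fix, so the upstream advisory link belongs here too. The php8.2 line asserts 8.2.18-1 as the fixing version; check that this upload is in the archive, since the tracker treats a stated version as fixed.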
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-27309/kafka
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9b6bee22 by Salvatore Bonaccorso at 2024-04-12T06:01:12+02:00 Add CVE-2024-27309/kafka - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2024-27309 + - kafka (bug #786460) CVE-2024-3344 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) NOT-FOR-US: WordPress plugin CVE-2024-3343 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b6bee22a4d6e115721b62a1474e22163dbd84cf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9b6bee22a4d6e115721b62a1474e22163dbd84cf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
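Review bot: the new kafka entry has a bug reference but no version or pseudo-version, so as written it reads as an unfixed issue in a shipped package; if kafka is not in the archive and #786460 is the ITP bug, the entry needs the tracker's <itp> marker ("- kafka <itp> (bug #786460)") so the issue is recorded as not shipped rather than as open.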
[Git][security-tracker-team/security-tracker][master] Add the wpewebkit versions that fix the CVEs from WSA-2024-0002
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: c0e3e59c by Alberto Garcia at 2024-04-12T01:23:47+02:00 Add the wpewebkit versions that fix the CVEs from WSA-2024-0002 See also commit bcbc48122cd575b0d938c82183ab1e8b384bf5d1 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6688,7 +6688,7 @@ CVE-2024-0957 (The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and S CVE-2023-42956 (The issue was addressed with improved memory handling. This issue is f ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html @@ -6697,7 +6697,7 @@ CVE-2023-42954 (A privilege escalation issue existed in FileMaker Server, potent CVE-2023-42950 (A use after free issue was addressed with improved memory management. ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html @@ -10178,7 +10178,7 @@ CVE-2024-23285 (This issue was addressed with improved handling of symlinks. Thi CVE-2024-23284 (A logic issue was addressed with improved state management. This issue ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html 
@@ -10189,7 +10189,7 @@ CVE-2024-23281 (This issue was addressed with improved state management. This is CVE-2024-23280 (An injection issue was addressed with improved validation. This issue ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html @@ -10226,7 +10226,7 @@ CVE-2024-23264 (A validation issue was addressed with improved input sanitizatio CVE-2024-23263 (A logic issue was addressed with improved validation. This issue is fi ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html @@ -10245,7 +10245,7 @@ CVE-2024-23255 (An authentication issue was addressed with improved state manage CVE-2024-23254 (The issue was addressed with improved UI handling. This issue is fixed ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html 
@@ -14884,7 +14884,7 @@ CVE-2023-42848 (The issue was addressed with improved bounds checks. This issue CVE-2023-42843 (An inconsistent user interface issue was addressed with improved state ...) - webkit2gtk 2.44.0-1 [buster] - webkit2gtk (EOL in buster LTS) - - wpewebkit + - wpewebkit 2.44.1-1 [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) NOTE: https://webkitgtk.org/security/WSA-2024-0002.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0e3e59c020065868649e86bd7e58f1386352f42 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0e3e59c020065868649e86bd7e58f1386352f42 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net
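Review bot: across all seven hunks the wpewebkit fixing version is set to 2.44.1-1 while the webkit2gtk line directly above each one records 2.44.0-1 against the same WSA-2024-0002 NOTE; a one-line NOTE stating that the wpewebkit fix only landed in the 2.44.1 upload, pointing at commit bcbc48122cd575b0d938c82183ab1e8b384bf5d1 named in the commit message, would keep a later reader from taking the version mismatch for a typo. The unchanged [bookworm] and [bullseye] lines still describe wpewebkit as not covered and not backportable, so those suites stay as they are, which looks intended.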
[Git][security-tracker-team/security-tracker][master] Removing claim since I will likely not have the time to work on the package for a few days.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 6b2c0ac9 by Ola Lundqvist at 2024-04-11T23:15:47+02:00 Removing claim since I will likely not have the time to work on the package for a few days. Do not want to prevent anyone from doing useful work. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -76,12 +76,14 @@ emacs (Sean Whitton) NOTE: 20240403: for example, CVE-2024-30202. But I think it is vulnerable NOTE: 20240403: to CVE-2024-30203. (lamby) -- -freeimage (Ola Lundqvist) +freeimage NOTE: 20240320: Added by Front-Desk (ta) NOTE: 20240320: lots of postponed issue could be fixed as well NOTE: 20240325: Lack of upstream activity, NOTE: 20240325: postponed issues are "Revisit when fixed upstream (bunk) NOTE: 20240410: See discussion at: https://lists.debian.org/debian-lts/2024/04/threads.html#00012 + NOTE: 20240411: Added some postpone tags for DoS class and removed some where + NOTE: 20240411: patch is available and has arbitrary code exec class. (ola) -- frr NOTE: 20231119: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2c0ac91ebc6dfa945bd9f5997c9d98e87c9dae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6b2c0ac91ebc6dfa945bd9f5997c9d98e87c9dae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
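Review bot: the added 20240411 NOTE says postpone tags were added for the DoS class and removed where a patch is available, but it names neither the affected CVE ids nor the data/CVE/list commit that made the change; listing them here would let the next person taking the now-unclaimed freeimage entry see exactly which issues are expected in the DLA. The pre-existing 20240325 line has an unbalanced opening quote ("Revisit when fixed upstream (bunk)), worth fixing while the entry is being touched.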
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7905b86f by Salvatore Bonaccorso at 2024-04-11T22:52:19+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -63,41 +63,41 @@ CVE-2024-29454 (An issue discovered in packages or nodes in ROS2 Humble Hawksbil CVE-2024-25852 (Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution v ...) NOT-FOR-US: Linksys CVE-2024-22722 (Server Side Template Injection (SSTI) vulnerability in Form Tools 3.1. ...) - TODO: check + NOT-FOR-US: Form Tools CVE-2024-22721 (Cross Site Request Forgery (CSRF) vulnerability in Form Tools 3.1.1 al ...) - TODO: check + NOT-FOR-US: Form Tools CVE-2024-22719 (SQL Injection vulnerability in Form Tools 3.1.1 allows attackers to ru ...) - TODO: check + NOT-FOR-US: Form Tools CVE-2024-22718 (Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows at ...) - TODO: check + NOT-FOR-US: Form Tools CVE-2024-22717 (Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows at ...) - TODO: check + NOT-FOR-US: Form Tools CVE-2024-20798 (Illustrator versions 28.3, 27.9.2 and earlier are affected by an out-o ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-20797 (Animate versions 23.0.4, 24.0.1 and earlier are affected by an out-of- ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-20796 (Animate versions 23.0.4, 24.0.1 and earlier are affected by an out-of- ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-20795 (Animate versions 23.0.4, 24.0.1 and earlier are affected by an Integer ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-20794 (Animate versions 23.0.4, 24.0.1 and earlier are affected by a NULL Poi ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-20771 (Bridge versions 13.0.6, 14.0.2 and earlier are affected by an out-of-b ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-0881 (The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Block ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-5394 (Server receiving a malformed message that where the GCL message hostna ...) - TODO: check + NOT-FOR-US: Honeywell CVE-2023-5393 (Server receiving a malformed message that causes a disconnect to a hos ...) 
- TODO: check + NOT-FOR-US: Honeywell CVE-2023-5392 (C300 information leak due to an analysis feature which allows extracti ...) - TODO: check + NOT-FOR-US: Honeywell CVE-2023-50949 (IBM QRadar SIEM 7.5 could allow an unauthorized user to perform unauth ...) NOT-FOR-US: IBM CVE-2023-32295 (Missing Authorization vulnerability in Alex Tselegidis Easy!Appointmen ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-32228 (A firmware bug which may lead to misinterpretation of data in the AMC2 ...) - TODO: check + NOT-FOR-US: Bosch CVE-2024-3092 - gitlab CVE-2024-2279 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7905b86f94116e26ad9407c0605b211a3cacc508 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7905b86f94116e26ad9407c0605b211a3cacc508 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
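Review bot: several of the new NOT-FOR-US labels cannot be derived from the truncated descriptions shown, e.g. the three "NOT-FOR-US: Honeywell" lines under CVE-2023-5394, CVE-2023-5393 and CVE-2023-5392, whose text only mentions "Server receiving a malformed message" and "C300", and "NOT-FOR-US: Bosch" under CVE-2023-32228 ("AMC2"); naming the product next to the vendor (e.g. "Honeywell C300", "Bosch AMC2") makes the triage decision auditable without re-reading the CVE text, as the "Form Tools" labels in the same hunk already are.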
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1f892d80 by Salvatore Bonaccorso at 2024-04-11T22:43:21+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,67 +1,67 @@ CVE-2024-3344 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3343 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32112 (Cross-Site Request Forgery (CSRF) vulnerability in Leadinfo leadinfo. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32109 (Cross-Site Request Forgery (CSRF) vulnerability in Julien Berthelot / ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32108 (Cross-Site Request Forgery (CSRF) vulnerability in Stephanie Leary Con ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32107 (Cross-Site Request Forgery (CSRF) vulnerability in XLPlugins Finale Li ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32106 (Cross-Site Request Forgery (CSRF) vulnerability in WP Compress WP Comp ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32105 (Cross-Site Request Forgery (CSRF) vulnerability in ELEXtensions ELEX W ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32083 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32080 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31937 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31936 (Cross-Site Request Forgery (CSRF) vulnerability in AyeCode Ltd UsersWP ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31935 (Cross-Site Request Forgery (CSRF) vulnerability in BracketSpace Simple ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31934 (Cross-Site Request Forgery (CSRF) vulnerability in Link Whisper Link W ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31932 (Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Bloc ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31931 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31930 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31929 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31928 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31927 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31926 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31925 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31861 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) - TODO: check + NOT-FOR-US: Apache Zeppelin CVE-2024-31678 (Sourcecodester Loan Management System v1.0 is vulnerable to SQL Inject ...) - TODO: check + NOT-FOR-US: Sourcecodester Loan Management System CVE-2024-31387 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31361 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-31285 (Cross-Site Request Forgery (CSRF) vulnerability in Tooltip WordPress T ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-30273 (Illustrator versions 28.3, 27.9.2 and earlier are affected by a Stack- ...) 
- TODO: check + NOT-FOR-US: Adobe CVE-2024-30272 (Illustrator versions 28.3, 27.9.2 and earlier are affected by an out-o ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-30271 (Illustrator versions 28.3, 27.9.2 and earlier are affected by an out-o ...) - TODO: check + NOT-FOR-US: Adobe CVE-2024-29454 (An issue discovered in packages or nodes in ROS2 Humble Hawksbill with ...) TODO: check CVE-2024-25852
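Review bot: CVE-2024-29454 (ROS2 Humble Hawksbill) is the only entry in this range left at "TODO: check" while everything around it is resolved; if it is being held open because some ROS packages are in Debian, a NOTE naming the source package under review would keep it from being swept into the next NOT-FOR-US pass, and if it is simply not yet triaged that is fine but deserves a word in the commit message. The labels also mix granularity ("NOT-FOR-US: Apache Zeppelin" and "NOT-FOR-US: Sourcecodester Loan Management System" next to the generic "NOT-FOR-US: WordPress plugin"); acceptable, but the specific form is the more useful one when the CVE description is truncated.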
[Git][security-tracker-team/security-tracker][master] 2 commits: Changed wording since the term tool can be misunderstood.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f1d2047 by Ola Lundqvist at 2024-04-11T22:34:48+02:00 Changed wording since the term tool can be misunderstood. - - - - - 4a0e4e2a by Ola Lundqvist at 2024-04-11T22:34:50+02:00 Changed a some CVEs from no-dsa to postponed for freeimage. At the same time clarified that they can be fixed when uploading a correction for other vulnerabilities since there are patches available. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7204,7 +7204,7 @@ CVE-2024-28584 (Null Pointer Dereference vulnerability in open source FreeImage - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28583 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) @@ -7230,7 +7230,7 @@ CVE-2024-28579 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28578 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) 
@@ -7241,37 +7241,37 @@ CVE-2024-28577 (Null Pointer Dereference vulnerability in open source FreeImage - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28576 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28575 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28574 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) 
- freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28573 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) + [buster] - freeimage (Revisit when fixed upstream, low severity DoS in user interactive software) NOTE: https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 CVE-2024-28572 (Buffer Overflow vulnerability in open source FreeImage v.3.19.0 [r1909 ...) - freeimage (bug #1068461) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream, low severity DoS in tool) +
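Review bot: the second commit message says some CVEs were changed from no-dsa to postponed, but the hunks shown only change the parenthetical text on the [buster] lines ("low severity DoS in tool" to "low severity DoS in user interactive software"); the status change itself is not visible here, so double-check that it is actually part of the diff. On the wording, "user interactive software" says where the DoS occurs but not why that lowers severity; something like "library used by interactive desktop software, no unattended server exposure" would carry the reasoning that justifies the postponement.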
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d93f96a1 by Salvatore Bonaccorso at 2024-04-11T22:30:23+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93,7 +93,7 @@ CVE-2023-5393 (Server receiving a malformed message that causes a disconnect to CVE-2023-5392 (C300 information leak due to an analysis feature which allows extracti ...) TODO: check CVE-2023-50949 (IBM QRadar SIEM 7.5 could allow an unauthorized user to perform unauth ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-32295 (Missing Authorization vulnerability in Alex Tselegidis Easy!Appointmen ...) TODO: check CVE-2023-32228 (A firmware bug which may lead to misinterpretation of data in the AMC2 ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d93f96a1e23adfbcc4e7a9a203fba352bac171e9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d93f96a1e23adfbcc4e7a9a203fba352bac171e9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Removed postpone tag for buster freeimage CVEs since patches are available in fedora.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 7d965e06 by Ola Lundqvist at 2024-04-11T22:26:16+02:00 Removed postpone tag for buster freeimage CVEs since patches are available in fedora. The postpone tag should probably be removed for later releases as well but that is not up to the LTS team to decide so keeping them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23543,7 +23543,6 @@ CVE-2023-47997 (An issue discovered in BitmapAccess.cpp::FreeImage_AllocateBitma - freeimage (bug #1060691) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47997 NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47997.patch CVE-2023-47996 (An integer overflow vulnerability in Exif.cpp::jpeg_read_exif_dir in F ...) @@ -23556,7 +23555,6 @@ CVE-2023-47995 (Memory Allocation with Excessive Size Value discovered in Bitmap - freeimage (bug #1060862) [bookworm] - freeimage (Revisit when fixed upstream) [bullseye] - freeimage (Revisit when fixed upstream) - [buster] - freeimage (Revisit when fixed upstream) NOTE: https://github.com/thelastede/FreeImage-cve-poc/tree/master/CVE-2023-47995 NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2023-47995.patch CVE-2023-47994 (An integer overflow vulnerability in LoadPixelDataRLE4 function in Plu ...) 
@@ -262889,7 +262887,6 @@ CVE-2020-24295 (Buffer Overflow vulnerability in PSDParser.cpp::ReadImageLine() - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) - [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24295.patch CVE-2020-24294 (Buffer Overflow vulnerability in psdParser::UnpackRLE function in PSDP ...) @@ -262902,7 +262899,6 @@ CVE-2020-24293 (Buffer Overflow vulnerability in psdThumbnail::Read in PSDParser - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) - [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24293.patch CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp in Fre ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d965e06c8c87c4f7c9f6b01122b193881971cc5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7d965e06c8c87c4f7c9f6b01122b193881971cc5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
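Review bot: the [buster] line is deleted outright rather than retagged, so buster now inherits the package's top-level open state for CVE-2023-47997, CVE-2023-47995, CVE-2020-24295 and CVE-2020-24293, which matches the commit message's intent; since the NOTE lines cite Fedora patches that are "not upstream'ed", it would help to record in dla-needed.txt (or in a NOTE here) that those patches are the intended source for the buster fix, so nobody re-postpones them on "Revisit when fixed upstream". The [bookworm] and [bullseye] lines are left untouched, consistent with the message's remark that this is not the LTS team's call.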
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-2866
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7e88bf4 by Salvatore Bonaccorso at 2024-04-11T22:22:57+02:00 Remove notes from CVE-2024-2866 Got rejected by the assigning CNA as it was an accidential reservation for same issue as covered by CVE-2024-2509. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -908,7 +908,6 @@ CVE-2024-2871 (The Media Library Assistant plugin for WordPress is vulnerable to NOT-FOR-US: WordPress plugin CVE-2024-2866 REJECTED - NOT-FOR-US: WordPress plugin CVE-2024-2847 (The WordPress File Upload plugin for WordPress is vulnerable to Stored ...) NOT-FOR-US: WordPress plugin CVE-2024-2845 (The BetterDocs \u2013 Best Documentation, FAQ & Knowledge Base Plugin ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7e88bf475db77bba385a665191c2300d0f0b494 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7e88bf475db77bba385a665191c2300d0f0b494 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
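Review bot: the only change is dropping the NOT-FOR-US line under the now-REJECTED CVE-2024-2866, while the reason (an accidental duplicate reservation for the issue tracked as CVE-2024-2509) lives only in the commit message; a "NOTE: Rejected as duplicate of CVE-2024-2509" under the entry would keep that cross-reference visible in the file itself, where the WordPress-plugin classification used to be.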
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 95461784 by security tracker role at 2024-04-11T20:20:12+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,103 @@ +CVE-2024-3344 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) + TODO: check +CVE-2024-3343 (The Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg E ...) + TODO: check +CVE-2024-32112 (Cross-Site Request Forgery (CSRF) vulnerability in Leadinfo leadinfo. ...) + TODO: check +CVE-2024-32109 (Cross-Site Request Forgery (CSRF) vulnerability in Julien Berthelot / ...) + TODO: check +CVE-2024-32108 (Cross-Site Request Forgery (CSRF) vulnerability in Stephanie Leary Con ...) + TODO: check +CVE-2024-32107 (Cross-Site Request Forgery (CSRF) vulnerability in XLPlugins Finale Li ...) + TODO: check +CVE-2024-32106 (Cross-Site Request Forgery (CSRF) vulnerability in WP Compress WP Comp ...) + TODO: check +CVE-2024-32105 (Cross-Site Request Forgery (CSRF) vulnerability in ELEXtensions ELEX W ...) + TODO: check +CVE-2024-32083 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32080 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31937 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31936 (Cross-Site Request Forgery (CSRF) vulnerability in AyeCode Ltd UsersWP ...) + TODO: check +CVE-2024-31935 (Cross-Site Request Forgery (CSRF) vulnerability in BracketSpace Simple ...) + TODO: check +CVE-2024-31934 (Cross-Site Request Forgery (CSRF) vulnerability in Link Whisper Link W ...) + TODO: check +CVE-2024-31932 (Cross-Site Request Forgery (CSRF) vulnerability in CreativeThemes Bloc ...) + TODO: check +CVE-2024-31931 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31930 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31929 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
+ TODO: check +CVE-2024-31928 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31927 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31926 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31925 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31861 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) + TODO: check +CVE-2024-31678 (Sourcecodester Loan Management System v1.0 is vulnerable to SQL Inject ...) + TODO: check +CVE-2024-31387 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31361 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-31285 (Cross-Site Request Forgery (CSRF) vulnerability in Tooltip WordPress T ...) + TODO: check +CVE-2024-30273 (Illustrator versions 28.3, 27.9.2 and earlier are affected by a Stack- ...) + TODO: check +CVE-2024-30272 (Illustrator versions 28.3, 27.9.2 and earlier are affected by an out-o ...) + TODO: check +CVE-2024-30271 (Illustrator versions 28.3, 27.9.2 and earlier are affected by an out-o ...) + TODO: check +CVE-2024-29454 (An issue discovered in packages or nodes in ROS2 Humble Hawksbill with ...) + TODO: check +CVE-2024-25852 (Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution v ...) + TODO: check +CVE-2024-22722 (Server Side Template Injection (SSTI) vulnerability in Form Tools 3.1. ...) + TODO: check +CVE-2024-22721 (Cross Site Request Forgery (CSRF) vulnerability in Form Tools 3.1.1 al ...) + TODO: check +CVE-2024-22719 (SQL Injection vulnerability in Form Tools 3.1.1 allows attackers to ru ...) + TODO: check +CVE-2024-22718 (Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows at ...) 
+ TODO: check +CVE-2024-22717 (Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows at ...) + TODO: check +CVE-2024-20798 (Illustrator versions 28.3, 27.9.2 and earlier are affected by an out-o ...) + TODO: check +CVE-2024-20797 (Animate versions 23.0.4, 24.0.1 and earlier are affected by an out-of- ...) + TODO: check +CVE-2024-20796 (Animate versions 23.0.4, 24.0.1 and earlier are affected by an out-of- ...) + TODO: check +CVE-2024-20795 (Animate versions 23.0.4, 24.0.1 and earlier are affected by an Integer
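Review bot: CVE-2024-29454 in this batch is another of the ROS2 Humble Hawksbill reports that commit 2f8f5eb9 (later on this page) annotated as "NOTE: Bogus report on ROS, lacks all details and apparently never reported either"; when its "TODO: check" is processed it should receive the same treatment rather than a fresh assessment, so the ROS entries stay consistent. The Form Tools entries (CVE-2024-22717, CVE-2024-22718, CVE-2024-22719, CVE-2024-22721, CVE-2024-22722), the Adobe Illustrator/Animate entries and CVE-2024-31678 (Sourcecodester) match the NOT-FOR-US pattern applied to the Sourcecodester ids in commit f3fad16b on this page and can be handled the same way.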
[Git][security-tracker-team/security-tracker][master] Removed postpone tag for buster freeimage CVE since patch is available in fedora.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 30068ece by Ola Lundqvist at 2024-04-11T22:11:20+02:00 Removed postpone tag for buster freeimage CVE since patch is available in fedora. The postpone tag should probably be removed for later releases as well but that is not up to the LTS team to decide so keeping them. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -262807,7 +262807,6 @@ CVE-2020-24292 (Buffer Overflow vulnerability in load function in PluginICO.cpp - freeimage (bug #1059152) [bookworm] - freeimage (Revisit when patches are available) [bullseye] - freeimage (Revisit when patches are available) - [buster] - freeimage (Revisit when patches are available) NOTE: https://sourceforge.net/p/freeimage/discussion/36111/thread/afb98701eb/ NOTE: Patch in Fedora (not upstream'ed): https://src.fedoraproject.org/rpms/freeimage/blob/f39/f/CVE-2020-24292.patch CVE-2020-24291 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30068ece2273e922e99bed42fdc80af1d470d01f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/30068ece2273e922e99bed42fdc80af1d470d01f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
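Review bot: With the buster postpone annotation removed, the remaining "[bookworm] - freeimage (Revisit when patches are available)" and "[bullseye] - freeimage (Revisit when patches are available)" lines now contradict the NOTE directly below them, which records a patch in Fedora; the commit message says that is deliberately left to the security team, but the justification string is stale and a reader will not see that a candidate (not upstreamed) patch exists unless they read the NOTE. This commit also touches only data/CVE/list: if the LTS team intends to take the buster fix, a freeimage entry in data/dla-needed.txt with a dated NOTE pointing at the Fedora patch and its not-upstreamed status would keep that work visible.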
[Git][security-tracker-team/security-tracker][master] Add new gitlab issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ab4d582 by Salvatore Bonaccorso at 2024-04-11T21:18:44+02:00 Add new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2024-3092 + - gitlab +CVE-2024-2279 + - gitlab +CVE-2023-6489 + - gitlab +CVE-2023-6678 + - gitlab CVE-2024-3652 (The Libreswan Project was notified of an issue causing libreswan to re ...) - libreswan NOTE: https://libreswan.org/security/CVE-2024-3652 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ab4d58207469dedfa38d0af98090b241c19743d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ab4d58207469dedfa38d0af98090b241c19743d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
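Review bot: The four new gitlab entries carry no fixed-version annotation and no NOTE reference, unlike the neighbouring libreswan entry in the same hunk; add the upstream advisory URL and the fixed version ("- gitlab <version>" in the usual form) as soon as they are known, since two of the ids (CVE-2023-6489, CVE-2023-6678) are 2023 identifiers being published now and will otherwise sit unversioned indefinitely.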
[Git][security-tracker-team/security-tracker][master] chromium DSA
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: d3100743 by Andres Salomon at 2024-04-11T14:00:56-04:00 chromium DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[11 Apr 2024] DSA-5656-1 chromium - security update + {CVE-2024-3157 CVE-2024-3515 CVE-2024-3516} + [bookworm] - chromium 123.0.6312.122-1~deb12u1 [04 Apr 2024] DSA-5655-1 cockpit - security update {CVE-2024-2947} [bookworm] - cockpit 287.1-0+deb12u1 = data/dsa-needed.txt = @@ -13,8 +13,6 @@ If needed, specify the release by adding a slash after the name of the source pa apache2 -- -chromium (dilinger) --- cryptojs -- dav1d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d310074313df4be39d98f0bb2a8d14ca17100859 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d310074313df4be39d98f0bb2a8d14ca17100859 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
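Review bot: The DSA-5656-1 entry and the dsa-needed.txt removal of "chromium (dilinger)" are consistent with each other, but this commit touches only data/DSA/list and data/dsa-needed.txt; check that the data/CVE/list entries for CVE-2024-3157, CVE-2024-3515 and CVE-2024-3516 already record the chromium version fixed in unstable, otherwise the three ids will be marked fixed in bookworm by the DSA while their unstable status stays unresolved.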
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 518daeec by Moritz Muehlenhoff at 2024-04-11T17:49:05+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -120,7 +120,7 @@ CVE-2024-3569 (A Denial of Service (DoS) vulnerability exists in the mintplex-la CVE-2024-3568 (The huggingface/transformers library is vulnerable to arbitrary code e ...) NOT-FOR-US: huggingface/transformers CVE-2024-3567 (A flaw was found in QEMU. An assertion failure was present in the upda ...) - - qemu + - qemu (bug #1068822) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274339 NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2273 CVE-2024-3566 (A command inject vulnerability allows an attacker to perform command i ...) @@ -535,7 +535,7 @@ CVE-2024-26815 (In the Linux kernel, the following vulnerability has been resolv [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/343041b59b7810f9cdca371f445dd43b35c740b1 (6.9-rc1) CVE-2024-3447 - - qemu + - qemu (bug #1068821) NOTE: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ NOTE: https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/ NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=58813 
@@ -594,10 +594,10 @@ CVE-2024-3235 (The Essential Grid Gallery WordPress Plugin plugin for WordPress CVE-2024-3210 (The Paid Membership Plugin, Ecommerce, User Registration Form, Login F ...) NOT-FOR-US: WordPress plugin CVE-2024-3120 (A stack-buffer overflow vulnerability exists in all versions of sngrep ...) - - sngrep + - sngrep (bug #1068818) NOTE: https://github.com/irontec/sngrep/commit/f3f8ed8ef38748e6d61044b39b0dabd7e37c6809 (v1.8.1) CVE-2024-3119 (A buffer overflow vulnerability exists in all versions of sngrep since ...) - - sngrep + - sngrep (bug #1068818) NOTE: https://github.com/irontec/sngrep/commit/dd5fec92730562af6f96891291cd4e102b80bfcc (v1.8.1) CVE-2024-3020 (The plugin is vulnerable to PHP Object Injection in versions up to and ...) NOT-FOR-US: WordPress plugin @@ -696,7 +696,7 @@ CVE-2024-3514 (The Responsive Tabs plugin for WordPress is vulnerable to Stored CVE-2024-3512 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for WordPre ...) NOT-FOR-US: WordPress plugin CVE-2024-3446 (A double free vulnerability was found in QEMU virtio devices (virtio-g ...) - - qemu + - qemu (bug #1068820) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2274211 NOTE: https://patchew.org/QEMU/20240409105537.18308-1-phi...@linaro.org/ CVE-2024-3281 (A vulnerability was discovered in the firmware builds after 8.0.2.3267 ...) @@ -15356,7 +15356,7 @@ CVE-2023-44308 (Open redirect vulnerability in adaptive media administration pag CVE-2022-48625 (Yealink Config Encrypt Tool add RSA before 1.2 has a built-in RSA key ...) NOT-FOR-US: Yealink CVE-2024-1635 (A vulnerability was found in Undertow. This vulnerability impacts a se ...) - - undertow + - undertow (bug #1068817) NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2264928 CVE-2024-25983 (Insufficient checks in a web service made it possible to add comments ...) - moodle 
@@ -15431,14 +15431,14 @@ CVE-2024-23114 (Deserialization of Untrusted Data vulnerability in Apache Camel CVE-2024-22369 (Deserialization of Untrusted Data vulnerability in Apache Camel SQL Co ...) NOT-FOR-US: Apache Camel CVE-2024-26328 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - - qemu + - qemu (bug #1068819) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) NOTE: Introduced by: https://gitlab.com/qemu-project/qemu/-/commit/7c0fa8dff811b5648964630a1334c3bb97e1e1c6 (v7.0.0-rc0) NOTE: https://lore.kernel.org/all/20240213055345-mutt-send-email-mst%40kernel.org CVE-2024-26327 (An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in h ...) - - qemu + - qemu (bug #1068819) [bookworm] - qemu (Minor issue) [bullseye] - qemu (Vulnerable code introduced later) [buster] - qemu (Vulnerable code introduced later) @@ -16938,7 +16938,7 @@ CVE-2022-48623 (The Cpanel::JSON::XS package before 4.33 for Perl performs out-o CVE-2021-4437 (A vulnerability, which was classified as problematic, has been found i ...) NOT-FOR-US: lambda-middleware frameguard CVE-2024-1459 (A path traversal vulnerability was found in Undertow. This issue may a ...) - - undertow + - undertow (bug #1068816) NOTE:
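Review bot: The bug numbers are a useful addition, but the three qemu entries CVE-2024-3567, CVE-2024-3447 and CVE-2024-3446 still have no [bookworm]/[bullseye]/[buster] annotations, whereas CVE-2024-26327 and CVE-2024-26328 in the same commit carry "(Minor issue)" and "(Vulnerable code introduced later)"; the patchew links show the fixes are still in review upstream, so if a stable assessment exists for the three, record it next to the bug number rather than leaving the release status implicit.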
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 609f5e65 by Moritz Muehlenhoff at 2024-04-11T16:42:45+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -50,7 +50,7 @@ CVE-2024-30916 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, [bullseye] - fastdds (Minor issue) NOTE: https://github.com/eProsima/Fast-DDS/issues/4609 CVE-2024-30915 (An issue was discovered in OpenDDS commit b1c534032bb62ad4ae32609778de ...) - TODO: check + NOT-FOR-US: OpenDDS CVE-2024-30885 (Reflected Cross-Site Scripting (XSS) vulnerability in HadSky v7.6.3, a ...) NOT-FOR-US: HadSky CVE-2024-30884 (Reflected Cross-Site Scripting (XSS) vulnerability in Discuz! version ...) @@ -304,9 +304,9 @@ CVE-2024-23735 (Cross Site Scripting (XSS) vulnerability in in the S/MIME certif CVE-2024-23734 (Cross Site Request Forgery vulnerability in in the upload functionalit ...) NOT-FOR-US: savignano S/Notify CVE-2024-23083 (Time4J Base v5.9.3 was discovered to contain a NullPointerException vi ...) - TODO: check + NOT-FOR-US: Time4J Base CVE-2024-23080 (Joda Time v2.12.5 was discovered to contain a NullPointerException via ...) - TODO: check + NOT-FOR-US: Joda Time CVE-2024-23077 (JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ...) - libjfreechart-java CVE-2024-23076 (FreeChart v1.5.4 was discovered to contain a NullPointerException via ...) 
@@ -338,19 +338,19 @@ CVE-2024-1740 (In lunary-ai/lunary version 1.0.1, a vulnerability exists where a CVE-2024-1728 (gradio-app/gradio is vulnerable to a local file inclusion vulnerabilit ...) NOT-FOR-US: Gradio CVE-2024-1643 (By knowing an organization's ID, an attacker can join the organization ...) - TODO: check + NOT-FOR-US: lunary-ai/lunary CVE-2024-1625 (An Insecure Direct Object Reference (IDOR) vulnerability exists in the ...) - TODO: check + NOT-FOR-US: lunary-ai/lunary CVE-2024-1602 (parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XS ...) - TODO: check + NOT-FOR-US: parisneo/lollms-webui CVE-2024-1600 (A Local File Inclusion (LFI) vulnerability exists in the parisneo/loll ...) - TODO: check + NOT-FOR-US: parisneo/lollms-webui CVE-2024-1599 (lunary-ai/lunary version 0.3.0 is vulnerable to unauthorized project c ...) NOT-FOR-US: lunary-ai/lunary CVE-2024-1520 (An OS Command Injection vulnerability exists in the '/open_code_folder ...) - TODO: check + NOT-FOR-US: parisneo/lollms-webui CVE-2024-1511 (The parisneo/lollms-webui repository is susceptible to a path traversa ...) - TODO: check + NOT-FOR-US: parisneo/lollms-webui CVE-2024-0218 (A Denial of Service (Dos) vulnerability in Nozomi Networks Guardian, c ...) NOT-FOR-US: Nozomi Networks Guardian CVE-2023-6916 (Audit records for OpenAPI requests may include sensitive information. ...) 
@@ -1532,7 +1532,7 @@ CVE-2024-23584 (The NMAP Importer service may expose data store credentials to a CVE-2024-23084 (Apfloat v1.10.1 was discovered to contain an ArrayIndexOutOfBoundsExce ...) - libapfloat-java CVE-2024-23081 (ThreeTen Backport v1.6.8 was discovered to contain a NullPointerExcept ...) - TODO: check + NOT-FOR-US: ThreeTen Backport CVE-2024-23079 (JGraphT Core v1.5.2 was discovered to contain a NullPointerException v ...) - jgrapht CVE-2024-22949 (JFreeChart v1.5.4 was discovered to contain a NullPointerException via ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/609f5e65ca7929de8337764f58d4a44ce3cf7b8f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/609f5e65ca7929de8337764f58d4a44ce3cf7b8f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
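Review bot: CVE-2024-23080 (Joda Time NullPointerException) is marked NOT-FOR-US, yet Debian ships Joda-Time as the libjoda-time-java source package, and the sibling reports from the same batch (CVE-2024-23077 JFreeChart as libjfreechart-java, CVE-2024-23084 Apfloat as libapfloat-java, CVE-2024-23079 JGraphT as jgrapht) are assigned to packages; if the intent is that a NullPointerException in a library is not a security issue, say so in a NOTE and annotate the package instead, since NOT-FOR-US states that the software is not in Debian. Worth double-checking CVE-2024-23081 (ThreeTen Backport) on the same basis before it is treated as not packaged.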
[Git][security-tracker-team/security-tracker][master] new fastdds issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c21857ae by Moritz Muehlenhoff at 2024-04-11T14:21:24+02:00 new fastdds issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -40,9 +40,15 @@ CVE-2024-31986 (XWiki Platform is a generic wiki platform. Starting in version 3 CVE-2024-31985 (XWiki Platform is a generic wiki platform. Starting in version 3.1 and ...) NOT-FOR-US: XWiki CVE-2024-30917 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, allow ...) - TODO: check + - fastdds + [bookworm] - fastdds (Minor issue) + [bullseye] - fastdds (Minor issue) + NOTE: https://github.com/eProsima/Fast-DDS/issues/4609 CVE-2024-30916 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, allow ...) - TODO: check + - fastdds + [bookworm] - fastdds (Minor issue) + [bullseye] - fastdds (Minor issue) + NOTE: https://github.com/eProsima/Fast-DDS/issues/4609 CVE-2024-30915 (An issue was discovered in OpenDDS commit b1c534032bb62ad4ae32609778de ...) TODO: check CVE-2024-30885 (Reflected Cross-Site Scripting (XSS) vulnerability in HadSky v7.6.3, a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c21857ae359daefde36369e4104d24e97bc8388a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c21857ae359daefde36369e4104d24e97bc8388a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
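Review bot: Both fastdds entries point to the same upstream issue (Fast-DDS #4609) and neither records a fix; with bookworm and bullseye marked "(Minor issue)" the unstable line "- fastdds" stays open with no target version. Add the upstream fix commit and the version it lands in (the "NOTE: <url> (vX.Y.Z)" form used elsewhere in this file) once available, or a TODO line stating that the fix is pending, so the two entries are not mistaken for fully resolved ones.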
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f8f5eb9 by Moritz Muehlenhoff at 2024-04-11T13:38:21+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,15 +22,15 @@ CVE-2024-3612 (A vulnerability was found in SourceCodester Warehouse Management CVE-2024-3285 (The Slider, Gallery, and Carousel by MetaSlider \u2013 Responsive Word ...) NOT-FOR-US: WordPress plugin CVE-2024-32001 (SpiceDB is a graph database purpose-built for storing and evaluating a ...) - TODO: check + NOT-FOR-US: SpiceDB CVE-2024-31999 (@festify/secure-session creates a secure stateless cookie session for ...) - TODO: check + NOT-FOR-US: @festify/secure-session CVE-2024-31997 (XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, ...) NOT-FOR-US: XWiki CVE-2024-31996 (XWiki Platform is a generic wiki platform. Starting in version 3.0.1 a ...) NOT-FOR-US: XWiki CVE-2024-31995 (`@digitalbazaar/zcap` provides JavaScript reference implementation for ...) - TODO: check + NOT-FOR-US: @digitalbazaar/zcap CVE-2024-31988 (XWiki Platform is a generic wiki platform. Starting in version 13.9-rc ...) NOT-FOR-US: XWiki CVE-2024-31987 (XWiki Platform is a generic wiki platform. Starting in version 6.4-mil ...) 
@@ -46,73 +46,73 @@ CVE-2024-30916 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, CVE-2024-30915 (An issue was discovered in OpenDDS commit b1c534032bb62ad4ae32609778de ...) TODO: check CVE-2024-30885 (Reflected Cross-Site Scripting (XSS) vulnerability in HadSky v7.6.3, a ...) - TODO: check + NOT-FOR-US: HadSky CVE-2024-30884 (Reflected Cross-Site Scripting (XSS) vulnerability in Discuz! version ...) - TODO: check + NOT-FOR-US: Discuz! CVE-2024-30883 (Reflected Cross Site Scripting (XSS) vulnerability in RageFrame2 v2.6. ...) - TODO: check + NOT-FOR-US: RageFrame2 CVE-2024-30880 (Reflected Cross Site Scripting (XSS) vulnerability in RageFrame2 v2.6. ...) - TODO: check + NOT-FOR-US: RageFrame2 CVE-2024-30879 (Reflected Cross Site Scripting (XSS) vulnerability in RageFrame2 v2.6. ...) - TODO: check + NOT-FOR-US: RageFrame2 CVE-2024-30878 (A cross-site scripting (XSS) vulnerability in RageFrame2 v2.6.43, allo ...) - TODO: check + NOT-FOR-US: RageFrame2 CVE-2024-30728 (An issue was discovered in the default configurations of ROS (Robot Op ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-2966 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29903 (Cosign provides code signing and transparency for containers and binar ...) - TODO: check + NOT-FOR-US: Cosign CVE-2024-29902 (Cosign provides code signing and transparency for containers and binar ...) - TODO: check + NOT-FOR-US: Cosign CVE-2024-29504 (Cross Site Scripting vulnerability in Summernote v.0.8.18 and before a ...) - TODO: check + NOT-FOR-US: Summernote CVE-2024-29460 (An issue in PX4 Autopilot v.1.14.0 allows an attacker to manipulate th ...) - TODO: check + NOT-FOR-US: PX4 Autopilot CVE-2024-29455 (An arbitrary file upload vulnerability has been discovered in ROS2 Hum ...) 
- TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29452 (An insecure deserialization vulnerability has been identified in ROS2 ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29450 (An issue has been discovered in the permission and access control comp ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29449 (An issue was discovered in ROS2 Humble Hawksbill in ROS_VERSION 2 and ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29448 (A buffer overflow vulnerability has been discovered in the C++ compone ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29447 (An issue was discovered in the default configurations of ROS2 Humble H ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29445 (An issue was discovered in ROS2 (Robot Operating System 2) Humble Hawk ...) - TODO: check + NOTE: Bogus report on ROS, lacks all details and apparently never reported either CVE-2024-29444 (An OS command injection vulnerability has been discovered in ROS2 (Rob ...) -
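Review bot: The ROS entries (CVE-2024-30728, CVE-2024-29455, CVE-2024-29452, CVE-2024-29450, CVE-2024-29449, CVE-2024-29448, CVE-2024-29447, CVE-2024-29445) are left with only the NOTE "Bogus report on ROS, lacks all details and apparently never reported either" and no package or NOT-FOR-US line, so nothing in the entry states the conclusion for Debian; if they are judged bogus, a marker line next to the NOTE (NOT-FOR-US naming the product, or the package with an "(unimportant)" annotation where a ROS package is shipped) would make the decision explicit and greppable, and would avoid the next automatic update or triage pass revisiting them.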
[Git][security-tracker-team/security-tracker][master] Revert "Tinymce is not affected in buster, removing from dla-needed."
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab1af125 by Adrian Bunk at 2024-04-11T13:52:29+03:00 Revert Tinymce is not affected in buster, removing from dla-needed. This reverts commit 21503da906963c312a371bf78d64f3c95b8ec67a. not-affected annotations were without justification. Also add a link to upstream CVE-2023-48219 fix. - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -24635,17 +24635,14 @@ CVE-2024-0222 (Use after free in ANGLE in Google Chrome prior to 120.0.6099.199 [buster] - chromium (see DSA 5046) CVE-2024-21911 (TinyMCE versions before 5.6.0 are affected by a stored cross-site scri ...) - tinymce - [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-w7jx-j77m-wp65 CVE-2024-21910 (TinyMCE versions before 5.10.0 are affected by a cross-site scripting ...) - tinymce - [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-r8hm-w5f7-wj39 CVE-2024-21909 (PeterO.Cbor versions 4.0.0 through 4.5.0 are vulnerable to a denial of ...) NOT-FOR-US: PeterO.Cbor CVE-2024-21908 (TinyMCE versions before 5.9.0 are affected by a stored cross-site scri ...) - tinymce - [buster] - tinymce (Vulnerable code not present) NOTE: https://github.com/tinymce/tinymce/security/advisories/GHSA-5h9g-x5rv-25wg CVE-2024-21907 (Newtonsoft.Json before version 13.0.1 is affected by a mishandling of ...) NOT-FOR-US: Newtonsoft.Json 
@@ -33298,7 +33295,7 @@ CVE-2023-4602 (The Namaste! LMS plugin for WordPress is vulnerable to Reflected NOT-FOR-US: WordPress plugin CVE-2023-48219 (TinyMCE is an open source rich text editor. A mutation cross-site scri ...) - tinymce - [buster] - tinymce (Vulnerable code not present) + NOTE: https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711 CVE-2023-48089 (xxl-job-admin 2.4.0 is vulnerable to Remote Code Execution (RCE) via / ...) NOT-FOR-US: XXL-Job CVE-2023-48088 (xxl-job-admin 2.4.0 is vulnerable to Cross Site Scripting (XSS) via /x ...) = data/dla-needed.txt = @@ -275,9 +275,11 @@ tiff (Thorsten Alteholz) NOTE: 20240314: bookworm. Uploads to spu and ospu should be coordinated. (roberto) -- tinymce - NOTE: 20240404: Added by Front-Desk (lamby) - NOTE: 20240404: May be v. difficult to backport and/or not even vulnerable. (lamby) - NOTE: 20240404: Check Ola's commit message in 21503da906. (lamby) + NOTE: 20231123: Added by Front-Desk (ola) + NOTE: 20231216: Someone with more XSS experience needed to assess the + NOTE: 20231216: severity of CVE-2023-48219. Also not clear to me that + NOTE: 20231216: upstream's patch is backportable, as the code has changed a + NOTE: 20231216: lot. (spwhitton) -- tzdata (Emilio) NOTE: 20240327: Added by pochu View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1af1251027036c394e2320ad98cf7370b953ee -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab1af1251027036c394e2320ad98cf7370b953ee You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
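Review bot: The new NOTE for CVE-2023-48219 (https://github.com/tinymce/tinymce/commit/751e35f1419a6a060ded397dda1b2945bacaa711) has no release tag after it, unlike other fix references in this file such as "(v1.8.1)" or "(6.9-rc1)"; adding the upstream TinyMCE version that contains the commit would let the buster assessment this revert reopens be redone against a concrete range. For CVE-2024-21911, CVE-2024-21910 and CVE-2024-21908 the dropped "[buster] - tinymce (Vulnerable code not present)" lines leave buster open with no replacement annotation, which is the intended effect, but the restored dla-needed.txt notes end at 20231216 and do not record that the not-affected claims were reverted; a dated NOTE line for 20240411 would save the next front-desk person from repeating the 20240404 assessment.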
[Git][security-tracker-team/security-tracker][master] Revert "Remove runc from dla-needed"
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abad8cee by Adrian Bunk at 2024-04-11T13:42:21+03:00 Revert Remove runc from dla-needed This reverts commit 6c41e578160845c9f84e1a335d5266011e542869. https://lists.debian.org/debian-lts/2024/04/msg00014.html - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -232,6 +232,11 @@ ruby-rack (Adrian Bunk) NOTE: 20240306: Added by Front-Desk (opal) NOTE: 20240408: waiting for feedback from Debian maintainer (bunk) -- +runc + NOTE: 20240312: Added by coordinator (roberto) + NOTE: 20240314: Several CVEs fixed in LTS remain unfixed (no-dsa) in bullseye. + NOTE: 20240314: Uploads to ospu should be coordinated. (roberto) +-- samba (Santiago) NOTE: 20230918: Added by Front-Desk (apo) NOTE: 20240406: Update should be ready. Will upload this Monday. (Santiago) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abad8ceef7ae5e224cdb4f931d68112b0f0ca587 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abad8ceef7ae5e224cdb4f931d68112b0f0ca587 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
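Review bot: The restored runc block carries only the 20240312 and 20240314 notes, so the dla-needed.txt history does not show that the entry was removed and re-added; following the file's dated NOTE convention, add a "NOTE: 20240411:" line pointing at https://lists.debian.org/debian-lts/2024/04/msg00014.html (currently only in the commit message) so the reason for keeping the entry is visible to whoever claims it, and consider noting which of the no-dsa bullseye CVEs the "Several CVEs fixed in LTS remain unfixed" remark refers to.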
[Git][security-tracker-team/security-tracker][master] add references for Linux and ATS
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b8e1ec48 by Moritz Muehlenhoff at 2024-04-11T12:41:45+02:00 add references for Linux and ATS - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2554,6 +2554,7 @@ CVE-2024-31309 (HTTP/2 CONTINUATIONDoS attack can cause Apache Traffic Server to NOTE: https://github.com/apache/trafficserver/commit/d8cb125e55ad7f9cc043e655f7ef25acbbbe0a2c (8.1.10-rc0) NOTE: https://github.com/apache/trafficserver/pull/11206 NOTE: https://github.com/apache/trafficserver/commit/b8c6a23b74af1772e5cb0de25b38c234a418cb1d (9.2.4-rc0) + NOTE: https://www.openwall.com/lists/oss-security/2024/04/10/7 CVE-2024-30255 (Envoy is a cloud-native, open source edge and service proxy. The HTTP/ ...) - envoyproxy (bug #987544) CVE-2024-28182 (nghttp2 is an implementation of the Hypertext Transfer Protocol versio ...) @@ -19165,6 +19166,7 @@ CVE-2024-1086 (A use-after-free vulnerability in the Linux kernel's netfilter: n NOTE: https://pwning.tech/nftables/ NOTE: https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660 NOTE: https://git.kernel.org/linus/f342de4e2f33e0e39165d8639387aa6c19dff660 (6.8-rc2) + NOTE: https://github.com/Notselwyn/CVE-2024-1086 CVE-2024-1085 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...) - linux 6.6.15-1 [bookworm] - linux 6.1.76-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8e1ec486e7bb3ebc93140b7f9aa8669655816a9 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b8e1ec486e7bb3ebc93140b7f9aa8669655816a9 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
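Review bot: The new reference for CVE-2024-1086, https://github.com/Notselwyn/CVE-2024-1086, is an exploit repository rather than a fix or discussion link, but it is added as a bare NOTE alongside the kernel fix commit references; a short qualifier on that NOTE line (for example "NOTE: PoC: <url>") would keep the distinction visible to readers scanning the entry and is useful for prioritisation. The CVE-2024-31309 hunk is fine as is, since the fix references already carry their 8.1.10-rc0 and 9.2.4-rc0 tags.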
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f3fad16b by Salvatore Bonaccorso at 2024-04-11T10:30:00+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2,43 +2,43 @@ CVE-2024-3652 (The Libreswan Project was notified of an issue causing libreswan - libreswan NOTE: https://libreswan.org/security/CVE-2024-3652 CVE-2024-3621 (A vulnerability was found in SourceCodester Kortex Lite Advocate Offic ...) - TODO: check + NOT-FOR-US: SourceCodester Kortex Lite Advocate Office Management System CVE-2024-3620 (A vulnerability was found in SourceCodester Kortex Lite Advocate Offic ...) - TODO: check + NOT-FOR-US: SourceCodester Kortex Lite Advocate Office Management System CVE-2024-3619 (A vulnerability has been found in SourceCodester Kortex Lite Advocate ...) - TODO: check + NOT-FOR-US: SourceCodester Kortex Lite Advocate Office Management System CVE-2024-3618 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Kortex Lite Advocate Office Management System CVE-2024-3617 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Kortex Lite Advocate Office Management System CVE-2024-3616 (A vulnerability classified as problematic was found in SourceCodester ...) - TODO: check + NOT-FOR-US: SourceCodester Warehouse Management System CVE-2024-3614 (A vulnerability classified as problematic has been found in SourceCode ...) - TODO: check + NOT-FOR-US: SourceCodester Warehouse Management System CVE-2024-3613 (A vulnerability was found in SourceCodester Warehouse Management Syste ...) - TODO: check + NOT-FOR-US: SourceCodester Warehouse Management System CVE-2024-3612 (A vulnerability was found in SourceCodester Warehouse Management Syste ...) - TODO: check + NOT-FOR-US: SourceCodester Warehouse Management System CVE-2024-3285 (The Slider, Gallery, and Carousel by MetaSlider \u2013 Responsive Word ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32001 (SpiceDB is a graph database purpose-built for storing and evaluating a ...) 
TODO: check CVE-2024-31999 (@festify/secure-session creates a secure stateless cookie session for ...) TODO: check CVE-2024-31997 (XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-31996 (XWiki Platform is a generic wiki platform. Starting in version 3.0.1 a ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-31995 (`@digitalbazaar/zcap` provides JavaScript reference implementation for ...) TODO: check CVE-2024-31988 (XWiki Platform is a generic wiki platform. Starting in version 13.9-rc ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-31987 (XWiki Platform is a generic wiki platform. Starting in version 6.4-mil ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-31986 (XWiki Platform is a generic wiki platform. Starting in version 3.1 and ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-31985 (XWiki Platform is a generic wiki platform. Starting in version 3.1 and ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-30917 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, allow ...) TODO: check CVE-2024-30916 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, allow ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3fad16b19dbcce47863edf14ddd29a648ceac78 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f3fad16b19dbcce47863edf14ddd29a648ceac78 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-3652/libreswan
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cfa909f by Salvatore Bonaccorso at 2024-04-11T10:29:06+02:00 Add CVE-2024-3652/libreswan Note that the only reference URL is for now not reachable, so it's unclear which versions are affected upstream. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,6 @@ CVE-2024-3652 (The Libreswan Project was notified of an issue causing libreswan to re ...) - TODO: check + - libreswan + NOTE: https://libreswan.org/security/CVE-2024-3652 CVE-2024-3621 (A vulnerability was found in SourceCodester Kortex Lite Advocate Offic ...) TODO: check CVE-2024-3620 (A vulnerability was found in SourceCodester Kortex Lite Advocate Offic ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cfa909f06e2b75e501067ff7d09da237ffdcc05
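Review bot: the hunk records libreswan as affected with no version qualifier and no TODO marker, yet the commit message says the only reference is unreachable and the affected upstream versions are unknown. Keeping a line such as "TODO: check affected versions once https://libreswan.org/security/CVE-2024-3652 is reachable" beside the NOTE would make the open question visible in the tracker itself rather than only in the commit message, so the entry is revisited instead of being read as a settled "all versions affected".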
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a813895 by security tracker role at 2024-04-11T08:12:13+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,111 @@ +CVE-2024-3652 (The Libreswan Project was notified of an issue causing libreswan to re ...) + TODO: check +CVE-2024-3621 (A vulnerability was found in SourceCodester Kortex Lite Advocate Offic ...) + TODO: check +CVE-2024-3620 (A vulnerability was found in SourceCodester Kortex Lite Advocate Offic ...) + TODO: check +CVE-2024-3619 (A vulnerability has been found in SourceCodester Kortex Lite Advocate ...) + TODO: check +CVE-2024-3618 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-3617 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-3616 (A vulnerability classified as problematic was found in SourceCodester ...) + TODO: check +CVE-2024-3614 (A vulnerability classified as problematic has been found in SourceCode ...) + TODO: check +CVE-2024-3613 (A vulnerability was found in SourceCodester Warehouse Management Syste ...) + TODO: check +CVE-2024-3612 (A vulnerability was found in SourceCodester Warehouse Management Syste ...) + TODO: check +CVE-2024-3285 (The Slider, Gallery, and Carousel by MetaSlider \u2013 Responsive Word ...) + TODO: check +CVE-2024-32001 (SpiceDB is a graph database purpose-built for storing and evaluating a ...) + TODO: check +CVE-2024-31999 (@festify/secure-session creates a secure stateless cookie session for ...) + TODO: check +CVE-2024-31997 (XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, ...) + TODO: check +CVE-2024-31996 (XWiki Platform is a generic wiki platform. Starting in version 3.0.1 a ...) + TODO: check +CVE-2024-31995 (`@digitalbazaar/zcap` provides JavaScript reference implementation for ...) + TODO: check +CVE-2024-31988 (XWiki Platform is a generic wiki platform. Starting in version 13.9-rc ...) + TODO: check +CVE-2024-31987 (XWiki Platform is a generic wiki platform. Starting in version 6.4-mil ...) + TODO: check +CVE-2024-31986 (XWiki Platform is a generic wiki platform. 
Starting in version 3.1 and ...) + TODO: check +CVE-2024-31985 (XWiki Platform is a generic wiki platform. Starting in version 3.1 and ...) + TODO: check +CVE-2024-30917 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, allow ...) + TODO: check +CVE-2024-30916 (An issue was discovered in eProsima FastDDS v.2.14.0 and before, allow ...) + TODO: check +CVE-2024-30915 (An issue was discovered in OpenDDS commit b1c534032bb62ad4ae32609778de ...) + TODO: check +CVE-2024-30885 (Reflected Cross-Site Scripting (XSS) vulnerability in HadSky v7.6.3, a ...) + TODO: check +CVE-2024-30884 (Reflected Cross-Site Scripting (XSS) vulnerability in Discuz! version ...) + TODO: check +CVE-2024-30883 (Reflected Cross Site Scripting (XSS) vulnerability in RageFrame2 v2.6. ...) + TODO: check +CVE-2024-30880 (Reflected Cross Site Scripting (XSS) vulnerability in RageFrame2 v2.6. ...) + TODO: check +CVE-2024-30879 (Reflected Cross Site Scripting (XSS) vulnerability in RageFrame2 v2.6. ...) + TODO: check +CVE-2024-30878 (A cross-site scripting (XSS) vulnerability in RageFrame2 v2.6.43, allo ...) + TODO: check +CVE-2024-30728 (An issue was discovered in the default configurations of ROS (Robot Op ...) + TODO: check +CVE-2024-2966 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) + TODO: check +CVE-2024-29903 (Cosign provides code signing and transparency for containers and binar ...) + TODO: check +CVE-2024-29902 (Cosign provides code signing and transparency for containers and binar ...) + TODO: check +CVE-2024-29504 (Cross Site Scripting vulnerability in Summernote v.0.8.18 and before a ...) + TODO: check +CVE-2024-29460 (An issue in PX4 Autopilot v.1.14.0 allows an attacker to manipulate th ...) + TODO: check +CVE-2024-29455 (An arbitrary file upload vulnerability has been discovered in ROS2 Hum ...) + TODO: check +CVE-2024-29452 (An insecure deserialization vulnerability has been identified in ROS2 ...) 
+ TODO: check +CVE-2024-29450 (An issue has been discovered in the permission and access control comp ...) + TODO: check +CVE-2024-29449 (An issue was discovered in ROS2 Humble Hawksbill in ROS_VERSION 2 and ...) + TODO: check +CVE-2024-29448 (A buffer overflow vulnerability has been discovered in the C++ compone ...) + TODO: check +CVE-2024-29447 (An issue was discovered in the default configurations of ROS2 Humble H ...) +
[Git][security-tracker-team/security-tracker][master] Add some more libjfreechart-java CVEs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 326c3d64 by Salvatore Bonaccorso at 2024-04-11T08:35:04+02:00 Add some more libjfreechart-java CVEs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -193,9 +193,9 @@ CVE-2024-23083 (Time4J Base v5.9.3 was discovered to contain a NullPointerExcept CVE-2024-23080 (Joda Time v2.12.5 was discovered to contain a NullPointerException via ...) TODO: check CVE-2024-23077 (JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ...) - TODO: check + - libjfreechart-java CVE-2024-23076 (FreeChart v1.5.4 was discovered to contain a NullPointerException via ...) - TODO: check + - libjfreechart-java CVE-2024-20780 (Adobe Experience Manager versions 6.5.19 and earlier are affected by a ...) NOT-FOR-US: Adobe CVE-2024-20779 (Adobe Experience Manager versions 6.5.19 and earlier are affected by a ...) @@ -241,7 +241,7 @@ CVE-2024-0218 (A Denial of Service (Dos) vulnerability in Nozomi Networks Guardi CVE-2023-6916 (Audit records for OpenAPI requests may include sensitive information. ...) NOT-FOR-US: Nozomi Networks CVE-2023-52070 (JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ...) - TODO: check + - libjfreechart-java CVE-2023-2794 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - ofono NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255387 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/326c3d645bc384038a669c8cc3fc63fcb5b90260 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/326c3d645bc384038a669c8cc3fc63fcb5b90260 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
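Review bot: in the first hunk, CVE-2024-23077 and CVE-2024-23076 move from TODO: check to a bare "- libjfreechart-java" with no NOTE: line giving the upstream report or fixed version, unlike the ofono entry visible in the second hunk, which carries its bugzilla URL. Both descriptions point at the same JFreeChart v1.5.4 crash class (ArrayIndexOutOfBounds, NullPointerException), so a NOTE with the upstream references, and the Debian bug number once filed, would save re-triaging them; the "FreeChart" spelling in CVE-2024-23076 comes from the upstream description and is not something to fix in the tracker.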
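Review bot: in the second hunk, CVE-2023-52070 gets the same bare "- libjfreechart-java" entry, and its truncated description is identical to that of CVE-2024-23077 ("JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ..."). A NOTE cross-referencing the two, or stating which component each one concerns, would make it clear they were checked as distinct issues rather than a duplicate assignment.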
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7ee298b2 by Salvatore Bonaccorso at 2024-04-11T08:16:57+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19,7 +19,7 @@ CVE-2024-3515 (Use after free in Dawn in Google Chrome prior to 123.0.6312.122 a [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-3448 (Users with low privileges can perform certain AJAX actions. In this v ...) - TODO: check + NOT-FOR-US: Mautic CVE-2024-3388 (A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN ...) NOT-FOR-US: Palo Alto Networks CVE-2024-3387 (A weak (low bit strength) device certificate in Palo Alto Networks Pan ...) @@ -133,11 +133,11 @@ CVE-2024-31214 (Traccar is an open source GPS tracking system. Traccar versions CVE-2024-2952 (BerriAI/litellm is vulnerable to Server-Side Template Injection (SSTI) ...) TODO: check CVE-2024-2731 (Users with low privileges (all permissions deselected in the administr ...) - TODO: check + NOT-FOR-US: Mautic CVE-2024-2730 (Mautic uses predictable page indices for unpublished landing pages, th ...) NOT-FOR-US: Mautic CVE-2024-2221 (qdrant/qdrant is vulnerable to a path traversal and arbitrary file upl ...) - TODO: check + NOT-FOR-US: qdrant CVE-2024-2217 (gaizhenbiao/chuanhuchatgpt is vulnerable to improper access control, a ...) TODO: check CVE-2024-2196 (aimhubio/aim is vulnerable to Cross-Site Request Forgery (CSRF), allow ...) 
@@ -221,7 +221,7 @@ CVE-2024-1741 (lunary-ai/lunary version 1.0.1 is vulnerable to improper authoriz CVE-2024-1740 (In lunary-ai/lunary version 1.0.1, a vulnerability exists where a user ...) TODO: check CVE-2024-1728 (gradio-app/gradio is vulnerable to a local file inclusion vulnerabilit ...) - TODO: check + NOT-FOR-US: Gradio CVE-2024-1643 (By knowing an organization's ID, an attacker can join the organization ...) TODO: check CVE-2024-1625 (An Insecure Direct Object Reference (IDOR) vulnerability exists in the ...) @@ -237,9 +237,9 @@ CVE-2024-1520 (An OS Command Injection vulnerability exists in the '/open_code_f CVE-2024-1511 (The parisneo/lollms-webui repository is susceptible to a path traversa ...) TODO: check CVE-2024-0218 (A Denial of Service (Dos) vulnerability in Nozomi Networks Guardian, c ...) - TODO: check + NOT-FOR-US: Nozomi Networks Guardian CVE-2023-6916 (Audit records for OpenAPI requests may include sensitive information. ...) - TODO: check + NOT-FOR-US: Nozomi Networks CVE-2023-52070 (JFreeChart v1.5.4 was discovered to be vulnerable to ArrayIndexOutOfBo ...) TODO: check CVE-2023-2794 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee298b24c7dda946b4432c03a9ced3ae2d87738 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7ee298b24c7dda946b4432c03a9ced3ae2d87738 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
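Review bot: the two Nozomi Networks entries in the last hunk use different vendor strings, "NOT-FOR-US: Nozomi Networks Guardian" for CVE-2024-0218 and "NOT-FOR-US: Nozomi Networks" for CVE-2023-6916, while the Mautic entries in the first two hunks reuse the existing "NOT-FOR-US: Mautic" string exactly. Settling on one form for adjacent entries from the same vendor, for example "NOT-FOR-US: Nozomi Networks", keeps the NFU classifications consistent and searchable.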