[Git][security-tracker-team/security-tracker][master] Track proposed update for libapache2-mod-auth-openidc via {bullseye,bookworm}-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9238c678 by Salvatore Bonaccorso at 2024-04-18T23:54:43+02:00 Track proposed update for libapache2-mod-auth-openidc via {bullseye,bookworm}-pu - - - - - 3 changed files: - data/CVE/list - data/next-oldstable-point-update.txt - data/next-point-update.txt Changes: = data/CVE/list = @@ -19255,6 +19255,8 @@ CVE-2024-24920 (A vulnerability has been identified in Simcenter Femap (All vers CVE-2024-24814 (mod_auth_openidc is an OpenID Certified\u2122 authentication and autho ...) {DLA-3751-1} - libapache2-mod-auth-openidc 2.4.15.7-1 (bug #1064183) + [bookworm] - libapache2-mod-auth-openidc (Minor issue) + [bullseye] - libapache2-mod-auth-openidc (Minor issue) NOTE: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv NOTE: https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d (v2.4.15.2) CVE-2024-24782 (An unauthenticated attacker can send a ping request from one network t ...) = data/next-oldstable-point-update.txt = @@ -85,3 +85,5 @@ CVE-2023-1370 [bullseye] - json-smart 2.2-2+deb11u1 CVE-2024-2398 [bullseye] - curl 7.74.0-1.3+deb11u12 +CVE-2024-24814 + [bullseye] - libapache2-mod-auth-openidc 2.4.9.4-0+deb11u4 = data/next-point-update.txt = 
@@ -110,3 +110,5 @@ CVE-2023-1370 [bookworm] - json-smart 2.2-2+deb12u1 CVE-2024-23944 [bookworm] - zookeeper 3.8.0-11+deb12u2 +CVE-2024-24814: + [bookworm] - libapache2-mod-auth-openidc 2.4.12.3-2+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9238c678df8a8ee199c43ce7be8c44fd475ad3ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9238c678df8a8ee199c43ce7be8c44fd475ad3ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
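Review bot: the new entry in data/next-point-update.txt is written `+CVE-2024-24814:` with a trailing colon, while the surrounding entries (`CVE-2023-1370`, `CVE-2024-23944`) and the matching bullseye entry added to data/next-oldstable-point-update.txt in the previous hunk use the bare id; drop the colon so the file stays uniformly formatted and the entry is not skipped by whatever parses it when the point update is processed.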
[Git][security-tracker-team/security-tracker][master] Add explicit additional reference for CVE-2024-2961 for php impact
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b84a23e7 by Salvatore Bonaccorso at 2024-04-18T23:46:57+02:00 Add explicit additional reference for CVE-2024-2961 for php impact - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -568,6 +568,7 @@ CVE-2023-36505 (Improper Input Validation vulnerability in Saturday Drive Ninja CVE-2024-2961 (The iconv() function in the GNU C Library versions 2.39 and older may ...) - glibc (bug #1069191) NOTE: https://www.openwall.com/lists/oss-security/2024/04/17/9 + NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/4 NOTE: https://sourceware.org/git/?p=glibc.git;a=blob;f=advisories/GLIBC-SA-2024-0004 NOTE: Introducecd by: https://sourceware.org/git?p=glibc.git;a=commit;h=755104edc75c53f4a0e7440334e944ad3c6b32fc (cvs/libc-2_1_94) NOTE: Fixed by: https://sourceware.org/git?p=glibc.git;a=commit;h=f9dc609e06b1136bb0408be9605ce7973a767ada View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b84a23e7da87b987f146ad22eda31ca565caf7ae -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b84a23e7da87b987f146ad22eda31ca565caf7ae You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
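Review bot: the unchanged context line `NOTE: Introducecd by: https://sourceware.org/git?p=glibc.git;a=commit;h=755104edc75c53f4a0e7440334e944ad3c6b32fc (cvs/libc-2_1_94)` carries a typo ("Introduced"); since this entry is being touched to add the second oss-security reference anyway, fixing it in the same commit keeps the "Introduced by" / "Fixed by" pair readable for whoever backports the iconv() fix.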
[Git][security-tracker-team/security-tracker][master] Add upstream tag information for some ffmpeg references
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 32ae551d by Salvatore Bonaccorso at 2024-04-18T23:45:11+02:00 Add upstream tag information for some ffmpeg references - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -444,7 +444,7 @@ CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper valida - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) - NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 (n7.0) CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) - pytorch NOTE: https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 
@@ -453,7 +453,7 @@ CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after - ffmpeg [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) - NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 (n7.0) CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...) TODO: check CVE-2024-31041 (Null Pointer Dereference vulnerability in topic_filtern function in mq ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32ae551d8aeb5ede1a834951a057e3011ade994d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32ae551d8aeb5ede1a834951a057e3011ade994d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Move oss-security reference for flatpak and drop entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 26a59189 by Salvatore Bonaccorso at 2024-04-18T23:11:15+02:00 Move oss-security reference for flatpak and drop entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -118,6 +118,7 @@ CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/pro TODO: check CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.6-1 + NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 (1.15.8) NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e (1.14.6) @@ -199,10 +200,6 @@ CVE-2024- [tryton zipbomb DoS] [bullseye] - tryton-server (Minor issue) NOTE: https://discuss.tryton.org/t/security-release-for-issue-13142/7196 NOTE: https://foss.heptapod.net/tryton/tryton/-/issues/13142 -CVE-2024-3246 - - flatpak - NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 - NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj CVE-2024-26921 (In the Linux kernel, the following vulnerability has been resolved: i ...) - linux [bookworm] - linux 6.1.85-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26a59189b118b7261a0ade37480a34527ed17d9c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/26a59189b118b7261a0ade37480a34527ed17d9c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
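Review bot: the second hunk deletes the whole CVE-2024-3246 entry, which pointed at the same GHSA-phv6-cpc2-2fgj advisory as the CVE-2024-32462 entry that receives the oss-security reference in the first hunk, but the commit message ("drop entry") does not say why; stating that CVE-2024-3246 appears to be a mistaken duplicate id for the same flatpak issue would make the history self-explanatory. If CVE-2024-3246 is later published as a genuinely allocated id for a different issue, the automatic update (commit 0e9c20f4 on this page shows how new ids land with `TODO: check`) would re-add it, so the drop is safe either way.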
[Git][security-tracker-team/security-tracker][master] Reference upstream commit tag for CVE-2024-0690
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ddd5288 by Salvatore Bonaccorso at 2024-04-18T23:10:19+02:00 Reference upstream commit tag for CVE-2024-0690 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24237,7 +24237,7 @@ CVE-2024-0690 (An information disclosure flaw was found in ansible-core due to a NOTE: ansible-core was split off from src:ansible with 4.6.0-1 in experimental/5.4.0-1 in sid NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2259013 NOTE: https://github.com/ansible/ansible/pull/82565 - NOTE: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1 (stable-2.14) + NOTE: https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1 (v2.14.14rc1) CVE-2024-0684 (A flaw was found in the GNU coreutils "split" program. A heap overflow ...) - coreutils (bug #1061138) [bookworm] - coreutils (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ddd5288cd5b68a43b8482afac04f52d8009c9ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ddd5288cd5b68a43b8482afac04f52d8009c9ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2024-2511,openssl: buster is postponed
Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker Commits: c90b39d0 by Markus Koschany at 2024-04-18T22:55:40+02:00 CVE-2024-2511,openssl: buster is postponed because this is a minor issue and prevented in default configurations. - - - - - af013b74 by Markus Koschany at 2024-04-18T23:07:52+02:00 Add less to dla-needed.txt - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -4392,6 +4392,7 @@ CVE-2024-2511 (Issue summary: Some non-default TLS server configurations can cau - openssl (bug #1068658) [bookworm] - openssl (Minor issue, fix along with next update round) [bullseye] - openssl (Minor issue, fix along with next update round) + [buster] - openssl (Minor issue, fix along with next update round) NOTE: https://www.openssl.org/news/secadv/20240408.txt NOTE: https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08 (openssl-3.2.y) NOTE: https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce (openssl-3.1.y) = data/dla-needed.txt = 
@@ -121,6 +121,9 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- +less + NOTE: 20240418: Added by Front-Desk (apo) +-- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe9060aaad459b6b25898d26453ccaab552caec5...af013b7456d90da40faa7d46e23271cd66c7254c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fe9060aaad459b6b25898d26453ccaab552caec5...af013b7456d90da40faa7d46e23271cd66c7254c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
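Review bot: the commit message gives the buster rationale as "minor issue and prevented in default configurations", but the added line `+ [buster] - openssl (Minor issue, fix along with next update round)` only repeats the bookworm/bullseye annotation; carrying the non-default-configuration reasoning into the annotation or a NOTE would let someone triaging later see why the DLA was postponed without consulting git log, and the CVE summary in the context line ("Some non-default TLS server configurations can cau...") supports that wording.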
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-31031/libcoap
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fe9060aa by Salvatore Bonaccorso at 2024-04-18T22:51:01+02:00 Add CVE-2024-31031/libcoap - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -464,7 +464,10 @@ CVE-2024-31041 (Null Pointer Dereference vulnerability in topic_filtern function CVE-2024-31040 (Buffer Overflow vulnerability in the get_var_integer function in mqtt_ ...) NOT-FOR-US: NanoMQ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause un ...) - TODO: check + - libcoap + - libcoap2 + - libcoap3 + NOTE: https://github.com/obgm/libcoap/issues/1351 CVE-2024-30990 (SQL Injection vulnerability in the "Invoices" page in phpgurukul Clien ...) NOT-FOR-US: phpgurukul Client Management System CVE-2024-30989 (Cross Site Scripting vulnerability in /edit-client-details.php of phpg ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe9060aaad459b6b25898d26453ccaab552caec5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/fe9060aaad459b6b25898d26453ccaab552caec5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
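Review bot: the three source packages (`libcoap`, `libcoap2`, `libcoap3`) are all listed as affected with neither a fixed version nor a suite annotation, so the entry is open in every suite; the CVE text only names libcoap 4.3.4 and the sole reference (issues/1351) is an upstream bug report rather than a fix. A follow-up should record whether the affected `coap_pdu.c` code is actually present in each of the three sources (a `(Vulnerable code not present)` annotation where it is not) and add a `Fixed by:` NOTE once upstream commits a fix.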
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5d8b48c3 by Salvatore Bonaccorso at 2024-04-18T22:47:45+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,117 +1,117 @@ CVE-2024-3948 (A vulnerability was found in SourceCodester Home Clean Service System ...) - TODO: check + NOT-FOR-US: SourceCodester Home Clean Service System CVE-2024-32689 (Missing Authorization vulnerability in GenialSouls WP Social Comments. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32686 (Insertion of Sensitive Information into Log File vulnerability in Inis ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32604 (Authorization Bypass Through User-Controlled Key vulnerability in Plec ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32603 (Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32602 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32601 (Missing Authorization vulnerability in WP OnlineSupport, Essential Plu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32600 (Deserialization of Untrusted Data vulnerability in Averta Master Slide ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32599 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32598 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32597 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32596 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32595 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32594 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32593 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32592 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32591 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32590 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32588 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32587 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32586 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32585 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32584 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32583 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32582 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32581 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32580 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32579 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32578 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32577 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-32576 (Improper Neutralization of Input During Web Page Generation ('Cross-si
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-32475/envoyproxy
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e60c4fd6 by Salvatore Bonaccorso at 2024-04-18T22:46:54+02:00 Add CVE-2024-32475/envoyproxy - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -109,7 +109,7 @@ CVE-2024-32551 (Improper Neutralization of Special Elements used in an SQL Comma CVE-2024-32477 (Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure ...) TODO: check CVE-2024-32475 (Envoy is a cloud-native, open source edge and service proxy. When an u ...) - TODO: check + - envoyproxy (bug #987544) CVE-2024-32474 (Sentry is an error tracking and performance monitoring platform. Prior ...) TODO: check CVE-2024-32470 (Tolgee is an open-source localization platform. When API key created b ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e60c4fd6e39dee73831aa1307a4710c36b2fe16d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e60c4fd6e39dee73831aa1307a4710c36b2fe16d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
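Review bot: `+ - envoyproxy (bug #987544)` references a bug number far older than the others filed on this page (#1064183, #1068658, #1069191), which suggests #987544 is the ITP for envoyproxy rather than a newly filed bug; if envoyproxy is not in the archive, the tracker's `<itp>` marker (`- envoyproxy <itp> (bug #987544)`) is the convention, so the issue is not displayed as an unfixed vulnerability in unstable.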
[Git][security-tracker-team/security-tracker][master] Remove notes from some rejected CVEs withdrawn by the CNA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd2ec86c by Salvatore Bonaccorso at 2024-04-18T22:31:37+02:00 Remove notes from some rejected CVEs withdrawn by the CNA - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1220,7 +1220,6 @@ CVE-2024-22329 (IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Appl NOT-FOR-US: IBM CVE-2024-21676 REJECTED - NOT-FOR-US: Atlassian CVE-2024-21121 (Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualiza ...) - virtualbox 7.0.16-dfsg-1 CVE-2024-21120 (Vulnerability in the Oracle Outside In Technology product of Oracle Fu ...) @@ -4594,7 +4593,6 @@ CVE-2023-52713 (Vulnerability of improper permission control in the window manag NOT-FOR-US: Huawei CVE-2023-52382 REJECTED - NOT-FOR-US: Huawei CVE-2021-4438 (A vulnerability, which was classified as critical, has been found in k ...) NOT-FOR-US: react-native-sms-user-consent CVE-2024-3417 (A vulnerability, which was classified as critical, has been found in S ...) 
@@ -21890,7 +21888,6 @@ CVE-2023-51446 (GLPI is a Free Asset and IT Management Software package. When au NOTE: https://github.com/glpi-project/glpi/commit/58c67d78f2e3ad08264213e9aaf56eab3c9ded35 CVE-2023-37621 REJECTED - NOT-FOR-US: Fronius Datalogger Web CVE-2024-24747 (MinIO is a High Performance Object Storage. When someone creates an ac ...) - minio (bug #859207) CVE-2024-24573 (facileManager is a modular suite of web apps built with the sysadmin i ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2ec86ce74b4676d9bfb237b5ca9cabae641984 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd2ec86ce74b4676d9bfb237b5ca9cabae641984 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add upstream commit references for flatpak issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 87fb2686 by Salvatore Bonaccorso at 2024-04-18T22:24:38+02:00 Add upstream commit references for flatpak issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -119,6 +119,10 @@ CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/pro CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) - flatpak 1.14.6-1 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj + NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 (1.15.8) + NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e (1.14.6) + NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 (1.12.9) + NOTE: Fixed by: https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d (1.10.9) CVE-2024-32335 (TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scri ...) TODO: check CVE-2024-32334 (TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87fb2686685366431b921743a4fbe0a9b047c2e5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87fb2686685366431b921743a4fbe0a9b047c2e5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for flatpak via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c3948369 by Salvatore Bonaccorso at 2024-04-18T22:19:52+02:00 Add fixed version for flatpak via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,7 +117,7 @@ CVE-2024-32470 (Tolgee is an open-source localization platform. When API key cre CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/projects/ ...) TODO: check CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) - - flatpak + - flatpak 1.14.6-1 NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj CVE-2024-32335 (TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scri ...) TODO: check View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c394836929383f5396af6d425d591164877f2cff -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c394836929383f5396af6d425d591164877f2cff You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add note for glibc in dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 354256ef by Salvatore Bonaccorso at 2024-04-18T22:18:13+02:00 Add note for glibc in dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -31,6 +31,7 @@ flatpak (jmm) frr -- glibc + Maintainer is preparing updates but waiting for exposure in unstable -- gpac/oldstable -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/354256ef7a809f1b7e71e74ba40b9e8cf2b7f57d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/354256ef7a809f1b7e71e74ba40b9e8cf2b7f57d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-32462/flatpak
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50039466 by Salvatore Bonaccorso at 2024-04-18T22:17:07+02:00 Add CVE-2024-32462/flatpak - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117,7 +117,8 @@ CVE-2024-32470 (Tolgee is an open-source localization platform. When API key cre CVE-2024-32466 (Tolgee is an open-source localization platform. For the `/v2/projects/ ...) TODO: check CVE-2024-32462 (Flatpak is a system for building, distributing, and running sandboxed ...) - TODO: check + - flatpak + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj CVE-2024-32335 (TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scri ...) TODO: check CVE-2024-32334 (TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scri ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50039466615d9488827c0afeb2a26bc23aff664c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50039466615d9488827c0afeb2a26bc23aff664c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0e9c20f4 by security tracker role at 2024-04-18T20:11:51+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,193 @@ +CVE-2024-3948 (A vulnerability was found in SourceCodester Home Clean Service System ...) + TODO: check +CVE-2024-32689 (Missing Authorization vulnerability in GenialSouls WP Social Comments. ...) + TODO: check +CVE-2024-32686 (Insertion of Sensitive Information into Log File vulnerability in Inis ...) + TODO: check +CVE-2024-32604 (Authorization Bypass Through User-Controlled Key vulnerability in Plec ...) + TODO: check +CVE-2024-32603 (Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy ...) + TODO: check +CVE-2024-32602 (Improper Neutralization of Special Elements used in an SQL Command ('S ...) + TODO: check +CVE-2024-32601 (Missing Authorization vulnerability in WP OnlineSupport, Essential Plu ...) + TODO: check +CVE-2024-32600 (Deserialization of Untrusted Data vulnerability in Averta Master Slide ...) + TODO: check +CVE-2024-32599 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) + TODO: check +CVE-2024-32598 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32597 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32596 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32595 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32594 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32593 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32592 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32591 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32590 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
+ TODO: check +CVE-2024-32588 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32587 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32586 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32585 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32584 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32583 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32582 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32581 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32580 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32579 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32578 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32577 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32576 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32575 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32574 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32573 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32572 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32571 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) 
+ TODO: check +CVE-2024-32570 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32569 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32568 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32567 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) + TODO: check +CVE-2024-32566 (Improper Neutralization of Input During Web Page Generation ('Cross-si
[Git][security-tracker-team/security-tracker][master] new tryton issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 639a8e6b by Moritz Muehlenhoff at 2024-04-18T20:57:09+02:00 new tryton issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024- [tryton zipbomb DoS] + - tryton-server 6.0.45-1 + [bookworm] - tryton-server (Minor issue) + [bullseye] - tryton-server (Minor issue) + NOTE: https://discuss.tryton.org/t/security-release-for-issue-13142/7196 + NOTE: https://foss.heptapod.net/tryton/tryton/-/issues/13142 CVE-2024-3246 - flatpak NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/639a8e6b8d57ab9a8cc7a57d2202c0419eb3e122 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/639a8e6b8d57ab9a8cc7a57d2202c0419eb3e122 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
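Review bot: the new entry is keyed on the placeholder `CVE-2024-` with only the bracketed description `[tryton zipbomb DoS]`, so it cannot be matched against upstream or other trackers until the real identifier is filled in; the two NOTE URLs (the discuss.tryton.org security-release post and heptapod issue 13142) are where the assigned ID should be picked up from, and the line renamed then. Tagging bookworm and bullseye `Minor issue` while sid is fixed in tryton-server 6.0.45-1 is consistent with a resource-exhaustion DoS handled via point releases rather than a DSA.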
[Git][security-tracker-team/security-tracker][master] new flatpak issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 32a8a8bd by Moritz Muehlenhoff at 2024-04-18T20:54:45+02:00 new flatpak issue - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-3246 + - flatpak + NOTE: https://www.openwall.com/lists/oss-security/2024/04/18/5 + NOTE: https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj CVE-2024-26921 [inet: inet_defrag: prevent sk release while still in use] - linux [bookworm] - linux 6.1.85-1 = data/dsa-needed.txt = @@ -26,6 +26,8 @@ emacs -- expat (carnil) -- +flatpak (jmm) +-- frr -- glibc View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32a8a8bdd1eb26d710b71642c344b54144093cbd -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32a8a8bdd1eb26d710b71642c344b54144093cbd You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
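Review bot: the CVE/list hunk adds CVE-2024-3246 with `- flatpak` and no fixed version, and the only references are the oss-security post and the GHSA advisory, with no upstream fix commit or release named; since the second hunk claims the package in dsa-needed.txt as `flatpak (jmm)`, the fixing sid version and a `NOTE:` pointing at the upstream fix should be added when the DSA is prepared, otherwise the entry stays open after the update ships.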
[Git][security-tracker-team/security-tracker][master] Patch prepared for bind9 and unclaim to allow someone else to complete it.
Ola Lundqvist pushed to branch master at Debian Security Tracker / security-tracker Commits: 17e946dc by Ola Lundqvist at 2024-04-18T20:48:30+02:00 Patch prepared for bind9 and unclaim to allow someone else to complete it. - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -39,12 +39,12 @@ atril NOTE: 20240319: package ready at: https://people.debian.org/~utkarsh/lts/atril/ NOTE: 20240319: needs testing as the backport was a bit sensitive. (utkarsh) -- -bind9 (Ola Lundqvist) +bind9 NOTE: 20240218: Added by Front-Desk (lamby) NOTE: 20240218: CVE-2023-4408 CVE-2023-50387 CVE-2023-50868 CVE-2023-5517 CVE-2023-5679 already fixed in bullseye. (lamby) - NOTE: 20240417: Patch created for CVE-2023-50387 and CVE-2023-50868 but it fail to build. - NOTE: 20240417: https://inguza.com/reportdoc/debian-lts/0041-CVE-2023-50387-CVE-2023-50868.patch - NOTE: 20240417: task.c needs to be reworked more for it to build. + NOTE: 20240418: Patch created for CVE-2023-50387 and CVE-2023-50868 and package builds fine. + NOTE: 20240418: https://salsa.debian.org/lts-team/packages/bind9/-/commit/135e46d2e43b6e499454385c2228338c6a72ba96 + NOTE: 20240418: All testing activities remains. -- dnsmasq (dleidert) NOTE: 20240303: Added by Front-Desk (apo) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17e946dc4b1984ff07ea5cc1ea70332391f5ce1c -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/17e946dc4b1984ff07ea5cc1ea70332391f5ce1c You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
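Review bot: the replaced NOTE lines drop the 20240417 remark that `task.c needs to be reworked more for it to build`, and the new 20240418 note only says the package builds fine; since the package is being unclaimed (`bind9 (Ola Lundqvist)` becomes `bind9`) for someone else to finish, a one-line note on what was changed in task.c relative to the earlier inguza.com patch would save the next person re-deriving it from the salsa commit. The last note (`All testing activities remains.`) should also say which tests are expected for CVE-2023-50387 and CVE-2023-50868, the two CVEs the patch covers.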
[Git][security-tracker-team/security-tracker][master] Remove notes from two Linux kernel CVEs which are rejected
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cc6edbbd by Salvatore Bonaccorso at 2024-04-18T17:18:40+02:00 Remove notes from two Linux kernel CVEs which are rejected - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -810,12 +810,8 @@ CVE-2024-26828 (In the Linux kernel, the following vulnerability has been resolv - linux 6.7.7-1 [bookworm] - linux 6.1.82-1 NOTE: https://git.kernel.org/linus/cffe487026be13eaf37ea28b783d9638ab147204 (6.8-rc5) -CVE-2024-26827 (In the Linux kernel, the following vulnerability has been resolved: i ...) - - linux 6.7.7-1 - [bookworm] - linux 6.1.82-1 - [bullseye] - linux (Vulnerable code not present) - [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/83ef106fa732aea8558253641cd98e8a895604d7 (6.8-rc5) +CVE-2024-26827 + REJECTED CVE-2024-26826 (In the Linux kernel, the following vulnerability has been resolved: m ...) - linux 6.7.7-1 [bookworm] - linux 6.1.82-1 
@@ -851,10 +847,8 @@ CVE-2024-26820 (In the Linux kernel, the following vulnerability has been resolv - linux 6.7.7-1 [bookworm] - linux 6.1.82-1 NOTE: https://git.kernel.org/linus/9cae43da9867412f8bd09aee5c8a8dc5e8dc3dc2 (6.8-rc4) -CVE-2024-26819 (In the Linux kernel, the following vulnerability has been resolved: d ...) - - linux 6.7.7-1 - [bookworm] - linux 6.1.82-1 - NOTE: https://git.kernel.org/linus/bd504bcfec41a503b32054da5472904b404341a4 (6.8-rc3) +CVE-2024-26819 + REJECTED CVE-2024-26818 (In the Linux kernel, the following vulnerability has been resolved: t ...) - linux 6.7.7-1 [bookworm] - linux (Vulnerable code not present) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc6edbbd5b1cb2db678934780d7fafde30c9f6f2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cc6edbbd5b1cb2db678934780d7fafde30c9f6f2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
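Review bot: both hunks replace full entries with a bare `REJECTED`, which is the tracker convention, but the removed lines carried the kernel fix commits (linus/83ef106fa732 for CVE-2024-26827 and linus/bd504bcfec41 for CVE-2024-26819) and the per-suite states (`Vulnerable code not present` for bullseye and buster on CVE-2024-26827); if the CNA later re-issues these fixes under new IDs, nothing in the tracker links the new entries back, so a `NOTE:` with the rejection reason or the original commit URL would be worth keeping under each REJECTED line.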
[Git][security-tracker-team/security-tracker][master] lts: take openjdk-11
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 98107aaa by Emilio Pozuelo Monfort at 2024-04-18T16:46:31+02:00 lts: take openjdk-11 - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -204,6 +204,9 @@ nvidia-graphics-drivers-legacy-390xx NOTE: 20240303: Added by Front-Desk (apo) NOTE: 20240303: See comment for nvidia-graphics-drivers. (apo/front-desk) -- +openjdk-11 (Emilio) + NOTE: 20240418: Added by pochu +-- org-mode (Sean Whitton) NOTE: 20240405: Added by Front-Desk (lamby) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98107aaaea779a8a1f67ed0581373771c4c2649d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/98107aaaea779a8a1f67ed0581373771c4c2649d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
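Review bot: the new dla-needed.txt entry `openjdk-11 (Emilio)` carries only `Added by pochu` and no reference to the CVEs or upstream release the buster update is meant to pick up, whereas the neighbouring nvidia entry records what triggered it (`Added by Front-Desk (apo)` plus a pointer to the nvidia-graphics-drivers comment); listing the CVE IDs, as the bind9 entry elsewhere in this file does, would let someone else continue if the claim is dropped.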
[Git][security-tracker-team/security-tracker][master] libapache2-mod-auth-openidc fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: c3b9f671 by Moritz Muehlenhoff at 2024-04-18T16:45:21+02:00 libapache2-mod-auth-openidc fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -19054,7 +19054,7 @@ CVE-2024-24920 (A vulnerability has been identified in Simcenter Femap (All vers NOT-FOR-US: Siemens CVE-2024-24814 (mod_auth_openidc is an OpenID Certified\u2122 authentication and autho ...) {DLA-3751-1} - - libapache2-mod-auth-openidc (bug #1064183) + - libapache2-mod-auth-openidc 2.4.15.7-1 (bug #1064183) NOTE: https://github.com/OpenIDC/mod_auth_openidc/security/advisories/GHSA-hxr6-w4gc-7vvv NOTE: https://github.com/OpenIDC/mod_auth_openidc/commit/4022c12f314bd89d127d1be008b1a80a08e1203d (v2.4.15.2) CVE-2024-24782 (An unauthenticated attacker can send a ping request from one network t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3b9f671ac7631f8573de411f4cdef7636651f6b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3b9f671ac7631f8573de411f4cdef7636651f6b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
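Review bot: the sid fixed version 2.4.15.7-1 is consistent with the NOTE that upstream fixed CVE-2024-24814 in v2.4.15.2, but the entry still has no `[bookworm]` or `[bullseye]` line, so both suites remain listed as vulnerable (the `{DLA-3751-1}` marker only covers the LTS suite); either a `Minor issue` annotation or a point-update plan needs to follow in a separate commit.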
[Git][security-tracker-team/security-tracker][master] new pytorch issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: af55eea0 by Moritz Muehlenhoff at 2024-04-18T16:44:35+02:00 new pytorch issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -229,7 +229,8 @@ CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by- NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0) NOTE: Introduced by https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1) CVE-2024-31583 (Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...) - TODO: check + - pytorch + NOTE: https://github.com/pytorch/pytorch/commit/9c7071b0e324f9fb68ab881283d6b8d388a4bcd2 CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer overflow v ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg 
@@ -243,7 +244,8 @@ CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper valida [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) - TODO: check + - pytorch + NOTE: https://github.com/pytorch/pytorch/commit/b5c3a17c2c207ebefcb85043f0cf94be9b2fef81 CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after-free ...) [experimental] - ffmpeg 7:7.0-1 - ffmpeg View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af55eea0987f8adcaa93fb57751916b0a3365535 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/af55eea0987f8adcaa93fb57751916b0a3365535 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
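Review bot: both hunks replace `TODO: check` with `- pytorch` and an upstream commit URL, but unlike the ffmpeg NOTEs in the same context (which append the release, e.g. `(n7.0)`), the pytorch commits carry no release tag, and neither entry records a sid fixed version or any `[bookworm]`/`[bullseye]` state; the descriptions say versions before v2.2.0 are affected, so recording the tag each commit landed in and the Debian version that contains it would complete the triage.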
[Git][security-tracker-team/security-tracker][master] Add one CVE assigned by Linux kernel CNA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2f577ef1 by Salvatore Bonaccorso at 2024-04-18T14:11:48+02:00 Add one CVE assigned by Linux kernel CNA - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-26921 [inet: inet_defrag: prevent sk release while still in use] + - linux + [bookworm] - linux 6.1.85-1 + NOTE: https://git.kernel.org/linus/18685451fc4e546fc0e718580d32df3c0e5c8272 (6.9-rc2) CVE-2024-3177 - kubernetes 1.20.5+really1.20.2-1 NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f577ef18455f4bf0fe6d797cbe941af912952d8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2f577ef18455f4bf0fe6d797cbe941af912952d8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
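Review bot: CVE-2024-26921 is recorded as fixed in bookworm (`linux 6.1.85-1`) but sid is left as `- linux` with no version even though the NOTE says the fix is in 6.9-rc2, and there is no `[bullseye]` line at all, so bullseye and sid both show as open; the sid line should get the first Debian version carrying the fix once one is uploaded, and bullseye needs either a fixed version or a `Vulnerable code not present`-style annotation as used in the other kernel entries on this page.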
[Git][security-tracker-team/security-tracker][master] new ffmpeg issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0cc056ba by Moritz Muehlenhoff at 2024-04-18T13:51:59+02:00 new ffmpeg issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -217,17 +217,35 @@ CVE-2024-32161 (jizhiCMS 2.5 suffers from a File upload vulnerability.) CVE-2024-32130 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2024-31585 (FFmpeg version n5.1 to n6.1 was discovered to contain an Off-by-one Er ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Vulnerable code not present) + [buster] - ffmpeg (Vulnerable code not present) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ab0fdaedd1e7224f7e84ea22fcbfaa4ca75a6c06 (n7.0) + NOTE: Introduced by https://github.com/FFmpeg/FFmpeg/commit/81df787b53eb5c6433731f6eaaf7f2a94d8a8c80 (n5.1) CVE-2024-31583 (Pytorch before version v2.2.0 was discovered to contain a use-after-fr ...) TODO: check CVE-2024-31582 (FFmpeg version n6.1 was discovered to contain a heap buffer overflow v ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/99debe5f823f45a482e1dc08de35879aa9c74bd2 (n7.0) CVE-2024-31581 (FFmpeg version n6.1 was discovered to contain an improper validation o ...) - TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/ce0c178a408d43e71085c28a47d50dc939b60196 CVE-2024-31580 (PyTorch before v2.2.0 was discovered to contain a heap buffer overflow ...) TODO: check CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after-free ...) 
- TODO: check + [experimental] - ffmpeg 7:7.0-1 + - ffmpeg + [bookworm] - ffmpeg (Pick up when fixed in 5.1.x) + [bullseye] - ffmpeg (Pick up when fixed in 4.3.x) + NOTE: Fixed by https://github.com/ffmpeg/ffmpeg/commit/3bb00c0a420c3ce83c6fafee30270d69622ccad7 CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...) TODO: check CVE-2024-31041 (Null Pointer Dereference vulnerability in topic_filtern function in mq ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc056baf3e1754446afa5144ad328417e850041 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0cc056baf3e1754446afa5144ad328417e850041 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
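Review bot: of the four ffmpeg entries, only CVE-2024-31585 gets a `[buster]` line (`Vulnerable code not present`, justified by the `Introduced by ... (n5.1)` note), while CVE-2024-31582, CVE-2024-31581 and CVE-2024-31578 are annotated for bookworm and bullseye only; buster is still receiving DLAs per the DLA/list hunks in this feed, so its state for those three should be recorded too. The fix NOTE for CVE-2024-31581 also lacks the release tag that the other three carry (`(n7.0)`).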
[Git][security-tracker-team/security-tracker][master] additional unclear xpdf issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 92b648f5 by Moritz Muehlenhoff at 2024-04-18T13:10:39+02:00 additional unclear xpdf issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,7 +81,8 @@ CVE-2024-3906 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has be CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has been cl ...) NOT-FOR-US: Tenda CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long ...) - TODO: check + - poppler + NOTE: Might possibly affect poppler, pdf in Debian uses it CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...) NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92b648f51af971e8b75b3ae1a7a42fd2ab4ee4c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92b648f51af971e8b75b3ae1a7a42fd2ab4ee4c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
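Review bot: the hunk assigns CVE-2024-3900 to `- poppler` on the strength of the note `Might possibly affect poppler`, which makes poppler show as vulnerable in every suite although the commit message itself calls the issue unclear; the tracker's `<undetermined>` pseudo-version exists for exactly this case and would keep the entry visible for follow-up without flagging the package as affected until the out-of-bounds write described for Xpdf has been checked against the poppler code.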
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: da7f04e4 by Moritz Muehlenhoff at 2024-04-18T12:51:06+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -1521,6 +1521,8 @@ CVE-2024-1183 (An SSRF (Server-Side Request Forgery) vulnerability exists in the NOT-FOR-US: Gradio CVE-2024-1135 (Gunicorn fails to properly validate Transfer-Encoding headers, leading ...) - gunicorn (bug #1069126) + [bookworm] - gunicorn (Minor issue) + [bullseye] - gunicorn (Minor issue) NOTE: https://huntr.com/bounties/22158e34-cfd5-41ad-97e0-a780773d96c1 NOTE: https://github.com/benoitc/gunicorn/commit/ac29c9b0a758d21f1e0fb3b3457239e523fa9f1d CVE-2024-0549 (mintplex-labs/anything-llm is vulnerable to a relative path traversal ...) @@ -10440,8 +10442,10 @@ CVE-2024-20745 (Premiere Pro versions 24.1, 23.6.2 and earlier are affected by a NOT-FOR-US: Adobe CVE-2024-1753 (A flaw was found in Buildah (and subsequently Podman Build) which allo ...) - golang-github-containers-buildah 1.33.7+ds1-1 (bug #1067800) + [bookworm] - golang-github-containers-buildah (Minor issue) + [bullseye] - golang-github-containers-buildah (Minor issue) NOTE: https://github.com/containers/buildah/security/advisories/GHSA-pmf3-c36m-g5cf - TODO: check, at least podman will need a rebuild with a fixed buildah + NOTE: at least podman will need a rebuild with a fixed buildah CVE-2024-1658 (The Grid Shortcodes WordPress plugin before 1.1.1 does not validate an ...) NOT-FOR-US: WordPress plugin CVE-2024-1606 (Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.2 ...) = data/dsa-needed.txt = @@ -28,6 +28,8 @@ expat (carnil) -- frr -- +glibc +-- gpac/oldstable -- guix (jmm) 
@@ -35,6 +37,8 @@ guix (jmm) -- h2o (jmm) -- +less +-- libreswan (jmm) Maintainer prepared bookworm-security update, but needs work on bullseye-security backports -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da7f04e4e2160a8f5b96c8c0610a2ff264c539da -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da7f04e4e2160a8f5b96c8c0610a2ff264c539da You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
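Review bot: in the buildah hunk the line `TODO: check, at least podman will need a rebuild with a fixed buildah` becomes a plain `NOTE:`, which removes it from the TODO queue while the podman rebuild is still an open action for the bookworm and bullseye updates now tagged `Minor issue`; keeping the rebuild as a TODO, or recording it against podman's own entry, avoids it being forgotten when the point update is done. In the dsa-needed.txt hunks `glibc` and `less` are added unclaimed and without a note on which CVEs they cover, so whoever claims them has to work that out from CVE/list.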
[Git][security-tracker-team/security-tracker][master] Process two NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 650b9c8f by Salvatore Bonaccorso at 2024-04-18T12:31:18+02:00 Process two NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -230,9 +230,9 @@ CVE-2024-31578 (FFmpeg version n6.1.1 was discovered to contain a heap use-after CVE-2024-31463 (Ironic-image is an OpenStack Ironic deployment packaged and configured ...) TODO: check CVE-2024-31041 (Null Pointer Dereference vulnerability in topic_filtern function in mq ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2024-31040 (Buffer Overflow vulnerability in the get_var_integer function in mqtt_ ...) - TODO: check + NOT-FOR-US: NanoMQ CVE-2024-31031 (An issue in `coap_pdu.c` in libcoap 4.3.4 allows attackers to cause un ...) TODO: check CVE-2024-30990 (SQL Injection vulnerability in the "Invoices" page in phpgurukul Clien ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/650b9c8ff693ad4e62ad53672d20dd60ab063f5b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/650b9c8ff693ad4e62ad53672d20dd60ab063f5b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
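Review bot: both NanoMQ entries are tagged consistently (`NOT-FOR-US: NanoMQ`), while the adjacent CVE-2024-31031 for libcoap 4.3.4 in the unchanged context stays at `TODO: check`; unlike NanoMQ, libcoap is packaged in Debian, so it deserves a real triage line (source package plus fixed version or suite annotation) in the same pass.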
[Git][security-tracker-team/security-tracker][master] Add initial tracking for new ofono issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fc31fd6 by Salvatore Bonaccorso at 2024-04-18T12:30:08+02:00 Add initial tracking for new ofono issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -53,13 +53,17 @@ CVE-2024-1426 (The Element Pack Elementor Addons (Header Footer, Free Template L CVE-2023-4509 (It is possible for an API key to be logged in clear text in the audit ...) NOT-FOR-US: Octopus Deploy CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - TODO: check + - ofono + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255402 CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - TODO: check + - ofono + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255399 CVE-2023-4233 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - TODO: check + - ofono + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255396 CVE-2023-4232 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) - TODO: check + - ofono + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2255394 CVE-2024-3914 (Use after free in V8 in Google Chrome prior to 124.0.6367.60 allowed a ...) - chromium [bullseye] - chromium (see #1061268) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc31fd6767386f9817bdb0f9919c91375308121 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc31fd6767386f9817bdb0f9919c91375308121 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
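Review bot: all four ofono entries set `- ofono` with no fixed version and only a Red Hat bugzilla NOTE each, and none carries a `[bookworm]`/`[bullseye]`/`[buster]` line, so every suite now shows as open for four stack-related flaws; the commit message calls this initial tracking, but the missing pieces (the upstream fix commits with the ofono release they landed in, and a Debian fixed version) should be added as NOTE lines in the style of the kernel and ffmpeg entries on this page rather than left implicit.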
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3789-1 for libdatetime-timezone-perl
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 86677589 by Emilio Pozuelo Monfort at 2024-04-18T12:28:48+02:00 Reserve DLA-3789-1 for libdatetime-timezone-perl - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Apr 2024] DLA-3789-1 libdatetime-timezone-perl - security update + [buster] - libdatetime-timezone-perl 1:2.23-1+2024a [18 Apr 2024] DLA-3788-1 tzdata - new timezone database [buster] - tzdata 2024a-0+deb10u1 [15 Apr 2024] DLA-3787-1 xorg-server - security update = data/dla-needed.txt = @@ -121,10 +121,6 @@ knot-resolver (Markus Koschany) NOTE: 20240310: Dropped from dla-needed.txt (ola/front-desk) NOTE: 20240311: Reverted decision to remove from dla-needed since four CVEs has been fixed in bullseye. (ola) -- -libdatetime-timezone-perl (Emilio) - NOTE: 20240327: Added by pochu - NOTE: 20240417: Blocked by tzdata update (Emilio) --- libpgjava (Markus Koschany) NOTE: 20240308: Added by Front-Desk (opal) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86677589113dd97fbf0559e7e0173ee9efa087ce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86677589113dd97fbf0559e7e0173ee9efa087ce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
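Review bot: the new DLA/list entry titles libdatetime-timezone-perl as `security update` while the adjacent DLA-3788-1 tzdata entry in the same hunk context is titled `new timezone database`, and neither carries a `{CVE-...}` line (compare DLA-3787-1 xorg-server); since libdatetime-timezone-perl 1:2.23-1+2024a is the same 2024a timezone-data refresh, the two DLA titles should use the same wording. The dla-needed.txt hunk removes the 20240417 `Blocked by tzdata update` note, which is consistent with tzdata having been released as DLA-3788-1 first.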
[Git][security-tracker-team/security-tracker][master] Reserve DLA-3788-1 for tzdata
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: f0451d4c by Emilio Pozuelo Monfort at 2024-04-18T12:25:06+02:00 Reserve DLA-3788-1 for tzdata - - - - - 2 changed files: - data/DLA/list - data/dla-needed.txt Changes: = data/DLA/list = @@ -1,3 +1,5 @@ +[18 Apr 2024] DLA-3788-1 tzdata - new timezone database + [buster] - tzdata 2024a-0+deb10u1 [15 Apr 2024] DLA-3787-1 xorg-server - security update {CVE-2024-31080 CVE-2024-31081 CVE-2024-31083} [buster] - xorg-server 2:1.20.4-1+deb10u14 = data/dla-needed.txt = @@ -298,10 +298,6 @@ tinymce NOTE: 20231216: upstream's patch is backportable, as the code has changed a NOTE: 20231216: lot. (spwhitton) -- -tzdata (Emilio) - NOTE: 20240327: Added by pochu - NOTE: 20240417: updating to latest upstream instead of cherry-picking (Emilio) --- varnish NOTE: 20231117: Added by Front-Desk (apo) NOTE: 20231204: Working on pre commits for CVE-2023-44487, https://github.com/varnishcache/varnish-cache/pull/4004 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0451d4c01050da25abbebb401d583bc7d2f9a0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f0451d4c01050da25abbebb401d583bc7d2f9a0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
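Review bot: the DLA/list entry for tzdata has no `{CVE-...}` line, which is correct for a timezone-database refresh with no CVE, but the rationale in the removed dla-needed.txt note (`updating to latest upstream instead of cherry-picking`) survives only in git history after this commit; the version `2024a-0+deb10u1` does encode that a full upstream update was taken, and that is worth stating in the advisory itself so buster users know the whole 2024a dataset landed.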
[Git][security-tracker-team/security-tracker][master] ansible-core fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 2007fd23 by Moritz Muehlenhoff at 2024-04-18T12:21:00+02:00 ansible-core fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23996,7 +23996,7 @@ CVE-2023-35020 (IBM Sterling Control Center 6.3.0 could allow a remote attacker CVE-2023-32337 (IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side ...) NOT-FOR-US: IBM CVE-2024-0690 (An information disclosure flaw was found in ansible-core due to a fail ...) - - ansible-core (bug #1061156) + - ansible-core 2.16.5-1 (bug #1061156) [bookworm] - ansible-core (Minor issue) - ansible 5.4.0-1 [bullseye] - ansible (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2007fd230d3f647898ae2cd69e015341aa017818 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2007fd230d3f647898ae2cd69e015341aa017818 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
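Review bot: the hunk records ansible-core as fixed in sid at 2.16.5-1, but no NOTE line within the shown context names the upstream fix commit or release that 2.16.5-1 picks up, so the basis for that version is not traceable from the entry; `[bookworm] - ansible-core (Minor issue)` and `[bullseye] - ansible (Minor issue)` remain, so the information-disclosure fix is still pending there and a point-update reference belongs alongside once one is planned.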
[Git][security-tracker-team/security-tracker][master] fastdds fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1ac3e867 by Moritz Muehlenhoff at 2024-04-18T12:19:37+02:00 fastdds fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9509,7 +9509,7 @@ CVE-2024-28286 (In mz-automation libiec61850 v1.4.0, a NULL Pointer Dereference NOT-FOR-US: libIEC61850 CVE-2024-28231 (eprosima Fast DDS is a C++ implementation of the Data Distribution Ser ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1067393) + - fastdds 2.14.0+ds-2 (bug #1067393) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-9m2j-qw67-ph4w NOTE: https://github.com/eProsima/Fast-DDS/commit/355706386f4af9ce74125eeec3c449b06113112b (v2.14.0) CVE-2024-28179 (Jupyter Server Proxy allows users to run arbitrary external processes ...) @@ -10173,7 +10173,7 @@ CVE-2024-28237 (OctoPrint provides a web interface for controlling consumer 3D p NOT-FOR-US: OctoPrint CVE-2024-26369 (An issue in the HistoryQosPolicy component of FastDDS v2.12.x, v2.11.x ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1067180) + - fastdds 2.14.0+ds-2 (bug #1067180) NOTE: https://github.com/eProsima/Fast-DDS/issues/4365 NOTE: https://github.com/eProsima/Fast-DDS/pull/4375 CVE-2024-25942 (Dell PowerEdge Server BIOS contains an Improper SMM communication buff ...) @@ -13065,7 +13065,7 @@ CVE-2024-1142 (Path Traversal in Sonatype IQ Server from version 143 allows remo NOT-FOR-US: Sonatype CVE-2023-50716 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1066119) + - fastdds 2.14.0+ds-2 (bug #1066119) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-5m2f-hvj2-cx2h CVE-2023-50167 (Pega Platform from 7.1.7 to 23.1.1 is affected by an XSS issue with ed ...) NOT-FOR-US: Pega Platform 
@@ -18054,7 +18054,7 @@ CVE-2024-1343 (A weak permission was found in the backup directory in LaborOffic NOT-FOR-US: LaborOfficeFree CVE-2023-50257 (eProsima Fast DDS (formerly Fast RTPS) is a C++ implementation of the ...) [experimental] - fastdds 2.14.0+ds-1 - - fastdds (bug #1064515) + - fastdds 2.14.0+ds-2 (bug #1064515) [bookworm] - fastdds (Minor issue) [bullseye] - fastdds (Minor issue) NOTE: https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-v5r6-8mvh-cp98 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ac3e867d79cd59e5e8997b92273e4abd3db3a5e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1ac3e867d79cd59e5e8997b92273e4abd3db3a5e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
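Review bot: all four hunks bump fastdds from unfixed to `2.14.0+ds-2` in sid while keeping the `[experimental] - fastdds 2.14.0+ds-1` line above it; with sid now fixed at a higher version, the experimental annotation is redundant and can be dropped. CVE-2023-50257 carries `Minor issue` for bookworm and bullseye, but CVE-2024-28231, CVE-2024-26369 and CVE-2023-50716 have no suite lines at all, so the triage state of the three differs from the fourth without any note saying why.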
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a876ec28 by Moritz Muehlenhoff at 2024-04-18T11:33:26+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3,55 +3,55 @@ CVE-2024-3177 NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2024-3932 (A vulnerability classified as problematic has been found in Totara LMS ...) - TODO: check + NOT-FOR-US: Totara LMS CVE-2024-3931 (A vulnerability was found in Totara LMS 18.0.1 Build 20231128.01. It h ...) - TODO: check + NOT-FOR-US: Totara LMS CVE-2024-3928 (A vulnerability was found in Dromara open-capacity-platform 2.0.1. It ...) - TODO: check + NOT-FOR-US: Dromara open-capacity-platform CVE-2024-32746 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32745 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32744 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32743 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32472 (excalidraw is an open source virtual hand-drawn style whiteboard. A st ...) - TODO: check + NOT-FOR-US: excalidraw CVE-2024-32345 (A cross-site scripting (XSS) vulnerability in the Settings menu of CMS ...) - TODO: check + NOT-FOR-US: CMSimple CVE-2024-32344 (A cross-site scripting (XSS) vulnerability in the Settings menu of CMS ...) - TODO: check + NOT-FOR-US: CMSimple CVE-2024-32343 (A cross-site scripting (XSS) vulnerability in the Create Page of Boid ...) - TODO: check + NOT-FOR-US: Boid CMS CVE-2024-32342 (A cross-site scripting (XSS) vulnerability in the Create Page of Boid ...) - TODO: check + NOT-FOR-US: Boid CMS CVE-2024-32341 (Multiple cross-site scripting (XSS) vulnerabilities in the Home page o ...) 
- TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32340 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32339 (Multiple cross-site scripting (XSS) vulnerabilities in the HOW TO page ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32338 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-32337 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) - TODO: check + NOT-FOR-US: WonderCMS CVE-2024-31869 (Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows ...) - TODO: check + - airflow (bug #819700) CVE-2024-2729 (The Otter Blocks WordPress plugin before 2.6.6 does not properly esca ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29956 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-29955 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allo ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-29952 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allo ...) - TODO: check + NOT-FOR-US: Brocade CVE-2024-1429 (The Element Pack Elementor Addons (Header Footer, Free Template Librar ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1426 (The Element Pack Elementor Addons (Header Footer, Free Template Librar ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-4509 (It is possible for an API key to be logged in clear text in the audit ...) - TODO: check + NOT-FOR-US: Octopus Deploy CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) TODO: check CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) 
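Review bot: the CVE-2024-31869 resolution is the only non-NFU change in this hunk and it records `- airflow (bug #819700)` with neither a fixed version nor an `<itp>` marker; if airflow is not in the archive and #819700 is its ITP, the tracker convention is `- airflow <itp> (bug #819700)`, and if it is packaged, a NOTE: with the upstream fix and the affected range the description gives (2.7.0 through 2.8.4) would let the entry be verified. The two ofono entries at the tail of the hunk (CVE-2023-4235, CVE-2023-4234) are left at `TODO: check`; unlike the surrounding NFUs those name a Debian source package, so they need a `- ofono` line rather than staying in the triage queue.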
@@ -79,7 +79,7 @@ CVE-2024-3905 (A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has be CVE-2024-3900 (Out-of-bounds array write in Xpdf 4.05 and earlier, triggered by long ...) TODO: check CVE-2024-3825 (Versions of the BlazeMeter Jenkins plugin prior to 4.22 contain a flaw ...) - TODO: check + NOT-FOR-US: Jenkins plugin CVE-2024-3817 (HashiCorp\u2019s go-getter library is vulnerable to argument injection ...) - golang-github-hashicorp-go-getter NOTE:
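Review bot: CVE-2024-3900 (out-of-bounds array write in Xpdf 4.05 and earlier) stays at `TODO: check` in the context of this hunk while the neighbouring BlazeMeter entry is resolved; xpdf is a Debian source package, so that entry should get a `- xpdf` line with a fixed or unfixed version rather than remain untriaged next to the NFUs.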
[Git][security-tracker-team/security-tracker][master] ansible fixed in sid
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 87c93034 by Moritz Muehlenhoff at 2024-04-18T11:05:12+02:00 ansible fixed in sid - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -46045,7 +46045,7 @@ CVE-2023-38255 (A potential attacker with or without (cookie theft) access to th CVE-2023-37611 (Cross Site Scripting (XSS) vulnerability in Neos CMS 8.3.3 allows a re ...) NOT-FOR-US: Neos CMS CVE-2023-4237 (A flaw was found in the Ansible Automation Platform. When creating a n ...) - - ansible (bug #1055300) + - ansible 9.4.0+dfsg-1 (bug #1055300) [bookworm] - ansible (Minor issue) [bullseye] - ansible (Minor issue) [buster] - ansible (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/87c930349e0764906cfaca20b4f38076a63e84a0
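Review bot: the fixed version 9.4.0+dfsg-1 for CVE-2023-4237 is recorded without a NOTE: line pointing at the upstream fix, so nothing in the entry lets a reader confirm that this upload actually contains it. The description names the Ansible Automation Platform rather than the community ansible package, so a NOTE: naming the affected component (or the upstream commit) that 9.4.0+dfsg-1 picks up would also make the bookworm, bullseye and buster `Minor issue` lines easier to revisit.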
[Git][security-tracker-team/security-tracker][master] new k8s issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 54d66d6f by Moritz Muehlenhoff at 2024-04-18T10:22:30+02:00 new k8s issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-3177 + - kubernetes 1.20.5+really1.20.2-1 + NOTE: Server components no longer built since 1.20.5+really1.20.2-1, marking that as fixed version + NOTE: The source package itself it still vulnerable, but custom rebuilds are not really a usecase here CVE-2024-3932 (A vulnerability classified as problematic has been found in Totara LMS ...) TODO: check CVE-2024-3931 (A vulnerability was found in Totara LMS 18.0.1 Build 20231128.01. It h ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d66d6f173401115c7f00844a101c9c642e6258
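Review bot: the second NOTE: reads `The source package itself it still vulnerable`, which should be `is still vulnerable`; beyond the typo, using 1.20.5+really1.20.2-1 as the fixed version because the server components are no longer built makes the entry show as resolved in every suite carrying that version, so the NOTE: should say explicitly that the flaw is confined to the server components (the tomcat9 entries on this page use the same pattern with `no longer ships the server stack`) so a later reader does not take the client binaries to have been patched. The entry also carries no `(description ...)` text yet; the next automatic update should fill that in.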
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3fd6e59a by security tracker role at 2024-04-18T08:11:47+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,61 @@ +CVE-2024-3932 (A vulnerability classified as problematic has been found in Totara LMS ...) + TODO: check +CVE-2024-3931 (A vulnerability was found in Totara LMS 18.0.1 Build 20231128.01. It h ...) + TODO: check +CVE-2024-3928 (A vulnerability was found in Dromara open-capacity-platform 2.0.1. It ...) + TODO: check +CVE-2024-32746 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-32745 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-32744 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-32743 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-32472 (excalidraw is an open source virtual hand-drawn style whiteboard. A st ...) + TODO: check +CVE-2024-32345 (A cross-site scripting (XSS) vulnerability in the Settings menu of CMS ...) + TODO: check +CVE-2024-32344 (A cross-site scripting (XSS) vulnerability in the Settings menu of CMS ...) + TODO: check +CVE-2024-32343 (A cross-site scripting (XSS) vulnerability in the Create Page of Boid ...) + TODO: check +CVE-2024-32342 (A cross-site scripting (XSS) vulnerability in the Create Page of Boid ...) + TODO: check +CVE-2024-32341 (Multiple cross-site scripting (XSS) vulnerabilities in the Home page o ...) + TODO: check +CVE-2024-32340 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-32339 (Multiple cross-site scripting (XSS) vulnerabilities in the HOW TO page ...) + TODO: check +CVE-2024-32338 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-32337 (A cross-site scripting (XSS) vulnerability in the Settings section of ...) + TODO: check +CVE-2024-31869 (Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows ...) 
+ TODO: check +CVE-2024-2729 (The Otter Blocks WordPress plugin before 2.6.6 does not properly esca ...) + TODO: check +CVE-2024-29956 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a prints the ...) + TODO: check +CVE-2024-29955 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allo ...) + TODO: check +CVE-2024-29952 (A vulnerability in Brocade SANnav before v2.3.1 and v2.3.0a could allo ...) + TODO: check +CVE-2024-1429 (The Element Pack Elementor Addons (Header Footer, Free Template Librar ...) + TODO: check +CVE-2024-1426 (The Element Pack Elementor Addons (Header Footer, Free Template Librar ...) + TODO: check +CVE-2023-4509 (It is possible for an API key to be logged in clear text in the audit ...) + TODO: check +CVE-2023-4235 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) + TODO: check +CVE-2023-4234 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) + TODO: check +CVE-2023-4233 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) + TODO: check +CVE-2023-4232 (A flaw was found in ofono, an Open Source Telephony on Linux. A stack ...) + TODO: check CVE-2024-3914 (Use after free in V8 in Google Chrome prior to 124.0.6367.60 allowed a ...) - chromium [bullseye] - chromium (see #1061268) @@ -11452,7 +11510,7 @@ CVE-2024-24693 (Improper access control in the installer for Zoom Rooms Client f CVE-2024-24692 (Race condition in the installer for Zoom Rooms Client for Windows befo ...) NOT-FOR-US: Zoom CVE-2024-24549 (Denial of Service due to improper input validation vulnerability for H ...) - {DLA-3779-1} + {DSA-5665-1 DLA-3779-1} - tomcat10 10.1.20-1 (bug #1066878) - tomcat9 9.0.70-2 NOTE: https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg 
@@ -11460,7 +11518,7 @@ CVE-2024-24549 (Denial of Service due to improper input validation vulnerability NOTE: https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0 (9.0.86) NOTE: Starting with 9.0.70-2 Tomcat9 no longer ships the server stack, using that as the fixed version CVE-2024-23672 (Denial of Service via incomplete cleanup vulnerability in Apache Tomca ...) - {DLA-3779-1} + {DSA-5665-1 DLA-3779-1} - tomcat10 10.1.20-1 (bug #1066877) - tomcat9 9.0.70-2 NOTE: https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f @@ -16334,7 +16392,7 @@ CVE-2024-23496 (A
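Review bot: in the first hunk (`@@ -1,3 +1,61 @@`), among the 29 entries added at `TODO: check`, four are ofono (CVE-2023-4232 through CVE-2023-4235, stack overflows per the descriptions) and one is Airflow (CVE-2024-31869); ofono is a Debian source package, so those should be triaged with a `- ofono` line and a check of whether bookworm and bullseye carry the affected code, ahead of the WordPress, Brocade and CMS items that will end as NOT-FOR-US.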
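Review bot: the `{DSA-5665-1 DLA-3779-1}` tags added in the two tomcat hunks for CVE-2024-24549 and CVE-2024-23672 must agree with what data/DSA/list records for DSA-5665-1; the CVE entries themselves list only `tomcat10 10.1.20-1` for unstable and no [bookworm] line, so the bookworm fixed version is visible solely through the DSA file and should be cross-checked there.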
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: de741f76 by Salvatore Bonaccorso at 2024-04-18T08:30:39+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -220,9 +220,9 @@ CVE-2024-21989 (ONTAP Select Deploy administration utility versions 9.12.1.x, 9 CVE-2024-1350 (Missing Authorization vulnerability in Prasidhda Malla Honeypot for WP ...) TODO: check CVE-2024-1249 (A flaw was found in Keycloak's OIDC component in the "checkLoginIframe ...) - TODO: check + NOT-FOR-US: Keycloak CVE-2024-1132 (A flaw was found in Keycloak, where it does not properly validate URLs ...) - TODO: check + NOT-FOR-US: Keycloak CVE-2024-0257 (RoboDK v5.5.4 is vulnerable to heap-based buffer overflow while proc ...) TODO: check CVE-2023-6805 (The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News & ...) 
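Review bot: the context around the two Keycloak lines leaves CVE-2024-1350 (Honeypot for WP plugin) and CVE-2024-0257 (RoboDK) at `TODO: check`, although the same treatment applies to both; `NOT-FOR-US: WordPress plugin` is the form used elsewhere on this page for the former, and RoboDK is not a Debian package either, so both can be resolved in the same pass.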
@@ -82366,8 +82366,13 @@ CVE-2023-25020 (Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Kibok NOT-FOR-US: WordPress plugin CVE-2023-25019 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Premio C ...) NOT-FOR-US: WordPress plugin +CVE-2023-6717 + NOT-FOR-US: Keycloak +CVE-2023-6544 + NOT-FOR-US: Keycloak CVE-2023-0657 RESERVED + NOT-FOR-US: Keycloak CVE-2023-0656 (A Stack-based buffer overflow vulnerability in the SonicOS allows a re ...) NOT-FOR-US: SonicOS CVE-2023-0655 (SonicWall Email Security contains a vulnerability that could permit a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/de741f764659165c2376dce4e9d11025e9faf7c6
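Review bot: CVE-2023-6717 and CVE-2023-6544 are added with neither a description nor a NOTE: reference, and CVE-2023-0657 keeps its RESERVED marker with only the NFU line below it, so nothing in these three entries records why they are attributed to Keycloak; a NOTE: with the upstream advisory link for each would let the NFU classification be verified once the CVE text is published.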