[Git][security-tracker-team/security-tracker][master] Add new gitlab issues

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
7e04de21 by Salvatore Bonaccorso at 2024-05-23T08:39:25+02:00
Add new gitlab issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,18 @@
+CVE-2024-1947
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2023-6502
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2023-7045
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2024-2874
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
+CVE-2024-4835
+   - gitlab 
+   NOTE: 
https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/
 CVE-2024-5196 (A vulnerability classified as critical has been found in Arris 
VAP2500 ...)
NOT-FOR-US: Arris VAP2500
 CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been 
rated as ...)
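Review bot: the five new gitlab entries record no fixed version after `- gitlab` and no description in parentheses (compare the CVE-2024-5196 context line), and the only NOTE on each is the same patch-release announcement repeated five times; add the upstream version that announcement names as fixed (17.0.1, per the URL) to the NOTE, so the Debian package version can be checked against it when these are triaged.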



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e04de211693b610f329e2b47e1a9a5eddba1706

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e04de211693b610f329e2b47e1a9a5eddba1706
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b19b64ea by Moritz Muehlenhoff at 2024-05-22T23:26:56+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -7625,6 +7625,8 @@ CVE-2024-33120 (Roothub v2.5 was discovered to contain an 
arbitrary file upload
NOT-FOR-US: Roothub
 CVE-2024-32867 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.5-1
+   [bookworm] - suricata  (Minor issue)
+   [bullseye] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-xvrx-88mv-xcq5
NOTE: 
https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66
 (suricata-7.0.5)
NOTE: 
https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9
 (suricata-7.0.5)
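Review bot: the new [bullseye] (Minor issue) tag for CVE-2024-32867 is backed only by suricata-7.0.5 fix commits in the NOTE lines, while CVE-2024-32664 and CVE-2024-32663 in the next hunk also cite suricata-6.0.19 commits; check whether a 6.0.x fix exists for this issue and reference it, since that is what a later bullseye update would need.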
@@ -7637,11 +7639,15 @@ CVE-2024-32867 (Suricata is a network Intrusion 
Detection System, Intrusion Prev
NOTE: https://redmine.openinfosecfoundation.org/issues/6677
 CVE-2024-32664 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.5-1
+   [bookworm] - suricata  (Minor issue)
+   [bullseye] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-79vh-hpwq-3jh7
NOTE: 
https://github.com/OISF/suricata/commit/311002baf288a225f62cf18a90c5fdd294447379
 (suricata-7.0.5)
NOTE: 
https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4
 (suricata-6.0.19)
 CVE-2024-32663 (Suricata is a network Intrusion Detection System, Intrusion 
Prevention ...)
- suricata 1:7.0.5-1
+   [bookworm] - suricata  (Minor issue)
+   [bullseye] - suricata  (Minor issue)
NOTE: 
https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r
NOTE: 
https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64
 (suricata-6.0.19)
NOTE: 
https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019
 (suricata-6.0.19)
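Review bot: both (Minor issue) tags added here give no rationale, although the NOTE lines already point at upstream fix commits in suricata-6.0.19 and suricata-7.0.5; a short reason inside the parentheses, as the libmodbus buster tag later in this digest does with `(Minor issue; out-of-bounds read, DoS)`, would tell whoever revisits these for a point update why they were deferred.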
@@ -60244,6 +60250,7 @@ CVE-2023-40930 (An issue in the directory 
/system/bin/blkid of Skyworth v3.0 all
 CVE-2023-40619 (phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization 
of untr ...)
{DLA-3644-1}
- phppgadmin 7.14.7+dfsg-1 (bug #1053004)
+   [bookworm] - phppgadmin  (Package in stable is broken and will 
be removed)
NOTE: https://github.com/phppgadmin/phppgadmin/issues/174
NOTE: https://github.com/hestiacp/phppgadmin/pull/4
 CVE-2023-40618 (A reflected cross-site scripting (XSS) vulnerability in 
OpenKnowledgeM ...)
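Review bot: the new [bookworm] tag says the package is broken and will be removed, but no removal bug is referenced; the only bug cited, #1053004, belongs to the vulnerability line. Put the RM bug number next to the tag so the rationale stays traceable after the package is gone from stable.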
@@ -367772,7 +367779,7 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site 
Scripting in all versions befo
NOTE: https://github.com/dojo/dojox/pull/315
 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be 
performed wit ...)
- phppgadmin 7.14.7+dfsg-1 (bug #953945)
-   [bookworm] - phppgadmin  (Minor issue)
+   [bookworm] - phppgadmin  (Package in stable is broken and will 
be removed)
[bullseye] - phppgadmin  (Minor issue)
[buster] - phppgadmin  (Minor issue)
[stretch] - phppgadmin  (Minor issue)
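Review bot: the bookworm status for CVE-2019-10784 changes from (Minor issue) to the broken/will-be-removed wording while [bullseye], [buster] and [stretch] keep (Minor issue); that matches the CVE-2023-40619 change above, but the same free-text reason is now hand-copied into two entries, so a NOTE referencing the removal bug on each would be easier to keep in sync if the reasoning changes.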


=
data/dsa-needed.txt
=
@@ -47,8 +47,6 @@ php-horde-mime-viewer/oldstable
 --
 php-horde-turba/oldstable
 --
-phppgadmin
---
 pillow (jmm)
 --
 pymatgen/stable
@@ -79,5 +77,7 @@ ruby-tzinfo/oldstable
 --
 squid
 --
+tinyproxy (jmm)
+--
 zabbix
 --
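Review bot: tinyproxy is added to dsa-needed.txt with jmm as claimant, but none of this commit's CVE/list hunks touch a tinyproxy entry; make sure the corresponding CVE entry carries the [bookworm] and [bullseye] lines so the DSA work item can be matched to the issue it is for.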



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b19b64ea0d11cd197069ae5064698348846af1dc

-- 
This project does not include diff previews in email notifications.
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b19b64ea0d11cd197069ae5064698348846af1dc
You're receiving this email because of your account on salsa.debian.org.


___
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits


[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ce7c83bd by Salvatore Bonaccorso at 2024-05-22T22:49:20+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -33,65 +33,65 @@ CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 
1.2.2 allows attacker
 CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is 
vulnerable ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a 
remote atta ...)
-   TODO: check
+   NOT-FOR-US: Qlik Sense Enterprise for Windows
 CVE-2024-35627 (tileserver-gl up to v4.4.10 was discovered to contain a 
cross-site scr ...)
TODO: check
 CVE-2024-35561 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35560 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35559 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35558 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35557 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35556 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-3 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35554 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35553 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35552 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35551 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35550 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
-   TODO: check
+   NOT-FOR-US: idccms
 CVE-2024-35475 (A Cross-Site Request Forgery (CSRF) vulnerability was 
discovered in Op ...)
TODO: check
 CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.)
TODO: check
 CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via 
ecshop/arti ...)
-   TODO: check
+   NOT-FOR-US: Ecshop
 CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV 
export.)
-   TODO: check
+   NOT-FOR-US: Ghost CMS
 CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software 
Corp SEG ...)
-   TODO: check
+   NOT-FOR-US: Insyde
 CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC 
v3.7.4.0  ...)
-   TODO: check
+   NOT-FOR-US: Nicomsoft WinI2C/DDC
 CVE-2024-33226 (An issue in the component Access64.sys of Wistron Corporation 
TBT Forc ...)
-   TODO: check
+   NOT-FOR-US: Wistron Corporation TBT Force Power Control
 CVE-2024-33225 (An issue in the component RTKVHD64.sys of Realtek 
Semiconductor Corp R ...)
-   TODO: check
+   NOT-FOR-US: Realtek Semiconductor Corp Realtek High Definition Audio 
Function Driver
 CVE-2024-33224 (An issue in the component rtkio64.sys of Realtek Semiconductor 
Corp Re ...)
-   TODO: check
+   NOT-FOR-US: Realtek Semiconductor Corp Realtek lO Driver
 CVE-2024-33223 (An issue in the component IOMap64.sys of ASUSTeK Computer Inc 
ASUS GPU ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33222 (An issue in the component ATSZIO64.sys of ASUSTeK Computer Inc 
ASUS AT ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33221 (An issue in the component AsusBSItf.sys of ASUSTeK Computer 
Inc ASUS B ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33220 (An issue in the component AslO3_64.sys of ASUSTeK Computer Inc 
AISuite ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33219 (An issue in the component AsIO64.sys of ASUSTeK Computer Inc 
ASUS SABE ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-33218 (An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc 
ASUS US ...)
-   TODO: check
+   NOT-FOR-US: ASUSTeK
 CVE-2024-31904 (IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 
12.0.1.0 thr ...)
NO
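Review bot: the identifier `CVE-2024-3` between CVE-2024-35556 and CVE-2024-35554 is malformed (a CVE ID has at least four digits after the year), and `NOT-FOR-US: Realtek Semiconductor Corp Realtek lO Driver` reads `lO` (lowercase L) where the rtkio64.sys component named in the description suggests `IO`; both should be checked before this triage is considered final. The hunk is also cut off in this notification after `NO`, so the remaining changed lines cannot be reviewed here.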

[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "Reference fix for CVE-2024-4068/node-braces"

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
92ff20ed by Salvatore Bonaccorso at 2024-05-22T22:40:14+02:00
Revert "Reference fix for CVE-2024-4068/node-braces"

This reverts commit ceeb6abf3bc08c2c81e86de151967575d3014f5a.

For now revert this reference. It is not fully clear following upstream
issue #35.

- - - - -
28e43f48 by Salvatore Bonaccorso at 2024-05-22T22:44:35+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,37 +1,37 @@
 CVE-2024-5196 (A vulnerability classified as critical has been found in Arris 
VAP2500 ...)
-   TODO: check
+   NOT-FOR-US: Arris VAP2500
 CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been 
rated as ...)
-   TODO: check
+   NOT-FOR-US: Arris VAP2500
 CVE-2024-5194 (A vulnerability was found in Arris VAP2500 08.50. It has been 
declared ...)
-   TODO: check
+   NOT-FOR-US: Arris VAP2500
 CVE-2024-5193 (A vulnerability was found in Ritlabs TinyWeb Server 1.94. It 
has been  ...)
-   TODO: check
+   NOT-FOR-US: Ritlabs TinyWeb Server
 CVE-2024-5166 (An Insecure Direct Object Reference in Google Cloud's Looker 
allowed m ...)
TODO: check
 CVE-2024-5031 (The Memberpress plugin for WordPress is vulnerable to Blind 
Server-Sid ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5025 (The Memberpress plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4896 (The WPB Elementor Addons plugin for WordPress is vulnerable to 
Stored  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4563 (The Progress MOVEit Automation configuration export function 
prior to  ...)
-   TODO: check
+   NOT-FOR-US: Progress MOVEit
 CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local 
Privilege ...)
-   TODO: check
+   NOT-FOR-US: WithSecure Elements Endpoint Protection
 CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
TODO: check
 CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is 
vulnerable to St ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the 
parisneo/lol ...)
-   TODO: check
+   NOT-FOR-US: parisneo/lollms-webui
 CVE-2024-4262 (The Piotnet Addons For Elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4261 (The Responsive Contact Form Builder & Lead Generation Plugin 
plugin fo ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows 
attackers to  ...)
-   TODO: check
+   NOT-FOR-US: lunary-ai/lunary
 CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is 
vulnerable ...)
TODO: check
 CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a 
remote atta ...)
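Review bot: three entries in this hunk remain at `TODO: check` (CVE-2024-5166, CVE-2024-4453 and CVE-2024-3495); CVE-2024-4453 names GStreamer, which unlike the WordPress plugins and vendor appliances triaged here is software Debian packages, so it needs a source-package line with fixed version and release tags rather than an NFU. CVE-2024-3495 is resolved as NFU by commit ce7c83bd in this digest.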
@@ -6062,7 +6062,6 @@ CVE-2024-4068 (The NPM package `braces`, versions prior 
to 3.0.3, fails to limit
[bullseye] - node-braces  (Minor issue)
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
-   NOTE: Fixed by: 
https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3
 (3.0.3)
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
- node-micromatch  (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
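Review bot: reverting the `Fixed by` NOTE leaves CVE-2024-4068 with only the issue link; the open question from the reverted commit's message is whether 3.0.3+~3.0.4-1 in unstable actually contains the fix, so when upstream issue #35 settles, re-add the commit reference together with the Debian package version it corresponds to rather than a bare upstream tag.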



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c3cd6eea96a9394cdebf3d0676b09441fb9b757b...28e43f48d5033bc8741d5dc9fe7e923925be27b4



[Git][security-tracker-team/security-tracker][master] Process some NFUs

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c3cd6eea by Salvatore Bonaccorso at 2024-05-22T22:30:19+02:00
Process some NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -93,13 +93,13 @@ CVE-2024-33219 (An issue in the component AsIO64.sys of 
ASUSTeK Computer Inc ASU
 CVE-2024-33218 (An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc 
ASUS US ...)
TODO: check
 CVE-2024-31904 (IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 
12.0.1.0 thr ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31895 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could 
allow an a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31894 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could 
allow an a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31893 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could 
allow an a ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-31617 (OpenLiteSpeed before 1.8.1 mishandles chunked encoding.)
TODO: check
 CVE-2024-2036 (The ApplyOnline \u2013 Application Form Builder and Manager 
plugin for ...)
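Review bot: `NOT-FOR-US: IBM` is coarser than the product-level labels used in the neighbouring NFU commits (`NOT-FOR-US: Qlik Sense Enterprise for Windows`, `NOT-FOR-US: Progress MOVEit`); since the descriptions name IBM App Connect Enterprise, use that, and likewise `IBM Performance Tools for i` for CVE-2024-27264 in the next hunk, so later searches of the file for a product hit the right entries.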
@@ -109,7 +109,7 @@ CVE-2024-29421 (xmedcon 0.23.0 and fixed in v.0.24.0 is 
vulnerable to Buffer Ove
 CVE-2024-29392 (Silverpeas Core 6.3 is vulnerable to Cross Site Scripting 
(XSS) via Cl ...)
TODO: check
 CVE-2024-27264 (IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 could allow 
a local ...)
-   TODO: check
+   NOT-FOR-US: IBM
 CVE-2024-25738 (A Server-Side Request Forgery (SSRF) vulnerability in the 
/Upgrade/Fix ...)
TODO: check
 CVE-2024-25737 (A Server-Side Request Forgery (SSRF) vulnerability in the 
/Cover/Show  ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3cd6eea96a9394cdebf3d0676b09441fb9b757b



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-4642

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
753ce9f1 by Salvatore Bonaccorso at 2024-05-22T22:26:31+02:00
Remove notes from CVE-2024-4642

CVE got rejected by the assigning CNA (but without specific reason
mentioned).

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4917,7 +4917,6 @@ CVE-2024-4733 (The ShiftController Employee Shift 
Scheduling plugin is vulnerabl
NOT-FOR-US: WordPress plugin
 CVE-2024-4642
REJECTED
-   NOT-FOR-US: wandb
 CVE-2024-4635 (The Menu Icons by ThemeIsle plugin for WordPress is vulnerable 
to Stor ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4634 (The Elementor Header & Footer Builder plugin for WordPress is 
vulnerab ...)
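Review bot: dropping the `NOT-FOR-US: wandb` line leaves only `REJECTED` under CVE-2024-4642; since the commit message says the CNA gave no reason, consider keeping a NOTE with the rejection source so the original wandb attribution is not lost if the rejection is ever questioned.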



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/753ce9f1aa7db7499b940476bf6e37b20cdbd0e5



[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2024-4068/node-braces

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ceeb6abf by Salvatore Bonaccorso at 2024-05-22T22:24:10+02:00
Reference fix for CVE-2024-4068/node-braces

Note this is in upstream 3.0.3. Checking 3.0.3+~3.0.4-1 though the code
is not included. What is 3.0.3+~3.0.4 referring to? This needs
double-checking to see if the issue was fixed in the last upload to
unstable.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -6063,6 +6063,7 @@ CVE-2024-4068 (The NPM package `braces`, versions prior 
to 3.0.3, fails to limit
[bullseye] - node-braces  (Minor issue)
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
+   NOTE: Fixed by: 
https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3
 (3.0.3)
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
- node-micromatch  (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
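Review bot: the added `Fixed by` NOTE tags the upstream commit as (3.0.3) while the commit message itself says it is unclear whether the fix is in 3.0.3+~3.0.4-1; the package line of this entry (`- node-braces  (bug #1071632)` in the bugnums commit of this digest) carries no fixed version, so the NOTE alone can read as if the issue were resolved. Hold the reference, or word it as an upstream fix whose presence in the Debian package is unverified, until the 3.0.3+~3.0.4 versioning question is answered.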



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceeb6abf3bc08c2c81e86de151967575d3014f5a



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3dd5fc42 by security tracker role at 2024-05-22T20:12:09+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,4 +1,138 @@
-CVE-2024-36010 [igb: Fix string truncation warnings in igb_set_fw_version]
+CVE-2024-5196 (A vulnerability classified as critical has been found in Arris 
VAP2500 ...)
+   TODO: check
+CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been 
rated as ...)
+   TODO: check
+CVE-2024-5194 (A vulnerability was found in Arris VAP2500 08.50. It has been 
declared ...)
+   TODO: check
+CVE-2024-5193 (A vulnerability was found in Ritlabs TinyWeb Server 1.94. It 
has been  ...)
+   TODO: check
+CVE-2024-5166 (An Insecure Direct Object Reference in Google Cloud's Looker 
allowed m ...)
+   TODO: check
+CVE-2024-5031 (The Memberpress plugin for WordPress is vulnerable to Blind 
Server-Sid ...)
+   TODO: check
+CVE-2024-5025 (The Memberpress plugin for WordPress is vulnerable to Stored 
Cross-Sit ...)
+   TODO: check
+CVE-2024-4896 (The WPB Elementor Addons plugin for WordPress is vulnerable to 
Stored  ...)
+   TODO: check
+CVE-2024-4563 (The Progress MOVEit Automation configuration export function 
prior to  ...)
+   TODO: check
+CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local 
Privilege ...)
+   TODO: check
+CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code 
Execution ...)
+   TODO: check
+CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is 
vulnerable to St ...)
+   TODO: check
+CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the 
parisneo/lol ...)
+   TODO: check
+CVE-2024-4262 (The Piotnet Addons For Elementor plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-4261 (The Responsive Contact Form Builder & Lead Generation Plugin 
plugin fo ...)
+   TODO: check
+CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows 
attackers to  ...)
+   TODO: check
+CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
+   TODO: check
+CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is 
vulnerable ...)
+   TODO: check
+CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a 
remote atta ...)
+   TODO: check
+CVE-2024-35627 (tileserver-gl up to v4.4.10 was discovered to contain a 
cross-site scr ...)
+   TODO: check
+CVE-2024-35561 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35560 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35559 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35558 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35557 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35556 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-3 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35554 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35553 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35552 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35551 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35550 (idccms v1.35 was discovered to contain a Cross-Site Request 
Forgery (C ...)
+   TODO: check
+CVE-2024-35475 (A Cross-Site Request Forgery (CSRF) vulnerability was 
discovered in Op ...)
+   TODO: check
+CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.)
+   TODO: check
+CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via 
ecshop/arti ...)
+   TODO: check
+CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV 
export.)
+   TODO: check
+CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software 
Corp SEG ...)
+   TODO: check
+CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC 
v3.7.4.0  ...)
+   TODO: check
+CVE-2024-33226 (An issue in the component Access64.sys of Wistron Corporation 
TBT Forc ...)
+   TODO: check
+CVE-2024-33225 (An issue in the component RTKVHD64.sys of Realtek 
Semiconductor Corp R ...)
+   TODO: check
+CVE-2024-33224 (An issue in the component rtkio64
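Review bot: the malformed `CVE-2024-3` entry (between CVE-2024-35556 and CVE-2024-35554) already appears in this automatic import, not only in the later manual triage, so the truncated identifier likely originates from the feed the updater consumes; check the import before the entry is triaged under that name. The hunk is also cut off in this notification after `rtkio64`, so the remaining added lines cannot be reviewed here.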

[Git][security-tracker-team/security-tracker][master] redmine commit refs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
0b9feb2a by Moritz Muehlenhoff at 2024-05-22T19:54:58+02:00
redmine commit refs

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -52110,12 +52110,15 @@ CVE-2017-20187 (** UNSUPPORTED WHEN ASSIGNED ** A 
vulnerability was found in Mag
 CVE-2023-47260 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via 
thumbnails ...)
- redmine  (bug #1055474)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: 
https://github.com/redmine/redmine/commit/15d0ea8c596f306131de2bd7edd1ae28ff122103
 (5.0-stable)
 CVE-2023-47259 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the 
Textile ...)
- redmine  (bug #1055474)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: 
https://github.com/redmine/redmine/commit/ea4bf1eba4b680159a873aa468364826f4d13385
 (5.0-stable)
 CVE-2023-47258 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a 
Markdown  ...)
- redmine  (bug #1055474)
NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
+   NOTE: 
https://github.com/redmine/redmine/commit/03bcf782463c9b84c6fe53b17cb1b781df6d8771
 (5.0-stable)
 CVE-2023-47249 (In International Color Consortium DemoIccMAX 79ecb74, a 
CIccXmlArrayTy ...)
NOT-FOR-US: International Color Consortium DemoIccMAX
 CVE-2023-46981 (SQL injection vulnerability in Novel-Plus v.4.2.0 allows a 
remote atta ...)
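Review bot: all three redmine NOTE lines reference 5.0-stable commits only, while the descriptions say the issues are fixed in 4.2.11 as well; if any supported release ships a 4.2-based redmine, the matching 4.2-stable commits are what a backport would need, so add them (or state that 5.0-stable is the only relevant branch) alongside the dsa-needed claim.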


=
data/dsa-needed.txt
=
@@ -57,7 +57,7 @@ python-asyncssh
 --
 python-pymysql
 --
-redmine/stable
+redmine/stable (jmm)
 --
 ring/oldstable
   might make sense to rebase to current version



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b9feb2adf04ec53a14af19e652124be8e6045b5



[Git][security-tracker-team/security-tracker][master] chromium dsa

2024-05-22 Thread Andres Salomon (@dilinger)


Andres Salomon pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c0373deb by Andres Salomon at 2024-05-22T12:24:09-04:00
chromium dsa

- - - - -


2 changed files:

- data/DSA/list
- data/dsa-needed.txt


Changes:

=
data/DSA/list
=
@@ -1,3 +1,6 @@
+[22 May 2024] DSA-5696-1 chromium - security update
+   {CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160}
+   [bookworm] - chromium 125.0.6422.76-1~deb12u1
 [22 May 2024] DSA-5695-1 webkit2gtk - security update
{CVE-2024-27834}
[bullseye] - webkit2gtk 2.44.2-1~deb11u1


=
data/dsa-needed.txt
=
@@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the 
name of the source pa
 --
 cacti
 --
-chromium (dilinger)
---
 dnsdist (jmm)
 --
 dnsmasq



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0373deb6669f118f726e8039d3a83e489ff8350



[Git][security-tracker-team/security-tracker][master] bugnums

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d0e106d4 by Moritz Muehlenhoff at 2024-05-22T17:23:03+02:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -447,7 +447,7 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube 
Showcase \u2013 Video Galler
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
NOT-FOR-US: WinRAR
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
-   - python-pymysql 
+   - python-pymysql  (bug #1071628)
NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
NOTE: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
@@ -4869,8 +4869,8 @@ CVE-2024-35184 (Paperless-ngx is a document management 
system that transforms ph
 CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git 
authenti ...)
TODO: check
 CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 
has a den ...)
-   - ruby3.2 
-   - ruby3.1 
+   - ruby3.2  (bug #1071627)
+   - ruby3.1  (bug #1071626)
[bookworm] - ruby3.1  (Minor issue)
- ruby2.7 
- ruby2.5 
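Review bot: bug numbers are added for ruby3.2 and ruby3.1, but the `- ruby2.7` and `- ruby2.5` lines in the context have neither a bug number nor a release tag with status; if those source packages exist only in older releases, a tag with status on them would make the entry readable the same way as the ruby3.1 line.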
@@ -5919,13 +5919,13 @@ CVE-2024-4813 (A vulnerability classified as critical 
has been found in Ruijie R
 CVE-2024-4747 (Improper Neutralization of Input During Web Page Generation 
('Cross-si ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4068 (The NPM package `braces` fails to limit the number of 
characters it ca ...)
-   - node-braces 
+   - node-braces  (bug #1071632)
[bookworm] - node-braces  (Minor issue)
[bullseye] - node-braces  (Minor issue)
[buster] - node-braces  (Minor issue)
NOTE: https://github.com/micromatch/braces/issues/35
 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular 
Expression Denia ...)
-   - node-micromatch 
+   - node-micromatch  (bug #1071631)
[bookworm] - node-micromatch  (Minor issue)
[bullseye] - node-micromatch  (Minor issue)
[buster] - node-micromatch  (Minor issue)
@@ -7146,7 +7146,7 @@ CVE-2024-34257 (TOTOLINK EX1800T V9.1.0cu.2112_B20220316 
has a vulnerability in
 CVE-2024-34255 (jizhicms v2.5.1 contains a Cross-Site Scripting(XSS) 
vulnerability in  ...)
NOT-FOR-US: jizhicms
 CVE-2024-34244 (libmodbus v3.1.10 is vulnerable to Buffer Overflow via the 
modbus_writ ...)
-   - libmodbus 
+   - libmodbus  (bug #1071633)
[bookworm] - libmodbus  (Minor issue)
[bullseye] - libmodbus  (Minor issue)
[buster] - libmodbus  (Minor issue; out-of-bounds read, DoS)
@@ -8048,7 +8048,7 @@ CVE-2024-4492 (A vulnerability, which was classified as 
critical, has been found
 CVE-2024-4491 (A vulnerability classified as critical was found in Tenda i21 
1.0.0.14 ...)
NOT-FOR-US: Tenda
 CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting 
facilities make u ...)
-   - maxima 
+   - maxima  (bug #1071630)
[bookworm] - maxima  (Minor issue)
[bullseye] - maxima  (Minor issue)
[buster] - maxima  (Minor issue)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e106d41947da7c67df7bbf0fd5f85c734f459c



[Git][security-tracker-team/security-tracker][master] maxima commit reference

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
afab11fd by Moritz Muehlenhoff at 2024-05-22T17:17:52+02:00
maxima commit reference

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -8053,6 +8053,7 @@ CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, 
the plotting facilities
[bullseye] - maxima  (Minor issue)
[buster] - maxima  (Minor issue)
NOTE: https://sourceforge.net/p/maxima/bugs/3755/
+   NOTE: 
https://sourceforge.net/p/maxima/code/ci/51704ccb090f6f971b641e4e0b7c1c22c4828bf7/
 CVE-2024-34489 (OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers 
to cause ...)
NOT-FOR-US: Faucet SDN Ryu
 CVE-2024-34488 (OFPMultipartReply in parser.py in Faucet SDN Ryu 4.34 allows 
attackers ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afab11fdeeb79805bc75a7eda8c470e3d83540c2



[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
a5e371d0 by Moritz Muehlenhoff at 2024-05-22T16:57:21+02:00
bookworm/bullseye triage

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=
data/CVE/list
=
@@ -2335,6 +2335,8 @@ CVE-2024-3155 (The Post Grid, Form Maker, Popup Maker, 
WooCommerce Blocks, Post
NOT-FOR-US: WordPress plugin
 CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making 
requests thro ...)
- requests  (bug #1071593)
+   [bookworm] - requests  (Minor issue)
+   [bullseye] - requests  (Minor issue)
NOTE: 
https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56
NOTE: https://github.com/psf/requests/pull/6655
NOTE: 
https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 
(v2.32.0)
@@ -4493,6 +4495,8 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK 
all versions and some
NOT-FOR-US: Intel
 CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless 
WiFi softw ...)
- firmware-nonfree 
+   [bookworm] - firmware-nonfree  (Minor issue)
+   [bullseye] - firmware-nonfree  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
TODO: check, likely fixed in 20240513 tag update
 CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software 
all versio ...)
@@ -4577,6 +4581,8 @@ CVE-2023-38420 (Improper conditions check in Intel(R) 
Power Gadget software for
NOT-FOR-US: Intel
 CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless 
WiFi softw ...)
- firmware-nonfree 
+   [bookworm] - firmware-nonfree  (Minor issue)
+   [bullseye] - firmware-nonfree  (Minor issue)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html
TODO: check, likely fixed in 20240513 tag update
 CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
@@ -4865,6 +4871,7 @@ CVE-2024-35183 (wolfictl is a command line tool for 
working with Wolfi. A git au
 CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 
has a den ...)
- ruby3.2 
- ruby3.1 
+   [bookworm] - ruby3.1  (Minor issue)
- ruby2.7 
- ruby2.5 
NOTE: 
https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh
@@ -5743,22 +5750,24 @@ CVE-2024-4764 (Multiple WebRTC threads could have 
claimed a newly connected audi
- firefox 126.0-1
NOTE: 
https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764
 CVE-2024-4855 (Use after free issue in editcap could cause denial of service 
via craf ...)
-   - wireshark 4.2.5-1
-   [buster] - wireshark  (can be piggyback'd with the next 
update)
+   - wireshark 4.2.5-1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784
 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 
4.2.0 to 4. ...)
- wireshark 4.2.5-1
+   [bookworm] - wireshark  (Minor issue)
+   [bullseye] - wireshark  (Minor issue)
[buster] - wireshark  (can be piggyback'd with the next 
update)
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047
NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499
 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service 
via cra ...)
-   - wireshark 4.2.5-1
-   [buster] - wireshark  (can be piggyback'd with the next 
update)
+   - wireshark 4.2.5-1 (unimportant)
+   NOTE: Crash in CLI tool, no security impact
NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724
 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a 
toolse ...)
@@ -6081,7 +6090,10 @@ CVE-2024-28866 (GoCD is a continuous delivery server. 
GoCD versions from 19.4.0
NOT-FOR-US: GoCD
 CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt 
function in cr ...)
- libcrypto++ 
-   TODO: check details
+   [bookworm] - libcrypto++  (Minor issue)
+   [bullseye] - libcrypto++  (Minor issue)
+   NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1
+   NOTE: https://github.com/weidai11/cryptopp/issues/1262
 CVE-2024-28279 (Co
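Review bot: the libcrypto++ entry for CVE-2024-28285 is triaged as Minor issue for bookworm and bullseye but, unlike the other Minor-issue triages in this series (compare the `(bug #...)` references added in the "bugnums" commit), the unstable line `- libcrypto++ ` carries neither a fixed version nor a bug reference; consider recording a bug number so the unstable fix stays tracked now that the `TODO: check details` line is gone.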

[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36010/linux

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
56d06d90 by Salvatore Bonaccorso at 2024-05-22T16:15:50+02:00
Add CVE-2024-36010/linux

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2024-36010 [igb: Fix string truncation warnings in igb_set_fw_version]
+   - linux 6.8.9-1
+   [bookworm] - linux  (Vulnerable code not present)
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/c56d055893cbe97848611855d1c97d0ab171eccc (6.8-rc5)
 CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling SVG 
animate attributes]
- roundcube 1.6.7+dfsg-1 (bug #1071474)
NOTE: 
https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56d06d909d0f477fed3534b2df72e836f1e37652



[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52830

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3bccdeab by Salvatore Bonaccorso at 2024-05-22T16:06:15+02:00
Remove notes from CVE-2023-52830

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -811,12 +811,8 @@ CVE-2023-52831 (In the Linux kernel, the following 
vulnerability has been resolv
- linux 6.6.8-1
[bookworm] - linux 6.1.64-1
NOTE: 
https://git.kernel.org/linus/38685e2a0476127db766f81b1c06019ddc4c9ffa (6.7-rc1)
-CVE-2023-52830 (In the Linux kernel, the following vulnerability has been 
resolved:  B ...)
-   - linux 6.6.8-1
-   [bookworm] - linux 6.1.64-1
-   [bullseye] - linux 5.10.205-1
-   [buster] - linux 4.19.304-1
-   NOTE: 
https://git.kernel.org/linus/a85fb91e3d728bdfc80833167e8162cce8bc7004 (6.7-rc1)
+CVE-2023-52830
+   REJECTED
 CVE-2023-52829 (In the Linux kernel, the following vulnerability has been 
resolved:  w ...)
- linux 6.6.8-1
NOTE: 
https://git.kernel.org/linus/b302dce3d9edea5b93d1902a541684a967f3c63c (6.7-rc1)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bccdeabf87ca182b40fc0934c5fc412e667dbf2



[Git][security-tracker-team/security-tracker][master] Add two temporary entries for roundcube

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
3ab8509b by Salvatore Bonaccorso at 2024-05-22T13:59:07+02:00
Add two temporary entries for roundcube

I excluded the Windows-only one. If CVEs are assigned for all three, we can
then track the last one as well.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,9 @@
+CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling SVG 
animate attributes]
+   - roundcube 1.6.7+dfsg-1 (bug #1071474)
+   NOTE: 
https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f
+CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling list 
columns from user preferences]
+   - roundcube 1.6.7+dfsg-1 (bug #1071474)
+   NOTE: 
https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c
 CVE-2021-47498 [dm rq: don't queue request to blk-mq during DM suspend]
- linux 5.14.16-1
NOTE: 
https://git.kernel.org/linus/b4459b11e84092658fa195a2587aff3b9637f0e7 (5.15-rc6)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ab8509bb8e129d120a84dca6d97d7f21c390fb7



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1d96f0d5 by Moritz Muehlenhoff at 2024-05-22T13:27:12+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -433,7 +433,7 @@ CVE-2024-3345 (The ShopLentor plugin for WordPress is 
vulnerable to Stored Cross
 CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video 
Gallery Plu ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
-   TODO: check
+   NOT-FOR-US: WinRAR
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
- python-pymysql 
NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
@@ -2390,7 +2390,7 @@ CVE-2024-34193 (smanga 3.2.7 does not filter the file 
parameter at the PHP/get f
 CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before 
allows  ...)
NOT-FOR-US: Waxlab wax
 CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been 
identified  ...)
-   TODO: check
+   NOT-FOR-US: ArcSight Enterprise Security Manager
 CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools 
json-schema-ref-parser v. ...)
NOT-FOR-US: Node json-schema-ref-parser
 CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a 
reflected c ...)
@@ -2398,9 +2398,9 @@ CVE-2024-29000 (The SolarWinds Platform was determined to 
be affected by a refle
 CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to 
authorization v ...)
NOT-FOR-US: Zoho ManageEngine
 CVE-2024-24294 (A Prototype Pollution issue in Blackprint @blackprint/engine 
v.0.9.0 a ...)
-   TODO: check
+   NOT-FOR-US: @blackprint/engine
 CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader 
v.10.0.3 all ...)
-   TODO: check
+   NOT-FOR-US: @bit/loader
 CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the 
Authorization head ...)
- python-scrapy 2.11.2-1
NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a
@@ -2812,7 +2812,7 @@ CVE-2024-36078 (In Zammad before 6.3.1, a Ruby gem 
bundled by Zammad is installe
 CVE-2024-36076 (Cross-Site WebSocket Hijacking in SysReptor from version 
2024.28 to ve ...)
NOT-FOR-US: Syslifters SysReptor
 CVE-2024-36070 (tine before 2023.11.8, when an LDAP backend is used, allows 
anonymous  ...)
-   TODO: check
+   NOT-FOR-US: Tine groupware
 CVE-2024-36053 (In the mintupload package through 4.2.0 for Linux Mint, 
service-name m ...)
NOT-FOR-US: mintupload
 CVE-2024-35947 (In the Linux kernel, the following vulnerability has been 
resolved:  d ...)
@@ -3322,7 +3322,7 @@ CVE-2024-23556 (SSL/TLS Renegotiation functionality 
potentially leading to DoS a
 CVE-2024-23554 (Cross-Site Request Forgery (CSRF) on Session Token 
vulnerability that  ...)
NOT-FOR-US: HCL
 CVE-2023-52424 (The IEEE 802.11 standard sometimes enables an adversary to 
trick a vic ...)
-   TODO: check
+   NOT-FOR-US: IEEE 802.11 standard
 CVE-2024-5072 (Improper input validation in PAM JIT elevation feature in 
Devolutions  ...)
NOT-FOR-US: Devolutions Server
 CVE-2024-5066 (A vulnerability classified as critical was found in PHPGurukul 
Online  ...)
@@ -3810,7 +3810,7 @@ CVE-2024-34370 (Improper Privilege Management 
vulnerability in WPFactory EAN for
 CVE-2024-34241 (A cross-site scripting (XSS) vulnerability in Rocketsoft 
Rocket LMS 1. ...)
NOT-FOR-US: Rocketsoft Rocket LMS
 CVE-2024-34058 (The WebTop package for NethServer 7 and 8 allows stored XSS 
(for examp ...)
-   TODO: check
+   NOT-FOR-US: WebTop package for NethServer
 CVE-2024-33917 (Authentication Bypass by Spoofing vulnerability in 
webtechideas WTI Li ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-33644 (Improper Control of Generation of Code ('Code Injection') 
vulnerabilit ...)
@@ -4556,7 +4556,7 @@ CVE-2023-40071 (Improper access control in some Intel(R) 
GPA software installers
 CVE-2023-40070 (Improper access control in some Intel(R) Power Gadget software 
for mac ...)
NOT-FOR-US: Intel
 CVE-2023-39929 (Uncontrolled search path in some Libva software maintained by 
Intel(R) ...)
-   TODO: check
+   NOT-FOR-US: Intel
 CVE-2023-39433 (Improper access control for some Intel(R) CST software before 
version  ...)
NOT-FOR-US: Intel
 CVE-2023-39163 (Improper Limitation of a Pathname to a Restricted Directory 
('Path Tra ...)
@@ -4564,49 +4564,49 @@ CVE-2023-39163 (Improper Limitation of a Pathname to a 
Restricted Directory ('Pa
 CVE-2023-38654 (Improper input validation for some some Intel(R) 
PROSet/Wireless WiFi  ...)
TODO: check
 CVE-2023-38581 (Buffer overflow in Intel(R) Power Gadget software for Windows 
all vers ...)
-   TODO: check
+ 

[Git][security-tracker-team/security-tracker][master] Track chromium fixes via unstable

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
e25cc9c2 by Salvatore Bonaccorso at 2024-05-22T12:36:07+02:00
Track chromium fixes via unstable

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -387,19 +387,19 @@ CVE-2024-5148
- gnome-remote-desktop  (Vulnerable code only in 46 
series)
NOTE: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196
 CVE-2024-5160
-   - chromium 
+   - chromium 125.0.6422.76-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-5159
-   - chromium 
+   - chromium 125.0.6422.76-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-5158
-   - chromium 
+   - chromium 125.0.6422.76-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-5157
-   - chromium 
+   - chromium 125.0.6422.76-1
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-4988 (The mobile application (com.transsion.videocallenhancer) 
interface has ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e25cc9c2391b5c20f244b74f68048ec68408d0eb



[Git][security-tracker-team/security-tracker][master] new python-pymysql issue

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
96c8f1ae by Moritz Muehlenhoff at 2024-05-22T12:31:00+02:00
new python-pymysql issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -435,7 +435,9 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube 
Showcase \u2013 Video Galler
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
TODO: check
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
-   TODO: check
+   - python-pymysql 
+   NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp
+   NOTE: 
https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c
 (v1.1.1)
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
NOT-FOR-US: Cesenta MJS
 CVE-2024-35385 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96c8f1aeef079f3787562ae0786b19a535ff260b



[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
ecfc3181 by Salvatore Bonaccorso at 2024-05-22T10:59:02+02:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,3 +1,119 @@
+CVE-2021-47498 [dm rq: don't queue request to blk-mq during DM suspend]
+   - linux 5.14.16-1
+   NOTE: 
https://git.kernel.org/linus/b4459b11e84092658fa195a2587aff3b9637f0e7 (5.15-rc6)
+CVE-2021-47497 [nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells]
+   - linux 5.14.16-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 (5.15-rc6)
+CVE-2021-47496 [net/tls: Fix flipped sign in tls_err_abort() calls]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   NOTE: 
https://git.kernel.org/linus/da353fac65fede6b8b4cfe207f0d9408e3121105 (5.15)
+CVE-2021-47495 [usbnet: sanity check for maxpacket]
+   - linux 5.14.16-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/397430b50a363d8b7bdda00522123f82df6adc5e (5.15-rc7)
+CVE-2021-47494 [cfg80211: fix management registrations locking]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/09b1d5dc6ce1c9151777f6c4e128a59457704c97 (5.15)
+CVE-2021-47493 [ocfs2: fix race between searching chunks and release 
journal_head from buffer_head]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   NOTE: 
https://git.kernel.org/linus/6f1b228529ae49b0f85ab89bcdb6c365df401558 (5.15)
+CVE-2021-47492 [mm, thp: bail out early in collapse_file for writeback page]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/74c42e1baacf206338b1dd6b6199ac964512b5bb (5.15)
+CVE-2021-47491 [mm: khugepaged: skip huge page collapse for special files]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/a4aeaa06d45e90f9b279f0b09de84bd6e733 (5.15)
+CVE-2021-47490 [drm/ttm: fix memleak in ttm_transfered_destroy]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   NOTE: 
https://git.kernel.org/linus/0db55f9a1bafbe3dac750ea669de9134922389b5 (5.15)
+CVE-2021-47489 [drm/amdgpu: Fix even more out of bound writes from debugfs]
+   - linux 5.15.3-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/3f4e54bd312d3dafb59daf2b97ffa08abebe60f5 (5.15)
+CVE-2021-47488 [cgroup: Fix memory leak caused by missing cgroup_bpf_offline]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/04f8ef5643bcd8bcde25dfdebef998aea480b2ba (5.15)
+CVE-2021-47487 [drm/amdgpu: fix out of bounds write]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   NOTE: 
https://git.kernel.org/linus/5afa7898ab7a0ec9c28556a91df714bf3c2f725e (5.15)
+CVE-2021-47486 [riscv, bpf: Fix potential NULL dereference]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/27de809a3d83a6199664479ebb19712533d6fd9b (5.15)
+CVE-2021-47485 [IB/qib: Protect from buffer overflow in struct 
qib_user_sdma_pkt fields]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/d39bf40e55e666b5905fdbd46a0dced030ce87be (5.15)
+CVE-2021-47484 [octeontx2-af: Fix possible null pointer dereference.]
+   - linux 5.15.3-1
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/c2d4c543f74c90f883e8ec62a31973ae8807d354 (5.15)
+CVE-2021-47483 [regmap: Fix possible double-free in regcache_rbtree_exit()]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/55e6d8037805b3400096d621091dfbf713f97e83 (5.15)
+CVE-2021-47482 [net: batman-adv: fix error handling]
+   - linux 5.15.3-1
+   [bullseye] - linux 5.10.84-1
+   [buster] - linux 4.19.232-1
+   NOTE: 
https://git.kernel.org/linus/6f68cd634856f8ca93bafd623ba5357e0f648c68 (5.15)
+CVE-2021-47481 [RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR]
+   - linux 5.15.3-1
+   [bullseye] - linux  (Vulnerable code not present)
+   [buster] - linux  (Vulnerable code not present)
+   NOTE: 
https://git.kernel.org/linus/5508546631a0f555d7088203dec2614e41b5106e (5.15)
+CVE-20

[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5695-1

2024-05-22 Thread Alberto Garcia (@berto)


Alberto Garcia pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
68466000 by Alberto Garcia at 2024-05-22T10:46:45+02:00
webkit2gtk DSA-5695-1

- - - - -


1 changed file:

- data/DSA/list


Changes:

=
data/DSA/list
=
@@ -1,3 +1,7 @@
+[22 May 2024] DSA-5695-1 webkit2gtk - security update
+   {CVE-2024-27834}
+   [bullseye] - webkit2gtk 2.44.2-1~deb11u1
+   [bookworm] - webkit2gtk 2.44.2-1~deb12u1
 [17 May 2024] DSA-5694-1 chromium - security update
{CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950}
[bookworm] - chromium 125.0.6422.60-1~deb12u1



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684660003d51e89048881befe303a749b6f07152



[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
619e7ca5 by Moritz Muehlenhoff at 2024-05-22T10:39:49+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -287,7 +287,7 @@ CVE-2024-5157
[bullseye] - chromium  (see #1061268)
[buster] - chromium  (see DSA 5046)
 CVE-2024-4988 (The mobile application (com.transsion.videocallenhancer) 
interface has ...)
-   TODO: check
+   NOT-FOR-US: com.transsion.videocallenhancer
 CVE-2024-4876 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4875 (The HT Mega \u2013 Absolute Addons For Elementor plugin for 
WordPress  ...)
@@ -305,107 +305,107 @@ CVE-2024-4553 (The WP Shortcodes Plugin \u2014 
Shortcodes Ultimate plugin for Wo
 CVE-2024-4452 (The ElementsKit Pro plugin for WordPress is vulnerable to 
Stored Cross ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4435 (When storing unbounded types in a BTreeMap, a node is 
represented as a ...)
-   TODO: check
+   NOT-FOR-US: ic-stable-structures
 CVE-2024-4420 (There exists a Denial of service vulnerability in Tink-cc in 
versions  ...)
-   TODO: check
+   NOT-FOR-US: Tink-cc
 CVE-2024-4361 (The Page Builder by SiteOrigin plugin for WordPress is 
vulnerable to S ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-4154 (In lunary-ai/lunary version 1.2.2, an incorrect synchronization 
vulner ...)
NOT-FOR-US: lunary-ai/lunary
 CVE-2024-3345 (The ShopLentor plugin for WordPress is vulnerable to Stored 
Cross-Site ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video 
Gallery Plu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to 
spoof the s ...)
TODO: check
 CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with 
untrusted JSON ...)
TODO: check
 CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2024-35385 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2024-35384 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to 
cause a den ...)
-   TODO: check
+   NOT-FOR-US: Cesenta MJS
 CVE-2024-35361 (MTab Bookmark v1.9.5 has an SQL injection vulnerability in 
/LinkStore/ ...)
-   TODO: check
+   NOT-FOR-US: MTab Bookmark
 CVE-2024-35218 (Umbraco CMS is an ASP.NET CMS used by more than 730.000 
websites. Stor ...)
NOT-FOR-US: Umbraco CMS
 CVE-2024-35180 (OMERO.web provides a web based client and plugin 
infrastructure. There ...)
-   TODO: check
+   NOT-FOR-US: OMERO.web
 CVE-2024-35061 (NASA AIT-Core v2.5.2 was discovered to use unencrypted 
channels to exc ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35060 (An issue in the YAML Python library of NASA AIT-Core v2.5.2 
allows att ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35059 (An issue in the Pickle Python library of NASA AIT-Core v2.5.2 
allows a ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35058 (An issue in the API wait function of NASA AIT-Core v2.5.2 
allows attac ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35057 (An issue in NASA AIT-Core v2.5.2 allows attackers to execute 
arbitrary ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-35056 (NASA AIT-Core v2.5.2 was discovered to contain multiple SQL 
injection  ...)
-   TODO: check
+   NOT-FOR-US: NASA AIT-Core
 CVE-2024-34274 (OpenBD 20210306203917-6cbe797 is vulnerable to Deserialization 
of Untr ...)
-   TODO: check
+   NOT-FOR-US: OpenBD
 CVE-2024-34240 (QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting 
(XSS) r ...)
-   TODO: check
+   NOT-FOR-US: QDOCS Smart School
 CVE-2024-34071 (Umbraco is an ASP.NET CMS used by more than 730.000 websites. 
Umbraco  ...)
-   TODO: check
+   NOT-FOR-US: Umbraco
 CVE-2024-33529 (ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 
9.0 allow ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33528 (A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 
before 7. ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33527 (A Stored Cross-site Scripting (XSS) vulnerability in the 
"Import of Us ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33526 (A Stored Cross-site Scripting (XSS) vulnerability in the 
"Import of us ...)
-   TODO: check
+   NOT-FOR-US: ILIAS
 CVE-2024-33525 (A Stored Cross-site Scripting (XSS) vulnerability in the 
"Import of or ...)
-   TODO: chec
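Review bot: the first NOT-FOR-US label in this hunk spells the vendor as "Cesenta MJS"; the embedded JavaScript engine mJS is published by Cesanta, so the line should read "NOT-FOR-US: Cesanta MJS" to keep the product name consistent with how the tracker and the CVE descriptions refer to it. The other NOT-FOR-US labels in the hunk match the products named in their CVE descriptions.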

[Git][security-tracker-team/security-tracker][master] NFUs

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
6d16cff1 by Moritz Muehlenhoff at 2024-05-22T10:23:47+02:00
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,79 +1,79 @@
 CVE-2024-5190
REJECTED
 CVE-2024-5147 (The WPZOOM Addons for Elementor (Templates, Widgets) plugin for 
WordPr ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5092 (The Elegant Addons for elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-5040 (There are multiple ways in  LCDS LAquis SCADA for an attacker 
to acces ...)
-   TODO: check
+   NOT-FOR-US: LCDS LAquis SCADA
 CVE-2024-4980 (The WPKoi Templates for Elementor plugin for WordPress is 
vulnerable t ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4971 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress 
is vul ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4443 (The Business Directory Plugin \u2013 Easy Listing Directories 
for Word ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-4157 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and 
Drag & D ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3927 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3671 (The Print-O-Matic plugin for WordPress is vulnerable to Stored 
Cross-S ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3666 (The Opal Estate Pro \u2013 Property Management and Submission 
plugin f ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3663 (The WP Scraper plugin for WordPress is vulnerable to 
unauthorized acce ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3611 (The Toolbar Extras for Elementor & More \u2013 WordPress Admin 
Bar Enh ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3519 (The Media Library Assistant plugin for WordPress is vulnerable 
to Refl ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3518 (The Media Library Assistant plugin for WordPress is vulnerable 
to SQL  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3198 (The WP Font Awesome Share Icons plugin for WordPress is 
vulnerable to  ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-3066 (The Elegant Addons for elementor plugin for WordPress is 
vulnerable to ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-35220 (@fastify/session is a session plugin for fastify. Requires the 
@fastif ...)
-   TODO: check
+   NOT-FOR-US: @fastify/session
 CVE-2024-35162 (Path traversal vulnerability exists in Download Plugins and 
Themes fro ...)
-   TODO: check
+   NOT-FOR-US: @fastify/session
 CVE-2024-32988 ('OfferBox' App for Android versions 2.0.0 to 2.3.17 and 
'OfferBox' App ...)
-   TODO: check
+   NOT-FOR-US: OffBox
 CVE-2024-31396 (Code injection vulnerability exists in a-blog cms Ver.3.1.x 
series ver ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-31395 (Cross-site scripting vulnerability exists in a-blog cms 
Ver.3.1.x seri ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-31394 (Directory traversal vulnerability exists in a-blog cms 
Ver.3.1.x serie ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-31340 (TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo 
versions prio ...)
-   TODO: check
+   NOT-FOR-US: TP-Link
 CVE-2024-30420 (Server-side request forgery (SSRF) vulnerability exists in 
a-blog cms  ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-30419 (Cross-site scripting vulnerability exists in a-blog cms 
Ver.3.1.x seri ...)
-   TODO: check
+   NOT-FOR-US: a-blog cms
 CVE-2024-2953 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to St ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2163 (The Ninja Beaver Add-ons for Beaver Builder plugin for 
WordPress is vu ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2119 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to Re ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-2088 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-21683 (This High severity RCE (Remote Code Execution) vulnerability 
was intro ...)
-   TODO: check
+   NOT-FOR-US: Atlassian
 CVE-2024-1762 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
-   TODO: check
+   NOT-FOR-US: WordPress plugin
 CVE-2024-1446 (The NextScri
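Review bot: two NOT-FOR-US labels in this hunk do not match the product named in the CVE description and should be corrected in a follow-up, since the NOT-FOR-US text is what later tracker searches key on. CVE-2024-35162 ("Path traversal vulnerability exists in Download Plugins and Themes fro ...") is marked "NOT-FOR-US: @fastify/session", which looks copied from the CVE-2024-35220 entry directly above it; the label should name the Download Plugins and Themes plugin instead (the neighbouring entries for WordPress plugins use "NOT-FOR-US: WordPress plugin"). CVE-2024-32988 describes the 'OfferBox' App for Android but is marked "NOT-FOR-US: OffBox"; it should read "NOT-FOR-US: OfferBox".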

[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 & CVE-2023-47855 in...

2024-05-22 Thread Chris Lamb (@lamby)


Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a0cd2a32 by Chris Lamb at 2024-05-22T09:12:31+01:00
Triage CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 & CVE-2023-47855 in 
intel-microcode for buster LTS.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -4499,24 +4499,28 @@ CVE-2023-47855 (Improper input validation in some 
Intel(R) TDX module software b
- intel-microcode 3.20240514.1
[bookworm] - intel-microcode  (Minor issue; can be fixed in 
point release)
[bullseye] - intel-microcode  (Minor issue; can be fixed in 
point release)
+   [buster] - intel-microcode  (Minor issue; can be fixed in 
next update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
 CVE-2023-45745 (Improper input validation in some Intel(R) TDX module software 
before  ...)
- intel-microcode 3.20240514.1
[bookworm] - intel-microcode  (Minor issue; can be fixed in 
point release)
[bullseye] - intel-microcode  (Minor issue; can be fixed in 
point release)
+   [buster] - intel-microcode  (Minor issue; can be fixed in 
next update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
 CVE-2023-46103 (Sequence of processor instructions leads to unexpected 
behavior in Int ...)
- intel-microcode 3.20240514.1
[bookworm] - intel-microcode  (Minor issue; can be fixed in 
point release)
[bullseye] - intel-microcode  (Minor issue; can be fixed in 
point release)
+   [buster] - intel-microcode  (Minor issue; can be fixed in 
next update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01052.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
 CVE-2023-45733 (Hardware logic contains race conditions in some Intel(R) 
Processors ma ...)
- intel-microcode 3.20240514.1
[bookworm] - intel-microcode  (Minor issue; can be fixed in 
point release)
[bullseye] - intel-microcode  (Minor issue; can be fixed in 
point release)
+   [buster] - intel-microcode  (Minor issue; can be fixed in 
next update)
NOTE: 
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html
NOTE: 
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514
 CVE-2024-5023 (Improper Neutralization of Special Elements used in a Command 
('Comman ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0cd2a32bc4f5d0de27aa95b531c8b3c237a76e9



[Git][security-tracker-team/security-tracker][master] automatic update

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
1876ffd6 by security tracker role at 2024-05-22T08:12:20+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -1,192 +1,268 @@
-CVE-2021-47473 [scsi: qla2xxx: Fix a memory leak in an error path of 
qla2x00_process_els()]
+CVE-2024-5190
+   REJECTED
+CVE-2024-5147 (The WPZOOM Addons for Elementor (Templates, Widgets) plugin for 
WordPr ...)
+   TODO: check
+CVE-2024-5092 (The Elegant Addons for elementor plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-5040 (There are multiple ways in  LCDS LAquis SCADA for an attacker 
to acces ...)
+   TODO: check
+CVE-2024-4980 (The WPKoi Templates for Elementor plugin for WordPress is 
vulnerable t ...)
+   TODO: check
+CVE-2024-4971 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress 
is vul ...)
+   TODO: check
+CVE-2024-4443 (The Business Directory Plugin \u2013 Easy Listing Directories 
for Word ...)
+   TODO: check
+CVE-2024-4157 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and 
Drag & D ...)
+   TODO: check
+CVE-2024-3927 (The Element Pack Elementor Addons (Header Footer, Template 
Library, Dy ...)
+   TODO: check
+CVE-2024-3671 (The Print-O-Matic plugin for WordPress is vulnerable to Stored 
Cross-S ...)
+   TODO: check
+CVE-2024-3666 (The Opal Estate Pro \u2013 Property Management and Submission 
plugin f ...)
+   TODO: check
+CVE-2024-3663 (The WP Scraper plugin for WordPress is vulnerable to 
unauthorized acce ...)
+   TODO: check
+CVE-2024-3611 (The Toolbar Extras for Elementor & More \u2013 WordPress Admin 
Bar Enh ...)
+   TODO: check
+CVE-2024-3519 (The Media Library Assistant plugin for WordPress is vulnerable 
to Refl ...)
+   TODO: check
+CVE-2024-3518 (The Media Library Assistant plugin for WordPress is vulnerable 
to SQL  ...)
+   TODO: check
+CVE-2024-3198 (The WP Font Awesome Share Icons plugin for WordPress is 
vulnerable to  ...)
+   TODO: check
+CVE-2024-3066 (The Elegant Addons for elementor plugin for WordPress is 
vulnerable to ...)
+   TODO: check
+CVE-2024-35220 (@fastify/session is a session plugin for fastify. Requires the 
@fastif ...)
+   TODO: check
+CVE-2024-35162 (Path traversal vulnerability exists in Download Plugins and 
Themes fro ...)
+   TODO: check
+CVE-2024-32988 ('OfferBox' App for Android versions 2.0.0 to 2.3.17 and 
'OfferBox' App ...)
+   TODO: check
+CVE-2024-31396 (Code injection vulnerability exists in a-blog cms Ver.3.1.x 
series ver ...)
+   TODO: check
+CVE-2024-31395 (Cross-site scripting vulnerability exists in a-blog cms 
Ver.3.1.x seri ...)
+   TODO: check
+CVE-2024-31394 (Directory traversal vulnerability exists in a-blog cms 
Ver.3.1.x serie ...)
+   TODO: check
+CVE-2024-31340 (TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo 
versions prio ...)
+   TODO: check
+CVE-2024-30420 (Server-side request forgery (SSRF) vulnerability exists in 
a-blog cms  ...)
+   TODO: check
+CVE-2024-30419 (Cross-site scripting vulnerability exists in a-blog cms 
Ver.3.1.x seri ...)
+   TODO: check
+CVE-2024-2953 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to St ...)
+   TODO: check
+CVE-2024-2163 (The Ninja Beaver Add-ons for Beaver Builder plugin for 
WordPress is vu ...)
+   TODO: check
+CVE-2024-2119 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to Re ...)
+   TODO: check
+CVE-2024-2088 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
+   TODO: check
+CVE-2024-21683 (This High severity RCE (Remote Code Execution) vulnerability 
was intro ...)
+   TODO: check
+CVE-2024-1762 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
+   TODO: check
+CVE-2024-1446 (The NextScripts: Social Networks Auto-Poster plugin for 
WordPress is v ...)
+   TODO: check
+CVE-2024-0632 (The Automatic Translator with Google Translate plugin for 
WordPress is ...)
+   TODO: check
+CVE-2024-0453 (The AI ChatBot plugin for WordPress is vulnerable to 
unauthorized modi ...)
+   TODO: check
+CVE-2024-0452 (The AI ChatBot plugin for WordPress is vulnerable to 
unauthorized modi ...)
+   TODO: check
+CVE-2024-0451 (The AI ChatBot plugin for WordPress is vulnerable to 
unauthorized acce ...)
+   TODO: check
+CVE-2023-6487 (The LuckyWP Table of Contents plugin for WordPress is 
vulnerable to St ...)
+   TODO: check
+CVE-2021-47473 (In the Linux kernel, the following vulnerability has been 
resolved:  s ...)
- linux 5.14.16-1
[bullseye] - linux 5.10.84-1
NOTE: 
https://git.kernel.org/linus/7fb223d0ad801f633c78cbe42b1d1b55f5d163ad (5.15-rc7)
-CVE-2021-47472 [net: mdiobus: Fix memory leak in __mdiobus_register]
+CVE-2

[Git][security-tracker-team/security-tracker][master] NFUs (concludes external check)

2024-05-22 Thread Moritz Muehlenhoff (@jmm)


Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
d7c6d543 by Moritz Muehlenhoff at 2024-05-22T09:48:47+02:00
NFUs (concludes external check)

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -2198,7 +2198,7 @@ CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab 
wax v.0.9-3 and before a
 CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been 
identified  ...)
TODO: check
 CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools 
json-schema-ref-parser v. ...)
-   TODO: check
+   NOT-FOR-US: Node json-schema-ref-parser
 CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a 
reflected c ...)
NOT-FOR-US: SolarWinds
 CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to 
authorization v ...)
@@ -4972,7 +4972,7 @@ CVE-2024-3749 (The SP Project & Document Manager 
WordPress plugin through 4.71 l
 CVE-2024-3748 (The SP Project & Document Manager WordPress plugin through 4.71 
is mis ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3744 (A security issue was discovered in azure-file-csi-driver where 
an acto ...)
-   TODO: check
+   NOT-FOR-US: azure-file-csi-driver
 CVE-2024-3634 (The month name translation benaceur WordPress plugin before 
2.3.8 does ...)
NOT-FOR-US: WordPress plugin
 CVE-2024-3631 (The HL Twitter WordPress plugin through 2014.1.18 does not have 
CSRF c ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7c6d5437cc84f9418dff32712882bf5280b331e



[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2024-3044/libreoffice

2024-05-22 Thread Salvatore Bonaccorso (@carnil)


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
85877b1d by Salvatore Bonaccorso at 2024-05-22T09:19:09+02:00
Add commit reference for CVE-2024-3044/libreoffice

- - - - -


1 changed file:

- data/CVE/list


Changes:

=
data/CVE/list
=
@@ -5045,6 +5045,7 @@ CVE-2024-3044 (Unchecked script execution in Graphic 
on-click binding in affecte
{DSA-5690-1}
- libreoffice 4:24.2.3~rc1-2
NOTE: 
https://www.libreoffice.org/about-us/security/advisories/cve-2024-3044/
+   NOTE: 
https://git.libreoffice.org/core/+/8b2402b16df185119c91222b33ff1b8d55e0afe4%5E%21
 CVE-2024-4871 (A vulnerability was found in Satellite. When running a remote 
executio ...)
NOT-FOR-US: Red Hat Satellite
 CVE-2024-4860 (The 'WordPress RSS Aggregator' WordPress Plugin, versions < 
4.23.9 are ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85877b1d0b35636800a4a7d5ba98671c3c694e71
