[Git][security-tracker-team/security-tracker][master] Add new gitlab issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e04de21 by Salvatore Bonaccorso at 2024-05-23T08:39:25+02:00 Add new gitlab issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,18 @@ +CVE-2024-1947 + - gitlab + NOTE: https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ +CVE-2023-6502 + - gitlab + NOTE: https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ +CVE-2023-7045 + - gitlab + NOTE: https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ +CVE-2024-2874 + - gitlab + NOTE: https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ +CVE-2024-4835 + - gitlab + NOTE: https://about.gitlab.com/releases/2024/05/22/patch-release-gitlab-17-0-1-released/ CVE-2024-5196 (A vulnerability classified as critical has been found in Arris VAP2500 ...) NOT-FOR-US: Arris VAP2500 CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been rated as ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e04de211693b610f329e2b47e1a9a5eddba1706 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e04de211693b610f329e2b47e1a9a5eddba1706 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: b19b64ea by Moritz Muehlenhoff at 2024-05-22T23:26:56+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -7625,6 +7625,8 @@ CVE-2024-33120 (Roothub v2.5 was discovered to contain an arbitrary file upload NOT-FOR-US: Roothub CVE-2024-32867 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.5-1 + [bookworm] - suricata (Minor issue) + [bullseye] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-xvrx-88mv-xcq5 NOTE: https://github.com/OISF/suricata/commit/2f39ba75f153ba9bdf8eedc2a839cc973dbaea66 (suricata-7.0.5) NOTE: https://github.com/OISF/suricata/commit/1e110d0a71db46571040b937e17a4bc9f91d6de9 (suricata-7.0.5) @@ -7637,11 +7639,15 @@ CVE-2024-32867 (Suricata is a network Intrusion Detection System, Intrusion Prev NOTE: https://redmine.openinfosecfoundation.org/issues/6677 CVE-2024-32664 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.5-1 + [bookworm] - suricata (Minor issue) + [bullseye] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-79vh-hpwq-3jh7 NOTE: https://github.com/OISF/suricata/commit/311002baf288a225f62cf18a90c5fdd294447379 (suricata-7.0.5) NOTE: https://github.com/OISF/suricata/commit/d5ffecf11ad2c6fe89265e518f5d7443caf26ba4 (suricata-6.0.19) CVE-2024-32663 (Suricata is a network Intrusion Detection System, Intrusion Prevention ...) - suricata 1:7.0.5-1 + [bookworm] - suricata (Minor issue) + [bullseye] - suricata (Minor issue) NOTE: https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r NOTE: https://github.com/OISF/suricata/commit/08d93f7c3762781b743f88f9fdc4389eb9c3eb64 (suricata-6.0.19) NOTE: https://github.com/OISF/suricata/commit/d24b37a103c04bb2667e449e080ba4c8e56bb019 (suricata-6.0.19) 
@@ -60244,6 +60250,7 @@ CVE-2023-40930 (An issue in the directory /system/bin/blkid of Skyworth v3.0 all CVE-2023-40619 (phpPgAdmin 7.14.4 and earlier is vulnerable to deserialization of untr ...) {DLA-3644-1} - phppgadmin 7.14.7+dfsg-1 (bug #1053004) + [bookworm] - phppgadmin (Package in stable is broken and will be removed) NOTE: https://github.com/phppgadmin/phppgadmin/issues/174 NOTE: https://github.com/hestiacp/phppgadmin/pull/4 CVE-2023-40618 (A reflected cross-site scripting (XSS) vulnerability in OpenKnowledgeM ...) @@ -367772,7 +367779,7 @@ CVE-2019-10785 (dojox is vulnerable to Cross-site Scripting in all versions befo NOTE: https://github.com/dojo/dojox/pull/315 CVE-2019-10784 (phppgadmin through 7.12.1 allows sensitive actions to be performed wit ...) - phppgadmin 7.14.7+dfsg-1 (bug #953945) - [bookworm] - phppgadmin (Minor issue) + [bookworm] - phppgadmin (Package in stable is broken and will be removed) [bullseye] - phppgadmin (Minor issue) [buster] - phppgadmin (Minor issue) [stretch] - phppgadmin (Minor issue) = data/dsa-needed.txt = @@ -47,8 +47,6 @@ php-horde-mime-viewer/oldstable -- php-horde-turba/oldstable -- -phppgadmin --- pillow (jmm) -- pymatgen/stable @@ -79,5 +77,7 @@ ruby-tzinfo/oldstable -- squid -- +tinyproxy (jmm) +-- zabbix -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b19b64ea0d11cd197069ae5064698348846af1dc
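Review bot: in the first data/CVE/list hunk, CVE-2024-32867 records only suricata-7.0.5 commits, whereas the CVE-2024-32664 and CVE-2024-32663 entries in the following hunk also cite a suricata-6.0.19 backport commit; if a 6.0.x commit exists for CVE-2024-32867 as well, recording it next to the new "[bullseye] - suricata (Minor issue)" line would make a later bullseye update easier to prepare.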
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ce7c83bd by Salvatore Bonaccorso at 2024-05-22T22:49:20+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -33,65 +33,65 @@ CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows attacker CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) NOT-FOR-US: WordPress plugin CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a remote atta ...) - TODO: check + NOT-FOR-US: Qlik Sense Enterprise for Windows CVE-2024-35627 (tileserver-gl up to v4.4.10 was discovered to contain a cross-site scr ...) TODO: check CVE-2024-35561 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35560 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35559 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35558 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35557 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35556 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-3 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35554 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35553 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35552 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35551 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) 
- TODO: check + NOT-FOR-US: idccms CVE-2024-35550 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) - TODO: check + NOT-FOR-US: idccms CVE-2024-35475 (A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Op ...) TODO: check CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.) TODO: check CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via ecshop/arti ...) - TODO: check + NOT-FOR-US: Ecshop CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV export.) - TODO: check + NOT-FOR-US: Ghost CMS CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software Corp SEG ...) - TODO: check + NOT-FOR-US: Insyde CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 ...) - TODO: check + NOT-FOR-US: Nicomsoft WinI2C/DDC CVE-2024-33226 (An issue in the component Access64.sys of Wistron Corporation TBT Forc ...) - TODO: check + NOT-FOR-US: Wistron Corporation TBT Force Power Control CVE-2024-33225 (An issue in the component RTKVHD64.sys of Realtek Semiconductor Corp R ...) - TODO: check + NOT-FOR-US: Realtek Semiconductor Corp Realtek High Definition Audio Function Driver CVE-2024-33224 (An issue in the component rtkio64.sys of Realtek Semiconductor Corp Re ...) - TODO: check + NOT-FOR-US: Realtek Semiconductor Corp Realtek lO Driver CVE-2024-33223 (An issue in the component IOMap64.sys of ASUSTeK Computer Inc ASUS GPU ...) - TODO: check + NOT-FOR-US: ASUSTeK CVE-2024-33222 (An issue in the component ATSZIO64.sys of ASUSTeK Computer Inc ASUS AT ...) - TODO: check + NOT-FOR-US: ASUSTeK CVE-2024-33221 (An issue in the component AsusBSItf.sys of ASUSTeK Computer Inc ASUS B ...) - TODO: check + NOT-FOR-US: ASUSTeK CVE-2024-33220 (An issue in the component AslO3_64.sys of ASUSTeK Computer Inc AISuite ...) 
- TODO: check + NOT-FOR-US: ASUSTeK CVE-2024-33219 (An issue in the component AsIO64.sys of ASUSTeK Computer Inc ASUS SABE ...) - TODO: check + NOT-FOR-US: ASUSTeK CVE-2024-33218 (An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc ASUS US ...) - TODO: check + NOT-FOR-US: ASUSTeK CVE-2024-31904 (IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 thr ...) NO
[Git][security-tracker-team/security-tracker][master] 2 commits: Revert "Reference fix for CVE-2024-4068/node-braces"
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92ff20ed by Salvatore Bonaccorso at 2024-05-22T22:40:14+02:00 Revert "Reference fix for CVE-2024-4068/node-braces" This reverts commit ceeb6abf3bc08c2c81e86de151967575d3014f5a. For now revert this reference. It is not fully clear following upstream issue #35. - - - - - 28e43f48 by Salvatore Bonaccorso at 2024-05-22T22:44:35+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,37 +1,37 @@ CVE-2024-5196 (A vulnerability classified as critical has been found in Arris VAP2500 ...) - TODO: check + NOT-FOR-US: Arris VAP2500 CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been rated as ...) - TODO: check + NOT-FOR-US: Arris VAP2500 CVE-2024-5194 (A vulnerability was found in Arris VAP2500 08.50. It has been declared ...) - TODO: check + NOT-FOR-US: Arris VAP2500 CVE-2024-5193 (A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been ...) - TODO: check + NOT-FOR-US: Ritlabs TinyWeb Server CVE-2024-5166 (An Insecure Direct Object Reference in Google Cloud's Looker allowed m ...) TODO: check CVE-2024-5031 (The Memberpress plugin for WordPress is vulnerable to Blind Server-Sid ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5025 (The Memberpress plugin for WordPress is vulnerable to Stored Cross-Sit ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4896 (The WPB Elementor Addons plugin for WordPress is vulnerable to Stored ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4563 (The Progress MOVEit Automation configuration export function prior to ...) - TODO: check + NOT-FOR-US: Progress MOVEit CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local Privilege ...) - TODO: check + NOT-FOR-US: WithSecure Elements Endpoint Protection CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution ...) TODO: check CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to St ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the parisneo/lol ...) - TODO: check + NOT-FOR-US: parisneo/lollms-webui CVE-2024-4262 (The Piotnet Addons For Elementor plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4261 (The Responsive Contact Form Builder & Lead Generation Plugin plugin fo ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to ...) - TODO: check + NOT-FOR-US: lunary-ai/lunary CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is vulnerable ...) TODO: check CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a remote atta ...) @@ -6062,7 +6062,6 @@ CVE-2024-4068 (The NPM package `braces`, versions prior to 3.0.3, fails to limit [bullseye] - node-braces (Minor issue) [buster] - node-braces (Minor issue) NOTE: https://github.com/micromatch/braces/issues/35 - NOTE: Fixed by: https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3 (3.0.3) CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular Expression Denia ...) - node-micromatch (bug #1071631) [bookworm] - node-micromatch (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/c3cd6eea96a9394cdebf3d0676b09441fb9b757b...28e43f48d5033bc8741d5dc9fe7e923925be27b4
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c3cd6eea by Salvatore Bonaccorso at 2024-05-22T22:30:19+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -93,13 +93,13 @@ CVE-2024-33219 (An issue in the component AsIO64.sys of ASUSTeK Computer Inc ASU CVE-2024-33218 (An issue in the component AsUpIO64.sys of ASUSTeK Computer Inc ASUS US ...) TODO: check CVE-2024-31904 (IBM App Connect Enterprise 11.0.0.1 through 11.0.0.25 and 12.0.1.0 thr ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-31895 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an a ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-31894 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an a ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-31893 (IBM App Connect Enterprise 12.0.1.0 through 12.0.12.1 could allow an a ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-31617 (OpenLiteSpeed before 1.8.1 mishandles chunked encoding.) TODO: check CVE-2024-2036 (The ApplyOnline \u2013 Application Form Builder and Manager plugin for ...) 
@@ -109,7 +109,7 @@ CVE-2024-29421 (xmedcon 0.23.0 and fixed in v.0.24.0 is vulnerable to Buffer Ove CVE-2024-29392 (Silverpeas Core 6.3 is vulnerable to Cross Site Scripting (XSS) via Cl ...) TODO: check CVE-2024-27264 (IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 could allow a local ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-25738 (A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/Fix ...) TODO: check CVE-2024-25737 (A Server-Side Request Forgery (SSRF) vulnerability in the /Cover/Show ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c3cd6eea96a9394cdebf3d0676b09441fb9b757b
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-4642
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 753ce9f1 by Salvatore Bonaccorso at 2024-05-22T22:26:31+02:00 Remove notes from CVE-2024-4642 CVE got rejected by the assigning CNA (but without specific reason mentioned). - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4917,7 +4917,6 @@ CVE-2024-4733 (The ShiftController Employee Shift Scheduling plugin is vulnerabl NOT-FOR-US: WordPress plugin CVE-2024-4642 REJECTED - NOT-FOR-US: wandb CVE-2024-4635 (The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stor ...) NOT-FOR-US: WordPress plugin CVE-2024-4634 (The Elementor Header & Footer Builder plugin for WordPress is vulnerab ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/753ce9f1aa7db7499b940476bf6e37b20cdbd0e5
[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2024-4068/node-braces
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ceeb6abf by Salvatore Bonaccorso at 2024-05-22T22:24:10+02:00 Reference fix for CVE-2024-4068/node-braces Note this is in upstream 3.0.3. Checking 3.0.3+~3.0.4-1 though the code is not included. What is 3.0.3+~3.0.4 referring to? This needs double-checking to see if the issue was fixed in the last upload to unstable. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -6063,6 +6063,7 @@ CVE-2024-4068 (The NPM package `braces`, versions prior to 3.0.3, fails to limit [bullseye] - node-braces (Minor issue) [buster] - node-braces (Minor issue) NOTE: https://github.com/micromatch/braces/issues/35 + NOTE: Fixed by: https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3 (3.0.3) CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular Expression Denia ...) - node-micromatch (bug #1071631) [bookworm] - node-micromatch (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ceeb6abf3bc08c2c81e86de151967575d3014f5a
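Review bot: the hunk records "NOTE: Fixed by: https://github.com/micromatch/braces/commit/9f5b4cf47329351bcb64287223ffb6ecc9a5e6d3 (3.0.3)" as a settled fact, while the commit message itself says the fix code is not included in 3.0.3+~3.0.4-1 and still needs double-checking; either hold the Fixed-by reference until the Debian upload has been verified, or word the NOTE as unconfirmed, so that the bookworm/bullseye/buster Minor-issue triage above it is not read as resting on a known fix.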
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3dd5fc42 by security tracker role at 2024-05-22T20:12:09+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,4 +1,138 @@ -CVE-2024-36010 [igb: Fix string truncation warnings in igb_set_fw_version] +CVE-2024-5196 (A vulnerability classified as critical has been found in Arris VAP2500 ...) + TODO: check +CVE-2024-5195 (A vulnerability was found in Arris VAP2500 08.50. It has been rated as ...) + TODO: check +CVE-2024-5194 (A vulnerability was found in Arris VAP2500 08.50. It has been declared ...) + TODO: check +CVE-2024-5193 (A vulnerability was found in Ritlabs TinyWeb Server 1.94. It has been ...) + TODO: check +CVE-2024-5166 (An Insecure Direct Object Reference in Google Cloud's Looker allowed m ...) + TODO: check +CVE-2024-5031 (The Memberpress plugin for WordPress is vulnerable to Blind Server-Sid ...) + TODO: check +CVE-2024-5025 (The Memberpress plugin for WordPress is vulnerable to Stored Cross-Sit ...) + TODO: check +CVE-2024-4896 (The WPB Elementor Addons plugin for WordPress is vulnerable to Stored ...) + TODO: check +CVE-2024-4563 (The Progress MOVEit Automation configuration export function prior to ...) + TODO: check +CVE-2024-4454 (WithSecure Elements Endpoint Protection Link Following Local Privilege ...) + TODO: check +CVE-2024-4453 (GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution ...) + TODO: check +CVE-2024-4362 (The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to St ...) + TODO: check +CVE-2024-4267 (A remote code execution (RCE) vulnerability exists in the parisneo/lol ...) + TODO: check +CVE-2024-4262 (The Piotnet Addons For Elementor plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2024-4261 (The Responsive Contact Form Builder & Lead Generation Plugin plugin fo ...) + TODO: check +CVE-2024-4153 (A vulnerability in lunary-ai/lunary version 1.2.2 allows attackers to ...) + TODO: check +CVE-2024-3926 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) + TODO: check +CVE-2024-3495 (The Country State City Dropdown CF7 plugin for WordPress is vulnerable ...) 
+ TODO: check +CVE-2024-36077 (Qlik Sense Enterprise for Windows before 14.187.4 allows a remote atta ...) + TODO: check +CVE-2024-35627 (tileserver-gl up to v4.4.10 was discovered to contain a cross-site scr ...) + TODO: check +CVE-2024-35561 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35560 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35559 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35558 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35557 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35556 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-3 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35554 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35553 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35552 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35551 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35550 (idccms v1.35 was discovered to contain a Cross-Site Request Forgery (C ...) + TODO: check +CVE-2024-35475 (A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Op ...) + TODO: check +CVE-2024-35409 (WeBid 1.1.2 is vulnerable to SQL Injection via admin/tax.php.) + TODO: check +CVE-2024-35362 (Ecshop 3.6 is vulnerable to Cross Site Scripting (XSS) via ecshop/arti ...) + TODO: check +CVE-2024-34448 (Ghost before 5.82.0 allows CSV Injection during a member CSV export.) 
+ TODO: check +CVE-2024-33228 (An issue in the component segwindrvx64.sys of Insyde Software Corp SEG ...) + TODO: check +CVE-2024-33227 (An issue in the component ddcdrv.sys of Nicomsoft WinI2C/DDC v3.7.4.0 ...) + TODO: check +CVE-2024-33226 (An issue in the component Access64.sys of Wistron Corporation TBT Forc ...) + TODO: check +CVE-2024-33225 (An issue in the component RTKVHD64.sys of Realtek Semiconductor Corp R ...) + TODO: check +CVE-2024-33224 (An issue in the component rtkio64
[Git][security-tracker-team/security-tracker][master] redmine commit refs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b9feb2a by Moritz Muehlenhoff at 2024-05-22T19:54:58+02:00 redmine commit refs - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -52110,12 +52110,15 @@ CVE-2017-20187 (** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Mag CVE-2023-47260 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS via thumbnails ...) - redmine (bug #1055474) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories + NOTE: https://github.com/redmine/redmine/commit/15d0ea8c596f306131de2bd7edd1ae28ff122103 (5.0-stable) CVE-2023-47259 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in the Textile ...) - redmine (bug #1055474) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories + NOTE: https://github.com/redmine/redmine/commit/ea4bf1eba4b680159a873aa468364826f4d13385 (5.0-stable) CVE-2023-47258 (Redmine before 4.2.11 and 5.0.x before 5.0.6 allows XSS in a Markdown ...) - redmine (bug #1055474) NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories + NOTE: https://github.com/redmine/redmine/commit/03bcf782463c9b84c6fe53b17cb1b781df6d8771 (5.0-stable) CVE-2023-47249 (In International Color Consortium DemoIccMAX 79ecb74, a CIccXmlArrayTy ...) NOT-FOR-US: International Color Consortium DemoIccMAX CVE-2023-46981 (SQL injection vulnerability in Novel-Plus v.4.2.0 allows a remote atta ...) = data/dsa-needed.txt = 
@@ -57,7 +57,7 @@ python-asyncssh -- python-pymysql -- -redmine/stable +redmine/stable (jmm) -- ring/oldstable might make sense to rebase to current version View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b9feb2adf04ec53a14af19e652124be8e6045b5
[Git][security-tracker-team/security-tracker][master] chromium dsa
Andres Salomon pushed to branch master at Debian Security Tracker / security-tracker Commits: c0373deb by Andres Salomon at 2024-05-22T12:24:09-04:00 chromium dsa - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,6 @@ +[22 May 2024] DSA-5696-1 chromium - security update + {CVE-2024-5157 CVE-2024-5158 CVE-2024-5159 CVE-2024-5160} + [bookworm] - chromium 125.0.6422.76-1~deb12u1 [22 May 2024] DSA-5695-1 webkit2gtk - security update {CVE-2024-27834} [bullseye] - webkit2gtk 2.44.2-1~deb11u1 = data/dsa-needed.txt = @@ -14,8 +14,6 @@ If needed, specify the release by adding a slash after the name of the source pa -- cacti -- -chromium (dilinger) --- dnsdist (jmm) -- dnsmasq View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c0373deb6669f118f726e8039d3a83e489ff8350
[Git][security-tracker-team/security-tracker][master] bugnums
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d0e106d4 by Moritz Muehlenhoff at 2024-05-22T17:23:03+02:00 bugnums - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -447,7 +447,7 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video Galler CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the s ...) NOT-FOR-US: WinRAR CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON ...) - - python-pymysql + - python-pymysql (bug #1071628) NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp NOTE: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1) CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) @@ -4869,8 +4869,8 @@ CVE-2024-35184 (Paperless-ngx is a document management system that transforms ph CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git authenti ...) TODO: check CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a den ...) - - ruby3.2 - - ruby3.1 + - ruby3.2 (bug #1071627) + - ruby3.1 (bug #1071626) [bookworm] - ruby3.1 (Minor issue) - ruby2.7 - ruby2.5 
@@ -5919,13 +5919,13 @@ CVE-2024-4813 (A vulnerability classified as critical has been found in Ruijie R CVE-2024-4747 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: WordPress plugin CVE-2024-4068 (The NPM package `braces` fails to limit the number of characters it ca ...) - - node-braces + - node-braces (bug #1071632) [bookworm] - node-braces (Minor issue) [bullseye] - node-braces (Minor issue) [buster] - node-braces (Minor issue) NOTE: https://github.com/micromatch/braces/issues/35 CVE-2024-4067 (The NPM package `micromatch` is vulnerable to Regular Expression Denia ...) - - node-micromatch + - node-micromatch (bug #1071631) [bookworm] - node-micromatch (Minor issue) [bullseye] - node-micromatch (Minor issue) [buster] - node-micromatch (Minor issue) @@ -7146,7 +7146,7 @@ CVE-2024-34257 (TOTOLINK EX1800T V9.1.0cu.2112_B20220316 has a vulnerability in CVE-2024-34255 (jizhicms v2.5.1 contains a Cross-Site Scripting(XSS) vulnerability in ...) NOT-FOR-US: jizhicms CVE-2024-34244 (libmodbus v3.1.10 is vulnerable to Buffer Overflow via the modbus_writ ...) - - libmodbus + - libmodbus (bug #1071633) [bookworm] - libmodbus (Minor issue) [bullseye] - libmodbus (Minor issue) [buster] - libmodbus (Minor issue; out-of-bounds read, DoS) 
@@ -8048,7 +8048,7 @@ CVE-2024-4492 (A vulnerability, which was classified as critical, has been found CVE-2024-4491 (A vulnerability classified as critical was found in Tenda i21 1.0.0.14 ...) NOT-FOR-US: Tenda CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting facilities make u ...) - - maxima + - maxima (bug #1071630) [bookworm] - maxima (Minor issue) [bullseye] - maxima (Minor issue) [buster] - maxima (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d0e106d41947da7c67df7bbf0fd5f85c734f459c
[Git][security-tracker-team/security-tracker][master] maxima commit reference
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: afab11fd by Moritz Muehlenhoff at 2024-05-22T17:17:52+02:00 maxima commit reference - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8053,6 +8053,7 @@ CVE-2024-34490 (In Maxima through 5.47.0 before 51704c, the plotting facilities [bullseye] - maxima (Minor issue) [buster] - maxima (Minor issue) NOTE: https://sourceforge.net/p/maxima/bugs/3755/ + NOTE: https://sourceforge.net/p/maxima/code/ci/51704ccb090f6f971b641e4e0b7c1c22c4828bf7/ CVE-2024-34489 (OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause ...) NOT-FOR-US: Faucet SDN Ryu CVE-2024-34488 (OFPMultipartReply in parser.py in Faucet SDN Ryu 4.34 allows attackers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/afab11fdeeb79805bc75a7eda8c470e3d83540c2
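Review bot: the new NOTE for CVE-2024-34490 gives the upstream fix commit without the release marker that other fix-commit NOTEs in this file carry (e.g. `(v2.32.0)` on the requests entry, `(6.8-rc5)` on the linux entry); add the first Maxima release containing 51704ccb once one is tagged, so the entry can be matched against the packaged version.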
[Git][security-tracker-team/security-tracker][master] bookworm/bullseye triage
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: a5e371d0 by Moritz Muehlenhoff at 2024-05-22T16:57:21+02:00 bookworm/bullseye triage - - - - - 2 changed files: - data/CVE/list - data/dsa-needed.txt Changes: = data/CVE/list = @@ -2335,6 +2335,8 @@ CVE-2024-3155 (The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post NOT-FOR-US: WordPress plugin CVE-2024-35195 (Requests is a HTTP library. Prior to 2.32.0, when making requests thro ...) - requests (bug #1071593) + [bookworm] - requests (Minor issue) + [bullseye] - requests (Minor issue) NOTE: https://github.com/psf/requests/security/advisories/GHSA-9wx4-h78v-vm56 NOTE: https://github.com/psf/requests/pull/6655 NOTE: https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356 (v2.32.0) @@ -4493,6 +4495,8 @@ CVE-2023-47282 (Out-of-bounds write in Intel(R) Media SDK all versions and some NOT-FOR-US: Intel CVE-2023-47210 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...) - firmware-nonfree + [bookworm] - firmware-nonfree (Minor issue) + [bullseye] - firmware-nonfree (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html TODO: check, likely fixed in 20240513 tag update CVE-2023-47169 (Improper buffer restrictions in Intel(R) Media SDK software all versio ...) @@ -4577,6 +4581,8 @@ CVE-2023-38420 (Improper conditions check in Intel(R) Power Gadget software for NOT-FOR-US: Intel CVE-2023-38417 (Improper input validation for some Intel(R) PROSet/Wireless WiFi softw ...) - firmware-nonfree + [bookworm] - firmware-nonfree (Minor issue) + [bullseye] - firmware-nonfree (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01039.html TODO: check, likely fixed in 20240513 tag update CVE-2023-38399 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) 
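Review bot: both firmware-nonfree hunks (CVE-2023-47210 and CVE-2023-38417) now mark bookworm and bullseye as Minor issue while the unstable line is still a bare `- firmware-nonfree` next to `TODO: check, likely fixed in 20240513 tag update`; once the 20240513 check is done, the fixed version belongs on the unstable line and the TODO should become a NOTE, otherwise the stable annotations sit on an entry whose unstable status is unknown.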
@@ -4865,6 +4871,7 @@ CVE-2024-35183 (wolfictl is a command line tool for working with Wolfi. A git au CVE-2024-35176 (REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a den ...) - ruby3.2 - ruby3.1 + [bookworm] - ruby3.1 (Minor issue) - ruby2.7 - ruby2.5 NOTE: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh 
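Review bot: the REXML hunk for CVE-2024-35176 adds `[bookworm] - ruby3.1 (Minor issue)` but leaves `- ruby2.7` and `- ruby2.5` without any release annotation, although the commit is titled bookworm/bullseye triage and bullseye's interpreter is ruby2.7; either add a matching `[bullseye] - ruby2.7 (...)` line or record why bullseye is left untriaged.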
@@ -5743,22 +5750,24 @@ CVE-2024-4764 (Multiple WebRTC threads could have claimed a newly connected audi - firefox 126.0-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-21/#CVE-2024-4764 CVE-2024-4855 (Use after free issue in editcap could cause denial of service via craf ...) - - wireshark 4.2.5-1 - [buster] - wireshark (can be piggyback'd with the next update) + - wireshark 4.2.5-1 (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://www.wireshark.org/security/wnpa-sec-2024-09.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19782 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19783 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19784 CVE-2024-4854 (MONGO and ZigBee TLV dissector infinite loops in Wireshark 4.2.0 to 4. ...) - wireshark 4.2.5-1 + [bookworm] - wireshark (Minor issue) + [bullseye] - wireshark (Minor issue) [buster] - wireshark (can be piggyback'd with the next update) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-07.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19726 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15047 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/15499 CVE-2024-4853 (Memory handling issue in editcap could cause denial of service via cra ...) - - wireshark 4.2.5-1 - [buster] - wireshark (can be piggyback'd with the next update) + - wireshark 4.2.5-1 (unimportant) + NOTE: Crash in CLI tool, no security impact NOTE: https://www.wireshark.org/security/wnpa-sec-2024-08.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19724 CVE-2024-4840 (An flaw was found in the OpenStack Platform (RHOSP) director, a toolse ...) 
@@ -6081,7 +6090,10 @@ CVE-2024-28866 (GoCD is a continuous delivery server. GoCD versions from 19.4.0 NOT-FOR-US: GoCD CVE-2024-28285 (A Fault Injection vulnerability in the SymmetricDecrypt function in cr ...) - libcrypto++ - TODO: check details + [bookworm] - libcrypto++ (Minor issue) + [bullseye] - libcrypto++ (Minor issue) + NOTE: https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1 + NOTE: https://github.com/weidai11/cryptopp/issues/1262 CVE-2024-28279 (Co
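Review bot: the first NOTE for CVE-2024-28285 points at `https://groups.google.com/g/cryptopp-users/c/UkVcH2IWR2M?pli=1`; the `?pli=1` suffix is a Google session parameter rather than part of the thread address and should be dropped so the reference stays stable. Also, the unstable line remains a bare `- libcrypto++` with no fixed version while bookworm and bullseye are now tagged Minor issue; if upstream issue 1262 has no fix yet, a NOTE saying so would make clear that Minor issue is a severity judgement and not a pending backport.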
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-36010/linux
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 56d06d90 by Salvatore Bonaccorso at 2024-05-22T16:15:50+02:00 Add CVE-2024-36010/linux - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-36010 [igb: Fix string truncation warnings in igb_set_fw_version] + - linux 6.8.9-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/c56d055893cbe97848611855d1c97d0ab171eccc (6.8-rc5) CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes] - roundcube 1.6.7+dfsg-1 (bug #1071474) NOTE: https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/56d06d909d0f477fed3534b2df72e836f1e37652
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2023-52830
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3bccdeab by Salvatore Bonaccorso at 2024-05-22T16:06:15+02:00 Remove notes from CVE-2023-52830 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -811,12 +811,8 @@ CVE-2023-52831 (In the Linux kernel, the following vulnerability has been resolv - linux 6.6.8-1 [bookworm] - linux 6.1.64-1 NOTE: https://git.kernel.org/linus/38685e2a0476127db766f81b1c06019ddc4c9ffa (6.7-rc1) -CVE-2023-52830 (In the Linux kernel, the following vulnerability has been resolved: B ...) - - linux 6.6.8-1 - [bookworm] - linux 6.1.64-1 - [bullseye] - linux 5.10.205-1 - [buster] - linux 4.19.304-1 - NOTE: https://git.kernel.org/linus/a85fb91e3d728bdfc80833167e8162cce8bc7004 (6.7-rc1) +CVE-2023-52830 + REJECTED CVE-2023-52829 (In the Linux kernel, the following vulnerability has been resolved: w ...) - linux 6.6.8-1 NOTE: https://git.kernel.org/linus/b302dce3d9edea5b93d1902a541684a967f3c63c (6.7-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3bccdeabf87ca182b40fc0934c5fc412e667dbf2
[Git][security-tracker-team/security-tracker][master] Add two temporary entries for roundcube
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 3ab8509b by Salvatore Bonaccorso at 2024-05-22T13:59:07+02:00 Add two temporary entries for roundcube I excluded the Windows-only one. If CVEs are assigned for all three, we can then track the last one as well. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling SVG animate attributes] + - roundcube 1.6.7+dfsg-1 (bug #1071474) + NOTE: https://github.com/roundcube/roundcubemail/commit/ba252dc5e2946506cb8d0b50b2b7bf95ab51876f +CVE-2024- [Fix cross-site scripting (XSS) vulnerability in handling list columns from user preferences] + - roundcube 1.6.7+dfsg-1 (bug #1071474) + NOTE: https://github.com/roundcube/roundcubemail/commit/9ca8aa6680c579132e0d1fa59447df8d524ec91c CVE-2021-47498 [dm rq: don't queue request to blk-mq during DM suspend] - linux 5.14.16-1 NOTE: https://git.kernel.org/linus/b4459b11e84092658fa195a2587aff3b9637f0e7 (5.15-rc6) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/3ab8509bb8e129d120a84dca6d97d7f21c390fb7
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 1d96f0d5 by Moritz Muehlenhoff at 2024-05-22T13:27:12+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -433,7 +433,7 @@ CVE-2024-3345 (The ShopLentor plugin for WordPress is vulnerable to Stored Cross CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video Gallery Plu ...) NOT-FOR-US: WordPress plugin CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the s ...) - TODO: check + NOT-FOR-US: WinRAR CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON ...) - python-pymysql NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp @@ -2390,7 +2390,7 @@ CVE-2024-34193 (smanga 3.2.7 does not filter the file parameter at the PHP/get f CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before allows ...) NOT-FOR-US: Waxlab wax CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been identified ...) - TODO: check + NOT-FOR-US: ArcSight Enterprise Security Manager CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v. ...) NOT-FOR-US: Node json-schema-ref-parser CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a reflected c ...) 
@@ -2398,9 +2398,9 @@ CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a refle CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to authorization v ...) NOT-FOR-US: Zoho ManageEngine CVE-2024-24294 (A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 a ...) - TODO: check + NOT-FOR-US: @blackprint/engine CVE-2024-24293 (A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 all ...) - TODO: check + NOT-FOR-US: @bit/loader CVE-2024-1968 (In scrapy/scrapy, an issue was identified where the Authorization head ...) - python-scrapy 2.11.2-1 NOTE: https://huntr.com/bounties/27f6a021-a891-446a-ada5-0226d619dd1a @@ -2812,7 +2812,7 @@ CVE-2024-36078 (In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installe CVE-2024-36076 (Cross-Site WebSocket Hijacking in SysReptor from version 2024.28 to ve ...) NOT-FOR-US: Syslifters SysReptor CVE-2024-36070 (tine before 2023.11.8, when an LDAP backend is used, allows anonymous ...) - TODO: check + NOT-FOR-US: Tine groupware CVE-2024-36053 (In the mintupload package through 4.2.0 for Linux Mint, service-name m ...) NOT-FOR-US: mintupload CVE-2024-35947 (In the Linux kernel, the following vulnerability has been resolved: d ...) @@ -3322,7 +3322,7 @@ CVE-2024-23556 (SSL/TLS Renegotiation functionality potentially leading to DoS a CVE-2024-23554 (Cross-Site Request Forgery (CSRF) on Session Token vulnerability that ...) NOT-FOR-US: HCL CVE-2023-52424 (The IEEE 802.11 standard sometimes enables an adversary to trick a vic ...) - TODO: check + NOT-FOR-US: IEEE 802.11 standard CVE-2024-5072 (Improper input validation in PAM JIT elevation feature in Devolutions ...) NOT-FOR-US: Devolutions Server CVE-2024-5066 (A vulnerability classified as critical was found in PHPGurukul Online ...) 
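Review bot: `NOT-FOR-US: IEEE 802.11 standard` for CVE-2023-52424 tags a specification-level issue as software not shipped in Debian, but the description says the standard itself enables the attack, so any wireless implementation packaged in Debian could be in scope; a NOTE recording why no Debian package is considered affected would stop this entry from being re-triaged.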
@@ -3810,7 +3810,7 @@ CVE-2024-34370 (Improper Privilege Management vulnerability in WPFactory EAN for CVE-2024-34241 (A cross-site scripting (XSS) vulnerability in Rocketsoft Rocket LMS 1. ...) NOT-FOR-US: Rocketsoft Rocket LMS CVE-2024-34058 (The WebTop package for NethServer 7 and 8 allows stored XSS (for examp ...) - TODO: check + NOT-FOR-US: WebTop package for NethServer CVE-2024-33917 (Authentication Bypass by Spoofing vulnerability in webtechideas WTI Li ...) NOT-FOR-US: WordPress plugin CVE-2024-33644 (Improper Control of Generation of Code ('Code Injection') vulnerabilit ...) @@ -4556,7 +4556,7 @@ CVE-2023-40071 (Improper access control in some Intel(R) GPA software installers CVE-2023-40070 (Improper access control in some Intel(R) Power Gadget software for mac ...) NOT-FOR-US: Intel CVE-2023-39929 (Uncontrolled search path in some Libva software maintained by Intel(R) ...) - TODO: check + NOT-FOR-US: Intel CVE-2023-39433 (Improper access control for some Intel(R) CST software before version ...) NOT-FOR-US: Intel CVE-2023-39163 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) @@ -4564,49 +4564,49 @@ CVE-2023-39163 (Improper Limitation of a Pathname to a Restricted Directory ('Pa CVE-2023-38654 (Improper input validation for some some Intel(R) PROSet/Wireless WiFi ...) TODO: check CVE-2023-38581 (Buffer overflow in Intel(R) Power Gadget software for Windows all vers ...) - TODO: check +
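Review bot: CVE-2023-39929 is described as an uncontrolled search path in Libva software maintained by Intel and is closed as `NOT-FOR-US: Intel`; libva itself is packaged in Debian, so add a NOTE stating that the affected component is Intel's own installer rather than libva as packaged (if that is what the advisory covers), otherwise the NOT-FOR-US reads as a mistriage of a Debian package.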
[Git][security-tracker-team/security-tracker][master] Track chromium fixes via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e25cc9c2 by Salvatore Bonaccorso at 2024-05-22T12:36:07+02:00 Track chromium fixes via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -387,19 +387,19 @@ CVE-2024-5148 - gnome-remote-desktop (Vulnerable code only in 46 series) NOTE: https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/issues/196 CVE-2024-5160 - - chromium + - chromium 125.0.6422.76-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-5159 - - chromium + - chromium 125.0.6422.76-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-5158 - - chromium + - chromium 125.0.6422.76-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-5157 - - chromium + - chromium 125.0.6422.76-1 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-4988 (The mobile application (com.transsion.videocallenhancer) interface has ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e25cc9c2391b5c20f244b74f68048ec68408d0eb
[Git][security-tracker-team/security-tracker][master] new python-pymysql issue
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 96c8f1ae by Moritz Muehlenhoff at 2024-05-22T12:31:00+02:00 new python-pymysql issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -435,7 +435,9 @@ CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video Galler CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the s ...) TODO: check CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON ...) - TODO: check + - python-pymysql + NOTE: https://github.com/advisories/GHSA-v9hf-5j83-6xpp + NOTE: https://github.com/PyMySQL/PyMySQL/commit/521e40050cb386a499f68f483fefd144c493053c (v1.1.1) CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) NOT-FOR-US: Cesenta MJS CVE-2024-35385 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/96c8f1aeef079f3787562ae0786b19a535ff260b
[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ecfc3181 by Salvatore Bonaccorso at 2024-05-22T10:59:02+02:00 Merge Linux CVEs from kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,119 @@ +CVE-2021-47498 [dm rq: don't queue request to blk-mq during DM suspend] + - linux 5.14.16-1 + NOTE: https://git.kernel.org/linus/b4459b11e84092658fa195a2587aff3b9637f0e7 (5.15-rc6) +CVE-2021-47497 [nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells] + - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux 4.19.232-1 + NOTE: https://git.kernel.org/linus/5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 (5.15-rc6) +CVE-2021-47496 [net/tls: Fix flipped sign in tls_err_abort() calls] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + NOTE: https://git.kernel.org/linus/da353fac65fede6b8b4cfe207f0d9408e3121105 (5.15) +CVE-2021-47495 [usbnet: sanity check for maxpacket] + - linux 5.14.16-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux 4.19.232-1 + NOTE: https://git.kernel.org/linus/397430b50a363d8b7bdda00522123f82df6adc5e (5.15-rc7) +CVE-2021-47494 [cfg80211: fix management registrations locking] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/09b1d5dc6ce1c9151777f6c4e128a59457704c97 (5.15) +CVE-2021-47493 [ocfs2: fix race between searching chunks and release journal_head from buffer_head] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + NOTE: https://git.kernel.org/linus/6f1b228529ae49b0f85ab89bcdb6c365df401558 (5.15) +CVE-2021-47492 [mm, thp: bail out early in collapse_file for writeback page] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/74c42e1baacf206338b1dd6b6199ac964512b5bb (5.15) +CVE-2021-47491 [mm: khugepaged: skip huge page collapse for special files] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/a4aeaa06d45e90f9b279f0b09de84bd6e733 (5.15) +CVE-2021-47490 [drm/ttm: fix memleak in ttm_transfered_destroy] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + NOTE: 
https://git.kernel.org/linus/0db55f9a1bafbe3dac750ea669de9134922389b5 (5.15) +CVE-2021-47489 [drm/amdgpu: Fix even more out of bound writes from debugfs] + - linux 5.15.3-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/3f4e54bd312d3dafb59daf2b97ffa08abebe60f5 (5.15) +CVE-2021-47488 [cgroup: Fix memory leak caused by missing cgroup_bpf_offline] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/04f8ef5643bcd8bcde25dfdebef998aea480b2ba (5.15) +CVE-2021-47487 [drm/amdgpu: fix out of bounds write] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + NOTE: https://git.kernel.org/linus/5afa7898ab7a0ec9c28556a91df714bf3c2f725e (5.15) +CVE-2021-47486 [riscv, bpf: Fix potential NULL dereference] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/27de809a3d83a6199664479ebb19712533d6fd9b (5.15) +CVE-2021-47485 [IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux 4.19.232-1 + NOTE: https://git.kernel.org/linus/d39bf40e55e666b5905fdbd46a0dced030ce87be (5.15) +CVE-2021-47484 [octeontx2-af: Fix possible null pointer dereference.] 
+ - linux 5.15.3-1 + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/c2d4c543f74c90f883e8ec62a31973ae8807d354 (5.15) +CVE-2021-47483 [regmap: Fix possible double-free in regcache_rbtree_exit()] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux 4.19.232-1 + NOTE: https://git.kernel.org/linus/55e6d8037805b3400096d621091dfbf713f97e83 (5.15) +CVE-2021-47482 [net: batman-adv: fix error handling] + - linux 5.15.3-1 + [bullseye] - linux 5.10.84-1 + [buster] - linux 4.19.232-1 + NOTE: https://git.kernel.org/linus/6f68cd634856f8ca93bafd623ba5357e0f648c68 (5.15) +CVE-2021-47481 [RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR] + - linux 5.15.3-1 + [bullseye] - linux (Vulnerable code not present) + [buster] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/5508546631a0f555d7088203dec2614e41b5106e (5.15) +CVE-20
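Review bot: in the kernel-sec merge, CVE-2021-47498, CVE-2021-47489 and CVE-2021-47484 carry no `[bullseye]` line while their neighbours all record either `linux 5.10.84-1` or `Vulnerable code not present`; if those three are genuinely still pending for bullseye that is fine, but an explicit annotation would distinguish pending from overlooked. Separately, the NOTE for CVE-2021-47491 uses a 36-character hash (`a4aeaa06d45e90f9b279f0b09de84bd6e733`) where every other NOTE in the hunk uses the full 40-character form; check that it was not truncated when copied.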
[Git][security-tracker-team/security-tracker][master] webkit2gtk DSA-5695-1
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker Commits: 68466000 by Alberto Garcia at 2024-05-22T10:46:45+02:00 webkit2gtk DSA-5695-1 - - - - - 1 changed file: - data/DSA/list Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[22 May 2024] DSA-5695-1 webkit2gtk - security update + {CVE-2024-27834} + [bullseye] - webkit2gtk 2.44.2-1~deb11u1 + [bookworm] - webkit2gtk 2.44.2-1~deb12u1 [17 May 2024] DSA-5694-1 chromium - security update {CVE-2024-4947 CVE-2024-4948 CVE-2024-4949 CVE-2024-4950} [bookworm] - chromium 125.0.6422.60-1~deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/684660003d51e89048881befe303a749b6f07152
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 619e7ca5 by Moritz Muehlenhoff at 2024-05-22T10:39:49+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -287,7 +287,7 @@ CVE-2024-5157 [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-4988 (The mobile application (com.transsion.videocallenhancer) interface has ...) - TODO: check + NOT-FOR-US: com.transsion.videocallenhancer CVE-2024-4876 (The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress ...) NOT-FOR-US: WordPress plugin CVE-2024-4875 (The HT Mega \u2013 Absolute Addons For Elementor plugin for WordPress ...) 
@@ -305,107 +305,107 @@ CVE-2024-4553 (The WP Shortcodes Plugin \u2014 Shortcodes Ultimate plugin for Wo CVE-2024-4452 (The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross ...) NOT-FOR-US: WordPress plugin CVE-2024-4435 (When storing unbounded types in a BTreeMap, a node is represented as a ...) - TODO: check + NOT-FOR-US: ic-stable-structures CVE-2024-4420 (There exists a Denial of service vulnerability in Tink-cc in versions ...) - TODO: check + NOT-FOR-US: Tink-cc CVE-2024-4361 (The Page Builder by SiteOrigin plugin for WordPress is vulnerable to S ...) NOT-FOR-US: WordPress plugin CVE-2024-4154 (In lunary-ai/lunary version 1.2.2, an incorrect synchronization vulner ...) NOT-FOR-US: lunary-ai/lunary CVE-2024-3345 (The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3268 (The YouTube Video Gallery by YouTube Showcase \u2013 Video Gallery Plu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-36052 (RARLAB WinRAR before 7.00, on Windows, allows attackers to spoof the s ...) TODO: check CVE-2024-36039 (PyMySQL through 1.1.0 allows SQL injection if used with untrusted JSON ...) TODO: check CVE-2024-35386 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2024-35385 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2024-35384 (An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a den ...) - TODO: check + NOT-FOR-US: Cesenta MJS CVE-2024-35361 (MTab Bookmark v1.9.5 has an SQL injection vulnerability in /LinkStore/ ...) - TODO: check + NOT-FOR-US: MTab Bookmark CVE-2024-35218 (Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stor ...) NOT-FOR-US: Umbraco CMS CVE-2024-35180 (OMERO.web provides a web based client and plugin infrastructure. There ...) 
- TODO: check + NOT-FOR-US: OMERO.web CVE-2024-35061 (NASA AIT-Core v2.5.2 was discovered to use unencrypted channels to exc ...) - TODO: check + NOT-FOR-US: NASA AIT-Core CVE-2024-35060 (An issue in the YAML Python library of NASA AIT-Core v2.5.2 allows att ...) - TODO: check + NOT-FOR-US: NASA AIT-Core CVE-2024-35059 (An issue in the Pickle Python library of NASA AIT-Core v2.5.2 allows a ...) - TODO: check + NOT-FOR-US: NASA AIT-Core CVE-2024-35058 (An issue in the API wait function of NASA AIT-Core v2.5.2 allows attac ...) - TODO: check + NOT-FOR-US: NASA AIT-Core CVE-2024-35057 (An issue in NASA AIT-Core v2.5.2 allows attackers to execute arbitrary ...) - TODO: check + NOT-FOR-US: NASA AIT-Core CVE-2024-35056 (NASA AIT-Core v2.5.2 was discovered to contain multiple SQL injection ...) - TODO: check + NOT-FOR-US: NASA AIT-Core CVE-2024-34274 (OpenBD 20210306203917-6cbe797 is vulnerable to Deserialization of Untr ...) - TODO: check + NOT-FOR-US: OpenBD CVE-2024-34240 (QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) r ...) - TODO: check + NOT-FOR-US: QDOCS Smart School CVE-2024-34071 (Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco ...) - TODO: check + NOT-FOR-US: Umbraco CVE-2024-33529 (ILIAS 7 before 7.30 and ILIAS 8 before 8.11 as well as ILIAS 9.0 allow ...) - TODO: check + NOT-FOR-US: ILIAS CVE-2024-33528 (A Stored Cross-site Scripting (XSS) vulnerability in ILIAS 7 before 7. ...) - TODO: check + NOT-FOR-US: ILIAS CVE-2024-33527 (A Stored Cross-site Scripting (XSS) vulnerability in the "Import of Us ...) - TODO: check + NOT-FOR-US: ILIAS CVE-2024-33526 (A Stored Cross-site Scripting (XSS) vulnerability in the "Import of us ...) - TODO: check + NOT-FOR-US: ILIAS CVE-2024-33525 (A Stored Cross-site Scripting (XSS) vulnerability in the "Import of or ...) - TODO: chec
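Review bot: the three Cesanta mjs entries (CVE-2024-35386, CVE-2024-35385, CVE-2024-35384) are closed as `NOT-FOR-US: Cesenta MJS`, but their descriptions spell the vendor `Cesanta`; fix the spelling so the NOT-FOR-US string matches the product name and searches for the vendor find these entries.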
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d16cff1 by Moritz Muehlenhoff at 2024-05-22T10:23:47+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,79 +1,79 @@ CVE-2024-5190 REJECTED CVE-2024-5147 (The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5092 (The Elegant Addons for elementor plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5040 (There are multiple ways in LCDS LAquis SCADA for an attacker to acces ...) - TODO: check + NOT-FOR-US: LCDS LAquis SCADA CVE-2024-4980 (The WPKoi Templates for Elementor plugin for WordPress is vulnerable t ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4971 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vul ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4443 (The Business Directory Plugin \u2013 Easy Listing Directories for Word ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4157 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & D ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3927 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3671 (The Print-O-Matic plugin for WordPress is vulnerable to Stored Cross-S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3666 (The Opal Estate Pro \u2013 Property Management and Submission plugin f ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3663 (The WP Scraper plugin for WordPress is vulnerable to unauthorized acce ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3611 (The Toolbar Extras for Elementor & More \u2013 WordPress Admin Bar Enh ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3519 (The Media Library Assistant plugin for WordPress is vulnerable to Refl ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3518 (The Media Library Assistant plugin for WordPress is vulnerable to SQL ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3198 (The WP Font Awesome Share Icons plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3066 (The Elegant Addons for elementor plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-35220 (@fastify/session is a session plugin for fastify. Requires the @fastif ...) - TODO: check + NOT-FOR-US: @fastify/session CVE-2024-35162 (Path traversal vulnerability exists in Download Plugins and Themes fro ...) - TODO: check + NOT-FOR-US: @fastify/session CVE-2024-32988 ('OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App ...) - TODO: check + NOT-FOR-US: OffBox CVE-2024-31396 (Code injection vulnerability exists in a-blog cms Ver.3.1.x series ver ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-31395 (Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x seri ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-31394 (Directory traversal vulnerability exists in a-blog cms Ver.3.1.x serie ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-31340 (TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo versions prio ...) - TODO: check + NOT-FOR-US: TP-Link CVE-2024-30420 (Server-side request forgery (SSRF) vulnerability exists in a-blog cms ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-30419 (Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x seri ...) - TODO: check + NOT-FOR-US: a-blog cms CVE-2024-2953 (The LuckyWP Table of Contents plugin for WordPress is vulnerable to St ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2163 (The Ninja Beaver Add-ons for Beaver Builder plugin for WordPress is vu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2119 (The LuckyWP Table of Contents plugin for WordPress is vulnerable to Re ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-2088 (The NextScripts: Social Networks Auto-Poster plugin for WordPress is v ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-21683 (This High severity RCE (Remote Code Execution) vulnerability was intro ...) - TODO: check + NOT-FOR-US: Atlassian CVE-2024-1762 (The NextScripts: Social Networks Auto-Poster plugin for WordPress is v ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1446 (The NextScri
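Review bot: the NOT-FOR-US justification for CVE-2024-35162 looks copied from the entry above it; the description says the path traversal is in "Download Plugins and Themes fro ..." (a WordPress plugin), yet the new line reads `+ NOT-FOR-US: @fastify/session`, identical to the line added for CVE-2024-35220. Suggest `+ NOT-FOR-US: WordPress plugin` (or the plugin's own name) so the reason matches the product. In the same hunk, the line `+ NOT-FOR-US: OffBox` for CVE-2024-32988 misspells the product the description names ('OfferBox' App); suggest `+ NOT-FOR-US: OfferBox`.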
[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 & CVE-2023-47855 in...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: a0cd2a32 by Chris Lamb at 2024-05-22T09:12:31+01:00 Triage CVE-2023-45733, CVE-2023-45745, CVE-2023-46103 & CVE-2023-47855 in intel-microcode for buster LTS. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -4499,24 +4499,28 @@ CVE-2023-47855 (Improper input validation in some Intel(R) TDX module software b - intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2023-45745 (Improper input validation in some Intel(R) TDX module software before ...) - intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01036.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2023-46103 (Sequence of processor instructions leads to unexpected behavior in Int ...) - intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01052.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2023-45733 (Hardware logic contains race conditions in some Intel(R) Processors ma ...) 
- intel-microcode 3.20240514.1 [bookworm] - intel-microcode (Minor issue; can be fixed in point release) [bullseye] - intel-microcode (Minor issue; can be fixed in point release) + [buster] - intel-microcode (Minor issue; can be fixed in next update) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01051.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240514 CVE-2024-5023 (Improper Neutralization of Special Elements used in a Command ('Comman ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a0cd2a32bc4f5d0de27aa95b531c8b3c237a76e9
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1876ffd6 by security tracker role at 2024-05-22T08:12:20+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,192 +1,268 @@ -CVE-2021-47473 [scsi: qla2xxx: Fix a memory leak in an error path of qla2x00_process_els()] +CVE-2024-5190 + REJECTED +CVE-2024-5147 (The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPr ...) + TODO: check +CVE-2024-5092 (The Elegant Addons for elementor plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2024-5040 (There are multiple ways in LCDS LAquis SCADA for an attacker to acces ...) + TODO: check +CVE-2024-4980 (The WPKoi Templates for Elementor plugin for WordPress is vulnerable t ...) + TODO: check +CVE-2024-4971 (The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vul ...) + TODO: check +CVE-2024-4443 (The Business Directory Plugin \u2013 Easy Listing Directories for Word ...) + TODO: check +CVE-2024-4157 (The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & D ...) + TODO: check +CVE-2024-3927 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) + TODO: check +CVE-2024-3671 (The Print-O-Matic plugin for WordPress is vulnerable to Stored Cross-S ...) + TODO: check +CVE-2024-3666 (The Opal Estate Pro \u2013 Property Management and Submission plugin f ...) + TODO: check +CVE-2024-3663 (The WP Scraper plugin for WordPress is vulnerable to unauthorized acce ...) + TODO: check +CVE-2024-3611 (The Toolbar Extras for Elementor & More \u2013 WordPress Admin Bar Enh ...) + TODO: check +CVE-2024-3519 (The Media Library Assistant plugin for WordPress is vulnerable to Refl ...) + TODO: check +CVE-2024-3518 (The Media Library Assistant plugin for WordPress is vulnerable to SQL ...) + TODO: check +CVE-2024-3198 (The WP Font Awesome Share Icons plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2024-3066 (The Elegant Addons for elementor plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2024-35220 (@fastify/session is a session plugin for fastify. Requires the @fastif ...) 
+ TODO: check +CVE-2024-35162 (Path traversal vulnerability exists in Download Plugins and Themes fro ...) + TODO: check +CVE-2024-32988 ('OfferBox' App for Android versions 2.0.0 to 2.3.17 and 'OfferBox' App ...) + TODO: check +CVE-2024-31396 (Code injection vulnerability exists in a-blog cms Ver.3.1.x series ver ...) + TODO: check +CVE-2024-31395 (Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x seri ...) + TODO: check +CVE-2024-31394 (Directory traversal vulnerability exists in a-blog cms Ver.3.1.x serie ...) + TODO: check +CVE-2024-31340 (TP-Link Tether versions prior to 4.5.13 and TP-Link Tapo versions prio ...) + TODO: check +CVE-2024-30420 (Server-side request forgery (SSRF) vulnerability exists in a-blog cms ...) + TODO: check +CVE-2024-30419 (Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x seri ...) + TODO: check +CVE-2024-2953 (The LuckyWP Table of Contents plugin for WordPress is vulnerable to St ...) + TODO: check +CVE-2024-2163 (The Ninja Beaver Add-ons for Beaver Builder plugin for WordPress is vu ...) + TODO: check +CVE-2024-2119 (The LuckyWP Table of Contents plugin for WordPress is vulnerable to Re ...) + TODO: check +CVE-2024-2088 (The NextScripts: Social Networks Auto-Poster plugin for WordPress is v ...) + TODO: check +CVE-2024-21683 (This High severity RCE (Remote Code Execution) vulnerability was intro ...) + TODO: check +CVE-2024-1762 (The NextScripts: Social Networks Auto-Poster plugin for WordPress is v ...) + TODO: check +CVE-2024-1446 (The NextScripts: Social Networks Auto-Poster plugin for WordPress is v ...) + TODO: check +CVE-2024-0632 (The Automatic Translator with Google Translate plugin for WordPress is ...) + TODO: check +CVE-2024-0453 (The AI ChatBot plugin for WordPress is vulnerable to unauthorized modi ...) + TODO: check +CVE-2024-0452 (The AI ChatBot plugin for WordPress is vulnerable to unauthorized modi ...) 
+ TODO: check +CVE-2024-0451 (The AI ChatBot plugin for WordPress is vulnerable to unauthorized acce ...) + TODO: check +CVE-2023-6487 (The LuckyWP Table of Contents plugin for WordPress is vulnerable to St ...) + TODO: check +CVE-2021-47473 (In the Linux kernel, the following vulnerability has been resolved: s ...) - linux 5.14.16-1 [bullseye] - linux 5.10.84-1 NOTE: https://git.kernel.org/linus/7fb223d0ad801f633c78cbe42b1d1b55f5d163ad (5.15-rc7) -CVE-2021-47472 [net: mdiobus: Fix memory leak in __mdiobus_register] +CVE-2
[Git][security-tracker-team/security-tracker][master] NFUs (concludes external check)
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: d7c6d543 by Moritz Muehlenhoff at 2024-05-22T09:48:47+02:00 NFUs (concludes external check) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2198,7 +2198,7 @@ CVE-2024-31714 (Buffer Overflow vulnerability in Waxlab wax v.0.9-3 and before a CVE-2024-2835 (A Stored Cross-Site Scripting (XSS) vulnerability has been identified ...) TODO: check CVE-2024-29651 (A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v. ...) - TODO: check + NOT-FOR-US: Node json-schema-ref-parser CVE-2024-29000 (The SolarWinds Platform was determined to be affected by a reflected c ...) NOT-FOR-US: SolarWinds CVE-2024-27312 (Zoho ManageEngine PAM360 version 6601 is vulnerable to authorization v ...) @@ -4972,7 +4972,7 @@ CVE-2024-3749 (The SP Project & Document Manager WordPress plugin through 4.71 l CVE-2024-3748 (The SP Project & Document Manager WordPress plugin through 4.71 is mis ...) NOT-FOR-US: WordPress plugin CVE-2024-3744 (A security issue was discovered in azure-file-csi-driver where an acto ...) - TODO: check + NOT-FOR-US: azure-file-csi-driver CVE-2024-3634 (The month name translation benaceur WordPress plugin before 2.3.8 does ...) NOT-FOR-US: WordPress plugin CVE-2024-3631 (The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF c ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d7c6d5437cc84f9418dff32712882bf5280b331e
[Git][security-tracker-team/security-tracker][master] Add commit reference for CVE-2024-3044/libreoffice
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 85877b1d by Salvatore Bonaccorso at 2024-05-22T09:19:09+02:00 Add commit reference for CVE-2024-3044/libreoffice - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5045,6 +5045,7 @@ CVE-2024-3044 (Unchecked script execution in Graphic on-click binding in affecte {DSA-5690-1} - libreoffice 4:24.2.3~rc1-2 NOTE: https://www.libreoffice.org/about-us/security/advisories/cve-2024-3044/ + NOTE: https://git.libreoffice.org/core/+/8b2402b16df185119c91222b33ff1b8d55e0afe4%5E%21 CVE-2024-4871 (A vulnerability was found in Satellite. When running a remote executio ...) NOT-FOR-US: Red Hat Satellite CVE-2024-4860 (The 'WordPress RSS Aggregator' WordPress Plugin, versions < 4.23.9 are ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/85877b1d0b35636800a4a7d5ba98671c3c694e71