[Git][security-tracker-team/security-tracker][master] Add CVE-2024-37568/python-authlib
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0a396b4f by Salvatore Bonaccorso at 2024-06-13T08:25:00+02:00 Add CVE-2024-37568/python-authlib - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1053,7 +1053,7 @@ CVE-2024-37570 (On Mitel 6869i 4.5.0.41 devices, the Manual Firmware Update (upg CVE-2024-37569 (An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x throug ...) NOT-FOR-US: Mitel CVE-2024-37568 (lepture Authlib before 1.3.1 has algorithm confusion with asymmetric p ...) - - python-authlib + - python-authlib 1.3.1-1 NOTE: https://github.com/lepture/authlib/issues/654 NOTE: https://github.com/lepture/authlib/commit/3bea812acefebc9ee108aa24557be3ba8971daf1 (v1.3.1) CVE-2024-35748 (Missing Authorization vulnerability in OPMC WooCommerce Dropshipping.T ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a396b4f4682f18a265d1b0a5a579ed2d6347d24 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0a396b4f4682f18a265d1b0a5a579ed2d6347d24 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
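Review bot: the new python-authlib line records the fixed version 1.3.1-1 but carries no Debian bug reference, while the composer entries handled in the next commit get (bug #1073126) and (bug #1073125) added; if a bug was filed for the authlib update, record it the same way. The only annotation is the unstable fixed version, so the stable suite is implicitly treated as vulnerable; add a [bookworm] line stating whether the packaged version is affected and, if so, how it is to be handled. The two NOTE lines (upstream issue 654 and the fix commit tagged v1.3.1) are the right references to keep.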
[Git][security-tracker-team/security-tracker][master] Add Debian bug references for CVE-2024-3524{1,2}/composer
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 871286b4 by Salvatore Bonaccorso at 2024-06-13T08:22:40+02:00 Add Debian bug references for CVE-2024-3524{1,2}/composer - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -737,12 +737,12 @@ CVE-2024-36302 (An origin validation vulnerability in the Trend Micro Apex One s CVE-2024-35329 (libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_do ...) NOTE: disputed libyaml issue, to be rejected CVE-2024-35242 (Composer is a dependency manager for PHP. On the 2.x branch prior to v ...) - - composer + - composer (bug #1073126) NOTE: https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf NOTE: https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467 (2.2.24) NOTE: https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396 (2.7.7) CVE-2024-35241 (Composer is a dependency manager for PHP. On the 2.x branch prior to v ...) - - composer + - composer (bug #1073125) NOTE: https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c NOTE: https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4 (2.2.24) NOTE: https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704 (2.7.7) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/871286b4a2b870ff9bc03e4f20d2b51b03a3593e
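Review bot: both composer entries now carry bug references, but each package line is still a bare "- composer (bug #...)" with no fixed Debian version and no suite annotation, although the NOTE lines already name the upstream fix releases 2.2.24 and 2.7.7 for both CVEs; once the Debian upload lands, put its version on the package line, and add a [bookworm] line so the stable status is recorded explicitly rather than inferred from the missing version.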
[Git][security-tracker-team/security-tracker][master] add references to slic3r-prusa/libigl issues
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 3e6f467e by Moritz Muehlenhoff at 2024-06-12T23:53:54+02:00 add references to slic3r-prusa/libigl issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -3984,24 +3984,34 @@ CVE-2024-24851 (A heap-based buffer overflow vulnerability exists in the Program NOT-FOR-US: AutomationDirect CVE-2024-24686 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929 CVE-2024-24685 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929 CVE-2024-24684 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1929 CVE-2024-24584 (Multiple out-of-bounds read vulnerabilities exist in the readMSH funct ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1928 CVE-2024-24583 (Multiple out-of-bounds read vulnerabilities exist in the readMSH funct ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1928 CVE-2024-23951 (Multiple improper array index validation vulnerabilities exist in the ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926 CVE-2024-23950 (Multiple improper array index validation vulnerabilities exist in the ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926 CVE-2024-23949 (Multiple improper array index validation vulnerabilities exist in the ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926 CVE-2024-23948 (Multiple improper array index validation vulnerabilities exist in the ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926 CVE-2024-23947 (Multiple improper array index validation vulnerabilities exist in the ...) 
- slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1926 CVE-2024-23601 (A code injection vulnerability exists in the scan_lib.bin functionalit ...) NOT-FOR-US: AutomationDirect CVE-2024-23315 (A read-what-where vulnerability exists in the Programming Software Con ...) @@ -4012,10 +4022,12 @@ CVE-2024-22187 (A write-what-where vulnerability exists in the Programming Softw NOT-FOR-US: AutomationDirect CVE-2024-22181 (An out-of-bounds write vulnerability exists in the readNODE functional ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1930 CVE-2024-21785 (A leftover debug code vulnerability exists in the Telnet Diagnostic In ...) NOT-FOR-US: AutomationDirect CVE-2023-49600 (An out-of-bounds write vulnerability exists in the PlyFile ply_cast_as ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1879 CVE-2023-46694 (Vtenext 21.02 allows an authenticated attacker to upload arbitrary fil ...) NOT-FOR-US: Vtenext CVE-2023-43850 (Improper input validation in the user management function of web inter ...) 
@@ -4040,14 +4052,19 @@ CVE-2023-37411 (IBM Aspera Faspex 5.0.0 through 5.0.6 is vulnerable to cross-sit NOT-FOR-US: IBM CVE-2023-35953 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784 CVE-2023-35952 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784 CVE-2023-35951 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784 CVE-2023-35950 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784 CVE-2023-35949 (Multiple stack-based buffer overflow vulnerabilities exist in the read ...) - slic3r-prusa + NOTE: https://talosintelligence.com/vulnerability_reports/TALOS-2023-1784 CVE-2024-4741 [Use After Free with SSL_free_buffers] - openssl 3.2.2-1 (bug #1072113) [bookworm] - openssl (Minor issue, fix along with next update round) View it on GitLab: https://salsa.debian.org/security-tracker
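Review bot: across the three hunks the Talos report URLs are added, but all seventeen slic3r-prusa lines remain a bare package name with no fixed version, no suite annotation and no severity, in contrast to the openssl entry in the trailing context, which carries 3.2.2-1 (bug #1072113) and a [bookworm] line; use the Talos reports to identify the upstream fix and record the fixed version, or mark the entries explicitly (for example <unfixed> with a severity) so they stop looking untriaged. The references also show the grouping: three CVEs point at TALOS-2024-1929, two at TALOS-2024-1928, five at TALOS-2024-1926 and five at TALOS-2023-1784, so one fix reference per report, once found, can be copied to every member of its group.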
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5233344d by Salvatore Bonaccorso at 2024-06-12T22:44:07+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -79,7 +79,7 @@ CVE-2024-36761 (naga v0.14.0 was discovered to contain a stack overflow via the CVE-2024-36699 (GNU Debugger v8.2 to v14.2 was discovered to contain a buffer overflow ...) TODO: check CVE-2024-36691 (Insecure permissions in the AdminController.AjaxSave() method of PPGo_ ...) - TODO: check + NOT-FOR-US: PPGo_Jobs CVE-2024-36265 (** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability ...) NOT-FOR-US: Apache Submarine Server Core CVE-2024-36264 (** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability ...) 
@@ -87,83 +87,83 @@ CVE-2024-36264 (** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerab CVE-2024-36263 (** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Special Ele ...) NOT-FOR-US: Apache Submarine Server Core CVE-2024-34065 (Strapi is an open-source content management system. By combining two v ...) - TODO: check + NOT-FOR-US: Strapi CVE-2024-31881 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2024-31217 (Strapi is an open-source content management system. Prior to version 4 ...) - TODO: check + NOT-FOR-US: Strapi CVE-2024-2747 (CWE-428: Unquoted search path or element vulnerability exists in Easer ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-2300 (HP Advance Mobile Applications for iOS and Android are potentially vul ...) - TODO: check + NOT-FOR-US: HP Advance Mobile Applications for iOS and Android CVE-2024-2230 REJECTED CVE-2024-2092 (The Elementor Addon Elements plugin for WordPress is vulnerable to Sto ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-29181 (Strapi is an open-source content management system. Prior to version 4 ...) - TODO: check + NOT-FOR-US: Strapi CVE-2024-28964 (Dell Common Event Enabler, version 8.9.10.0 and prior, contain an inse ...) - TODO: check + NOT-FOR-US: Dell CVE-2024-28762 (IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) NOT-FOR-US: IBM CVE-2024-25949 (Dell OS10 Networking Switches, versions10.5.6.x, 10.5.5.x, 10.5.4.x an ...) - TODO: check + NOT-FOR-US: Dell CVE-2024-24051 (Improper input validation of printing files in Monoprice Select Mini V ...) - TODO: check + NOT-FOR-US: Monoprice Select Mini CVE-2024-22855 (A cross-site scripting (XSS) vulnerability in the User Maintenance sec ...) - TODO: check + NOT-FOR-US: ITSS iMLog CVE-2024-1891 (A stored cross site scripting vulnerability exists in Tenable Security ...) 
- TODO: check + NOT-FOR-US: Tenable Security Center CVE-2024-1766 (The Download Manager plugin for WordPress is vulnerable to Stored Cros ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-1659 (Arbitrary File Upload vulnerability in MegaBIP software allows attacke ...) - TODO: check + NOT-FOR-US: MegaBIP CVE-2024-1577 (Remote Code Execution vulnerability in MegaBIP software allows to exec ...) - TODO: check + NOT-FOR-US: MegaBIP CVE-2024-1576 (SQL Injection vulnerability in MegaBIP software allows attacker to obt ...) - TODO: check + NOT-FOR-US: MegaBIP CVE-2024-0865 (CWE-798: Use of hard-coded credentials vulnerability exists that could ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2023-52177 (Missing Authorization vulnerability in SoftLab Integrate Google Drive. ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-52117 (Missing Authorization vulnerability in Metagauss ProfileGrid.This issu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51680 (Missing Authorization vulnerability in TechnoVama Quotes for WooCommer ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51679 (Missing Authorization vulnerability in BulkGate BulkGate SMS Plugin fo ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51671 (Missing Authorization vulnerability in FunnelKit FunnelKit Checkout.Th ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51670 (Missing Authorization vulnerability in FunnelKit FunnelKit Checkout.Th ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51537 (Missing Authorization vulnerability in Awesome Support Team Awesome Su ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2023-51526 (Missing Authorization vulnerability in Brett Shumaker Simple Staff Lis ...) - TODO: check + NOT-FOR-US
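Review bot: the context at the top of the first hunk leaves CVE-2024-36699 (GNU Debugger v8.2 to v14.2 buffer overflow) at TODO: check while every entry below it is resolved to NOT-FOR-US; unlike the vendor products around it, this one names software that Debian ships, so it needs an explicit decision, either a package line with a fixed or unfixed status or an NFU with a reason, rather than being left behind by the triage pass.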
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fc7b6fe7 by Salvatore Bonaccorso at 2024-06-12T22:26:24+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,79 +1,79 @@ CVE-2024-5909 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-5908 (A problem with the Palo Alto Networks GlobalProtect app can result in ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-5907 (A privilege escalation (PE) vulnerability in the Palo Alto Networks Co ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-5906 (A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prism ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-5905 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-5898 (A vulnerability was found in itsourcecode Payroll Management System 1. ...) - TODO: check + NOT-FOR-US: itsourcecode Payroll Management System CVE-2024-5897 (A vulnerability has been found in SourceCodester Employee and Visitor ...) - TODO: check + NOT-FOR-US: SourceCodester Employee and Visitor Gate Pass Logging System CVE-2024-5896 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Employee and Visitor Gate Pass Logging System CVE-2024-5895 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Employee and Visitor Gate Pass Logging System CVE-2024-5894 (A vulnerability classified as critical was found in SourceCodester Onl ...) - TODO: check + NOT-FOR-US: SourceCodester Online Eyewear Shop CVE-2024-5893 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Cab Management System CVE-2024-5891 (A vulnerability was found in Quay. If an attacker can obtain the clien ...) - TODO: check + NOT-FOR-US: Quay CVE-2024-5798 (Vault and Vault Enterprise did not properly validate the JSON Web Toke ...) 
- TODO: check + NOT-FOR-US: HashiCorp Vault CVE-2024-5759 (An improper privilege management vulnerability exists in Tenable Secur ...) - TODO: check + NOT-FOR-US: Tenable Security Center CVE-2024-5674 (The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerabl ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5560 (CWE-125: Out-of-bounds Read vulnerability exists that could cause deni ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-5559 (CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerabilit ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-5558 (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerabili ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-5557 (CWE-532: Insertion of Sensitive Information into Log File vulnerabilit ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-5468 (The WordPress Header Builder Plugin \u2013 Pearl plugin for WordPress ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5313 (CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists th ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-5266 (The Download Manager Pro plugin for WordPress is vulnerable to Stored ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5211 (A path traversal vulnerability in mintplex-labs/anything-llm allowed a ...) - TODO: check + NOT-FOR-US: mintplex-labs/anything-llm CVE-2024-5056 (CWE-552: Files or Directories Accessible to External Parties vulnerabi ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-4898 (The InstaWP Connect \u2013 1-click WP Staging & Migration plugin for W ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4845 (The Icegram Express plugin for WordPress is vulnerable to SQL Injectio ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3492 (The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugi ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-37878 (Cross Site Scripting vulnerability in TWCMS v.2.0.3 allows a remote at ...) - TODO: check + NOT-FOR-US: TWCMS CVE-2024-37629 (SummerNote 0.8.18 is vulnerable to Cross Site Scripting (XSS) via the ...) - TODO: check + NOT-FOR-US: SummerNote CVE-2024-37304 (NuGet Gallery is a package repository that powers nuget.org. The NuGet ...)
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: edc888df by Salvatore Bonaccorso at 2024-06-12T22:18:59+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -89,7 +89,7 @@ CVE-2024-36263 (** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Speci CVE-2024-34065 (Strapi is an open-source content management system. By combining two v ...) TODO: check CVE-2024-31881 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-31217 (Strapi is an open-source content management system. Prior to version 4 ...) TODO: check CVE-2024-2747 (CWE-428: Unquoted search path or element vulnerability exists in Easer ...) @@ -105,7 +105,7 @@ CVE-2024-29181 (Strapi is an open-source content management system. Prior to ver CVE-2024-28964 (Dell Common Event Enabler, version 8.9.10.0 and prior, contain an inse ...) TODO: check CVE-2024-28762 (IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 10.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-25949 (Dell OS10 Networking Switches, versions10.5.6.x, 10.5.5.x, 10.5.4.x an ...) TODO: check CVE-2024-24051 (Improper input validation of printing files in Monoprice Select Mini V ...) 
@@ -88719,7 +88719,7 @@ CVE-2023-29269 CVE-2023-29268 (The Splus Server component of TIBCO Software Inc.'s TIBCO Spotfire Sta ...) NOT-FOR-US: TIBCO CVE-2023-29267 (IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5 ...) - TODO: check + NOT-FOR-US: IBM CVE-2023-29266 RESERVED CVE-2023-29265 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edc888df29f0d04de52a2e78ce1fcf8eaeec0412
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df97ab30 by security tracker role at 2024-06-12T20:12:26+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,169 @@ +CVE-2024-5909 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...) + TODO: check +CVE-2024-5908 (A problem with the Palo Alto Networks GlobalProtect app can result in ...) + TODO: check +CVE-2024-5907 (A privilege escalation (PE) vulnerability in the Palo Alto Networks Co ...) + TODO: check +CVE-2024-5906 (A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prism ...) + TODO: check +CVE-2024-5905 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...) + TODO: check +CVE-2024-5898 (A vulnerability was found in itsourcecode Payroll Management System 1. ...) + TODO: check +CVE-2024-5897 (A vulnerability has been found in SourceCodester Employee and Visitor ...) + TODO: check +CVE-2024-5896 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-5895 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-5894 (A vulnerability classified as critical was found in SourceCodester Onl ...) + TODO: check +CVE-2024-5893 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2024-5891 (A vulnerability was found in Quay. If an attacker can obtain the clien ...) + TODO: check +CVE-2024-5798 (Vault and Vault Enterprise did not properly validate the JSON Web Toke ...) + TODO: check +CVE-2024-5759 (An improper privilege management vulnerability exists in Tenable Secur ...) + TODO: check +CVE-2024-5674 (The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerabl ...) + TODO: check +CVE-2024-5560 (CWE-125: Out-of-bounds Read vulnerability exists that could cause deni ...) + TODO: check +CVE-2024-5559 (CWE-327: Use of a Broken or Risky Cryptographic Algorithm vulnerabilit ...) + TODO: check +CVE-2024-5558 (CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerabili ...) 
+ TODO: check +CVE-2024-5557 (CWE-532: Insertion of Sensitive Information into Log File vulnerabilit ...) + TODO: check +CVE-2024-5468 (The WordPress Header Builder Plugin \u2013 Pearl plugin for WordPress ...) + TODO: check +CVE-2024-5313 (CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists th ...) + TODO: check +CVE-2024-5266 (The Download Manager Pro plugin for WordPress is vulnerable to Stored ...) + TODO: check +CVE-2024-5211 (A path traversal vulnerability in mintplex-labs/anything-llm allowed a ...) + TODO: check +CVE-2024-5056 (CWE-552: Files or Directories Accessible to External Parties vulnerabi ...) + TODO: check +CVE-2024-4898 (The InstaWP Connect \u2013 1-click WP Staging & Migration plugin for W ...) + TODO: check +CVE-2024-4845 (The Icegram Express plugin for WordPress is vulnerable to SQL Injectio ...) + TODO: check +CVE-2024-3492 (The Events Manager \u2013 Calendar, Bookings, Tickets, and more! plugi ...) + TODO: check +CVE-2024-37878 (Cross Site Scripting vulnerability in TWCMS v.2.0.3 allows a remote at ...) + TODO: check +CVE-2024-37629 (SummerNote 0.8.18 is vulnerable to Cross Site Scripting (XSS) via the ...) + TODO: check +CVE-2024-37304 (NuGet Gallery is a package repository that powers nuget.org. The NuGet ...) + TODO: check +CVE-2024-37300 (OAuthenticator is software that allows OAuth2 identity providers to be ...) + TODO: check +CVE-2024-37297 (WooCommerce is an open-source e-commerce platform built on WordPress. ...) + TODO: check +CVE-2024-37040 (CWE-120: Buffer Copy without Checking Size of Input (\u2018Classic Buf ...) + TODO: check +CVE-2024-37039 (CWE-252: Unchecked Return Value vulnerability exists that could cause ...) + TODO: check +CVE-2024-37038 (CWE-276: Incorrect Default Permissions vulnerability exists that could ...) + TODO: check +CVE-2024-37037 (CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\ ...) 
+ TODO: check +CVE-2024-37036 (CWE-787: Out-of-bounds Write vulnerability exists that could result in ...) + TODO: check +CVE-2024-36840 (SQL Injection vulnerability in Boelter Blue System Management v.1.3 al ...) + TODO: check +CVE-2024-36761 (naga v0.14.0 was discovered to contain a stack overflow via the compon ...) + TODO: check +CVE-2024-36699 (GNU Debugger v8.2 to v14.2 was discovered to contain a buffer overflow ...) + TODO: check +CVE-2024-36691 (Insecure permissions in the AdminController.AjaxSave() method of PPGo_ ...) + TODO: check +
[Git][security-tracker-team/security-tracker][master] 2 commits: Add Debian bug reference for CVE-2024-27322
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5675c8df by Salvatore Bonaccorso at 2024-06-12T20:35:16+02:00 Add Debian bug reference for CVE-2024-27322 - - - - - 3cc99587 by Salvatore Bonaccorso at 2024-06-12T20:36:36+02:00 Update severity for CVE-2024-27322 and add notes from upstream viewpoint - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -16661,11 +16661,13 @@ CVE-2024-28961 (Dell OpenManage Enterprise, versions 4.0.0 and 4.0.1, contains a CVE-2024-28320 (Insecure Direct Object References (IDOR) vulnerability in Hospital Man ...) NOT-FOR-US: Hospital Management System CVE-2024-27322 (Deserialization of untrusted data can occur in the R statistical progr ...) - - r-base 4.4.0-2 + - r-base 4.4.0-2 (bug #1073061; unimportant) NOTE: https://hiddenlayer.com/research/r-bitrary-code-execution/ NOTE: https://kb.cert.org/vuls/id/238194 NOTE: https://src.fedoraproject.org/rpms/R/blob/f39/f/R-CVE-2024-27322.patch NOTE: https://github.com/r-devel/r-svn/commit/f7c46500f455eb4edfc3656c3fa20af61b16abb7 + NOTE: https://blog.r-project.org/2024/05/10/statement-on-cve-2024-27322/index.html + NOTE: Not considered a security issue by R Core (upstream) and the R Foundation. CVE-2024-23995 (Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allo ...) NOT-FOR-US: Beekeeper Studio CVE-2024-1969 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/90ea4f5760b633bd31002102f1c34c16f643ae35...3cc99587fb035e2718f716a01f82df34deab5f88
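Review bot: the severity change on the r-base line to unimportant is justified only by the new NOTE stating who holds the opinion (R Core and the R Foundation do not consider it a security issue), yet the same entry keeps a fixed version 4.4.0-2, Debian bug #1073061, a Fedora patch and an upstream fix commit, which reads as contradictory to anyone auditing the rating later; add one clause to the NOTE giving the Debian-side reasoning for unimportant in terms of the deserialization the CVE text describes (what an attacker must already be able to do for it to matter), so the rating can be re-evaluated on its merits if the linked statement is revised.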
[Git][security-tracker-team/security-tracker][master] firefox-esr DSA
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: 90ea4f57 by Moritz Mühlenhoff at 2024-06-12T19:50:58+02:00 firefox-esr DSA - - - - - 2 changed files: - data/DSA/list - data/dsa-needed.txt Changes: = data/DSA/list = @@ -1,3 +1,7 @@ +[12 Jun 2024] DSA-5709-1 firefox-esr - security update + {CVE-2024-5688 CVE-2024-5690 CVE-2024-5691 CVE-2024-5693 CVE-2024-5696 CVE-2024-5700 CVE-2024-5702} + [bullseye] - firefox-esr 115.12.0esr-1~deb11u1 + [bookworm] - firefox-esr 115.12.0esr-1~deb12u1 [11 Jun 2024] DSA-5708-1 cyrus-imapd - security update {CVE-2024-34055} [bookworm] - cyrus-imapd 3.6.1-4+deb12u2 = data/dsa-needed.txt = @@ -20,8 +20,6 @@ dnsdist (jmm) -- dnsmasq -- -firefox-esr (jmm) --- frr Tobias Frost (tobi) proposed to work on preparing an update, but discussion with Debian maintainer for status on bullseye + updates View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90ea4f5760b633bd31002102f1c34c16f643ae35
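Review bot: the CVE set in the new DSA-5709-1 entry skips several IDs in the run (5689, 5692, 5694, 5695, 5697 to 5699, 5701); if those are fixes for the current Firefox release only and do not apply to ESR 115 the list is right, but since data/DSA/list is what the tracker uses to mark CVEs as fixed in bullseye and bookworm, confirm the seven listed IDs against the Mozilla advisory for ESR 115.12 before the entry stands. The dsa-needed.txt hunk removes the "firefox-esr (jmm)" block together with its "--" separator, which is the correct bookkeeping for a published DSA.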
[Git][security-tracker-team/security-tracker][master] NFUs
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: f27cc17a by Moritz Muehlenhoff at 2024-06-12T18:39:08+02:00 NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -133,7 +133,7 @@ CVE-2024-5830 (Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allo [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) CVE-2024-5851 (A vulnerability classified as problematic has been found in playSMS up ...) - TODO: check + NOT-FOR-US: playSMS CVE-2024-5829 (A vulnerability classified as problematic was found in smallweigit Avu ...) NOT-FOR-US: smallweigit Avue CVE-2024-5825 @@ -159,17 +159,17 @@ CVE-2024-4190 (Stored Cross-Site Scripting (XSS) vulnerabilities have been ident CVE-2024-4155 REJECTED CVE-2024-37325 (Azure Science Virtual Machine (DSVM) Elevation of Privilege Vulnerabil ...) - TODO: check + NOT-FOR-US: Azure CVE-2024-37301 (Document Merge Service is a document template merge service providing ...) - TODO: check + NOT-FOR-US: Document Merge Service CVE-2024-37296 (The Aimeos HTML client provides Aimeos HTML components for e-commerce ...) - TODO: check + NOT-FOR-US: Aimeos CVE-2024-37295 (Aimeos is an Open Source e-commerce framework for online shops. Starti ...) - TODO: check + NOT-FOR-US: Aimeos CVE-2024-37294 (Aimeos is an Open Source e-commerce framework for online shops. All Sa ...) - TODO: check + NOT-FOR-US: Aimeos CVE-2024-37293 (The AWS Deployment Framework (ADF) is a framework to manage and deploy ...) - TODO: check + NOT-FOR-US: AWS Deployment Framework CVE-2024-37161 (MeterSphere is an open source continuous testing platform. Prior to ve ...) NOT-FOR-US: MeterSphere CVE-2024-36821 (Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 a ...) 
@@ -221,7 +221,7 @@ CVE-2024-35249 (Microsoft Dynamics 365 Business Central Remote Code Execution Vu CVE-2024-35248 (Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnera ...) NOT-FOR-US: Microsoft CVE-2024-35213 (An improper input validation vulnerability in the SGI Image Codec of Q ...) - TODO: check + NOT-FOR-US: QNX CVE-2024-35212 (A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822 ...) NOT-FOR-US: Siemens CVE-2024-35211 (A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822 ...) @@ -530,7 +530,7 @@ CVE-2024-37169 (@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions CVE-2024-37168 (@grpc/grps-js implements the core functionality of gRPC purely in Java ...) NOT-FOR-US: @grpc/grps-js CVE-2024-37166 (ghtml is software that uses tagged templates for template engine funct ...) - TODO: check + NOT-FOR-US: ghtml CVE-2024-37130 (Dell OpenManage Server Administrator, versions 11.0.1.0 and prior, con ...) NOT-FOR-US: Dell CVE-2024-36473 (Trend Micro VPN Proxy One Pro, version 5.8.1012 and below is vulnerabl ...) 
@@ -1374,17 +1374,17 @@ CVE-2024-3380 CVE-2024-3133 REJECTED CVE-2024-37388 (An XML External Entity (XXE) vulnerability in the ebookmeta.get_metada ...) - TODO: check + NOT-FOR-US: ebookmeta CVE-2024-37163 (SkyScrape is a GUI Dashboard for AWS Infrastructure and Managing Resou ...) NOT-FOR-US: SkyScrape CVE-2024-37162 (zsa is a library for building typesafe server actions in Next.js. All ...) - TODO: check + NOT-FOR-US: zsa CVE-2024-37160 (Formwork is a flat file-based Content Management System (CMS). An atta ...) NOT-FOR-US: Formwork CMS CVE-2024-36827 (An XML External Entity (XXE) vulnerability in the ebookmeta.get_metada ...) - TODO: check + NOT-FOR-US: ebookmeta CVE-2024-36811 (An arbitrary file upload vulnerability in the image upload function of ...) - TODO: check + NOT-FOR-US: Aimeos CVE-2024-36792 (An issue in the implementation of the WPS in Netgear WNR614 JNR1010V2/ ...) NOT-FOR-US: Netgear CVE-2024-36790 (Netgear WNR614 JNR1010V2/N300-V1.1.0.54_1.0.1 was discovered to store ...) @@ -158027,7 +158027,7 @@ CVE-2022-32899 (The issue was addressed with improved memory handling. This issu CVE-2022-32898 (The issue was addressed with improved memory handling. This issue is f ...) NOT-FOR-US: Apple CVE-2022-32897 (A memory corruption issue was addressed with improved validation. This ...) - TODO: check + NOT-FOR-US: Apple CVE-2022-32896 (This issue was addressed by enabling hardened runtime. This issue is f ...) NOT-FOR-US: Apple CVE-2022-32895 (A race condition was addressed with improved state handling. This issu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f27cc17a08a7a2485b476cb2f
[Git][security-tracker-team/security-tracker][master] libyaml issue seems bogus per upstream
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker Commits: abc26daa by Moritz Muehlenhoff at 2024-06-12T18:34:26+02:00 libyaml issue seems bogus per upstream - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -562,8 +562,7 @@ CVE-2024-36303 (An origin validation vulnerability in the Trend Micro Apex One s CVE-2024-36302 (An origin validation vulnerability in the Trend Micro Apex One securit ...) NOT-FOR-US: Trend Micro CVE-2024-35329 (libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_do ...) - - libyaml - TODO: check, too few details, just known that 0.2.5 is affected + NOTE: disputed libyaml issue, to be rejected CVE-2024-35242 (Composer is a dependency manager for PHP. On the 2.x branch prior to v ...) - composer NOTE: https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf @@ -1055,7 +1054,6 @@ CVE-2024-2408 (The openssl_private_decrypt function in PHP, when using PKCS1 pad - php7.4 - php7.3 NOTE: https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864 - TODO: double-check for tracking CVE-2024-25929 (Missing Authorization vulnerability in MultiVendorX Product Catalog En ...) NOT-FOR-US: WordPress plugin CVE-2024-25092 (Missing Authorization vulnerability in XLPlugins NextMove Lite.This is ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc26daa61413f809790f907728ab2d25d1d8ca3 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc26daa61413f809790f907728ab2d25d1d8ca3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
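Review bot: The @@ -562 hunk drops the "- libyaml" package line and leaves CVE-2024-35329 with only "NOTE: disputed libyaml issue, to be rejected", but nothing in the entry backs the "per upstream" statement from the commit message; add a NOTE with the upstream issue or list URL where the libyaml maintainers dispute the report, and if the CNA does not actually reject the id, the package line should return (for example "- libyaml (unimportant)") rather than libyaml silently vanishing from the entry.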
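Review bot: The @@ -1055 hunk removes "TODO: double-check for tracking" from CVE-2024-2408 without recording what was confirmed; the php8.2, php7.4 and php7.3 lines still carry no fixed versions or release annotations, so a one-line NOTE stating how the tracking was verified would keep the history useful for the next person who touches the entry.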
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-26979
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73f3aa7b by Salvatore Bonaccorso at 2024-06-12T18:11:10+02:00 Remove notes from CVE-2024-26979 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -16080,12 +16080,8 @@ CVE-2024-26980 (In the Linux kernel, the following vulnerability has been resolv {DSA-5680-1} - linux 6.8.9-1 NOTE: https://git.kernel.org/linus/c119f4ede3fa90a9463f50831761c28f989bfb20 (6.9-rc6) -CVE-2024-26979 (In the Linux kernel, the following vulnerability has been resolved: d ...) - {DSA-5681-1} - - linux 6.7.12-1 - [bookworm] - linux 6.1.85-1 - [buster] - linux (Vulnerable code not present) - NOTE: https://git.kernel.org/linus/517621b7060096e48e42f545fa6646fc00252eac (6.9-rc1) +CVE-2024-26979 + REJECTED CVE-2024-26978 (In the Linux kernel, the following vulnerability has been resolved: s ...) {DSA-5681-1} - linux 6.7.12-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/73f3aa7bf670b51c13236212a2bd545b5a6a9acb
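Review bot: The hunk replaces the whole CVE-2024-26979 entry, including its "{DSA-5681-1}" cross-reference, with a bare REJECTED; since the id was published in DSA-5681-1, check that the DSA's own record in the tracker still lists it (or notes the rejection there), otherwise the advisory data and the CVE list disagree about what the DSA fixed. Keeping the former fix reference (the 517621b7 commit, 6.9-rc1) as a NOTE would also help anyone who arrives at the id via the DSA.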
[Git][security-tracker-team/security-tracker][master] CVE-2024-34055/cyrus-imapd: Ignore also in buster
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: abc9f015 by Adrian Bunk at 2024-06-12T17:43:12+03:00 CVE-2024-34055/cyrus-imapd: Ignore also in buster - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: = data/CVE/list = @@ -2087,6 +2087,7 @@ CVE-2024-34055 (Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows auth {DSA-5708-1} - cyrus-imapd 3.8.3-1 [bullseye] - cyrus-imapd (Too intrusive to backport) + [buster] - cyrus-imapd (Too intrusive to backport) NOTE: https://cyrus.topicbox.com/groups/announce/Ta8e3998446caf7f8/cyrus-imap-3-8-3-3-6-5-and-3-4-8-released CVE-2024-5463 (A vulnerability regarding buffer copy without checking the size of inp ...) NOT-FOR-US: Synology = data/dla-needed.txt = @@ -54,6 +54,7 @@ cups (Thorsten Alteholz) -- cyrus-imapd NOTE: 20240609: Added by Front-Desk (apo) + NOTE: 20240612: Asked coordinators to review CVE-2024-34055. (bunk) -- dcmtk (Adrian Bunk) NOTE: 20240428: Added by Front-Desk (ta) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/abc9f0155088bbbc1ef36e674b95c8adf9326e90
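Review bot: The data/CVE/list hunk marks CVE-2024-34055 as "[buster] - cyrus-imapd (Too intrusive to backport)" while the dla-needed.txt hunk in the same commit only records that coordinators were asked to review it; the CVE entry therefore states a decision the other file says is still pending. If the review concludes the backport should happen, the [buster] line must be reverted, so a NOTE on the CVE entry saying the buster decision mirrors the [bullseye] one pending coordinator review would make that state visible from the CVE side.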
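Review bot: In the data/dla-needed.txt hunk, once CVE-2024-34055 is ignored for buster there is nothing left to fix for cyrus-imapd in that file unless another open CVE is tracked; if the coordinators confirm the ignore, the cyrus-imapd entry should be removed from dla-needed.txt rather than left with a dangling "Asked coordinators" NOTE.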
[Git][security-tracker-team/security-tracker][master] dla: take r-base
Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker Commits: ab857b30 by Adrian Bunk at 2024-06-12T15:34:40+03:00 dla: take r-base - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -281,7 +281,7 @@ python-asyncssh NOTE: 20240116: Added by Front-Desk (lamby) NOTE: 20240131: Patch for CVE-2023-46445 and CVE-2023-46446 backported and in Git, but one test is failing. Waiting for feedback before release. (dleidert) -- -r-base +r-base (Adrian Bunk) NOTE: 20240609: Added by Front-Desk (apo) -- rails View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab857b305a0a3cd437e5e7a011c3da362df87138
[Git][security-tracker-team/security-tracker][master] lts: take firefox-esr
Emilio Pozuelo Monfort pushed to branch master at Debian Security Tracker / security-tracker Commits: 996160a1 by Emilio Pozuelo Monfort at 2024-06-12T13:37:53+02:00 lts: take firefox-esr - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,7 +99,7 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- -firefox-esr +firefox-esr (Emilio) NOTE: 20240612: Added by Front-Desk (lamby) -- firmware-nonfree View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/996160a19c84ed0d933692c1d9179c7e7c9d2b5b
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cd9e49b5 by Salvatore Bonaccorso at 2024-06-12T11:04:37+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -39,25 +39,25 @@ CVE-2024-4315 (parisneo/lollms version 9.5 is vulnerable to Local File Inclusion CVE-2024-3925 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) NOT-FOR-US: WordPress plugin CVE-2024-3559 (The Custom Field Suite plugin for WordPress is vulnerable to Stored Cr ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-36856 (RMQTT Broker 0.4.0 allows remote attackers to cause a Denial of Servic ...) TODO: check CVE-2024-36454 (Use of uninitialized resource issue exists in IPCOM EX2 Series (V01L0x ...) - TODO: check + NOT-FOR-US: IPCOM CVE-2024-36103 (OS command injection vulnerability in WRC-X5400GS-B v1.0.10 and earlie ...) - TODO: check + NOT-FOR-US: WRC-X5400GS-B CVE-2024-35225 (Jupyter Server Proxy allows users to run arbitrary external processes ...) TODO: check CVE-2024-33606 (An attacker could retrieve sensitive files (medical images) as well as ...) - TODO: check + NOT-FOR-US: MicroDicom DICOM Viewer system CVE-2024-28970 (Dell Client BIOS contains an Out-of-bounds Write vulnerability. A loca ...) - TODO: check + NOT-FOR-US: Dell CVE-2024-28877 (MicroDicom DICOM Viewer is vulnerable to a stack-based buffer overflow ...) - TODO: check + NOT-FOR-US: MicroDicom DICOM Viewer CVE-2024-0427 (The ARForms - Premium WordPress Form Builder Plugin WordPress plugin b ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-0160 (Dell Client Platform contains an incorrect authorization vulnerability ...) - TODO: check + NOT-FOR-US: Dell CVE-2024-25131 NOT-FOR-US: MustGather.managed.openshift.io Custom Defined Resource (CRD) CVE-2024-5847 (Use after free in PDFium in Google Chrome prior to 126.0.6478.54 allow ...) 
@@ -175,7 +175,7 @@ CVE-2024-37161 (MeterSphere is an open source continuous testing platform. Prior CVE-2024-36821 (Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 a ...) NOT-FOR-US: Linksys CVE-2024-36702 (libiec61850 v1.5 was discovered to contain a heap overflow via the Ber ...) - TODO: check + NOT-FOR-US: libIEC61850 CVE-2024-36650 (TOTOLINK AC1200 Wireless Dual Band Gigabit Router firmware A3100R V4.1 ...) NOT-FOR-US: TOTOLINK CVE-2024-36266 (A vulnerability has been identified in PowerSys (All versions < V3.11) ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cd9e49b578850a53832cb135780819f74610c714
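Review bot: In the @@ -39 hunk, CVE-2024-33606 is annotated "NOT-FOR-US: MicroDicom DICOM Viewer system" while CVE-2024-28877 three entries later gets "NOT-FOR-US: MicroDicom DICOM Viewer"; use one spelling for the same product so later greps of the NFU annotations match both. In the same hunk, "NOT-FOR-US: WRC-X5400GS-B" for CVE-2024-36103 names a device model rather than a vendor, unlike the Dell and Linksys entries around it; naming the vendor would keep the annotations consistent.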
[Git][security-tracker-team/security-tracker][master] data/dla-needed.txt: Triage firefox-esr for buster LTS (CVE-2024-5688,...
Chris Lamb pushed to branch master at Debian Security Tracker / security-tracker Commits: 930dfc56 by Chris Lamb at 2024-06-12T09:51:00+01:00 data/dla-needed.txt: Triage firefox-esr for buster LTS (CVE-2024-5688, CVE-2024-5690, CVE-2024-5691 & etc) - - - - - 1 changed file: - data/dla-needed.txt Changes: = data/dla-needed.txt = @@ -99,6 +99,9 @@ edk2 NOTE: 20231230: CVE-2019-11098 fixed via bullseye 11.2 (lamby) NOTE: 20240312: CVE-2023-48733 fixed via DSA-5624-1 (Beuc/front-desk) -- +firefox-esr + NOTE: 20240612: Added by Front-Desk (lamby) +-- firmware-nonfree NOTE: 20240502: Added by Front-Desk (Beuc) -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/930dfc5650753e9c11d8439ca4e1d772f78c59a1
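Review bot: The hunk adds firefox-esr with only "NOTE: 20240612: Added by Front-Desk (lamby)", while the commit title names the ids being triaged (CVE-2024-5688, CVE-2024-5690, CVE-2024-5691 & etc); recording those ids in the entry's NOTE line, as the edk2 entry above does for its CVEs, would let whoever claims the package see the scope without searching data/CVE/list.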
[Git][security-tracker-team/security-tracker][master] One CVE rejected by Linux kernel CNA
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6339cf57 by Salvatore Bonaccorso at 2024-06-12T10:33:05+02:00 One CVE rejected by Linux kernel CNA - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -9290,10 +9290,8 @@ CVE-2023-52667 (In the Linux kernel, the following vulnerability has been resolv [bullseye] - linux (Vulnerable code not present) [buster] - linux (Vulnerable code not present) NOTE: https://git.kernel.org/linus/aef855df7e1bbd5aa4484851561211500b22707e (6.8-rc2) -CVE-2023-52666 (In the Linux kernel, the following vulnerability has been resolved: k ...) - - linux 6.6.15-1 - [bookworm] - linux 6.1.76-1 - NOTE: https://git.kernel.org/linus/6fc0a265e1b932e5e97a038f99e29400a93baad0 (6.8-rc1) +CVE-2023-52666 + REJECTED CVE-2023-52665 REJECTED CVE-2023-52664 (In the Linux kernel, the following vulnerability has been resolved: n ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6339cf578e03f788b8bd0b333c7214c7cdb23e2b
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d794ed59 by Salvatore Bonaccorso at 2024-06-12T10:31:05+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2024-5892 (The Divi Torque Lite \u2013 Divi Theme and Extra Theme plugin for Word ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5873 REJECTED CVE-2024-5783 
@@ -19,25 +19,25 @@ CVE-2024-5777 CVE-2024-5776 REJECTED CVE-2024-5739 (The in-app browser of LINE iOS versions below 14.9.0 contains a Univer ...) - TODO: check + NOT-FOR-US: LINE iOS CVE-2024-5646 (The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5553 (The Premium Addons for Elementor plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5543 (The Slideshow Gallery LITE plugin for WordPress is vulnerable to time- ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4924 (The Social Sharing Plugin WordPress plugin before 3.3.63 does not san ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4892 (The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4669 (The Events Addon for Elementor plugin for WordPress is vulnerable to S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4564 (The CoDesigner WooCommerce Builder for Elementor \u2013 Customize Chec ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4315 (parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI ...) - TODO: check + NOT-FOR-US: parisneo/lollms CVE-2024-3925 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-3559 (The Custom Field Suite plugin for WordPress is vulnerable to Stored Cr ...) TODO: check CVE-2024-36856 (RMQTT Broker 0.4.0 allows remote attackers to cause a Denial of Servic ...) 
@@ -135,7 +135,7 @@ CVE-2024-5830 (Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allo CVE-2024-5851 (A vulnerability classified as problematic has been found in playSMS up ...) TODO: check CVE-2024-5829 (A vulnerability classified as problematic was found in smallweigit Avu ...) - TODO: check + NOT-FOR-US: smallweigit Avue CVE-2024-5825 REJECTED CVE-2024-5813 (A medium severity vulnerability in BIPS has been identified where an a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d794ed59ccb2c75575606a5d4dbc5186e33aa477
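Review bot: In the @@ -19 hunk, CVE-2024-3559 ("The Custom Field Suite plugin for WordPress ...") is left at "TODO: check" while every neighbouring WordPress plugin id in the same hunk is resolved to "NOT-FOR-US: WordPress plugin"; this looks like an oversight and should get the same annotation in the same pass.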
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 702c090a by security tracker role at 2024-06-12T08:12:22+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,74 +1,134 @@ +CVE-2024-5892 (The Divi Torque Lite \u2013 Divi Theme and Extra Theme plugin for Word ...) + TODO: check +CVE-2024-5873 + REJECTED +CVE-2024-5783 + REJECTED +CVE-2024-5782 + REJECTED +CVE-2024-5781 + REJECTED +CVE-2024-5780 + REJECTED +CVE-2024-5779 + REJECTED +CVE-2024-5778 + REJECTED +CVE-2024-5777 + REJECTED +CVE-2024-5776 + REJECTED +CVE-2024-5739 (The in-app browser of LINE iOS versions below 14.9.0 contains a Univer ...) + TODO: check +CVE-2024-5646 (The Futurio Extra plugin for WordPress is vulnerable to Stored Cross-S ...) + TODO: check +CVE-2024-5553 (The Premium Addons for Elementor plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2024-5543 (The Slideshow Gallery LITE plugin for WordPress is vulnerable to time- ...) + TODO: check +CVE-2024-4924 (The Social Sharing Plugin WordPress plugin before 3.3.63 does not san ...) + TODO: check +CVE-2024-4892 (The BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site ...) + TODO: check +CVE-2024-4669 (The Events Addon for Elementor plugin for WordPress is vulnerable to S ...) + TODO: check +CVE-2024-4564 (The CoDesigner WooCommerce Builder for Elementor \u2013 Customize Chec ...) + TODO: check +CVE-2024-4315 (parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI ...) + TODO: check +CVE-2024-3925 (The Element Pack Elementor Addons (Header Footer, Template Library, Dy ...) + TODO: check +CVE-2024-3559 (The Custom Field Suite plugin for WordPress is vulnerable to Stored Cr ...) + TODO: check +CVE-2024-36856 (RMQTT Broker 0.4.0 allows remote attackers to cause a Denial of Servic ...) + TODO: check +CVE-2024-36454 (Use of uninitialized resource issue exists in IPCOM EX2 Series (V01L0x ...) + TODO: check +CVE-2024-36103 (OS command injection vulnerability in WRC-X5400GS-B v1.0.10 and earlie ...) + TODO: check +CVE-2024-35225 (Jupyter Server Proxy allows users to run arbitrary external processes ...) 
+ TODO: check +CVE-2024-33606 (An attacker could retrieve sensitive files (medical images) as well as ...) + TODO: check +CVE-2024-28970 (Dell Client BIOS contains an Out-of-bounds Write vulnerability. A loca ...) + TODO: check +CVE-2024-28877 (MicroDicom DICOM Viewer is vulnerable to a stack-based buffer overflow ...) + TODO: check +CVE-2024-0427 (The ARForms - Premium WordPress Form Builder Plugin WordPress plugin b ...) + TODO: check +CVE-2024-0160 (Dell Client Platform contains an incorrect authorization vulnerability ...) + TODO: check CVE-2024-25131 NOT-FOR-US: MustGather.managed.openshift.io Custom Defined Resource (CRD) -CVE-2024-5847 +CVE-2024-5847 (Use after free in PDFium in Google Chrome prior to 126.0.6478.54 allow ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5846 +CVE-2024-5846 (Use after free in PDFium in Google Chrome prior to 126.0.6478.54 allow ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5845 +CVE-2024-5845 (Use after free in Audio in Google Chrome prior to 126.0.6478.54 allowe ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5844 +CVE-2024-5844 (Heap buffer overflow in Tab Strip in Google Chrome prior to 126.0.6478 ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5843 +CVE-2024-5843 (Inappropriate implementation in Downloads in Google Chrome prior to 12 ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5842 +CVE-2024-5842 (Use after free in Browser UI in Google Chrome prior to 126.0.6478.54 a ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5841 +CVE-2024-5841 (Use after free in V8 in Google Chrome prior to 126.0.6478.54 allowed a ...) 
- chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5840 +CVE-2024-5840 (Policy bypass in CORS in Google Chrome prior to 126.0.6478.54 allowed ...) - chromium [bullseye] - chromium (see #1061268) [buster] - chromium (see DSA 5046) -CVE-2024-5839 +CVE-2024-5839 (Inappropriate Implementation in Memory Allocator in Google Chrome prio ...) - chromium
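Review bot: The descriptions imported in the @@ -1 hunk contain the literal escape sequence "\u2013" (CVE-2024-5892 "Divi Torque Lite \u2013 Divi Theme", CVE-2024-4564 "CoDesigner WooCommerce Builder for Elementor \u2013 Customize Chec"), so the automatic update is writing JSON-escaped text instead of the decoded en dash; decoding the description before it is truncated into the list would stop the six-character escape from displacing real text in the excerpt and from being copied into hand-written lines later.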
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-2408/php
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1e065ba1 by Salvatore Bonaccorso at 2024-06-12T09:25:26+02:00 Add CVE-2024-2408/php - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -991,7 +991,11 @@ CVE-2024-30465 (Missing Authorization vulnerability in Pagelayer Team PageLayer. CVE-2024-30464 (Missing Authorization vulnerability in WPZOOM Social Icons Widget & Bl ...) NOT-FOR-US: WordPress plugin CVE-2024-2408 (The openssl_private_decrypt function in PHP, when using PKCS1 padding ...) - TODO: check + - php8.2 + - php7.4 + - php7.3 + NOTE: https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864 + TODO: double-check for tracking CVE-2024-25929 (Missing Authorization vulnerability in MultiVendorX Product Catalog En ...) NOT-FOR-US: WordPress plugin CVE-2024-25092 (Missing Authorization vulnerability in XLPlugins NextMove Lite.This is ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1e065ba13fa7f584ff503ab3f2f2b413c2397fd3
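Review bot: The hunk lists php8.2, php7.4 and php7.3 for CVE-2024-2408 with no fixed version and no [bookworm]/[bullseye]/[buster] annotations, and the only reference is the GHSA advisory; adding the upstream fix commit or fixed upstream release as a NOTE would let the Debian fixed versions be filled in, and if php7.4 and php7.3 are present only in the older releases rather than unstable, the entry needs per-release annotations instead of bare package lines.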
[Git][security-tracker-team/security-tracker][master] Add CVE-2023-4727/dogtag-pki
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 58ea7789 by Salvatore Bonaccorso at 2024-06-12T09:22:40+02:00 Add CVE-2023-4727/dogtag-pki - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -367,7 +367,8 @@ CVE-2023-51498 (Missing Authorization vulnerability in Woo WooCommerce Canada Po CVE-2023-50763 (A vulnerability has been identified in SIMATIC CP 1542SP-1 (6GK7542-6U ...) NOT-FOR-US: Siemens CVE-2023-4727 (A flaw was found in dogtag-pki and pki-core. The token authentication ...) - TODO: check + - dogtag-pki + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2232218 CVE-2023-48273 (Missing Authorization vulnerability in WP OnlineSupport, Essential Plu ...) NOT-FOR-US: WordPress plugin CVE-2023-46720 (A stack-based buffer overflow in Fortinet FortiOS version 7.4.0 throug ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/58ea7789a304273d12a0cb96c49415f57f4d9289
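Review bot: The hunk adds "- dogtag-pki" for CVE-2023-4727 with no fixed version, no severity annotation and no Debian bug reference, only the Red Hat bugzilla link; since the description names both dogtag-pki and pki-core, a NOTE on whether the affected token authentication code is in Debian's dogtag-pki package, plus a "(bug #...)" reference as the cups entry elsewhere on this page carries, would complete the entry.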
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-35329/libyaml
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f1ee367c by Salvatore Bonaccorso at 2024-06-12T09:20:34+02:00 Add CVE-2024-35329/libyaml - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -501,7 +501,8 @@ CVE-2024-36303 (An origin validation vulnerability in the Trend Micro Apex One s CVE-2024-36302 (An origin validation vulnerability in the Trend Micro Apex One securit ...) NOT-FOR-US: Trend Micro CVE-2024-35329 (libyaml 0.2.5 is vulnerable to a heap-based Buffer Overflow in yaml_do ...) - TODO: check + - libyaml + TODO: check, too few details, just known that 0.2.5 is affected CVE-2024-35242 (Composer is a dependency manager for PHP. On the 2.x branch prior to v ...) - composer NOTE: https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f1ee367c31f49303729a2d3d5dc723e7e668882c
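Review bot: The hunk adds "- libyaml" as affected by CVE-2024-35329 while the TODO on the next line says there are too few details to judge, so the tracker now asserts an unfixed heap overflow in unstable on the strength of a report the triager could not verify; until the claim can be checked, a severity annotation such as "(unimportant)" or leaving the entry at TODO without the package line would better reflect the uncertainty, and whatever resolution follows (disputed, rejected or a fix) should replace the TODO.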
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 09acf6b4 by Salvatore Bonaccorso at 2024-06-12T09:03:36+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,5 @@ +CVE-2024-25131 + NOT-FOR-US: MustGather.managed.openshift.io Custom Defined Resource (CRD) CVE-2024-5847 - chromium [bullseye] - chromium (see #1061268) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/09acf6b4025c41666e1c49791dad331a481bdbad
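Review bot: The NOT-FOR-US annotation in the hunk expands CRD as "Custom Defined Resource"; in Kubernetes and OpenShift the term is Custom Resource Definition, so the line should read "NOT-FOR-US: MustGather.managed.openshift.io Custom Resource Definition (CRD)".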
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-35235/cups
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 060303d2 by Salvatore Bonaccorso at 2024-06-12T08:58:44+02:00 Track fixed version for CVE-2024-35235/cups - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -437,7 +437,7 @@ CVE-2024-5687 (If a specific sequence of actions is performed when opening a new - firefox (Android-specific) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-25/#CVE-2024-5687 CVE-2024-35235 (OpenPrinting CUPS is an open source printing system for Linux and othe ...) - - cups (bug #1073002) + - cups 2.4.7-2 (bug #1073002) [bookworm] - cups (Minor issue) [bullseye] - cups (Minor issue) NOTE: https://www.openwall.com/lists/oss-security/2024/06/11/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/060303d26c8ccd4577e8a93855a91f3f2554424e
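Review bot: The hunk records cups 2.4.7-2 as the fixed version in unstable but keeps [bookworm] and [bullseye] at "(Minor issue)" and has no [buster] line; now that a fix exists, a NOTE with the upstream fix commit next to the oss-security reference would make the "Minor issue" decisions easy to revisit for a point release, and a [buster] annotation would make the entry's coverage explicit.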