[Git][security-tracker-team/security-tracker][master] Update information on CVE-2024-45845 and CVE-2024-45593
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b7eeed35 by Salvatore Bonaccorso at 2024-09-11T22:39:56+02:00 Update information on CVE-2024-45845 and CVE-2024-45593 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -339,7 +339,10 @@ CVE-2024-6876 (Out-of-Bounds read vulnerability in OSCAT Basic Library allows an CVE-2024-6282 (The Master Addons \u2013 Free Widgets, Hover Effects, Toggle, Conditio ...) NOT-FOR-US: WordPress plugin CVE-2024-45845 (nix 2.24 through 2.24.5 allows directory traversal via a symlink in a ...) - TODO: check + - nix (Vulnerable code introduced later) + NOTE: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493 + NOTE: https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59 + NOTE: Duplicate of CVE-2024-45593 CVE-2024-45596 (Directus is a real-time API and App dashboard for managing SQL databas ...) NOT-FOR-US: Directus CVE-2024-45595 (D-Tale is a visualizer for Pandas data structures. Users hosting D-Tal ...) 
@@ -347,6 +350,7 @@ CVE-2024-45595 (D-Tale is a visualizer for Pandas data structures. Users hosting CVE-2024-45593 (Nix is a package manager for Linux and other Unix systems. A bug in Ni ...) - nix (Vulnerable code introduced later) NOTE: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493 + NOTE: https://github.com/NixOS/nix/commit/eb11c1499876cd4c9c188cbda5b1003b36ce2e59 CVE-2024-45592 (auditor-bundle, formerly known as DoctrineAuditBundle, integrates audi ...) NOT-FOR-US: auditor-bundle / DoctrineAuditBundle CVE-2024-45591 (XWiki Platform is a generic wiki platform. The REST API exposes the hi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7eeed351e85dbfcfb9fa645a0856ceb86cc3700 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b7eeed351e85dbfcfb9fa645a0856ceb86cc3700 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
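Review bot: in the first hunk, CVE-2024-45845 is annotated "Duplicate of CVE-2024-45593" yet still receives a full status entry ("- nix (Vulnerable code introduced later)") plus the same advisory and commit NOTEs as CVE-2024-45593; if the tracker convention is to keep both, consider tightening the rationale to name the introducing release, since the description itself says "nix 2.24 through 2.24.5" and unstable carries 2.23.3+dfsg-1 (see commit 32aa9ad1 below), e.g. "- nix (Vulnerable code introduced in 2.24)", so the entry remains checkable once the package is updated. In both hunks the fixing-commit NOTE for eb11c149 carries no upstream release tag in parentheses, unlike the other commit references on this page ("(6.11-rc4)", "(0.19.0)", "(1.16.0)"); append the release that first ships the fix once confirmed.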
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f7a49d0e by Salvatore Bonaccorso at 2024-09-11T22:37:59+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,13 +31,13 @@ CVE-2024-7609 (Improper Limitation of a Pathname to a Restricted Directory ('Pat CVE-2024-7312 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) NOT-FOR-US: Payara Platform Payara Server CVE-2024-6091 (A vulnerability in significant-gravitas/autogpt version 0.5.1 allows a ...) - TODO: check + NOT-FOR-US: significant-gravitas/autogpt CVE-2024-5760 (The Samsung Universal Print Driver for Windows is potentially vulnerab ...) NOT-FOR-US: Samsung CVE-2024-5416 (The Elementor Website Builder \u2013 More than Just a Page Builder plu ...) NOT-FOR-US: WordPress plugin CVE-2024-4465 (An access control vulnerability was discovered in the Reports section ...) - TODO: check + NOT-FOR-US: Guardian/CMC CVE-2024-45790 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to miss ...) NOT-FOR-US: Reedos aiM-Star CVE-2024-45789 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to impr ...) 
@@ -49,29 +49,29 @@ CVE-2024-45787 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due t CVE-2024-45786 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to impr ...) NOT-FOR-US: Reedos aiM-Star CVE-2024-45327 (An improper authorization vulnerability [CWE-285] in FortiSOAR version ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2024-44851 (A stored cross-site scripting (XSS) vulnerability in the Discussion se ...) - TODO: check + NOT-FOR-US: Perfex CRM CVE-2024-44577 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injec ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44575 (RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sen ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44574 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injec ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44573 (A stored cross-site scripting (XSS) vulnerability in the VLAN configur ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44572 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injec ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44571 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect acces ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44570 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injectio ...) - TODO: check + NOT-FOR-US: Relyum RELY-PCIe CVE-2024-44541 (evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL I ...) - TODO: check + NOT-FOR-US: evilnapsis Inventio Lite CVE-2024-44466 (COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in functi ...) - TODO: check + NOT-FOR-US: COMFAST CF-XR11 CVE-2024-43793 (Halo is an open source website building tool. A security vulnerability ...) - TODO: check + NOT-FOR-US: Halo CVE-2024-42760 (SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote at ...) 
TODO: check CVE-2024-41868 (Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7a49d0e581d4b67cc13c386d80d58848be79237 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f7a49d0e581d4b67cc13c386d80d58848be79237 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
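Review bot: in the first hunk the rationale for CVE-2024-4465 is "NOT-FOR-US: Guardian/CMC", but neither name appears in the visible description ("An access control vulnerability was discovered in the Reports section ..."), so the mapping cannot be cross-checked from the entry; consider quoting the vendor/product wording used in the CVE text. The FortiSOAR entry (CVE-2024-45327) uses the vendor label "FortiGuard", which matches the FortiEDR entry in commit 4d141112 below, so that one is consistent.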
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4a4041e1 by Salvatore Bonaccorso at 2024-09-11T22:23:07+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,53 +1,53 @@ CVE-2024-8693 (A vulnerability, which was classified as problematic, has been found i ...) - TODO: check + NOT-FOR-US: Kaon CG3000 CVE-2024-8692 (A vulnerability classified as critical was found in TDuckCloud TDuckPr ...) - TODO: check + NOT-FOR-US: TDuckCloud TDuckPro CVE-2024-8691 (A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN- ...) - TODO: check + NOT-FOR-US: Palo Alto Networks PAN-OS CVE-2024-8690 (A problem with a detection mechanism in the Palo Alto Networks Cortex ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-8689 (A problem with the ActiveMQ integration for both Cortex XSOAR and Cort ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-8688 (An improper neutralization of matching symbols vulnerability in the Pa ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-8687 (An information exposure vulnerability exists in Palo Alto Networks PAN ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-8686 (A command injection vulnerability in Palo Alto Networks PAN-OS softwar ...) - TODO: check + NOT-FOR-US: Palo Alto Networks CVE-2024-8646 (In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulne ...) TODO: check CVE-2024-8642 (In Eclipse Dataspace Components, from version 0.5.0 and before version ...) TODO: check CVE-2024-8306 (CWE-269: Improper Privilege Management vulnerability exists that could ...) - TODO: check + NOT-FOR-US: Schneider Electric CVE-2024-8277 (The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerab ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8097 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: Payara Platform Payara Server CVE-2024-7805 REJECTED CVE-2024-7609 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) 
- TODO: check + NOT-FOR-US: Vidco Software VOC TESTER CVE-2024-7312 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) - TODO: check + NOT-FOR-US: Payara Platform Payara Server CVE-2024-6091 (A vulnerability in significant-gravitas/autogpt version 0.5.1 allows a ...) TODO: check CVE-2024-5760 (The Samsung Universal Print Driver for Windows is potentially vulnerab ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-5416 (The Elementor Website Builder \u2013 More than Just a Page Builder plu ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-4465 (An access control vulnerability was discovered in the Reports section ...) TODO: check CVE-2024-45790 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to miss ...) - TODO: check + NOT-FOR-US: Reedos aiM-Star CVE-2024-45789 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to impr ...) - TODO: check + NOT-FOR-US: Reedos aiM-Star CVE-2024-45788 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to miss ...) - TODO: check + NOT-FOR-US: Reedos aiM-Star CVE-2024-45787 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to tran ...) - TODO: check + NOT-FOR-US: Reedos aiM-Star CVE-2024-45786 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to impr ...) - TODO: check + NOT-FOR-US: Reedos aiM-Star CVE-2024-45327 (An improper authorization vulnerability [CWE-285] in FortiSOAR version ...) TODO: check CVE-2024-44851 (A stored cross-site scripting (XSS) vulnerability in the Discussion se ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a4041e1e8b783157ec5d1bcd6a6007e1c6d621d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4a4041e1e8b783157ec5d1bcd6a6007e1c6d621d You're receiving this email because of your account on salsa.debian.org. 
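Review bot: the Palo Alto Networks rationales in this hunk are inconsistent: CVE-2024-8691 is labelled "NOT-FOR-US: Palo Alto Networks PAN-OS" while CVE-2024-8687 and CVE-2024-8686, whose descriptions also name PAN-OS, and the Cortex entries (CVE-2024-8690, CVE-2024-8689, CVE-2024-8688) all get the bare "NOT-FOR-US: Palo Alto Networks". Pick one form (vendor only, or vendor plus product as the description states it) so the entries can be grepped uniformly.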
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5232bca3 by security tracker role at 2024-09-11T20:12:48+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,95 +1,203 @@ -CVE-2024-46672 [wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion] +CVE-2024-8693 (A vulnerability, which was classified as problematic, has been found i ...) + TODO: check +CVE-2024-8692 (A vulnerability classified as critical was found in TDuckCloud TDuckPr ...) + TODO: check +CVE-2024-8691 (A vulnerability in the GlobalProtect portal in Palo Alto Networks PAN- ...) + TODO: check +CVE-2024-8690 (A problem with a detection mechanism in the Palo Alto Networks Cortex ...) + TODO: check +CVE-2024-8689 (A problem with the ActiveMQ integration for both Cortex XSOAR and Cort ...) + TODO: check +CVE-2024-8688 (An improper neutralization of matching symbols vulnerability in the Pa ...) + TODO: check +CVE-2024-8687 (An information exposure vulnerability exists in Palo Alto Networks PAN ...) + TODO: check +CVE-2024-8686 (A command injection vulnerability in Palo Alto Networks PAN-OS softwar ...) + TODO: check +CVE-2024-8646 (In Eclipse Glassfish versions prior to 7.0.10, a URL redirection vulne ...) + TODO: check +CVE-2024-8642 (In Eclipse Dataspace Components, from version 0.5.0 and before version ...) + TODO: check +CVE-2024-8306 (CWE-269: Improper Privilege Management vulnerability exists that could ...) + TODO: check +CVE-2024-8277 (The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerab ...) + TODO: check +CVE-2024-8097 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2024-7805 + REJECTED +CVE-2024-7609 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) + TODO: check +CVE-2024-7312 (URL Redirection to Untrusted Site ('Open Redirect') vulnerability in P ...) + TODO: check +CVE-2024-6091 (A vulnerability in significant-gravitas/autogpt version 0.5.1 allows a ...) + TODO: check +CVE-2024-5760 (The Samsung Universal Print Driver for Windows is potentially vulnerab ...) 
+ TODO: check +CVE-2024-5416 (The Elementor Website Builder \u2013 More than Just a Page Builder plu ...) + TODO: check +CVE-2024-4465 (An access control vulnerability was discovered in the Reports section ...) + TODO: check +CVE-2024-45790 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to miss ...) + TODO: check +CVE-2024-45789 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to impr ...) + TODO: check +CVE-2024-45788 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to miss ...) + TODO: check +CVE-2024-45787 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to tran ...) + TODO: check +CVE-2024-45786 (This vulnerability exists in Reedos aiM-Star version 2.0.1 due to impr ...) + TODO: check +CVE-2024-45327 (An improper authorization vulnerability [CWE-285] in FortiSOAR version ...) + TODO: check +CVE-2024-44851 (A stored cross-site scripting (XSS) vulnerability in the Discussion se ...) + TODO: check +CVE-2024-44577 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injec ...) + TODO: check +CVE-2024-44575 (RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sen ...) + TODO: check +CVE-2024-44574 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injec ...) + TODO: check +CVE-2024-44573 (A stored cross-site scripting (XSS) vulnerability in the VLAN configur ...) + TODO: check +CVE-2024-44572 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injec ...) + TODO: check +CVE-2024-44571 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect acces ...) + TODO: check +CVE-2024-44570 (RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injectio ...) + TODO: check +CVE-2024-44541 (evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL I ...) + TODO: check +CVE-2024-44466 (COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in functi ...) + TODO: check +CVE-2024-43793 (Halo is an open source website building tool. 
A security vulnerability ...) + TODO: check +CVE-2024-42760 (SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote at ...) + TODO: check +CVE-2024-41868 (Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of ...) + TODO: check +CVE-2024-39378 (Audition versions 24.4.1, 23.6.6 and earlier are affected by an out-of ...) + TODO: check +CVE-2024-27115 (A unauthenticated Remote Code Execution (RCE) vulnerability is found i ...) + TODO: che
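Review bot: the first line of this hunk removes the kernel-sec placeholder entry "CVE-2024-46672 [wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion]", and the visible diff is cut off at "TODO: che", so the re-added entry is not shown here. Verify in the full commit that the curated status lines from commit 849f7f01 below ("- linux 6.10.7-1", the [bookworm]/[bullseye] "Vulnerable code not present" annotations and the git.kernel.org NOTE) survived the automatic re-write of the description and were not replaced by a bare "TODO: check".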
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-38531/nix via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 32aa9ad1 by Salvatore Bonaccorso at 2024-09-11T22:05:29+02:00 Track fixed version for CVE-2024-38531/nix via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -17273,7 +17273,7 @@ CVE-2024-3800 (Sites managed in S@M CMS (Concept Intermedia) might be vulnerable CVE-2024-39704 (Soft Circle French-Bread Melty Blood: Actress Again: Current Code thro ...) NOT-FOR-US: Soft Circle French-Bread Melty Blood: Actress Again CVE-2024-38531 (Nix is a package manager for Linux and other Unix systems that makes p ...) - - nix + - nix 2.23.3+dfsg-1 [bookworm] - nix (Minor issue) [bullseye] - nix (Minor issue) NOTE: https://github.com/NixOS/nix/pull/10501 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32aa9ad10bb09f59f330f7ca1c57f656d8dc5255 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32aa9ad10bb09f59f330f7ca1c57f656d8dc5255 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
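Review bot: the fixed version "2.23.3+dfsg-1" is recorded on the unstable line, but the only reference is the pull request (NixOS/nix#10501) with no indication of which upstream release merged it, so a reader cannot confirm that 2.23.3 is actually at or past the fix. Add the upstream release tag to the NOTE, in the same "(version)" form the other entries on this page use, or a NOTE naming the merge commit.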
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-45593/nix
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 88a9eafd by Salvatore Bonaccorso at 2024-09-11T22:01:09+02:00 Add CVE-2024-45593/nix - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -237,7 +237,8 @@ CVE-2024-45596 (Directus is a real-time API and App dashboard for managing SQL d CVE-2024-45595 (D-Tale is a visualizer for Pandas data structures. Users hosting D-Tal ...) NOT-FOR-US: D-Tale CVE-2024-45593 (Nix is a package manager for Linux and other Unix systems. A bug in Ni ...) - TODO: check + - nix (Vulnerable code introduced later) + NOTE: https://github.com/NixOS/nix/security/advisories/GHSA-h4vv-h3jq-v493 CVE-2024-45592 (auditor-bundle, formerly known as DoctrineAuditBundle, integrates audi ...) NOT-FOR-US: auditor-bundle / DoctrineAuditBundle CVE-2024-45591 (XWiki Platform is a generic wiki platform. The REST API exposes the hi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a9eafdcba9c8eed9df216d37d43c5d3b65b5b4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/88a9eafdcba9c8eed9df216d37d43c5d3b65b5b4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
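Review bot: the entry gives the rationale "Vulnerable code introduced later" with only the GHSA advisory as reference; without the fixing commit or the affected-version range it is not possible to verify from the entry alone that the packaged version predates the bug. The follow-up commit b7eeed35 above adds the commit reference (eb11c149), which addresses this; ideally both references land together with the initial triage.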
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-44070/frr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 34439179 by Salvatore Bonaccorso at 2024-09-11T20:42:28+02:00 Update status for CVE-2024-44070/frr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5025,9 +5025,10 @@ CVE-2024-44073 (The Miniscript (aka rust-miniscript) library before 12.2.0 for R NOT-FOR-US: Miniscript (aka rust-miniscript) CVE-2024-44070 (An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_enca ...) {DLA-3865-1} - - frr (bug #1079649) + - frr 10.1-0.2 (bug #1079649) NOTE: https://github.com/FRRouting/frr/pull/16497 - NOTE: Fixed by: https://github.com/FRRouting/frr/commit/3d56a1b4387c759b2c943e41d312ae0e6a7160b9 + NOTE: Fixed by: https://github.com/FRRouting/frr/commit/0998b38e4d61179441f90dd7e7fd6a3a8b7bd8c5 (master) + NOTE: Fixed by: https://github.com/FRRouting/frr/commit/b29169073bf38ff98fcfdd1e115a64203be13073 (frr-10.1) CVE-2024-44069 (Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= cal ...) NOT-FOR-US: Pi-hole CVE-2024-44067 (The T-Head XuanTie C910 CPU in the TH1520 SoC and the T-Head XuanTie C ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/344391799342ba2b9ff9a8e8a32f9c94400b53ed -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/344391799342ba2b9ff9a8e8a32f9c94400b53ed You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
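Review bot: the previous "Fixed by" reference (3d56a1b4) is dropped and replaced by two commits, 0998b38e (master) and b2916907 (frr-10.1), without a NOTE saying why; if 3d56a1b4 was simply a wrong reference that is fine, but if it is a related follow-up fix it should be kept as an additional NOTE so that backports do not miss it. The new fixed version "10.1-0.2" and the existing "{DLA-3865-1}" marker are consistent with the frr-10.1 branch commit being the one that matters for the packaged release.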
[Git][security-tracker-team/security-tracker][master] 2 commits: Add reference to upstream tag for CVE-2024-43800
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2851dbd3 by Salvatore Bonaccorso at 2024-09-11T20:23:07+02:00 Add reference to upstream tag for CVE-2024-43800 - - - - - 1c6b6b09 by Salvatore Bonaccorso at 2024-09-11T20:27:30+02:00 Add CVE-2024-837{2,3}/angular.js - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -282,8 +282,8 @@ CVE-2024-44087 (A vulnerability has been identified in Automation License Manage CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted user i ...) - node-serve-static NOTE: https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p - NOTE: https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b (1.x) - NOTE: https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (v2.1.0) + NOTE: https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b (1.16.0) + NOTE: https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa (2.1.0) CVE-2024-43799 (Send is a library for streaming files from the file system as a http r ...) - node-send NOTE: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg 
@@ -663,9 +663,11 @@ CVE-2024-8604 (A vulnerability classified as problematic has been found in Sourc CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software versions p ...) NOT-FOR-US: TechExcel Back Office Software CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in + NOTE: https://codepen.io/herodevs/full/bGPQgMp/8da9ce87e99403ee13a295c305ebfa0b CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute in Angu ...) - TODO: check + - angular.js + NOTE: https://codepen.io/herodevs/full/xxoQRNL/0072e627abe03e9cda373bc75b4c1017 CVE-2024-8042 (Rapid7 Insight Platform versions between November 2019 and August 14, ...) NOT-FOR-US: Rapid7 Insight Platform CVE-2024-7341 (A session fixation issue was discovered in the SAML adapters provided ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aa8f0d38b504f2b821af6c161ac28f9882eeab11...1c6b6b093dc954ffb9aaaf4b4586602c3d23876a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/aa8f0d38b504f2b821af6c161ac28f9882eeab11...1c6b6b093dc954ffb9aaaf4b4586602c3d23876a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
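Review bot: in the second hunk (commit 1c6b6b09) the only references added for CVE-2024-8372 and CVE-2024-8373 are codepen reproduction links; there is no upstream advisory or fixing-commit NOTE, so a future fixed-version line for angular.js has nothing to anchor on and backporters have no patch to look at. Add the advisory URL or an explicit NOTE stating that no upstream fix is available. Also, the visible context for CVE-2024-8373 shows only the description line and the new NOTE, while CVE-2024-8372 gets an explicit "- angular.js" line; confirm both entries carry the package line as the commit message "Add CVE-2024-837{2,3}/angular.js" implies. The tag renames in the first hunk ("(1.x)" to "(1.16.0)", "(v2.1.0)" to "(2.1.0)") are consistent with the rest of the file.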
[Git][security-tracker-team/security-tracker][master] Add upstream tag reference for CVE-2024-43799 commit
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2b4e1762 by Salvatore Bonaccorso at 2024-09-11T17:47:19+02:00 Add upstream tag reference for CVE-2024-43799 commit - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -284,7 +284,7 @@ CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted CVE-2024-43799 (Send is a library for streaming files from the file system as a http r ...) - node-send NOTE: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg - NOTE: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 + NOTE: https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35 (0.19.0) CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...) - node-express NOTE: https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4e1762cb56f04a86e604bb4d9803c850d5ee6e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2b4e1762cb56f04a86e604bb4d9803c850d5ee6e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
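Review bot: the commit NOTE now carries the upstream release "(0.19.0)", but the "- node-send" line still records no Debian fixed version, so the entry reads as unfixed in every suite; either add the fixed version once the package is uploaded or annotate the suite status so the entry does not sit indefinitely as an open issue.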
[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 849f7f01 by Salvatore Bonaccorso at 2024-09-11T17:26:45+02:00 Merge Linux CVEs from kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,97 @@ +CVE-2024-46672 [wifi: brcmfmac: cfg80211: Handle SSID based pmksa deletion] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/2ad4e1ada8eebafa2d75a4b75eeeca882de6ada1 (6.11-rc4) +CVE-2024-45030 [igb: cope with large MAX_SKB_FRAGS] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/8aba27c4a5020abdf60149239198297f88338a8d (6.11-rc5) +CVE-2024-45029 [i2c: tegra: Do not mark ACPI devices as irq safe] + - linux 6.10.7-1 + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/14d069d92951a3e150c0a81f2ca3b93e54da913b (6.11-rc4) +CVE-2024-45028 [mmc: mmc_test: Fix NULL dereference on allocation failure] + - linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/a1e627af32ed60713941cbfc8075d44cad07f6dd (6.11-rc5) +CVE-2024-45027 [usb: xhci: Check for xhci->interrupters being allocated in xhci_mem_clearup()] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/dcdb52d948f3a17ccd3fce757d9bd981d7c32039 (6.11-rc4) +CVE-2024-45026 [s390/dasd: fix error recovery leading to data corruption on ESE devices] + - linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/7db4042336580dfd75cb5faa82c12cd51098c90b (6.11-rc4) +CVE-2024-45025 [fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE] + - linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/9a2fa1472083580b6c66bdaf291f591e1170123a (6.11-rc4) +CVE-2024-45024 [mm/hugetlb: fix hugetlb vs. 
core-mm PT locking] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/5f75cfbd6bb02295ddaed48adf667b6c828ce07b (6.11-rc4) +CVE-2024-45023 [md/raid1: Fix data corruption for degraded array with slow disk] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/c916ca35308d3187c9928664f9be249b22a3a701 (6.11-rc4) +CVE-2024-45022 [mm/vmalloc: fix page mapping if vm_area_alloc_pages() with high order fallback to order 0] + - linux 6.10.7-1 + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/61ebe5a747da649057c37be1c37eb934b4af79ca (6.11-rc4) +CVE-2024-45021 [memcg_write_event_control(): fix a user-triggerable oops] + - linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/046667c4d3196938e992fba0dfcde570aa85cd0e (6.11-rc4) +CVE-2024-45020 [bpf: Fix a kernel verifier crash in stacksafe()] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/bed2eb964c70b780fb55925892a74f26cb590b25 (6.11-rc4) +CVE-2024-45019 [net/mlx5e: Take state lock during tx timeout reporter] + - linux 6.10.7-1 + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/e6b5afd30b99b43682a7764e1a74a42fe4d5f4b3 (6.11-rc4) +CVE-2024-45018 [netfilter: flowtable: initialise extack before use] + - linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/e9767137308daf906496613fd879808a07f006a2 (6.11-rc4) +CVE-2024-45017 [net/mlx5: Fix IPsec RoCE MPV trace call] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/607e1df7bd47fe91cab85a97f57870a26d066137 (6.11-rc5) +CVE-2024-45016 [netem: fix return value if duplicate enqueue fails] + - 
linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/c07ff8592d57ed258afee5a5e04991a48dbaf382 (6.11-rc5) +CVE-2024-45015 [drm/msm/dpu: move dpu_encoder's connector assignment to atomic_enable()] + - linux 6.10.7-1 + NOTE: https://git.kernel.org/linus/aedf02e46eb549dac8db4821a6b9f0c6bf6e3990 (6.11-rc5) +CVE-2024-45014 [s390/boot: Avoid possible physmem_info segment corruption] + - linux 6.10.7-1 + [bookworm] - linux (Vulnerable code not present) + [bullseye] - linux (Vulnerable code not present) + NOTE: https://git.kernel.org/linus/d7fd2941ae9a67423d1c7bee985f2
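Review bot: CVE-2024-45029, CVE-2024-45022 and CVE-2024-45019 carry a "[bullseye] - linux (Vulnerable code not present)" annotation but no [bookworm] line, which leaves bookworm implicitly affected and unfixed, whereas the neighbouring entries annotate both suites. If bookworm's 6.1 kernel really does contain the vulnerable code that is the intended reading, but it is worth a second look since the pattern differs from the rest of the batch. The last NOTE of the hunk is cut off in this message ("d7fd2941ae9a67423d1c7bee985f2"); the full hash should be checked in the repository rather than from this mail.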
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d141112 by Salvatore Bonaccorso at 2024-09-11T10:47:06+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,21 +25,21 @@ CVE-2024-7721 (The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block p CVE-2024-7716 (The Logo Slider WordPress plugin before 3.6.9 does not sanitise and e ...) NOT-FOR-US: WordPress plugin CVE-2024-7626 (The WP Delicious \u2013 Recipe Plugin for Food Bloggers (formerly Deli ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-45597 (Pluto is a superset of Lua 5.4 with a focus on general-purpose program ...) TODO: check CVE-2024-44107 (DLL hijacking in the management console of Ivanti Workspace Control ve ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-44106 (Insufficient server-side controls in the management console of Ivanti ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-44105 (Cleartext transmission of sensitive information in the management cons ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-44104 (An incorrectly implemented authentication scheme that is subjected to ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-44103 (DLL hijacking in the management console of Ivanti Workspace Control ve ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-43690 (Inclusion of Functionality from Untrusted Control Sphere(CWE-829) in t ...) - TODO: check + NOT-FOR-US: Gallagher CVE-2024-40662 (In scheme of Uri.java, there is a possible way to craft a malformed Ur ...) TODO: check CVE-2024-40659 (In getRegistration of RemoteProvisioningService.java, there is a possi ...) 
@@ -145,7 +145,7 @@ CVE-2024-45595 (D-Tale is a visualizer for Pandas data structures. Users hosting CVE-2024-45593 (Nix is a package manager for Linux and other Unix systems. A bug in Ni ...) TODO: check CVE-2024-45592 (auditor-bundle, formerly known as DoctrineAuditBundle, integrates audi ...) - TODO: check + NOT-FOR-US: auditor-bundle / DoctrineAuditBundle CVE-2024-45591 (XWiki Platform is a generic wiki platform. The REST API exposes the hi ...) NOT-FOR-US: XWiki CVE-2024-45590 (body-parser is Node.js body parsing middleware. body-parser <1.20.3 is ...) @@ -155,9 +155,9 @@ CVE-2024-45412 (Yeti bridges the gap between CTI and DFIR practitioners by provi CVE-2024-45409 (The Ruby SAML library is for implementing the client side of a SAML au ...) TODO: check CVE-2024-45407 (Sunshine is a self-hosted game stream host for Moonlight. Clients that ...) - TODO: check + NOT-FOR-US: Sunshine CVE-2024-45393 (Computer Vision Annotation Tool (CVAT) is an interactive video and ima ...) - TODO: check + NOT-FOR-US: Computer Vision Annotation Tool (CVAT) CVE-2024-45323 (An improper access control vulnerability[CWE-284] in FortiEDR Manager ...) NOT-FOR-US: FortiGuard CVE-2024-45044 (Bareos is open source software for backup, archiving, and recovery of ...) 
@@ -178,9 +178,9 @@ CVE-2024-44867 (phpok v3.0 was discovered to contain an arbitrary file read vuln CVE-2024-44815 (Vulnerability in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a ph ...) NOT-FOR-US: Hathway Skyworth Router CM5100 CVE-2024-44677 (eladmin v2.7 and before is vulnerable to Server-Side Request Forgery ( ...) - TODO: check + NOT-FOR-US: eladmin CVE-2024-44676 (eladmin v2.7 and before is vulnerable to Cross Site Scripting (XSS) wh ...) - TODO: check + NOT-FOR-US: eladmin CVE-2024-44667 (Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628 ...) NOT-FOR-US: Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router CVE-2024-44087 (A vulnerability has been identified in Automation License Manager V5 ( ...) @@ -194,9 +194,9 @@ CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20. CVE-2024-43781 (A vulnerability has been identified in SINUMERIK 828D V4 (All versions ...) NOT-FOR-US: Siemens CVE-2024-43647 (A vulnerability has been identified in SIMATIC S7-200 SMART CPU CR40 ( ...) - TODO: check + NOT-FOR-US: Siemens CVE-2024-43495 (Windows libarchive Remote Code Execution Vulnerability) - TODO: check + NOT-FOR-US: Microsoft CVE-2024-43492 (Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability) NOT-FOR-US: Microsoft CVE-2024-43491 (Microsoft is aware of a vulnerability in Servicing Stack that has roll ...) @@ -256,59 +256,59 @@ CVE-2024-43386 (A low privileged remote attacker can trigger the execution of ar CVE-2024-43385 (A low privileged remote attacker can trigger theexecution of arbitrary ...) TODO: check CVE-2024-43040 (Renwoxing Enterprise Inte
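Review bot: in the third hunk CVE-2024-43495 "Windows libarchive Remote Code Execution Vulnerability" is closed as "NOT-FOR-US: Microsoft", but libarchive itself is a Debian package; confirm that the issue is specific to the copy Microsoft ships in Windows and not an upstream libarchive bug that the Debian package also carries, and if it does map to an upstream issue, add the corresponding CVE or commit reference instead of the NOT-FOR-US marker. The remaining NFU rationales in these hunks (Ivanti, Gallagher, eladmin, Sunshine, CVAT, Siemens) match the products named in their descriptions.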
[Git][security-tracker-team/security-tracker][master] Process batch of NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 110e2172 by Salvatore Bonaccorso at 2024-09-11T10:37:43+02:00 Process batch of NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,29 +1,29 @@ CVE-2024-8441 (An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6 ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-8440 (The Essential Addons for Elementor \u2013 Best Elementor Templates, Wi ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8322 (Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-8321 (Missing authentication in Network Isolation of Ivanti EPM before 2022 ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-8320 (Missing authentication in Network Isolation of Ivanti EPM before 2022 ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-8253 (The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8191 (SQL injection in the management console of Ivanti EPM before 2022 SU6, ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-8190 (An OS command injection vulnerability in Ivanti Cloud Services Applian ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-8045 (The Advanced WordPress Backgrounds plugin for WordPress is vulnerable ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8012 (An authentication bypass weakness in the message broker service of Iva ...) - TODO: check + NOT-FOR-US: Ivanti CVE-2024-7727 (The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block plugin ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7721 (The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block plugin ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7716 (The Logo Slider WordPress plugin before 3.6.9 does not sanitise and e ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7626 (The WP Delicious \u2013 Recipe Plugin for Food Bloggers (formerly Deli ...) TODO: check CVE-2024-45597 (Pluto is a superset of Lua 5.4 with a focus on general-purpose program ...) 
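Review bot: CVE-2024-7626 is left at TODO: check at the end of the hunk while every other WordPress plugin entry in the same hunk is switched to NOT-FOR-US: WordPress plugin; its description names it as a "Recipe Plugin for Food Bloggers", i.e. another WordPress plugin, so either fold it into this batch or add a NOTE explaining why it is deferred, so the odd one out is not read as an oversight.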
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/110e217231ddc20832a95bd57ab6496bbe4f14d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/110e217231ddc20832a95bd57ab6496bbe4f14d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add fixed version for chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0bc45027 by Salvatore Bonaccorso at 2024-09-11T10:13:14+02:00 Add fixed version for chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -91,16 +91,16 @@ CVE-2024-23984 NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910 CVE-2024-8639 - - chromium + - chromium 128.0.6613.137-1 [bullseye] - chromium (see #1061268) CVE-2024-8638 - - chromium + - chromium 128.0.6613.137-1 [bullseye] - chromium (see #1061268) CVE-2024-8637 - - chromium + - chromium 128.0.6613.137-1 [bullseye] - chromium (see #1061268) CVE-2024-8636 - - chromium + - chromium 128.0.6613.137-1 [bullseye] - chromium (see #1061268) CVE-2024-8655 (A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has b ...) NOT-FOR-US: Mercury MNVR816 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bc4502779aa7b0af6eb12c85b072a0191292d7a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0bc4502779aa7b0af6eb12c85b072a0191292d7a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
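Review bot: the four chromium entries in the @@ -91,16 +91,16 @@ hunk now record 128.0.6613.137-1 as the fixed version but carry no NOTE line pointing at the upstream release announcement, unlike the intel-microcode entries visible in the hunk's context, which reference the Intel advisory; add a NOTE with the upstream Chrome release post for this version so the CVE-to-fix mapping stays verifiable later.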
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7b4d88b6 by security tracker role at 2024-09-11T08:11:58+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,79 @@ +CVE-2024-8441 (An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6 ...) + TODO: check +CVE-2024-8440 (The Essential Addons for Elementor \u2013 Best Elementor Templates, Wi ...) + TODO: check +CVE-2024-8322 (Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, ...) + TODO: check +CVE-2024-8321 (Missing authentication in Network Isolation of Ivanti EPM before 2022 ...) + TODO: check +CVE-2024-8320 (Missing authentication in Network Isolation of Ivanti EPM before 2022 ...) + TODO: check +CVE-2024-8253 (The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable ...) + TODO: check +CVE-2024-8191 (SQL injection in the management console of Ivanti EPM before 2022 SU6, ...) + TODO: check +CVE-2024-8190 (An OS command injection vulnerability in Ivanti Cloud Services Applian ...) + TODO: check +CVE-2024-8045 (The Advanced WordPress Backgrounds plugin for WordPress is vulnerable ...) + TODO: check +CVE-2024-8012 (An authentication bypass weakness in the message broker service of Iva ...) + TODO: check +CVE-2024-7727 (The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block plugin ...) + TODO: check +CVE-2024-7721 (The HTML5 Video Player \u2013 mp4 Video Player Plugin and Block plugin ...) + TODO: check +CVE-2024-7716 (The Logo Slider WordPress plugin before 3.6.9 does not sanitise and e ...) + TODO: check +CVE-2024-7626 (The WP Delicious \u2013 Recipe Plugin for Food Bloggers (formerly Deli ...) + TODO: check +CVE-2024-45597 (Pluto is a superset of Lua 5.4 with a focus on general-purpose program ...) + TODO: check +CVE-2024-44107 (DLL hijacking in the management console of Ivanti Workspace Control ve ...) + TODO: check +CVE-2024-44106 (Insufficient server-side controls in the management console of Ivanti ...) + TODO: check +CVE-2024-44105 (Cleartext transmission of sensitive information in the management cons ...) 
+ TODO: check +CVE-2024-44104 (An incorrectly implemented authentication scheme that is subjected to ...) + TODO: check +CVE-2024-44103 (DLL hijacking in the management console of Ivanti Workspace Control ve ...) + TODO: check +CVE-2024-43690 (Inclusion of Functionality from Untrusted Control Sphere(CWE-829) in t ...) + TODO: check +CVE-2024-40662 (In scheme of Uri.java, there is a possible way to craft a malformed Ur ...) + TODO: check +CVE-2024-40659 (In getRegistration of RemoteProvisioningService.java, there is a possi ...) + TODO: check +CVE-2024-40658 (In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible ...) + TODO: check +CVE-2024-40657 (In addPreferencesForType of AccountTypePreferenceLoader.java, there is ...) + TODO: check +CVE-2024-40656 (In handleCreateConferenceComplete of ConnectionServiceWrapper.java, th ...) + TODO: check +CVE-2024-40655 (In bindAndGetCallIdentification of CallScreeningServiceHelper.java, th ...) + TODO: check +CVE-2024-40654 (In multiple locations, there is a possible permission bypass due to a ...) + TODO: check +CVE-2024-40652 (In onCreate of SettingsHomepageActivity.java, there is a possible way ...) + TODO: check +CVE-2024-40650 (In wifi_item_edit_content of styles.xml , there is a possible FRP bypa ...) + TODO: check +CVE-2024-3899 (The Gallery Plugin for WordPress WordPress plugin before 1.8.15 does ...) + TODO: check +CVE-2024-39808 (Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 ...) + TODO: check +CVE-2024-31336 (Imagination PowerVR-GPU in Android before 2024-09-05 has a High Severi ...) + TODO: check +CVE-2024-24972 (Buffer Copy without Checking Size of Input (CWE-120) in the Controller ...) + TODO: check +CVE-2024-23906 (Improper Neutralization of Input During Web Page Generation (CWE-79) i ...) + TODO: check +CVE-2024-23716 (In DevmemIntPFNotify of devicemem_server.c, there is a possible use-af ...) 
+ TODO: check +CVE-2024-21529 (Versions of the package dset before 3.1.4 are vulnerable to Prototype ...) + TODO: check +CVE-2024-1656 (Affected versions of Octopus Server had a weak content security policy ...) + TODO: check CVE-2024-8096 [OCSP stapling bypass with GnuTLS] - curl [bookworm] - curl (Minor issue) @@ -99,7 +175,7 @@ CVE-2024-44871 (An arbitrary file upload vulnerability in the component /admin/i NOT-FOR-US: moziloCMS CVE-2024-44867 (phpok v3.0 was discovered to contain an arbitrary file read vulnerabil ...)
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-8096/curl
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 71a3b219 by Salvatore Bonaccorso at 2024-09-11T08:06:40+02:00 Add CVE-2024-8096/curl - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,9 @@ +CVE-2024-8096 [OCSP stapling bypass with GnuTLS] + - curl + [bookworm] - curl (Minor issue) + NOTE: https://curl.se/docs/CVE-2024-8096.html + NOTE: Introduced with: https://github.com/curl/curl/commit/f13669a375f5bfd14797bda91642cabe076974fa (curl-7_41_0) + NOTE: Fixed by: https://github.com/curl/curl/commit/aeb1a281cab13c7ba791cb104e556b20e713941f (curl-8_10_0) CVE-2024-24968 - intel-microcode (bug #1081363) [bookworm] - intel-microcode (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71a3b21997c995b0041df24a16c406aeb3e77329 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/71a3b21997c995b0041df24a16c406aeb3e77329 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
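Review bot: the `[bookworm] - curl (Minor issue)` line in the @@ -1,3 +1,9 @@ hunk records a severity judgment without its reason; the entry title attributes the bypass to the GnuTLS backend and the NOTE lines pin down the introducing and fixing commits, so add one more NOTE stating the basis for Minor issue (for instance which of the shipped libcurl flavours is affected, if that is the rationale) so the next triager does not have to rederive it.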
[Git][security-tracker-team/security-tracker][master] Remove firefox-esr entry from dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 20103b8c by Salvatore Bonaccorso at 2024-09-11T07:52:16+02:00 Remove firefox-esr entry from dsa-needed list I forgot to remove it when adding the DSA entry. Fixes: 095180b791e3 ("Add entry for DSA-5765-1/firefox-esr") - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -20,8 +20,6 @@ dnsmasq expat Maintainer proposed debdiffs for review -- -firefox-esr (jmm) --- frr coordination with the maintainer ongoing -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20103b8c2192a4c42060858080d321153d20dcfb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/20103b8c2192a4c42060858080d321153d20dcfb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for intel-microcode issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9962e207 by Salvatore Bonaccorso at 2024-09-11T07:51:06+02:00 Add Debian bug reference for intel-microcode issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,10 +1,10 @@ CVE-2024-24968 - - intel-microcode + - intel-microcode (bug #1081363) [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910 CVE-2024-23984 - - intel-microcode + - intel-microcode (bug #1081363) [bookworm] - intel-microcode (Minor issue) NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9962e20714aa436683a8628bc83c90558c97d0d1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9962e20714aa436683a8628bc83c90558c97d0d1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for thunderbird issues fixed via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a31b8966 by Salvatore Bonaccorso at 2024-09-11T07:47:00+02:00 Track fixed version for thunderbird issues fixed via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -744,7 +744,7 @@ CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no ver CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...) NOT-FOR-US: WordPress plugin CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacker cou ...) - - thunderbird + - thunderbird 1:128.2.0esr-1 [bookworm] - thunderbird (Vulnerable code not present) [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8394 
@@ -1587,21 +1587,21 @@ CVE-2024-8388 (Multiple prompts and panels from both Firefox and the Android OS NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8388 CVE-2024-8387 (Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thun ...) - firefox 130.0-1 - - thunderbird + - thunderbird 1:128.2.0esr-1 [bookworm] - thunderbird (Vulnerable code not present) [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8387 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8387 CVE-2024-8386 (If a site had been granted the permission to open popup windows, it co ...) - firefox 130.0-1 - - thunderbird + - thunderbird 1:128.2.0esr-1 [bookworm] - thunderbird (Vulnerable code not present) [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8386 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8386 CVE-2024-8385 (A difference in the handling of StructFields and ArrayTypes in WASM co ...) - firefox 130.0-1 - - thunderbird + - thunderbird 1:128.2.0esr-1 [bookworm] - thunderbird (Vulnerable code not present) [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8385 @@ -1610,7 +1610,7 @@ CVE-2024-8384 (The JavaScript garbage collector could mis-color cross-compartmen {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - - thunderbird + - thunderbird 1:128.2.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8384 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8384 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8384 
@@ -1625,7 +1625,7 @@ CVE-2024-8382 (Internal browser event interfaces were exposed to web content whe {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - - thunderbird + - thunderbird 1:128.2.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8382 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8382 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8382 @@ -1634,7 +1634,7 @@ CVE-2024-8381 (A potentially exploitable type confusion could be triggered when {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - - thunderbird + - thunderbird 1:128.2.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8381 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8381 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8381 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a31b896643ec9a8acea0ff4e0388b1b5ef8ce0dc -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a31b896643ec9a8acea0ff4e0388b1b5ef8ce0dc You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add two new intel-microcode issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7e17a70b by Salvatore Bonaccorso at 2024-09-11T07:09:39+02:00 Add two new intel-microcode issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,13 @@ +CVE-2024-24968 + - intel-microcode + [bookworm] - intel-microcode (Minor issue) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01097.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910 +CVE-2024-23984 + - intel-microcode + [bookworm] - intel-microcode (Minor issue) + NOTE: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01103.html + NOTE: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910 CVE-2024-8639 - chromium [bullseye] - chromium (see #1061268) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e17a70b74f39be6d26c884af9742a62f44fdd76 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7e17a70b74f39be6d26c884af9742a62f44fdd76 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Reference oss-security post for CVE-2024-6655
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2fafaa04 by Salvatore Bonaccorso at 2024-09-11T06:56:11+02:00 Reference oss-security post for CVE-2024-6655 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -14237,6 +14237,7 @@ CVE-2024-6655 (A flaw was found in the GTK library. Under certain conditions, it [bookworm] - gtk+2.0 2.24.33-2+deb12u1 [bullseye] - gtk+2.0 2.24.33-2+deb11u1 NOTE: https://gitlab.gnome.org/GNOME/gtk/-/issues/6786 + NOTE: https://www.openwall.com/lists/oss-security/2024/09/09/1 CVE-2024-6664 REJECTED CVE-2024-6663 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fafaa04e890dc11c74ec5084e063de94ba2a45a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2fafaa04e890dc11c74ec5084e063de94ba2a45a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add chromium to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 134b50d8 by Salvatore Bonaccorso at 2024-09-11T06:49:22+02:00 Add chromium to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -11,6 +11,8 @@ To pick an issue, simply add your uid behind it. If needed, specify the release by adding a slash after the name of the source package. +-- +chromium (dilinger) -- dnsmasq Lee Garrett showed interest to prepare an update for review View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/134b50d8d7b0c6d9b23cae0f88957e0a4d062fa5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/134b50d8d7b0c6d9b23cae0f88957e0a4d062fa5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new set of chromium issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6a176b05 by Salvatore Bonaccorso at 2024-09-11T06:47:30+02:00 Add new set of chromium issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,15 @@ +CVE-2024-8639 + - chromium + [bullseye] - chromium (see #1061268) +CVE-2024-8638 + - chromium + [bullseye] - chromium (see #1061268) +CVE-2024-8637 + - chromium + [bullseye] - chromium (see #1061268) +CVE-2024-8636 + - chromium + [bullseye] - chromium (see #1061268) CVE-2024-8655 (A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has b ...) NOT-FOR-US: Mercury MNVR816 CVE-2024-8654 (MongoDB Server may access non-initialized region of memory leading to ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a176b05b585b244fc9e1379b127f71c7e06dd67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6a176b05b585b244fc9e1379b127f71c7e06dd67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add expat to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e2425b7c by Salvatore Bonaccorso at 2024-09-11T06:43:41+02:00 Add expat to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -15,6 +15,9 @@ If needed, specify the release by adding a slash after the name of the source pa dnsmasq Lee Garrett showed interest to prepare an update for review -- +expat + Maintainer proposed debdiffs for review +-- firefox-esr (jmm) -- frr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2425b7cb68e423f8483e0b6c231c6b9d9de3d72 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e2425b7cb68e423f8483e0b6c231c6b9d9de3d72 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-27082
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8c5dd2fb by Salvatore Bonaccorso at 2024-09-11T06:38:39+02:00 Update status for CVE-2024-27082 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -33256,6 +33256,7 @@ CVE-2024-28276 (Sourcecodester School Task Manager 1.0 is vulnerable to Cross Si CVE-2024-27082 (Cacti provides an operational monitoring and fault management framewor ...) - cacti 1.2.27+ds1-1 [bookworm] - cacti (Minor issue) + [bullseye] - cacti (Vulnerable code not present) NOTE: GitHub GHSA: https://github.com/Cacti/cacti/security/advisories/GHSA-j868-7vjp-rp9h NOTE: bug: https://github.com/Cacti/cacti/issues/5798 NOTE: Commit [1/6] https://github.com/Cacti/cacti/commit/58a980f335980ab57659420053d89d4e721ae3fc 
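Review bot: the new `[bullseye] - cacti (Vulnerable code not present)` line in the @@ -33256,6 +33256,7 @@ hunk sits directly under `[bookworm] - cacti (Minor issue)`, so the vulnerable code must have arrived between the bullseye and bookworm versions; add a NOTE naming the upstream version or change that introduced it, since that is the fact the "not present" claim rests on and nothing in the entry currently records it.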
@@ -33264,6 +33265,8 @@ CVE-2024-27082 (Cacti provides an operational monitoring and fault management fr NOTE: Commit [4/6] https://github.com/Cacti/cacti/commit/59e39b34f8f1d80b28d38a391d7aa6e7a3302f5b NOTE: Commit [5/6] https://github.com/Cacti/cacti/commit/9c75f8da5b609d17c8c031fd46362f730358b792 NOTE: Commit [6/6] https://github.com/Cacti/cacti/commit/6a82fa1abe81d96238a87727087572ff749d0a8d + NOTE: Main commit for CVE-2024-27082 is considered [3/6], the other commits are either related + NOTE: as pre-requisites and relating to other present CVEs. CVE-2024-25662 (Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 ...) NOT-FOR-US: Oxygen XML Web Author and Oxygen Content Fusion CVE-2024-25641 (Cacti provides an operational monitoring and fault management framewor ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c5dd2fbd2d278f12612a4fe84d7c17dd75283f8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8c5dd2fbd2d278f12612a4fe84d7c17dd75283f8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
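Review bot: the two NOTE lines added at the end of the @@ -33264,6 +33265,8 @@ hunk read awkwardly ("are either related as pre-requisites and relating to other present CVEs"); suggest rewording to `NOTE: Main commit for CVE-2024-27082 is considered [3/6]; the other commits are either prerequisites` / `NOTE: or relate to other CVEs.` so that which of the six commits is the actual fix, and why the rest are listed, is unambiguous.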
[Git][security-tracker-team/security-tracker][master] Sync three CVEs for linux with kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b5d88798 by Salvatore Bonaccorso at 2024-09-11T06:08:02+02:00 Sync three CVEs for linux with kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5398,6 +5398,7 @@ CVE-2024-42272 (In the Linux kernel, the following vulnerability has been resolv CVE-2024-42271 (In the Linux kernel, the following vulnerability has been resolved: n ...) - linux 6.10.4-1 [bookworm] - linux 6.1.106-1 + [bullseye] - linux (s390x not supported in LTS) NOTE: https://git.kernel.org/linus/f558120cd709682b739207b48cf7479fd9568431 (6.11-rc2) CVE-2024-42270 (In the Linux kernel, the following vulnerability has been resolved: n ...) - linux 6.10.4-1 @@ -5417,6 +5418,7 @@ CVE-2024-42268 (In the Linux kernel, the following vulnerability has been resolv CVE-2024-42267 (In the Linux kernel, the following vulnerability has been resolved: r ...) - linux 6.10.4-1 [bookworm] - linux 6.1.106-1 + [bullseye] - linux (riscv64 not a release architecture and supported in LTS) NOTE: https://git.kernel.org/linus/0c710050c47d45eb77b28c271cddefc5c785cb40 (6.11-rc2) CVE-2024-42266 (In the Linux kernel, the following vulnerability has been resolved: b ...) - linux 6.10.4-1 
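Review bot: the `[bullseye]` annotation added in the @@ -5417,6 +5418,7 @@ hunk for CVE-2024-42267 reads "riscv64 not a release architecture and supported in LTS", which states the opposite of what the "not a release architecture" clause and the neighbouring s390x line ("s390x not supported in LTS") imply; it should presumably be `[bullseye] - linux (riscv64 not a release architecture and not supported in LTS)`. Worth fixing here, since this text is synced from kernel-sec and will otherwise be propagated as-is.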
@@ -9565,6 +9567,7 @@ CVE-2024-42127 (In the Linux kernel, the following vulnerability has been resolv CVE-2024-42126 (In the Linux kernel, the following vulnerability has been resolved: p ...) - linux 6.9.9-1 [bookworm] - linux 6.1.98-1 + [bullseye] - linux (Affected architectures not supported in LTS) NOTE: https://git.kernel.org/linus/0db880fc865ffb522141ced4bfa66c12ab1fbb70 (6.10-rc1) CVE-2024-42125 (In the Linux kernel, the following vulnerability has been resolved: w ...) - linux 6.9.9-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5d8879841d2c4030c3478a1a5f704c3903594a5 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b5d8879841d2c4030c3478a1a5f704c3903594a5 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
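Review bot: the `[bullseye]` line added in the @@ -9565,6 +9567,7 @@ hunk for CVE-2024-42126 says "Affected architectures not supported in LTS" without naming them, whereas the two earlier hunks in this commit name s390x and riscv64; spell out the architectures so the claim can be checked against the bullseye LTS architecture list later.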
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-45044/bareos
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f61370d5 by Salvatore Bonaccorso at 2024-09-10T22:45:16+02:00 Add CVE-2024-45044/bareos - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,7 +55,10 @@ CVE-2024-45393 (Computer Vision Annotation Tool (CVAT) is an interactive video a CVE-2024-45323 (An improper access control vulnerability[CWE-284] in FortiEDR Manager ...) NOT-FOR-US: FortiGuard CVE-2024-45044 (Bareos is open source software for backup, archiving, and recovery of ...) - TODO: check + - bareos + NOTE: https://github.com/bareos/bareos/security/advisories/GHSA-jfww-q346-r2r8 + NOTE: https://github.com/bareos/bareos/pull/1875 + NOTE: Fixed by (merge commit): https://github.com/bareos/bareos/commit/2a026698b87d13bd1c6275726b5e826702f81dd5 CVE-2024-45032 (A vulnerability has been identified in Industrial Edge Management Pro ...) NOT-FOR-US: Industrial Edge Management CVE-2024-44893 (An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f61370d576d094aac3daffd5e999f87cbd07b1cb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f61370d576d094aac3daffd5e999f87cbd07b1cb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-8654/mongodb
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 790fc3d4 by Salvatore Bonaccorso at 2024-09-10T22:44:28+02:00 Add CVE-2024-8654/mongodb - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,7 +1,7 @@ CVE-2024-8655 (A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has b ...) NOT-FOR-US: Mercury MNVR816 CVE-2024-8654 (MongoDB Server may access non-initialized region of memory leading to ...) - TODO: check + - mongodb CVE-2024-8645 (SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 a ...) - wireshark 4.2.6-1 NOTE: https://www.wireshark.org/security/wnpa-sec-2024-10.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/790fc3d4cc7276633fe49cd7e049575c600c7983 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/790fc3d4cc7276633fe49cd7e049575c600c7983 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
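Review bot: the new `- mongodb` line in the @@ -1,7 +1,7 @@ hunk carries neither a fixed version nor any NOTE, while the other entries added on this page (curl, bareos, intel-microcode) each cite the upstream advisory or fixing commit; add at least the upstream reference, and a suite annotation or fixed version once known, so the entry is actionable rather than a bare package name.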
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 451b1395 by Salvatore Bonaccorso at 2024-09-10T22:44:01+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,5 @@ CVE-2024-8655 (A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has b ...) - TODO: check + NOT-FOR-US: Mercury MNVR816 CVE-2024-8654 (MongoDB Server may access non-initialized region of memory leading to ...) TODO: check CVE-2024-8645 (SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 a ...) 
@@ -7,21 +7,21 @@ CVE-2024-8645 (SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0 NOTE: https://www.wireshark.org/security/wnpa-sec-2024-10.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19559 CVE-2024-8543 (The Slider comparison image before and after plugin for WordPress is v ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8504 (An attacker with authenticated access to VICIdial as an "agent" can ex ...) - TODO: check + NOT-FOR-US: VICIdial CVE-2024-8503 (An unauthenticated attacker can leverage a time-based SQL injection vu ...) - TODO: check + NOT-FOR-US: VICIdial CVE-2024-8369 (The EventPrime \u2013 Events Calendar, Bookings and Tickets plugin for ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8258 (Improper Control of Generation of Code ('Code Injection') in Electron ...) TODO: check CVE-2024-8241 (The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to St ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8232 (SpiderControl SCADA Web Server has a vulnerability that could allow an ...) - TODO: check + NOT-FOR-US: SpiderControl SCADA Web Server CVE-2024-7770 (The Bit File Manager \u2013 100% Free & Open Source File Manager and C ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7699 (An low privileged remote attacker can execute OS commands with root pr ...) TODO: check CVE-2024-7698 (A low privileged remote attacker canget access to CSRF tokens of highe ...) 
@@ -29,11 +29,11 @@ CVE-2024-7698 (A low privileged remote attacker canget access to CSRF tokens of CVE-2024-6876 (Out-of-Bounds read vulnerability in OSCAT Basic Library allows an loca ...) TODO: check CVE-2024-6282 (The Master Addons \u2013 Free Widgets, Hover Effects, Toggle, Conditio ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-45845 (nix 2.24 through 2.24.5 allows directory traversal via a symlink in a ...) TODO: check CVE-2024-45596 (Directus is a real-time API and App dashboard for managing SQL databas ...) - TODO: check + NOT-FOR-US: Directus CVE-2024-45595 (D-Tale is a visualizer for Pandas data structures. Users hosting D-Tal ...) TODO: check CVE-2024-45593 (Nix is a package manager for Linux and other Unix systems. A bug in Ni ...) @@ -41,7 +41,7 @@ CVE-2024-45593 (Nix is a package manager for Linux and other Unix systems. A bug CVE-2024-45592 (auditor-bundle, formerly known as DoctrineAuditBundle, integrates audi ...) TODO: check CVE-2024-45591 (XWiki Platform is a generic wiki platform. The REST API exposes the hi ...) - TODO: check + NOT-FOR-US: XWiki CVE-2024-45590 (body-parser is Node.js body parsing middleware. body-parser <1.20.3 is ...) TODO: check CVE-2024-45412 (Yeti bridges the gap between CTI and DFIR practitioners by providing a ...) 
@@ -53,29 +53,29 @@ CVE-2024-45407 (Sunshine is a self-hosted game stream host for Moonlight. Client CVE-2024-45393 (Computer Vision Annotation Tool (CVAT) is an interactive video and ima ...) TODO: check CVE-2024-45323 (An improper access control vulnerability[CWE-284] in FortiEDR Manager ...) - TODO: check + NOT-FOR-US: FortiGuard CVE-2024-45044 (Bareos is open source software for backup, archiving, and recovery of ...) TODO: check CVE-2024-45032 (A vulnerability has been identified in Industrial Edge Management Pro ...) - TODO: check + NOT-FOR-US: Industrial Edge Management CVE-2024-44893 (An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport ...) - TODO: check + NOT-FOR-US: JimuReport CVE-2024-44872 (A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 ...) - TODO: check + NOT-FOR-US: moziloCMS CVE-2024-44871 (An arbitrary file upload vulnerability in the component /admin/index.p ...) - TODO: check + NOT-FOR-US: moziloCMS CVE-2024-44867 (phpok v3.0 was discovered to contain an arbitrary file read vulnerabil ...) - TODO: check + NOT-FOR-US: phpok CVE-2024-44815 (An issue in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a physica
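Review bot: in the @@ -53,29 hunk, CVE-2024-45323 is marked "NOT-FOR-US: FortiGuard" although the description names the affected product as FortiEDR Manager; FortiGuard is the vendor's advisory feed, not a product, so "NOT-FOR-US: Fortinet FortiEDR Manager" would follow the product-name convention the rest of this patch uses (e.g. "NOT-FOR-US: SpiderControl SCADA Web Server", "NOT-FOR-US: Mercury MNVR816") and keep the entry findable by product.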
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-8645/wireshark
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6d81d7a4 by Salvatore Bonaccorso at 2024-09-10T22:43:02+02:00 Add CVE-2024-8645/wireshark - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3,7 +3,9 @@ CVE-2024-8655 (A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It CVE-2024-8654 (MongoDB Server may access non-initialized region of memory leading to ...) TODO: check CVE-2024-8645 (SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 a ...) - TODO: check + - wireshark 4.2.6-1 + NOTE: https://www.wireshark.org/security/wnpa-sec-2024-10.html + NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19559 CVE-2024-8543 (The Slider comparison image before and after plugin for WordPress is v ...) TODO: check CVE-2024-8504 (An attacker with authenticated access to VICIdial as an "agent" can ex ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6d81d7a4120fe510764e082df2ddd0896bc9b8b0
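Review bot: the entry now tracks 4.2.6-1 for unstable but has no [bookworm] or [bullseye] line, so the stable suites' wireshark will be reported as affected and unfixed until annotated; the description's affected ranges ("4.2.0 to 4.0.5 and 4.0.0 to 4.0.15") explicitly include the 4.0.x series, so whether each stable suite's package falls inside that range should be recorded with a per-suite annotation (fixed version, no-dsa or Minor issue), as the htmldoc and qemu entries in this series do.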
[Git][security-tracker-team/security-tracker][master] Process one NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e69f156e by Salvatore Bonaccorso at 2024-09-10T22:34:40+02:00 Process one NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -315,7 +315,7 @@ CVE-2024-31489 (AAn improper certificate validation vulnerability [CWE-295] in F CVE-2024-30073 (Windows Security Zone Mapping Security Feature Bypass Vulnerability) TODO: check CVE-2024-27257 (IBM OpenPages 8.3 and 9.0 potentially exposes information about client ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-26191 (Microsoft SQL Server Native Scoring Remote Code Execution Vulnerabilit ...) TODO: check CVE-2024-26186 (Microsoft SQL Server Native Scoring Remote Code Execution Vulnerabilit ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e69f156eacd36d9c851c097b1beeb6d512a373ea
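Review bot: "NOT-FOR-US: IBM" names only the vendor, whereas the description identifies the product (IBM OpenPages 8.3 and 9.0); other NOT-FOR-US lines on this list name the product ("NOT-FOR-US: Baxter Connex health portal", "NOT-FOR-US: Mercury MNVR816"), so "NOT-FOR-US: IBM OpenPages" would be consistent and lets a later search for OpenPages find the triage decision.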
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 500677f5 by security tracker role at 2024-09-10T20:12:10+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,359 @@ +CVE-2024-8655 (A vulnerability was found in Mercury MNVR816 up to 2.0.1.0.5. It has b ...) + TODO: check +CVE-2024-8654 (MongoDB Server may access non-initialized region of memory leading to ...) + TODO: check +CVE-2024-8645 (SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 a ...) + TODO: check +CVE-2024-8543 (The Slider comparison image before and after plugin for WordPress is v ...) + TODO: check +CVE-2024-8504 (An attacker with authenticated access to VICIdial as an "agent" can ex ...) + TODO: check +CVE-2024-8503 (An unauthenticated attacker can leverage a time-based SQL injection vu ...) + TODO: check +CVE-2024-8369 (The EventPrime \u2013 Events Calendar, Bookings and Tickets plugin for ...) + TODO: check +CVE-2024-8258 (Improper Control of Generation of Code ('Code Injection') in Electron ...) + TODO: check +CVE-2024-8241 (The Nova Blocks by Pixelgrade plugin for WordPress is vulnerable to St ...) + TODO: check +CVE-2024-8232 (SpiderControl SCADA Web Server has a vulnerability that could allow an ...) + TODO: check +CVE-2024-7770 (The Bit File Manager \u2013 100% Free & Open Source File Manager and C ...) + TODO: check +CVE-2024-7699 (An low privileged remote attacker can execute OS commands with root pr ...) + TODO: check +CVE-2024-7698 (A low privileged remote attacker canget access to CSRF tokens of highe ...) + TODO: check +CVE-2024-6876 (Out-of-Bounds read vulnerability in OSCAT Basic Library allows an loca ...) + TODO: check +CVE-2024-6282 (The Master Addons \u2013 Free Widgets, Hover Effects, Toggle, Conditio ...) + TODO: check +CVE-2024-45845 (nix 2.24 through 2.24.5 allows directory traversal via a symlink in a ...) + TODO: check +CVE-2024-45596 (Directus is a real-time API and App dashboard for managing SQL databas ...) + TODO: check +CVE-2024-45595 (D-Tale is a visualizer for Pandas data structures. Users hosting D-Tal ...) 
+ TODO: check +CVE-2024-45593 (Nix is a package manager for Linux and other Unix systems. A bug in Ni ...) + TODO: check +CVE-2024-45592 (auditor-bundle, formerly known as DoctrineAuditBundle, integrates audi ...) + TODO: check +CVE-2024-45591 (XWiki Platform is a generic wiki platform. The REST API exposes the hi ...) + TODO: check +CVE-2024-45590 (body-parser is Node.js body parsing middleware. body-parser <1.20.3 is ...) + TODO: check +CVE-2024-45412 (Yeti bridges the gap between CTI and DFIR practitioners by providing a ...) + TODO: check +CVE-2024-45409 (The Ruby SAML library is for implementing the client side of a SAML au ...) + TODO: check +CVE-2024-45407 (Sunshine is a self-hosted game stream host for Moonlight. Clients that ...) + TODO: check +CVE-2024-45393 (Computer Vision Annotation Tool (CVAT) is an interactive video and ima ...) + TODO: check +CVE-2024-45323 (An improper access control vulnerability[CWE-284] in FortiEDR Manager ...) + TODO: check +CVE-2024-45044 (Bareos is open source software for backup, archiving, and recovery of ...) + TODO: check +CVE-2024-45032 (A vulnerability has been identified in Industrial Edge Management Pro ...) + TODO: check +CVE-2024-44893 (An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport ...) + TODO: check +CVE-2024-44872 (A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 ...) + TODO: check +CVE-2024-44871 (An arbitrary file upload vulnerability in the component /admin/index.p ...) + TODO: check +CVE-2024-44867 (phpok v3.0 was discovered to contain an arbitrary file read vulnerabil ...) + TODO: check +CVE-2024-44815 (An issue in Hathway Skyworth Router CM5100 v.4.1.1.24 allows a physica ...) + TODO: check +CVE-2024-44677 (eladmin v2.7 and before is vulnerable to Server-Side Request Forgery ( ...) + TODO: check +CVE-2024-44676 (eladmin v2.7 and before is vulnerable to Cross Site Scripting (XSS) wh ...) 
+ TODO: check +CVE-2024-44667 (Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628 ...) + TODO: check +CVE-2024-44087 (A vulnerability has been identified in Automation License Manager V5 ( ...) + TODO: check +CVE-2024-43800 (serve-static serves static files. serve-static passes untrusted user i ...) + TODO: check +CVE-2024-43799 (Send is a library for streaming files from the file system as a http r ...) + TODO: check +CVE-2024-43796 (Express.js minimalist web framework for node. In express < 4.20.0, pas ...) + T
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-45508/htmldoc via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9eba1ae4 by Salvatore Bonaccorso at 2024-09-10T19:23:17+02:00 Track fixed version for CVE-2024-45508/htmldoc via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1543,7 +1543,7 @@ CVE-2024-45522 (Linen before cd37c3e does not verify that the domain is linen.de CVE-2024-45509 (In MISP through 2.4.196, app/Controller/BookmarksController.php does n ...) NOT-FOR-US: MISP CVE-2024-45508 (HTMLDOC before 1.9.19 has an out-of-bounds write in parse_paragraph in ...) - - htmldoc (bug #1081236) + - htmldoc 1.9.18-2 (bug #1081236) [bookworm] - htmldoc (Minor issue) NOTE: https://github.com/michaelrsweet/htmldoc/issues/528 NOTE: https://github.com/michaelrsweet/htmldoc/commit/2d5b2ab9ddbf2aee2209010cebc11efdd1cab6e2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9eba1ae420f14b8926f1b66ff241bf89a76eac81
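Review bot: the fix-commit NOTE (2d5b2ab9...) does not say which upstream release contains it; the description states "HTMLDOC before 1.9.19", so appending "(v1.9.19)" to that NOTE, in the style the Twig entry uses ("(v3.14.0)"), documents that the 1.9.18-2 Debian upload backports a fix from 1.9.19 rather than shipping it. Only [bookworm] carries a "Minor issue" annotation; if bullseye's htmldoc is also affected by the parse_paragraph out-of-bounds write it needs its own line.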
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-6221
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a84b4d72 by Salvatore Bonaccorso at 2024-09-10T18:06:41+02:00 Add Debian bug reference for CVE-2024-6221 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4529,7 +4529,7 @@ CVE-2024-7905 (A vulnerability classified as critical has been found in DedeBIZ CVE-2024-7904 (A vulnerability was found in DedeBIZ 6.3.0. It has been rated as criti ...) NOT-FOR-US: DedeBIZ CVE-2024-6221 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows the `Ac ...) - - python-flask-cors + - python-flask-cors (bug #1081300) [bookworm] - python-flask-cors (Minor issue) [bullseye] - python-flask-cors (Minor issue) NOTE: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a84b4d722314d333e3f2f7cca6ce37e61168
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2024-7730/qemu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 89f3b3a1 by Salvatore Bonaccorso at 2024-09-10T17:56:20+02:00 Track fixed version for CVE-2024-7730/qemu - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -5964,7 +5964,7 @@ CVE-2024-20083 (In venc, there is a possible out of bounds write due to a missin CVE-2024-20082 (In Modem, there is a possible memory corruption due to a missing bound ...) NOT-FOR-US: Mediatek CVE-2024-7730 - - qemu + - qemu 1:9.1.0+ds-1 [bookworm] - qemu (Minor issue) NOTE: https://lore.kernel.org/qemu-devel/virtio-snd-fuzz-2427-fix-v1-manos.pitsidiana...@linaro.org/ NOTE: https://gitlab.com/qemu-project/qemu/-/issues/2427 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/89f3b3a18a09d02b690173dec1b0396e2571c1ae
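Review bot: the fixed version 1:9.1.0+ds-1 is recorded, but the NOTE lines point only to the qemu-devel patch thread and to gitlab issue #2427, not to the upstream commit in the qemu tree, so the entry gives no way to verify that the fix is actually contained in 9.1.0; add the commit URL with its release tag ("(v9.1.0)" style, as the kernel entries do with "(6.11-rc1)") once identified. The lore.kernel.org reference as shown is also mangled ("manos.pitsidiana...@linaro.org"), so the stored message-id should be checked to make sure the URL resolves.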
[Git][security-tracker-team/security-tracker][master] Add reference for CVE-2024-6221
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c4a210e4 by Salvatore Bonaccorso at 2024-09-10T17:41:05+02:00 Add reference for CVE-2024-6221 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -4533,6 +4533,7 @@ CVE-2024-6221 (A vulnerability in corydolphin/flask-cors version 4.0.1 allows th [bookworm] - python-flask-cors (Minor issue) [bullseye] - python-flask-cors (Minor issue) NOTE: https://huntr.com/bounties/a42935fc-6f57-4818-bca4-3d528235df4d + NOTE: https://github.com/corydolphin/flask-cors/issues/337 CVE-2024-43353 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) NOT-FOR-US: WordPress plugin CVE-2024-43352 (Improper Neutralization of Input During Web Page Generation (XSS or 'C ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c4a210e4961ac3605f6613c8ee6ee191ff9f319c
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 73520a6a by security tracker role at 2024-09-10T08:12:35+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,93 @@ +CVE-2024-8611 (A vulnerability classified as critical was found in itsourcecode Tailo ...) + TODO: check +CVE-2024-8610 (A vulnerability classified as problematic has been found in SourceCode ...) + TODO: check +CVE-2024-8478 (The The Affiliate Super Assistent plugin for WordPress is vulnerable t ...) + TODO: check +CVE-2024-8268 (The Frontend Dashboard plugin for WordPress is vulnerable to unauthori ...) + TODO: check +CVE-2024-7955 (The Starbox WordPress plugin before 3.5.2 does not sanitise and escap ...) + TODO: check +CVE-2024-7891 (The Floating Contact Button WordPress plugin before 2.8 does not sanit ...) + TODO: check +CVE-2024-7784 (During internal Axis Security Development Model (ASDM) threat-modellin ...) + TODO: check +CVE-2024-7734 (An unauthenticated remote attacker canexploit the behavior of thepathf ...) + TODO: check +CVE-2024-7655 (The Community by PeepSo \u2013 Social Network, Membership, Registratio ...) + TODO: check +CVE-2024-7618 (The Community by PeepSo \u2013 Social Network, Membership, Registratio ...) + TODO: check +CVE-2024-6979 (Amin Aliakbari, member of the AXIS OS Bug Bounty Program, has found a ...) + TODO: check +CVE-2024-6596 (An unauthenticated remote attacker can run malicious c# code included ...) + TODO: check +CVE-2024-6509 (Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found th ...) + TODO: check +CVE-2024-6342 (**UNSUPPORTED WHEN ASSIGNED** A command injection vulnerability in the ...) + TODO: check +CVE-2024-6173 (51l3nc3, member of the AXIS OS Bug Bounty Program, has found that a Gu ...) + TODO: check +CVE-2024-45504 (Cross-site request forgery (CSRF) vulnerability in multiple Alps Syste ...) + TODO: check +CVE-2024-45286 (Due to lack of proper authorization checks when calling user, a functi ...) + TODO: check +CVE-2024-45285 (The RFC enabled function module allows a low privileged user to perfor ...) 
+ TODO: check +CVE-2024-45284 (An authenticated attacker with high privilege can use functions of SLC ...) + TODO: check +CVE-2024-45283 (SAP NetWeaver AS for Java allows an authorized attacker to obtain sens ...) + TODO: check +CVE-2024-45281 (SAP BusinessObjects Business Intelligence Platform allows a high privi ...) + TODO: check +CVE-2024-45280 (Due to insufficient encoding of user-controlled inputs, SAP NetWeaver ...) + TODO: check +CVE-2024-45279 (Due to insufficient input validation, CRM Blueprint Application Builde ...) + TODO: check +CVE-2024-44411 (D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the ...) + TODO: check +CVE-2024-44410 (D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the ...) + TODO: check +CVE-2024-44121 (Under certain conditions Statutory Reports in SAP S/4 HANA allows an a ...) + TODO: check +CVE-2024-44120 (SAP NetWeaver Enterprise Portal is vulnerable to reflected cross site ...) + TODO: check +CVE-2024-44117 (The RFC enabled function module allows a low privileged user to perfor ...) + TODO: check +CVE-2024-44116 (The RFC enabled function module allows a low privileged user to add an ...) + TODO: check +CVE-2024-44115 (The RFC enabled function module allows a low privileged user to add UR ...) + TODO: check +CVE-2024-44114 (SAP NetWeaver Application Server for ABAP and ABAP Platform allow user ...) + TODO: check +CVE-2024-44113 (Due to missing authorization checks, SAP Business Warehouse (BEx Analy ...) + TODO: check +CVE-2024-44112 (Due to missing authorization check in SAP for Oil & Gas (Transportatio ...) + TODO: check +CVE-2024-44072 (OS command injection vulnerability exists in BUFFALO wireless LAN rout ...) + TODO: check +CVE-2024-42427 (Dell ThinOS versions 2402 and 2405, contains an Improper Neutralizatio ...) + TODO: check +CVE-2024-42424 (Dell Precision Rack, 14G Intel BIOS versions prior to 2.22.2, contains ...) 
+ TODO: check +CVE-2024-42380 (The RFC enabled function module allows a low privileged user to read a ...) + TODO: check +CVE-2024-42378 (Due to weak encoding of user-controlled inputs, eProcurement on SAP S/ ...) + TODO: check +CVE-2024-42371 (The RFC enabled function module allows a low privileged user to delete ...) + TODO: check +CVE-2024-41729 (Due to missing authorization checks, SAP BEx Analyzer allows an authen ...) + TODO: check +CVE-2024-41728 (Due to missing authorization check, SAP NetWeaver Application Server f ...) + TO
[Git][security-tracker-team/security-tracker][master] Drop rejected CVE-2024-43898
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9a75ab3a by Salvatore Bonaccorso at 2024-09-10T09:28:16+02:00 Drop rejected CVE-2024-43898 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2622,9 +2622,8 @@ CVE-2024-43900 (In the Linux kernel, the following vulnerability has been resolv CVE-2024-43899 (In the Linux kernel, the following vulnerability has been resolved: d ...) - linux 6.10.6-1 NOTE: https://git.kernel.org/linus/ecbf60782662f0a388493685b85a645a0ba1613c (6.11-rc1) -CVE-2024-43898 (In the Linux kernel, the following vulnerability has been resolved: e ...) - - linux 6.10.6-1 - NOTE: https://git.kernel.org/linus/83f4414b8f84249d538905825b088ff3ae555652 (6.11-rc1) +CVE-2024-43898 + REJECTED CVE-2024-43897 (In the Linux kernel, the following vulnerability has been resolved: n ...) - linux 6.10.6-1 [bookworm] - linux 6.1.106-3 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9a75ab3afe0eaea7dd1744039cd7ef4de5ee2197
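Review bot: dropping the entry discards the kernel fix reference (commit 83f4414b..., 6.11-rc1) and the linux 6.10.6-1 fixed version without recording why the CVE was rejected; if the rejection is because the issue is tracked under another CVE, a NOTE under "REJECTED" cross-referencing that ID keeps the kernel commit discoverable from the tracker instead of only from git history.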
[Git][security-tracker-team/security-tracker][master] Add universal-detector embedding for of uchardet
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9e05a4b5 by Salvatore Bonaccorso at 2024-09-10T08:18:31+02:00 Add universal-detector embedding for of uchardet Thanks: Yavor Doganov - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -3801,3 +3801,7 @@ node-dompurify - cacti 1.2.26+ds1-1 (embed) NOTE: Since 1.2.26+ds1-1 cacti depends on on node-dompurify and link purify.js instead of using NOTE: upstream vendored version. + +uchardet + - universal-detector (fork) + NOTE: https://lists.debian.org/debian-security-tracker/2024/09/msg5.html View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9e05a4b5110eae60e930a92d3bc402c086edcda4
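Review bot: the new embedded-code-copies entry marks universal-detector as a fork of uchardet but records no Debian version, unlike the neighbouring cacti line ("- cacti 1.2.26+ds1-1 (embed)"); without a version the tracker cannot tell which universal-detector uploads contain the forked detector code, so the version in which the fork was first embedded (or a NOTE stating that every upload carries it) should accompany "(fork)". The NOTE points to the list discussion, which is fine for provenance, but a one-line summary of which uchardet version the fork diverged from would save the next triager a trip to the archive.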
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-37288/kibana
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c55a346d by Salvatore Bonaccorso at 2024-09-10T07:57:47+02:00 Add CVE-2024-37288/kibana - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -66,7 +66,7 @@ CVE-2024-42500 (HPE has identified a denial of service vulnerability in HPE HP-U CVE-2024-40643 (Joplin is a free, open source note taking and to-do application. Jopli ...) - joplin (bug #931306) CVE-2024-37288 (A deserialization issue in Kibana can lead to arbitrary code execution ...) - TODO: check + - kibana (bug #700337) CVE-2024-27387 (An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos ...) NOT-FOR-US: Samsung CVE-2024-27383 (An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c55a346d3dfc276ee5915557071d146dedea5cee
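Review bot: "- kibana (bug #700337)" adds a bug reference but no fixed version and no state marker, so the tracker treats kibana as a packaged, unfixed vulnerability in every suite; if #700337 is the ITP/RFP bug, i.e. kibana is not in the archive, the line should read "- kibana <itp> (bug #700337)" so that the entry is classified under the ITP state instead. A NOTE with the upstream advisory for the deserialization issue is also missing, so there is nothing to identify the affected and fixed Kibana releases.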
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-40643/joplin
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b28f57ad by Salvatore Bonaccorso at 2024-09-10T07:57:04+02:00 Add CVE-2024-40643/joplin - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64,7 +64,7 @@ CVE-2024-42759 (An issue in Ellevo v.6.2.0.38160 allows a remote attacker to esc CVE-2024-42500 (HPE has identified a denial of service vulnerability in HPE HP-UX Syst ...) NOT-FOR-US: HPE CVE-2024-40643 (Joplin is a free, open source note taking and to-do application. Jopli ...) - TODO: check + - joplin (bug #931306) CVE-2024-37288 (A deserialization issue in Kibana can lead to arbitrary code execution ...) TODO: check CVE-2024-27387 (An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b28f57ad964981dfb344921319edd2b1a1d1fa07
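Review bot: the line "- joplin (bug #931306)" gives a bug reference without a fixed version or a state marker; if that bug is the ITP for joplin, the "<itp>" marker ("- joplin <itp> (bug #931306)") is needed for the tracker to classify the entry correctly, and if joplin is in the archive the fixed version (or "<unfixed>") belongs on the line. No NOTE links the upstream advisory, so the entry does not say which Joplin releases are affected.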
[Git][security-tracker-team/security-tracker][master] Remove unneeded TODO item
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 61886a73 by Salvatore Bonaccorso at 2024-09-10T07:43:31+02:00 Remove unneeded TODO item - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -31,7 +31,6 @@ CVE-2024-45411 (Twig is a template language for PHP. Under some circumstances, t NOTE: https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6 (v3.14.0) NOTE: https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de (v2.16.1) NOTE: https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233 (v1.44.8) - TODO: check CVE-2024-45406 (Craft is a content management system (CMS). Craft CMS 5 stored XSS can ...) NOT-FOR-US: Craft CMS CVE-2024-45296 (path-to-regexp turns path strings into a regular expressions. In certa ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/61886a731237059253276f946013d1f4f9a8862e
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-6572/check-mk
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: cf32e8de by Salvatore Bonaccorso at 2024-09-10T07:41:15+02:00 Add CVE-2024-6572/check-mk - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -23,7 +23,7 @@ CVE-2024-6796 (In Baxter Connex health portal released before 8/30/2024, an impr CVE-2024-6795 (In Connex health portal released before8/30/2024, SQL injection vulner ...) NOT-FOR-US: Baxter Connex health portal CVE-2024-6572 (Improper host key checking in active check 'Check SFTP Service' and sp ...) - TODO: check + - check-mk CVE-2024-45411 (Twig is a template language for PHP. Under some circumstances, the san ...) - php-twig - twig View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/cf32e8deb28d74f44070527d0cbf21bc8a3ca669
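Review bot: "- check-mk" is added without a fixed version and without any NOTE pointing at the upstream advisory for the 'Check SFTP Service' host-key checking issue, so the entry gives no way to verify which check-mk versions are affected or whether the Debian package even contains that active check; add the reference, and if check-mk is no longer in the archive the line should carry the "<removed>" marker rather than a bare package name, which the tracker reads as unfixed everywhere.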
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-24510/sogo
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4d256ee0 by Salvatore Bonaccorso at 2024-09-10T07:38:01+02:00 Add CVE-2024-24510/sogo - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -81,7 +81,8 @@ CVE-2024-27366 (An issue was discovered in Samsung Mobile Processor, Wearable Pr CVE-2024-27364 (An issue was discovered in Mobile Processor, Wearable Processor Exynos ...) NOT-FOR-US: Samsung CVE-2024-24510 (Cross Site Scripting vulnerability in Alinto SOGo before 5.10.0 allows ...) - TODO: check + - sogo 5.10.0-1 + NOTE: Fixed by: https://github.com/Alinto/sogo/commit/21468700718ed71774eaf2979ee59330fc569424 (SOGo-5.10.0) CVE-2023-50883 (ONLYOFFICE Docs before 8.0.1 allows XSS because a macro is an immediat ...) NOT-FOR-US: ONLYOFFICE Docs CVE-2024-8586 (WebITR from Uniong has an Open Redirect vulnerability, which allows un ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4d256ee0870a97ba89bb6f05d0dd9fe654ff73ea
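Review bot: the unstable line "- sogo 5.10.0-1" together with the tagged "Fixed by" commit is complete, but no [bookworm] or [bullseye] annotation follows it; the description says every SOGo release before 5.10.0 is affected by the cross-site scripting issue, so each stable suite needs its own line (a fixed version, no-dsa or Minor issue) or the tracker will keep reporting sogo there as unfixed.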
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: fb74a2ae by Salvatore Bonaccorso at 2024-09-10T07:34:40+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -11,17 +11,17 @@ CVE-2024-8372 (Improper sanitization of the value of the '[srcset]' attribute in CVE-2024-8042 (Rapid7 Insight Platform versions between November 2019 and August 14, ...) NOT-FOR-US: Rapid7 Insight Platform CVE-2024-7341 (A session fixation issue was discovered in the SAML adapters provided ...) - TODO: check + NOT-FOR-US: Keycloak CVE-2024-7318 (A vulnerability was found in Keycloak. Expired OTP codes are still usa ...) NOT-FOR-US: Keycloak CVE-2024-7260 (An open redirect vulnerability was found in Keycloak. A specially craf ...) NOT-FOR-US: Keycloak CVE-2024-7015 (Improper Authentication, Missing Authentication for Critical Function, ...) - TODO: check + NOT-FOR-US: Profelis Informatics and Consulting PassBox CVE-2024-6796 (In Baxter Connex health portal released before 8/30/2024, an improper ...) - TODO: check + NOT-FOR-US: Baxter Connex health portal CVE-2024-6795 (In Connex health portal released before8/30/2024, SQL injection vulner ...) - TODO: check + NOT-FOR-US: Baxter Connex health portal CVE-2024-6572 (Improper host key checking in active check 'Check SFTP Service' and sp ...) TODO: check CVE-2024-45411 (Twig is a template language for PHP. Under some circumstances, the san ...) 
@@ -37,53 +37,53 @@ CVE-2024-45406 (Craft is a content management system (CMS). Craft CMS 5 stored X CVE-2024-45296 (path-to-regexp turns path strings into a regular expressions. In certa ...) TODO: check CVE-2024-45041 (External Secrets Operator is a Kubernetes operator that integrates ext ...) - TODO: check + NOT-FOR-US: External Secrets Kubernetes Operator CVE-2024-44902 (A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows at ...) - TODO: check + NOT-FOR-US: Thinkphp CVE-2024-44849 (Qualitor up to 8.24 is vulnerable to Remote Code Execution (RCE) via A ...) - TODO: check + NOT-FOR-US: Qualitor CVE-2024-44725 (AutoCMS v5.4 was discovered to contain a SQL injection vulnerability v ...) - TODO: check + NOT-FOR-US: AutoCMS CVE-2024-44724 (AutoCMS v5.4 was discovered to contain a PHP code injection vulnerabil ...) - TODO: check + NOT-FOR-US: AutoCMS CVE-2024-44721 (SeaCMS v13.1 was discovered to a Server-Side Request Forgery (SSRF) vi ...) - TODO: check + NOT-FOR-US: SeaCMS CVE-2024-44720 (SeaCMS v13.1 was discovered to an arbitrary file read vulnerability vi ...) - TODO: check + NOT-FOR-US: SeaCMS CVE-2024-44375 (D-Link DI-8100 v16.07.26A1 has a stack overflow vulnerability in the d ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-44335 (D-Link DI-7003G v19.12.24A1, DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.0 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-44334 (D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-44333 (D-Link DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-44085 (ONLYOFFICE Docs before 8.1.0 allows XSS via a GeneratorFunction Object ...) - TODO: check + NOT-FOR-US: ONLYOFFICE Docs CVE-2024-42759 (An issue in Ellevo v.6.2.0.38160 allows a remote attacker to escalate ...) - TODO: check + NOT-FOR-US: Ellevo CVE-2024-42500 (HPE has identified a denial of service vulnerability in HPE HP-UX Syst ...) 
- TODO: check + NOT-FOR-US: HPE CVE-2024-40643 (Joplin is a free, open source note taking and to-do application. Jopli ...) TODO: check CVE-2024-37288 (A deserialization issue in Kibana can lead to arbitrary code execution ...) TODO: check CVE-2024-27387 (An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-27383 (An issue was discovered in Samsung Mobile Processor Exynos 980, Exynos ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-27368 (An issue was discovered in Samsung Mobile Processor Exynos Mobile Proc ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-27367 (An issue was discovered in Samsung Mobile Processor Exynos Wearable Pr ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-27366 (An issue was discovered in Samsung Mobile Processor, Wearable Processo ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-27364 (An issue was discovered in Mobile Processor, Wearable Processor Exynos ...) - TODO: check + NOT-FOR-US: Samsung CVE-2024-24510 (Cross
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-45411/php-twig
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5cf90ce2 by Salvatore Bonaccorso at 2024-09-09T22:23:01+02:00 Add CVE-2024-45411/php-twig - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,6 +25,12 @@ CVE-2024-6795 (In Connex health portal released before8/30/2024, SQL injection v CVE-2024-6572 (Improper host key checking in active check 'Check SFTP Service' and sp ...) TODO: check CVE-2024-45411 (Twig is a template language for PHP. Under some circumstances, the san ...) + - php-twig + - twig + NOTE: https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66 + NOTE: https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6 (v3.14.0) + NOTE: https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de (v2.16.1) + NOTE: https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233 (v1.44.8) TODO: check CVE-2024-45406 (Craft is a content management system (CMS). Craft CMS 5 stored XSS can ...) NOT-FOR-US: Craft CMS View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf90ce230c5b3bbd861f8af3af37a6d2c5e8ac1 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5cf90ce230c5b3bbd861f8af3af37a6d2c5e8ac1 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
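Review bot: the CVE-2024-45411 entry lists two source packages, "- php-twig" and "- twig", with no fixed version, while the NOTE lines cite fixes on three upstream branches (v3.14.0, v2.16.1, v1.44.8); recording which upstream branch each source package follows, for example as a NOTE next to the package lines or by putting the fixed version on the package line once it is uploaded, would make the remaining "TODO: check" actionable instead of leaving the reader to match versions by hand.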
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec350ae1 by Salvatore Bonaccorso at 2024-09-09T22:19:21+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,21 +1,21 @@ CVE-2024-8605 (A vulnerability classified as problematic was found in code-projects I ...) - TODO: check + NOT-FOR-US: code-projects Inventory Management CVE-2024-8604 (A vulnerability classified as problematic has been found in SourceCode ...) - TODO: check + NOT-FOR-US: SourceCodester Online Food Ordering System CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software versions p ...) - TODO: check + NOT-FOR-US: TechExcel Back Office Software CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec350ae1052348a6004792857748f0f942d0353f -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec350ae1052348a6004792857748f0f942d0353f You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-45508/htmldoc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d3f7de20 by Salvatore Bonaccorso at 2024-09-09T22:13:49+02:00 Add Debian bug reference for CVE-2024-45508/htmldoc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1447,7 +1447,7 @@ CVE-2024-45522 (Linen before cd37c3e does not verify that the domain is linen.de CVE-2024-45509 (In MISP through 2.4.196, app/Controller/BookmarksController.php does n ...) NOT-FOR-US: MISP CVE-2024-45508 (HTMLDOC before 1.9.19 has an out-of-bounds write in parse_paragraph in ...) - - htmldoc + - htmldoc (bug #1081236) [bookworm] - htmldoc (Minor issue) NOTE: https://github.com/michaelrsweet/htmldoc/issues/528 NOTE: https://github.com/michaelrsweet/htmldoc/commit/2d5b2ab9ddbf2aee2209010cebc11efdd1cab6e2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3f7de2064f741d2dbc17401fc587b00cbb409e3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d3f7de2064f741d2dbc17401fc587b00cbb409e3 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: db200084 by security tracker role at 2024-09-09T20:12:40+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,83 @@ +CVE-2024-8605 (A vulnerability classified as problematic was found in code-projects I ...) + TODO: check +CVE-2024-8604 (A vulnerability classified as problematic has been found in SourceCode ...) + TODO: check +CVE-2024-8601 (This vulnerability exists in TechExcel Back Office Software versions p ...) + TODO: check +CVE-2024-8373 (Improper sanitization of the value of the [srcset] attribute in https://github.com/Cacti/cacti/security/advisories/GHSA-37x7-mfjv-mm7m 
@@ -32633,31 +32714,37 @@ CVE-2024-31810 (TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain CVE-2024-31771 (Insecure Permission vulnerability in TotalAV v.6.0.740 allows a local ...) NOT-FOR-US: TotalAV CVE-2024-31460 (Cacti provides an operational monitoring and fault management framewor ...) + {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-gj3f-p326-gh8r NOTE: https://github.com/Cacti/cacti/commit/8b516cb9a73322ad532231e74000c2ee097b495e CVE-2024-31459 (Cacti provides an operational monitoring and fault management framewor ...) + {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-cx8g-hvq8-p2rv NOTE: https://github.com/Cacti/cacti/commit/96d9a4c60693d87ba0e347f1c7d33047b4effc61 CVE-2024-31458 (Cacti provides an operational monitoring and fault management framewor ...) + {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-jrxg-8wh8-943x NOTE: https://github.com/Cacti/cacti/commit/9e87882007b6091171d1a4786f0de4ae20efef7b CVE-2024-31445 (Cacti provides an operational monitoring and fault management framewor ...) + {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-vjph-r677-6pcc NOTE: https://github.com/Cacti/cacti/commit/fd93c6e47651958b77c3bbe6a01fff695f81e886 CVE-2024-31444 (Cacti provides an operational monitoring and fault management framewor ...) + {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-p4ch-7hjw-6m87 NOTE: https://github.com/Cacti/cacti/commit/86d614c38c54e0ce58774d86617ecfbb853fb57b CVE-2024-31443 (Cacti provides an operational monitoring and fault management framewor ...) 
+ {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-rqc8-78cm-85j3 @@ -32723,6 +32810,7 @@ CVE-2024-27082 (Cacti provides an operational monitoring and fault management fr CVE-2024-25662 (Oxygen XML Web Author v26.0.0 and older and Oxygen Content Fusion v6.1 ...) NOT-FOR-US: Oxygen XML Web Author and Oxygen Content Fusion CVE-2024-25641 (Cacti provides an operational monitoring and fault management framewor ...) + {DLA-3884-1} - cacti 1.2.27+ds1-1 [bookworm] - cacti 1.2.24+ds1-1+deb12u3 NOTE: https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88 @@ -53905,6 +53993,7 @@ CVE-2024-28111 (Canarytokens helps track activity and actions on a network. Cana CVE-2024-28110 (Go SDK for CloudEvents is the official CloudEvents SDK to integrate ap ...) NOT-FOR-US: cloudevents/sdk-go CVE-2024-28102 (JWCrypto implements JWK, JWS, and JWE specifications using python-cryp ...) + {DLA-3883-1} - python-jwcrypto 1.5.6-1 (bug #1065688) [bookworm] - python-jwcrypto 1.1.0-1+deb12u1 NOTE: https://github.com/latchset/jwcrypto/security/advisories/GHSA-j857-7rvv-vj97 @@ -156668,6 +156757,7 @@ CVE-2022-41446 (An access control issue in /Admin/dashboard.php of Record Manage CVE-2022-41445 (A cross-site scripting (XSS) vulnerability in Record Management System ...) NOT-FOR-US: Record Management System CVE-2022-41444 (Cross Site Scripting (XSS) vulnerability in Cacti 1.2.21 via crafted P ...) + {DLA-3884-1} - cacti 1.2.22+ds1-1 [buster] - cacti (Vulnerable code introduced later) NOTE: https://gist.github.com/enferas/9079535112e4f4ff2c1d2ce1c099d4c2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/db200084cec671e808d4b8d92d8121f3c3cce4d7 -- View it on GitLab: http
[Git][security-tracker-team/security-tracker][master] Update more ruby3.3 fixes
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 807f2b0d by Salvatore Bonaccorso at 2024-09-09T21:42:26+02:00 Update more ruby3.3 fixes ruby3.3/3.3.5-1 updates rexml gem to 3.3.6, which does fix all of the CVEs CVE-2024-43398, CVE-2024-41946 and CVE-2024-41123 which are fixed in rexml 3.3.6 and earlier. - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2968,7 +2968,7 @@ CVE-2024-43785 (gitoxide An idiomatic, lean, fast & safe pure Rust implementatio CVE-2024-43780 (Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9 ...) - mattermost-server (bug #823556) CVE-2024-43398 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS ...) - - ruby3.3 + - ruby3.3 3.3.5-1 - ruby3.2 - ruby3.1 [bookworm] - ruby3.1 (Minor issue) @@ -8323,7 +8323,7 @@ CVE-2024-41962 (Bostr is an nostr relay aggregator proxy that acts like a regula CVE-2024-41961 (Elektra is an opinionated Openstack Dashboard for Operators and Consum ...) NOT-FOR-US: Elektra CVE-2024-41946 (REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulner ...) - - ruby3.3 + - ruby3.3 3.3.5-1 - ruby3.2 - ruby3.1 [bookworm] - ruby3.1 (Minor issue) 
@@ -8344,7 +8344,7 @@ CVE-2024-41162 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7 CVE-2024-41144 (Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9. ...) - mattermost-server (bug #823556) CVE-2024-41123 (REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some ...) - - ruby3.3 + - ruby3.3 3.3.5-1 - ruby3.2 - ruby3.1 [bookworm] - ruby3.1 (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/807f2b0d2a0d7acea414aceb5d7e7403b55bf72e -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/807f2b0d2a0d7acea414aceb5d7e7403b55bf72e You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
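Review bot: the package lines are consistent (all three CVEs now point at "- ruby3.3 3.3.5-1"), but the commit message's "fixed in rexml 3.3.6 and earlier" reads as if earlier rexml releases also contain the fix, which contradicts the "before 3.3.6" wording of the CVE-2024-43398 entry in the first hunk; rewording it to say that rexml 3.3.6 fixes all three CVEs would avoid the ambiguity.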
[Git][security-tracker-team/security-tracker][master] Remove notes from rejected CVEs (they were duplicates)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1b825f32 by Salvatore Bonaccorso at 2024-09-09T15:29:14+02:00 Remove notes from rejected CVEs (they were duplicates) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -100297,7 +100297,6 @@ CVE-2023-34247 (Keystone is a content management system for Node.JS. There is an NOT-FOR-US: Keystone CMS CVE-2023-34122 REJECTED - NOT-FOR-US: Zoom CVE-2023-34121 (Improper input validation in the Zoom for Windows, Zoom Rooms, Zoom V ...) NOT-FOR-US: Zoom CVE-2023-34120 (Improper privilege management in Zoom for Windows, Zoom Rooms for Wind ...) @@ -100308,7 +100307,6 @@ CVE-2023-34114 (Exposure of resource to wrong sphere in Zoom for Windows and Zoo NOT-FOR-US: Zoom CVE-2023-34113 REJECTED - NOT-FOR-US: Zoom CVE-2023-33921 (A vulnerability has been identified in CP-8031 MASTER MODULE (All vers ...) NOT-FOR-US: Siemens CVE-2023-33920 (A vulnerability has been identified in CP-8031 MASTER MODULE (All vers ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b825f328c5200f99035cd27bfe1477b6e4d0938 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1b825f328c5200f99035cd27bfe1477b6e4d0938 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-6716 (not a valid security issue)
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 932c74b7 by Salvatore Bonaccorso at 2024-09-09T15:27:46+02:00 Remove notes from CVE-2024-6716 (not a valid security issue) - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -12751,11 +12751,6 @@ CVE-2024-6465 (The WP Links Page plugin for WordPress is vulnerable to unauthori NOT-FOR-US: WordPress plugin CVE-2024-6716 REJECTED - - tiff (unimportant) - NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2297636 - NOTE: https://gitlab.com/libtiff/libtiff/-/issues/620 - NOTE: https://gitlab.com/libtiff/libtiff/-/merge_requests/553 - NOTE: Negligible security impact if following documentation/recommendations CVE-2024-6574 (The Laposta plugin for WordPress is vulnerable to Full Path Disclosure ...) NOT-FOR-US: WordPress plugin CVE-2024-6070 (The If-So Dynamic Content Personalization WordPress plugin before 1.8. ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/932c74b78ecefc1cc6e2a17bbd601fcb93795dce -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/932c74b78ecefc1cc6e2a17bbd601fcb93795dce You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Remove notes from CVE-2024-42334
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8f4b15f3 by Salvatore Bonaccorso at 2024-09-09T15:26:27+02:00 Remove notes from CVE-2024-42334 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3988,7 +3988,6 @@ CVE-2024-42335 (7Twenty - CWE-79: Improper Neutralization of Input During Web Pa NOT-FOR-US: 7Twenty CVE-2024-42334 REJECTED - NOT-FOR-US: Hargal CVE-2024-42006 (Keyfactor AWS Orchestrator through 2.0 allows Information Disclosure.) NOT-FOR-US: Keyfactor AWS Orchestrator CVE-2024-41773 (IBM Global Configuration Management 7.0.2 and 7.0.3 could allow an aut ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f4b15f39fc69541ecbe3321deaa74c77d7970ad -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8f4b15f39fc69541ecbe3321deaa74c77d7970ad You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90c396f0 by Salvatore Bonaccorso at 2024-09-09T11:30:26+02:00 Process NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -5,23 +5,23 @@ CVE-2024-8585 (Orca HCM from LEARNING DIGITA does not properly restrict a specif CVE-2024-8584 (Orca HCM from LEARNING DIGITAL does not properly restrict access to a ...) TODO: check CVE-2024-8583 (A vulnerability was found in SourceCodester Online Bank Management Sys ...) - TODO: check + NOT-FOR-US: SourceCodester Online Bank Management System and Online Bank Management System CVE-2024-8582 (A vulnerability was found in SourceCodester Food Ordering Management S ...) - TODO: check + NOT-FOR-US: SourceCodester Food Ordering Management System CVE-2024-8580 (A vulnerability classified as critical was found in TOTOLINK AC1200 T8 ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-7918 (The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7689 (The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7688 (The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7687 (The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-6910 (The EventON WordPress plugin before 2.2.17 does not sanitise and escap ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-5561 (The Popup Maker WordPress plugin before 1.19.1 does not sanitise and ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-45625 (Cross-site scripting vulnerability exists in Forminator versions prior ...) TODO: check CVE-2024-45203 (Improper authorization in handler for custom URL scheme issue in "@cos ...) 
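Review bot: the new NOT-FOR-US line for CVE-2024-8583 reads "SourceCodester Online Bank Management System and Online Bank Management System", repeating the same product name; either the second name was meant to be a different product or the duplicate should be dropped so the line reads "NOT-FOR-US: SourceCodester Online Bank Management System".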
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90c396f0f5d308562b968346f4695eb8b2b59715
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 140dbb05 by security tracker role at 2024-09-09T08:11:55+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,31 @@ +CVE-2024-8586 (WebITR from Uniong has an Open Redirect vulnerability, which allows un ...) + TODO: check +CVE-2024-8585 (Orca HCM from LEARNING DIGITA does not properly restrict a specific pa ...) + TODO: check +CVE-2024-8584 (Orca HCM from LEARNING DIGITAL does not properly restrict access to a ...) + TODO: check +CVE-2024-8583 (A vulnerability was found in SourceCodester Online Bank Management Sys ...) + TODO: check +CVE-2024-8582 (A vulnerability was found in SourceCodester Food Ordering Management S ...) + TODO: check +CVE-2024-8580 (A vulnerability classified as critical was found in TOTOLINK AC1200 T8 ...) + TODO: check +CVE-2024-7918 (The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and ...) + TODO: check +CVE-2024-7689 (The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF ...) + TODO: check +CVE-2024-7688 (The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks i ...) + TODO: check +CVE-2024-7687 (The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in ...) + TODO: check +CVE-2024-6910 (The EventON WordPress plugin before 2.2.17 does not sanitise and escap ...) + TODO: check +CVE-2024-5561 (The Popup Maker WordPress plugin before 1.19.1 does not sanitise and ...) + TODO: check +CVE-2024-45625 (Cross-site scripting vulnerability exists in Forminator versions prior ...) + TODO: check +CVE-2024-45203 (Improper authorization in handler for custom URL scheme issue in "@cos ...) + TODO: check CVE-2024-6840 NOT-FOR-US: Ansible Automation Controller CVE-2024-8579 (A vulnerability classified as critical has been found in TOTOLINK AC12 ...) 
@@ -1018,7 +1046,7 @@ CVE-2024-8385 (A difference in the handling of StructFields and ArrayTypes in WA NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8385 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8385 CVE-2024-8384 (The JavaScript garbage collector could mis-color cross-compartment obj ...) - {DSA-5767-1 DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - thunderbird @@ -1027,13 +1055,13 @@ CVE-2024-8384 (The JavaScript garbage collector could mis-color cross-compartmen NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8384 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8384 CVE-2024-8383 (Firefox normally asks for confirmation before asking the operating sys ...) - {DSA-5767-1 DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8383 CVE-2024-8382 (Internal browser event interfaces were exposed to web content when pri ...) - {DSA-5767-1 DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - thunderbird @@ -1042,7 +1070,7 @@ CVE-2024-8382 (Internal browser event interfaces were exposed to web content whe NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8382 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8382 CVE-2024-8381 (A potentially exploitable type confusion could be triggered when looki ...) - {DSA-5767-1 DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3882-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - thunderbird 
@@ -45939,7 +45967,7 @@ CVE-2024-27706 (Cross Site Scripting vulnerability in Huly Platform v.0.6.202 al NOT-FOR-US: Huily Platform CVE-2024-27705 (Cross Site Scripting vulnerability in Leantime v3.0.6 allows attackers ...) NOT-FOR-US: Leantime -CVE-2024-26258 (OS command injection vulnerability in WRC-X3200GST3-B v1.25 and earlie ...) +CVE-2024-26258 (OS command injection vulnerability in ELECOM wireless LAN routers allo ...) NOT-FOR-US: WRC-X3200GST3-B CVE-2024-25568 (OS command injection vulnerability in ELECOM wireless LAN routers allo ...) NOT-FOR-US: WRC-X3200GST3-B @@ -91555,7 +91583,7 @@ CVE-2023-4409 (A vulnerability, which was classified as critical, has been found NOT-FOR-US: NBS&HappySoftWeChat CVE-2023-4407 (
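Review bot: the CVE-2024-26258 description is rewritten to the generic "OS command injection vulnerability in ELECOM wireless LAN routers allo ...", the same text as CVE-2024-25568 below it, yet both entries keep "NOT-FOR-US: WRC-X3200GST3-B", which names a single model; a vendor-level tag such as "NOT-FOR-US: ELECOM" would match the broadened descriptions and keep the two entries consistent.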
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e985ed47 by Salvatore Bonaccorso at 2024-09-09T09:12:04+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,23 +1,23 @@ CVE-2024-8579 (A vulnerability classified as critical has been found in TOTOLINK AC12 ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-8578 (A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220. ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-8577 (A vulnerability was found in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-8576 (A vulnerability was found in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-8575 (A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220 ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-8574 (A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.861_B2023 ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-8573 (A vulnerability, which was classified as critical, was found in TOTOLI ...) - TODO: check + NOT-FOR-US: TOTOLINK CVE-2024-42343 (Loway - CWE-204: Observable Response Discrepancy) - TODO: check + NOT-FOR-US: Loway CVE-2024-42342 (Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP ...) - TODO: check + NOT-FOR-US: Loway CVE-2024-42341 (Loway - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')) - TODO: check + NOT-FOR-US: Loway CVE-2024-8572 (A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been ...) NOT-FOR-US: Gouniverse GoLang CMS CVE-2024-8571 (A vulnerability was found in erjemin roll_cms up to 1484fe2c4e0805946a ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e985ed47b89009b2388508ecc3d59d68c354dcf3 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e985ed47b89009b2388508ecc3d59d68c354dcf3 You're receiving this email because of your account on salsa.debian.org. 
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 2a179b27 by security tracker role at 2024-09-08T20:12:32+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,23 @@ +CVE-2024-8579 (A vulnerability classified as critical has been found in TOTOLINK AC12 ...) + TODO: check +CVE-2024-8578 (A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220. ...) + TODO: check +CVE-2024-8577 (A vulnerability was found in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu ...) + TODO: check +CVE-2024-8576 (A vulnerability was found in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu ...) + TODO: check +CVE-2024-8575 (A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220 ...) + TODO: check +CVE-2024-8574 (A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.861_B2023 ...) + TODO: check +CVE-2024-8573 (A vulnerability, which was classified as critical, was found in TOTOLI ...) + TODO: check +CVE-2024-42343 (Loway - CWE-204: Observable Response Discrepancy) + TODO: check +CVE-2024-42342 (Loway - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP ...) + TODO: check +CVE-2024-42341 (Loway - CWE-601: URL Redirection to Untrusted Site ('Open Redirect')) + TODO: check CVE-2024-8572 (A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been ...) NOT-FOR-US: Gouniverse GoLang CMS CVE-2024-8571 (A vulnerability was found in erjemin roll_cms up to 1484fe2c4e0805946a ...) @@ -996,7 +1016,7 @@ CVE-2024-8385 (A difference in the handling of StructFields and ArrayTypes in WA NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8385 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8385 CVE-2024-8384 (The JavaScript garbage collector could mis-color cross-compartment obj ...) - {DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - thunderbird 
@@ -1005,13 +1025,13 @@ CVE-2024-8384 (The JavaScript garbage collector could mis-color cross-compartmen NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8384 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8384 CVE-2024-8383 (Firefox normally asks for confirmation before asking the operating sys ...) - {DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8383 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8383 CVE-2024-8382 (Internal browser event interfaces were exposed to web content when pri ...) - {DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - thunderbird @@ -1020,7 +1040,7 @@ CVE-2024-8382 (Internal browser event interfaces were exposed to web content whe NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8382 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8382 CVE-2024-8381 (A potentially exploitable type confusion could be triggered when looki ...) - {DSA-5765-1 DLA-3869-1} + {DSA-5767-1 DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 - thunderbird 
@@ -3936,7 +3956,8 @@ CVE-2024-42336 (Servision - CWE-287: Improper Authentication) NOT-FOR-US: Servision CVE-2024-42335 (7Twenty - CWE-79: Improper Neutralization of Input During Web Page Gen ...) NOT-FOR-US: 7Twenty -CVE-2024-42334 (Hargal - CWE-284: Improper Access Control) +CVE-2024-42334 + REJECTED NOT-FOR-US: Hargal CVE-2024-42006 (Keyfactor AWS Orchestrator through 2.0 allows Information Disclosure.) NOT-FOR-US: Keyfactor AWS Orchestrator View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a179b27885e7e91d8877f52e1f1e4cef46090e6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a179b27885e7e91d8877f52e1f1e4cef46090e6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
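Review bot: in the last hunk CVE-2024-42334 is changed to REJECTED but the following "NOT-FOR-US: Hargal" line is kept, whereas rejected entries elsewhere on this page carry no annotation (see the Zoom entries cleaned up in 1b825f32); the leftover line is removed by hand in the later commit 8f4b15f3, so having the automatic update drop annotations when it marks an entry REJECTED would save that follow-up.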
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-45751/tgt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9154322c by Salvatore Bonaccorso at 2024-09-08T20:55:57+02:00 Add Debian bug reference for CVE-2024-45751/tgt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -301,7 +301,7 @@ CVE-2024-7349 (The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quiz CVE-2024-6792 (The WP ULike WordPress plugin before 4.7.2.1 does not properly saniti ...) NOT-FOR-US: WordPress plugin CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achieve ent ...) - - tgt + - tgt (bug #1081158) NOTE: https://github.com/fujita/tgt/pull/67 NOTE: https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd (v1.0.93) NOTE: https://www.openwall.com/lists/oss-security/2024/09/07/2 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9154322c59af26aa06e6b92942b61ff93aef00ba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9154322c59af26aa06e6b92942b61ff93aef00ba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
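Review bot: the `- tgt (bug #1081158)` line still carries no fixed Debian version even though the NOTE lines below it already point at the upstream fix commit abd8e0d987ab56013d360077202bf2aca20a42dd tagged v1.0.93; once the 1.0.93 upload lands the version belongs on this line, and until then a `[bookworm]`/`[bullseye]` assessment would tell readers whether the stable tgt packages are affected.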
[Git][security-tracker-team/security-tracker][master] Specify version where switch to links happened
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 21ec8e83 by Salvatore Bonaccorso at 2024-09-08T20:54:55+02:00 Specify version where switch to links happened - - - - - 1 changed file: - data/embedded-code-copies Changes: = data/embedded-code-copies = @@ -3798,4 +3798,6 @@ python-pyproject-hooks NOTE: https://lists.debian.org/debian-python/2021/09/msg00031.html node-dompurify - [bullseye] - cacti (embed) + - cacti 1.2.26+ds1-1 (embed) + NOTE: Since 1.2.26+ds1-1 cacti depends on on node-dompurify and link purify.js instead of using + NOTE: upstream vendored version. View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21ec8e8349f394d154bcf95a02afa146ec9f8c91 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/21ec8e8349f394d154bcf95a02afa146ec9f8c91 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
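Review bot: the added NOTE line reads `depends on on node-dompurify and link purify.js`; fix the doubled `on` and the verb agreement (`links`) so the rationale reads cleanly, since this note is what a future reader will use to decide whether a node-dompurify CVE still needs a cacti update.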
[Git][security-tracker-team/security-tracker][master] Add reference to oss-security post for CVE-2024-45751/tgt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 1486a82c by Salvatore Bonaccorso at 2024-09-08T20:43:10+02:00 Add reference to oss-security post for CVE-2024-45751/tgt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -304,6 +304,7 @@ CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achie - tgt NOTE: https://github.com/fujita/tgt/pull/67 NOTE: https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd (v1.0.93) + NOTE: https://www.openwall.com/lists/oss-security/2024/09/07/2 CVE-2024-45400 (ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text ...) NOT-FOR-US: ckeditor-plugin-openlink CKEditor plugin CVE-2024-42495 (Credentials to access device configuration were transmitted using an u ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1486a82c08777bb9ca70861444079f886993e695 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1486a82c08777bb9ca70861444079f886993e695 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Merge rust-quinn-proto RUSTSEC-2024-0373 with CVE-2024-45311 entry
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6e711f7a by Salvatore Bonaccorso at 2024-09-08T20:32:38+02:00 Merge rust-quinn-proto RUSTSEC-2024-0373 with CVE-2024-45311 entry - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,6 +1,3 @@ -CVE-2024- [RUSTSEC-2024-0373] - - rust-quinn-proto (Only affects 0.11.x) - NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0373.html CVE-2024-8572 (A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been ...) NOT-FOR-US: Gouniverse GoLang CMS CVE-2024-8571 (A vulnerability was found in erjemin roll_cms up to 1484fe2c4e0805946a ...) @@ -1220,7 +1217,9 @@ CVE-2024-45313 (Overleaf is a web-based collaborative LaTeX editor. When install CVE-2024-45312 (Overleaf is a web-based collaborative LaTeX editor. Overleaf Community ...) - overleaf (bug #973563) CVE-2024-45311 (Quinn is a pure-Rust, async-compatible implementation of the IETF QUIC ...) - TODO: check + - rust-quinn-proto (Only affects 0.11.x) + NOTE: https://rustsec.org/advisories/RUSTSEC-2024-0373.html + NOTE: https://github.com/advisories/GHSA-vr26-jcq5-fjj8 CVE-2024-45308 (HedgeDoc is an open source, real-time, collaborative, markdown notes a ...) NOT-FOR-US: HedgeDoc CVE-2024-45306 (Vim is an open source, command line text editor. Patch v9.1.0038 optim ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e711f7a880507931db4c0b1fccd3c055f1bdfba -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6e711f7a880507931db4c0b1fccd3c055f1bdfba You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
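Review bot: removing the temporary `CVE-2024- [RUSTSEC-2024-0373]` placeholder at the top of the file is the right way to merge, but check that no other data file (next-point-update.txt, the DSA/DLA lists) still refers to the placeholder ID, since those references would silently dangle after this hunk.

Review bot: the CVE-2024-45311 entry records `(Only affects 0.11.x)` as a free-form remark but no fixed Debian version for rust-quinn-proto; the RUSTSEC-2024-0373 advisory linked in the NOTE names the patched upstream versions, so either add the fixed Debian version once the upload exists or state explicitly that the packaged rust-quinn-proto is not on the 0.11.x branch, otherwise the entry reads as unfixed with an unexplained qualifier.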
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: ec50febb by security tracker role at 2024-09-08T08:12:29+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,37 @@ +CVE-2024-8572 (A vulnerability was found in Gouniverse GoLang CMS 1.4.0. It has been ...) + TODO: check +CVE-2024-8571 (A vulnerability was found in erjemin roll_cms up to 1484fe2c4e0805946a ...) + TODO: check +CVE-2024-8570 (A vulnerability was found in itsourcecode Tailoring Management System ...) + TODO: check +CVE-2024-8569 (A vulnerability has been found in code-projects Hospital Management Sy ...) + TODO: check +CVE-2024-8568 (A vulnerability, which was classified as critical, was found in Mini-T ...) + TODO: check +CVE-2024-8567 (A vulnerability, which was classified as critical, has been found in i ...) + TODO: check +CVE-2024-8566 (A vulnerability classified as problematic was found in code-projects O ...) + TODO: check +CVE-2024-8565 (A vulnerability was found in SourceCodesters Clinics Patient Managemen ...) + TODO: check +CVE-2024-8564 (A vulnerability was found in SourceCodester PHP CRUD 1.0. It has been ...) + TODO: check +CVE-2024-6928 (The Opti Marketing WordPress plugin through 2.0.9 does not properly sa ...) + TODO: check +CVE-2024-6925 (The TrueBooker WordPress plugin before 1.0.3 does not have CSRF check ...) + TODO: check +CVE-2024-6924 (The TrueBooker WordPress plugin before 1.0.3 does not properly saniti ...) + TODO: check +CVE-2024-6859 (The WP MultiTasking WordPress plugin through 0.1.12 does not validate ...) + TODO: check +CVE-2024-6856 (The WP MultiTasking WordPress plugin through 0.1.12 does not have CSR ...) + TODO: check +CVE-2024-6855 (The WP MultiTasking WordPress plugin through 0.1.12 does not have CSR ...) + TODO: check +CVE-2024-6853 (The WP MultiTasking WordPress plugin through 0.1.12 does not have CSR ...) + TODO: check +CVE-2024-6852 (The WP MultiTasking WordPress plugin through 0.1.12 does not have CSR ...) + TODO: check CVE-2024-8563 (A vulnerability was found in SourceCodester PHP CRUD 1.0. It has been ...) 
NOT-FOR-US: SourceCodester PHP CRUD CVE-2024-8562 (A vulnerability was found in SourceCodester PHP CRUD 1.0 and classifie ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec50febb1eecb402cb0eb2960a29ce223f945ef4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec50febb1eecb402cb0eb2960a29ce223f945ef4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
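Review bot: all 17 new entries land as `TODO: check`; the WP MultiTasking (CVE-2024-6859, CVE-2024-6856, CVE-2024-6855, CVE-2024-6853, CVE-2024-6852), TrueBooker (CVE-2024-6925, CVE-2024-6924) and Opti Marketing (CVE-2024-6928) descriptions identify WordPress plugins and can be processed in one pass as `NOT-FOR-US: WordPress plugin`, and the SourceCodester/SourceCodesters ones (CVE-2024-8565, CVE-2024-8564) as `NOT-FOR-US: SourceCodester ...`, matching how the context line `NOT-FOR-US: SourceCodester PHP CRUD` already handles CVE-2024-8563.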
[Git][security-tracker-team/security-tracker][master] Track fixed version for asterisk issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f402f14b by Salvatore Bonaccorso at 2024-09-08T07:02:58+02:00 Track fixed version for asterisk issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -381,7 +381,11 @@ CVE-2024-44587 (itsourcecode Alton Management System 1.0 is vulnerable to SQL In CVE-2024-42885 (SQL Injection vulnerability in ESAFENET CDG 5.6 and before allows an a ...) NOT-FOR-US: ESAFENET CDG CVE-2024-42491 (Asterisk is an open-source private branch exchange (PBX). Prior to ver ...) - TODO: check + - asterisk 1:20.9.3~dfsg+~cs6.14.60671435-1 + NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-v428-g3cw-7hv9 + NOTE: https://github.com/asterisk/asterisk/commit/50bf8d4d3064930d28ecf1ce3397b14574d514d2 (18.24.3) + NOTE: https://github.com/asterisk/asterisk/commit/a15050650abf09c10a3c135fab148220cd41d3a0 (20.9.3) + NOTE: https://github.com/asterisk/asterisk/commit/4f01669c7c41c9184f3cce9a3cf1b2ebf6201742 (21.4.3) CVE-2024-24759 (MindsDB is a platform for building artificial intelligence from enterp ...) NOT-FOR-US: MindsDB CVE-2023-51712 (An issue was discovered in Trusted Firmware-M through 2.0.0. The lack ...) 
@@ -6667,7 +6671,7 @@ CVE-2024-42408 (The InfoScan client download page can be intercepted with a prox CVE-2024-42366 (VRCX is an assistant/companion application for VRChat. In versions pri ...) NOT-FOR-US: VRCX CVE-2024-42365 (Asterisk is an open source private branch exchange (PBX) and telephony ...) - - asterisk (bug #1078574) + - asterisk 1:20.9.3~dfsg+~cs6.14.60671435-1 (bug #1078574) NOTE: https://github.com/asterisk/asterisk/security/advisories/GHSA-c4cg-9275-6w44 NOTE: https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71 (21.4.2) NOTE: https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993 (20.9.2) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f402f14b5feb0f5c1d06b92f2c47350b640e20bf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f402f14b5feb0f5c1d06b92f2c47350b640e20bf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
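Review bot: CVE-2024-42491 gains the fixed unstable version 1:20.9.3~dfsg+~cs6.14.60671435-1 in the first hunk but, unlike CVE-2024-42365 in the second hunk, carries no `(bug #...)` reference and no `[bookworm]`/`[bullseye]` assessment; the three upstream fix commits are tagged 18.24.3, 20.9.3 and 21.4.3, which suggests the vulnerable code predates the stable packages, so the stable lines are needed before the entry can be considered complete.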
[Git][security-tracker-team/security-tracker][master] Track fixed version for ruby-sidekiq issue
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7f94b60d by Salvatore Bonaccorso at 2024-09-08T06:54:57+02:00 Track fixed version for ruby-sidekiq issue - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -120014,7 +120014,7 @@ CVE-2023-26143 (Versions of the package blamer before 1.0.4 are vulnerable to Ar CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response Split ...) NOT-FOR-US: Crow CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial ...) - - ruby-sidekiq (bug #1059300) + - ruby-sidekiq 7.2.1+dfsg-2 (bug #1059300) [bookworm] - ruby-sidekiq (Minor issue) [bullseye] - ruby-sidekiq (Minor issue) [buster] - ruby-sidekiq (Minor issue, DoS still possible) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f94b60d1c36a9d8a4b358cf8ba584d2197e91ef -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7f94b60d1c36a9d8a4b358cf8ba584d2197e91ef You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
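Review bot: the fixed version 7.2.1+dfsg-2 is a Debian revision of an upstream release already newer than the 7.1.3 named in the description, which implies the fix went in as a backported patch rather than a new upstream; the entry shows no NOTE line with the upstream fix commit, so add one so the backport can be verified, and the `[buster] - ruby-sidekiq (Minor issue, DoS still possible)` context line is worth rechecking for consistency with the `(Minor issue)` wording used for bookworm and bullseye.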
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a91ac033 by Salvatore Bonaccorso at 2024-09-07T23:02:17+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -29,49 +29,49 @@ CVE-2024-6849 (The Preloader Plus \u2013 WordPress Loading Screen Plugin plugin CVE-2024-6010 (The Cost Calculator Builder PRO plugin for WordPress is vulnerable to ...) NOT-FOR-US: WordPress plugin CVE-2024-42024 (A vulnerability that allows an attacker in possession of the Veeam ONE ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-42023 (An improper access control vulnerability allows low-privileged users t ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-42022 (An incorrect permission assignment vulnerability allows an attacker to ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-42021 (An improper access control vulnerability allows an attacker with valid ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-42020 (A Cross-site-scripting (XSS) vulnerability exists in the Reporter Widg ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-42019 (A vulnerability that allows an attacker to access the NTLM hash of the ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40718 (A server side request forgery vulnerability allows a low-privileged us ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40714 (An improper certificate validation vulnerability in TLS certificate va ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40713 (A vulnerability that allows a user who has been assigned a low-privile ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40712 (A path traversal vulnerability allows an attacker with a low-privilege ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40711 (A deserialization of untrusted data vulnerability with a malicious pay ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40710 (A series of related high-severity vulnerabilities, the most notable en ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40709 (A missing authorization vulnerability allows a local low-privileged us ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-40681 (IBM MQ Operator 2.0.26 and 3.2.4 could allow an authenticated user in ...) 
NOT-FOR-US: IBM CVE-2024-40680 (IBM MQ Operator 2.0.26 and 3.2.4 could allow a local user to cause a d ...) NOT-FOR-US: IBM CVE-2024-39718 (An improper input validation vulnerability that allows a low-privilege ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-39715 (A code injection vulnerability that allows a low-privileged user with ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-39714 (A code injection vulnerability that permits a low-privileged user to u ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-38651 (A code injection vulnerability can allow a low-privileged user to over ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-38650 (An authentication bypass vulnerability can allow a low privileged atta ...) - TODO: check + NOT-FOR-US: Veeam CVE-2024-37068 (IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 us ...) NOT-FOR-US: IBM CVE-2024-1596 (The Ninja Forms - File Uploads plugin for WordPress is vulnerable to S ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8521 (A vulnerability, which was classified as problematic, was found in Wav ...) NOT-FOR-US: Wavelog CVE-2024-8439 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a91ac033f070b8e749fb7531a0436ac07748dd01 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a91ac033f070b8e749fb7531a0436ac07748dd01 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 90476f59 by Salvatore Bonaccorso at 2024-09-07T22:56:03+02:00 Process more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -55,9 +55,9 @@ CVE-2024-40710 (A series of related high-severity vulnerabilities, the most nota CVE-2024-40709 (A missing authorization vulnerability allows a local low-privileged us ...) TODO: check CVE-2024-40681 (IBM MQ Operator 2.0.26 and 3.2.4 could allow an authenticated user in ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-40680 (IBM MQ Operator 2.0.26 and 3.2.4 could allow a local user to cause a d ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-39718 (An improper input validation vulnerability that allows a low-privilege ...) TODO: check CVE-2024-39715 (A code injection vulnerability that allows a low-privileged user with ...) @@ -69,7 +69,7 @@ CVE-2024-38651 (A code injection vulnerability can allow a low-privileged user t CVE-2024-38650 (An authentication bypass vulnerability can allow a low privileged atta ...) TODO: check CVE-2024-37068 (IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 us ...) - TODO: check + NOT-FOR-US: IBM CVE-2024-1596 (The Ninja Forms - File Uploads plugin for WordPress is vulnerable to S ...) TODO: check CVE-2024-8521 (A vulnerability, which was classified as problematic, was found in Wav ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90476f59be8c9b9fed90b4a29ee84eab6adfc4f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/90476f59be8c9b9fed90b4a29ee84eab6adfc4f7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Process some NFU
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: edd0cd43 by Salvatore Bonaccorso at 2024-09-07T22:54:14+02:00 Process some NFU - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,33 +1,33 @@ CVE-2024-8563 (A vulnerability was found in SourceCodester PHP CRUD 1.0. It has been ...) - TODO: check + NOT-FOR-US: SourceCodester PHP CRUD CVE-2024-8562 (A vulnerability was found in SourceCodester PHP CRUD 1.0 and classifie ...) - TODO: check + NOT-FOR-US: SourceCodester PHP CRUD CVE-2024-8561 (A vulnerability has been found in SourceCodester PHP CRUD 1.0 and clas ...) - TODO: check + NOT-FOR-US: SourceCodester PHP CRUD CVE-2024-8560 (A vulnerability, which was classified as critical, was found in Source ...) - TODO: check + NOT-FOR-US: SourceCodester Simple Invoice Generator System CVE-2024-8559 (A vulnerability, which was classified as critical, has been found in S ...) - TODO: check + NOT-FOR-US: SourceCodester Online Food Menu CVE-2024-8558 (A vulnerability classified as problematic was found in SourceCodester ...) - TODO: check + NOT-FOR-US: SourceCodester Food Ordering Management System CVE-2024-8557 (A vulnerability classified as critical has been found in SourceCodeste ...) - TODO: check + NOT-FOR-US: SourceCodester Food Ordering Management System CVE-2024-8555 (A vulnerability was found in SourceCodester Clinics Patient Management ...) - TODO: check + NOT-FOR-US: SourceCodester Clinics Patient Management System CVE-2024-8554 (A vulnerability was found in SourceCodester Clinics Patient Management ...) - TODO: check + NOT-FOR-US: SourceCodester Clinics Patient Management System CVE-2024-8538 (The Big File Uploads \u2013 Increase Maximum File Upload Size plugin f ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8523 (A vulnerability was found in lmxcms up to 1.4 and classified as critic ...) - TODO: check + NOT-FOR-US: lmxcms CVE-2024-7620 (The Customizer Export/Import plugin for WordPress is vulnerable to arb ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7112 (The Pinpoint Booking System \u2013 #1 WordPress Booking Plugin plugin ...) 
- TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-6849 (The Preloader Plus \u2013 WordPress Loading Screen Plugin plugin for W ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-6010 (The Cost Calculator Builder PRO plugin for WordPress is vulnerable to ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-42024 (A vulnerability that allows an attacker in possession of the Veeam ONE ...) TODO: check CVE-2024-42023 (An improper access control vulnerability allows low-privileged users t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edd0cd433d664bb790b890adc3fcbc1207fcce67 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/edd0cd433d664bb790b890adc3fcbc1207fcce67 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 03c6f15c by security tracker role at 2024-09-07T20:12:02+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,77 @@ +CVE-2024-8563 (A vulnerability was found in SourceCodester PHP CRUD 1.0. It has been ...) + TODO: check +CVE-2024-8562 (A vulnerability was found in SourceCodester PHP CRUD 1.0 and classifie ...) + TODO: check +CVE-2024-8561 (A vulnerability has been found in SourceCodester PHP CRUD 1.0 and clas ...) + TODO: check +CVE-2024-8560 (A vulnerability, which was classified as critical, was found in Source ...) + TODO: check +CVE-2024-8559 (A vulnerability, which was classified as critical, has been found in S ...) + TODO: check +CVE-2024-8558 (A vulnerability classified as problematic was found in SourceCodester ...) + TODO: check +CVE-2024-8557 (A vulnerability classified as critical has been found in SourceCodeste ...) + TODO: check +CVE-2024-8555 (A vulnerability was found in SourceCodester Clinics Patient Management ...) + TODO: check +CVE-2024-8554 (A vulnerability was found in SourceCodester Clinics Patient Management ...) + TODO: check +CVE-2024-8538 (The Big File Uploads \u2013 Increase Maximum File Upload Size plugin f ...) + TODO: check +CVE-2024-8523 (A vulnerability was found in lmxcms up to 1.4 and classified as critic ...) + TODO: check +CVE-2024-7620 (The Customizer Export/Import plugin for WordPress is vulnerable to arb ...) + TODO: check +CVE-2024-7112 (The Pinpoint Booking System \u2013 #1 WordPress Booking Plugin plugin ...) + TODO: check +CVE-2024-6849 (The Preloader Plus \u2013 WordPress Loading Screen Plugin plugin for W ...) + TODO: check +CVE-2024-6010 (The Cost Calculator Builder PRO plugin for WordPress is vulnerable to ...) + TODO: check +CVE-2024-42024 (A vulnerability that allows an attacker in possession of the Veeam ONE ...) + TODO: check +CVE-2024-42023 (An improper access control vulnerability allows low-privileged users t ...) + TODO: check +CVE-2024-42022 (An incorrect permission assignment vulnerability allows an attacker to ...) 
+ TODO: check +CVE-2024-42021 (An improper access control vulnerability allows an attacker with valid ...) + TODO: check +CVE-2024-42020 (A Cross-site-scripting (XSS) vulnerability exists in the Reporter Widg ...) + TODO: check +CVE-2024-42019 (A vulnerability that allows an attacker to access the NTLM hash of the ...) + TODO: check +CVE-2024-40718 (A server side request forgery vulnerability allows a low-privileged us ...) + TODO: check +CVE-2024-40714 (An improper certificate validation vulnerability in TLS certificate va ...) + TODO: check +CVE-2024-40713 (A vulnerability that allows a user who has been assigned a low-privile ...) + TODO: check +CVE-2024-40712 (A path traversal vulnerability allows an attacker with a low-privilege ...) + TODO: check +CVE-2024-40711 (A deserialization of untrusted data vulnerability with a malicious pay ...) + TODO: check +CVE-2024-40710 (A series of related high-severity vulnerabilities, the most notable en ...) + TODO: check +CVE-2024-40709 (A missing authorization vulnerability allows a local low-privileged us ...) + TODO: check +CVE-2024-40681 (IBM MQ Operator 2.0.26 and 3.2.4 could allow an authenticated user in ...) + TODO: check +CVE-2024-40680 (IBM MQ Operator 2.0.26 and 3.2.4 could allow a local user to cause a d ...) + TODO: check +CVE-2024-39718 (An improper input validation vulnerability that allows a low-privilege ...) + TODO: check +CVE-2024-39715 (A code injection vulnerability that allows a low-privileged user with ...) + TODO: check +CVE-2024-39714 (A code injection vulnerability that permits a low-privileged user to u ...) + TODO: check +CVE-2024-38651 (A code injection vulnerability can allow a low-privileged user to over ...) + TODO: check +CVE-2024-38650 (An authentication bypass vulnerability can allow a low privileged atta ...) + TODO: check +CVE-2024-37068 (IBM Maximo Application Suite - Manage Component 8.10, 8.11, and 9.0 us ...) 
+ TODO: check +CVE-2024-1596 (The Ninja Forms - File Uploads plugin for WordPress is vulnerable to S ...) + TODO: check CVE-2024-8521 (A vulnerability, which was classified as problematic, was found in Wav ...) NOT-FOR-US: Wavelog CVE-2024-8439 @@ -30,6 +104,7 @@ CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacke [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8394 CVE-2024-7652 (An error in the ECMA-262 specification
[Git][security-tracker-team/security-tracker][master] Add upstream commit references for CVE-2023-27043
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 6f2dee33 by Salvatore Bonaccorso at 2024-09-07T17:25:57+02:00 Add upstream commit references for CVE-2023-27043 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -117603,6 +117603,10 @@ CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-m [bullseye] - pypy3 (Minor issue, wait until upstream has decided whether to backport to older branches) [buster] - pypy3 (Minor issue, wait until upstream has decided whether to backport to older branches) NOTE: https://github.com/python/cpython/issues/102988 + NOTE: https://github.com/python/cpython/commit/15068242bd4405475f70a81805a8895ca309a310 (v3.12.6) + NOTE: https://github.com/python/cpython/commit/bc4a703a934a59657ecd018320ef990bc5542803 (v3.11.10) + NOTE: https://github.com/python/cpython/commit/2a9273a0e4466e2f057f9ce6fe98cd8ce570331b (v3.10.15) + NOTE: https://github.com/python/cpython/commit/ee953f2b8fc12ee9b8209ab60a2f06c603e5a624 (v3.9.20) CVE-2023-27042 (Tenda AX3 V16.03.12.11 is vulnerable to Buffer Overflow via /goform/Se ...) NOT-FOR-US: Tenda CVE-2023-27041 (School Registration and Fee System v1.0 was discovered to contain a SQ ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f2dee333925977a95e5ce02f4518fba4a49eabf -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/6f2dee333925977a95e5ce02f4518fba4a49eabf You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
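Review bot: the four new NOTE lines record upstream fixes down to v3.10.15 and v3.9.20, so the context lines `[bullseye] - pypy3 (Minor issue, wait until upstream has decided whether to backport to older branches)` and the same for `[buster]` are now overtaken by events; revisit those assessments (and the python3.10/python3.9 lines of this entry) in the same pass rather than leaving a "wait" rationale next to evidence that the backports exist.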
[Git][security-tracker-team/security-tracker][master] Track fixed version for various python3.12 issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50e58df8 by Salvatore Bonaccorso at 2024-09-07T17:23:15+02:00 Track fixed version for various python3.12 issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -988,7 +988,7 @@ CVE-2023-49233 (Insufficient access checks in Visual Planning Admin Center 8 bef NOT-FOR-US: Visual Planning Admin Center CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython. Regul ...) - python3.13 3.13.0~rc2-1 - - python3.12 + - python3.12 3.12.6-1 - python3.11 - python3.9 - python2.7 @@ -2732,7 +2732,7 @@ CVE-2023-7260 (Path Traversal vulnerability discovered in OpenText\u2122 CX-E Vo CVE-2024-8088 (There is a HIGH severity vulnerability affecting the CPython "zipfile" ...) {DSA-5759-1} - python3.13 3.13.0~rc2-1 - - python3.12 + - python3.12 3.12.6-1 - python3.11 - python3.9 - python2.7 @@ -3973,7 +3973,7 @@ CVE-2024-7922 (A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, NOT-FOR-US: D-Link CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specifically ...) - python3.13 3.13.0~rc2-1 - - python3.12 + - python3.12 3.12.6-1 - python3.11 [bookworm] - python3.11 (Minor issue, wait until merged into 3.11 branch) - python3.9 
@@ -117587,7 +117587,7 @@ CVE-2023-27045 CVE-2023-27044 RESERVED CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-mail ad ...) - - python3.12 (bug #1059299) + - python3.12 3.12.6-1 (bug #1059299) - python3.11 (bug #1059298) [bookworm] - python3.11 (Minor issue, wait until upstream has decided whether to backport to older branches) - python3.10 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50e58df88012f002fd3a4d21375465aa729910d6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50e58df88012f002fd3a4d21375465aa729910d6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-7652
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f6f89764 by Salvatore Bonaccorso at 2024-09-07T14:33:44+02:00 Add CVE-2024-7652 - - - - - 2 changed files: - data/CVE/list - data/DSA/list Changes: = data/CVE/list = @@ -30,7 +30,14 @@ CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacke [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8394 CVE-2024-7652 (An error in the ECMA-262 specification relating to Async Generators co ...) - TODO: check + - firefox 128.0-1 + - firefox-esr 115.13.0esr-1 + - thunderbird 1:115.13.0-1 + NOTE: https://bugzilla.mozilla.org/show_bug.cgi?id=1901411 + NOTE: https://github.com/tc39/ecma262/security/advisories/GHSA-g38c-wh3c-5h9r + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-29/#CVE-2024-7652 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-30/#CVE-2024-7652 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-31/#CVE-2024-7652 CVE-2024-7622 (The Revision Manager TMC plugin for WordPress is vulnerable to unautho ...) NOT-FOR-US: WordPress plugin CVE-2024-7611 (The Enter Addons \u2013 Ultimate Template Builder for Elementor plugin ...) = data/DSA/list = @@ -109,7 +109,7 @@ [bullseye] - bind9 1:9.16.50-1~deb11u1 [bookworm] - bind9 1:9.18.28-1~deb12u1 [18 Jul 2024] DSA-5733-1 thunderbird - security update - {CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604} + {CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-7652} [bullseye] - thunderbird 1:115.13.0-1~deb11u1 [bookworm] - thunderbird 1:115.13.0-1~deb12u1 [18 Jul 2024] DSA-5732-1 chromium - security update 
@@ -130,7 +130,7 @@ [bullseye] - exim4 4.94.2-7+deb11u3 [bookworm] - exim4 4.96-15+deb12u5 [10 Jul 2024] DSA-5727-1 firefox-esr - security update - {CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604} + {CVE-2024-6601 CVE-2024-6602 CVE-2024-6603 CVE-2024-6604 CVE-2024-7652} [bullseye] - firefox-esr 115.13.0esr-1~deb11u1 [bookworm] - firefox-esr 115.13.0esr-1~deb12u1 [05 Jul 2024] DSA-5726-1 krb5 - security update View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6f89764af7f96b5d77f7809a613aa04ee558fa6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f6f89764af7f96b5d77f7809a613aa04ee558fa6 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
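Review bot: The new CVE-2024-7652 entry in data/CVE/list records fixed versions for firefox, firefox-esr and thunderbird but carries no `{DSA-5727-1 DSA-5733-1}` cross-reference line, even though this same commit adds the CVE to both advisories in data/DSA/list; other advisory-covered entries on this list do carry one (CVE-2024-8384: `{DSA-5765-1 DLA-3869-1}`), so either add the line here or note why it is omitted, otherwise the CVE page will not link back to the advisories that fixed it.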
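Review bot: Retroactively extending the published DSA-5727-1 (10 Jul 2024) and DSA-5733-1 (18 Jul 2024) CVE sets is consistent with the versions in the CVE entry: `firefox-esr 115.13.0esr-1` and `thunderbird 1:115.13.0-1` in unstable match the `~deb11u1`/`~deb12u1` builds listed under each advisory, and the mfsa2024-30/31 NOTE references point at those same releases. The DSA-5727-1 hunk mirrors the DSA-5733-1 one, so no separate concern there; just make sure the advisory text itself is not expected to be re-sent, since only the tracker data changes here.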
[Git][security-tracker-team/security-tracker][master] Track proposed update for mariadb for bookworm-pu
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 54d74a70 by Salvatore Bonaccorso at 2024-09-07T14:19:14+02:00 Track proposed update for mariadb for bookworm-pu - - - - - 1 changed file: - data/next-point-update.txt Changes: = data/next-point-update.txt = @@ -70,3 +70,5 @@ CVE-2024-31755 [bookworm] - cjson 1.7.15-1+deb12u2 CVE-2023-52890 [bookworm] - ntfs-3g 1:2022.10.3-1+deb12u1 +CVE-2024-21096 + [bookworm] - mariadb 1:10.11.9-0+deb12u1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d74a70b2d7f7db87544f89567d5e1a66872a36 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/54d74a70b2d7f7db87544f89567d5e1a66872a36 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
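Review bot: The proposed version `1:10.11.9-0+deb12u1` has a `0+deb12u1` Debian revision, i.e. a new upstream release is being proposed for bookworm rather than a targeted patch; that is the usual route for mariadb, but it means the bookworm status of CVE-2024-21096 in data/CVE/list (not touched in this commit) must be updated to this exact version string when the point update is accepted, so keep the two in sync.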
[Git][security-tracker-team/security-tracker][master] Reference upstream tags for CVE-2024-6232
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8471a180 by Salvatore Bonaccorso at 2024-09-07T13:53:25+02:00 Reference upstream tags for CVE-2024-6232 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -988,10 +988,10 @@ CVE-2024-6232 (There is a MEDIUM severity vulnerability affecting CPython. [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) NOTE: https://github.com/python/cpython/issues/121285 NOTE: https://github.com/python/cpython/pull/121286 - NOTE: https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373 (3.13-branch) - NOTE: https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06 (3.12-branch) - NOTE: https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf (3.11-branch) - NOTE: https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4 (3.10-branch) + NOTE: https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373 (v3.13.0rc2) + NOTE: https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06 (v3.12.6) + NOTE: https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf (v3.11.10) + NOTE: https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4 (v3.10.15) CVE-2024-45231 - python-django 3:4.2.16-1 [bookworm] - python-django (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8471a180aeee97d0add60d5546622ac6d90d81d7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8471a180aeee97d0add60d5546622ac6d90d81d7 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
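Review bot: Replacing the branch names with release tags (v3.13.0rc2, v3.12.6, v3.11.10, v3.10.15) is the better reference, since a tag pins the first release that contains the fix while "3.12-branch" only says where the commit landed. The hunk lists commits for 3.13 through 3.10 only; the CVE-2024-7592 and CVE-2024-6923 entries on this list also reference a v3.9.20 commit, so check whether the bullseye python3.9 package has a corresponding 3.9 backport to record, or note that 3.9 did not receive one.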
[Git][security-tracker-team/security-tracker][master] Reference upstream tags for CVE-2024-8088
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5ce594d1 by Salvatore Bonaccorso at 2024-09-07T13:49:42+02:00 Reference upstream tags for CVE-2024-8088 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -2733,13 +2733,13 @@ CVE-2024-8088 (There is a HIGH severity vulnerability affecting the CPython "zip NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/ NOTE: https://github.com/python/cpython/pull/122906 NOTE: https://github.com/python/cpython/issues/122905 - NOTE: https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64 (3.13-branch) - NOTE: https://github.com/python/cpython/commit/dcc5182f27c156a1ef78e10613bb45788dea (3.12-branch) - NOTE: https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e (3.11-branch) - NOTE: https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db (3.10-branch) + NOTE: https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64 (v3.13.0rc2) + NOTE: https://github.com/python/cpython/commit/dcc5182f27c156a1ef78e10613bb45788dea (v3.12.6) + NOTE: https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e (v3.11.10) + NOTE: https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db (v3.10.15) NOTE: Regression (cf. #1080245): https://github.com/python/cpython/issues/123270 - NOTE: Regression fixed by https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798 (3.11-branch) - NOTE: Regression fixed by https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7 (3.9-branch) + NOTE: Regression fixed by: https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798 (v3.11.10) + NOTE: Regression fixed by: https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7 (v3.9.20) CVE-2024-8077 (A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228. ...) NOT-FOR-US: TOTOLINK CVE-2024-8076 (A vulnerability was found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228 ...) 
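Review bot: The 3.12 reference `https://github.com/python/cpython/commit/dcc5182f27c156a1ef78e10613bb45788dea` is 36 hex characters, not the full 40-character SHA used by every other commit reference in this hunk, and it is carried over unchanged from the `-` line, so the truncation predates this commit; verify the hash against the v3.12.6 tag and record the full SHA. Also, the regression fix is referenced only for v3.11.10 and v3.9.20, so if the other branches listed above (3.13, 3.12, 3.10) received the same regression fix, add those commits too, otherwise the entry suggests only two branches were repaired.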
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ce594d1cc1002e84af6929e3b0364d31fbfb0a2 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5ce594d1cc1002e84af6929e3b0364d31fbfb0a2 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Track fixed version for CVE-2023-49582/apr
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b99ac55a by Salvatore Bonaccorso at 2024-09-07T13:45:08+02:00 Track fixed version for CVE-2023-49582/apr - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -2251,7 +2251,7 @@ CVE-2024-34087 (An SEH-based buffer overflow in the BPQ32 HTTP Server in BPQ32 6 CVE-2024-28077 (A denial-of-service issue was discovered on certain GL-iNet devices. S ...) NOT-FOR-US: GL-iNet devices CVE-2023-49582 (Lax permissions set by the Apache Portable Runtime library on Unix pla ...) - - apr (bug #1080375) + - apr 1.7.5-1 (bug #1080375) [bookworm] - apr (Minor issue) [bullseye] - apr (Minor issue; can be fixed in next update) NOTE: https://www.openwall.com/lists/oss-security/2024/08/26/1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b99ac55a2ee4f2f46069b254753627210514a280 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b99ac55a2ee4f2f46069b254753627210514a280 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
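Review bot: With `apr 1.7.5-1` recorded as fixed in unstable, the two stable annotations now read differently for what looks like the same plan: bookworm has `(Minor issue)` while bullseye has `(Minor issue; can be fixed in next update)`; stating the point-update intent on the bookworm line as well removes the ambiguity about whether bookworm is meant to receive the fix.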
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-7592
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 78150762 by Salvatore Bonaccorso at 2024-09-07T13:43:46+02:00 Update status for CVE-2024-7592 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -3973,6 +3973,11 @@ CVE-2024-7592 (There is a LOW severity vulnerability affecting CPython, specific [bullseye] - python3.9 (Minor issue, wait until merged into 3.9 branch) NOTE: https://github.com/python/cpython/pull/123075 NOTE: https://github.com/python/cpython/issues/123067 + NOTE: https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 (v3.13.0rc2) + NOTE: https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 (v3.12.6) + NOTE: https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f (v3.11.10) + NOTE: https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a (v3.10.15) + NOTE: https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774 (v3.9.20) NOTE: https://mail.python.org/archives/list/security-annou...@python.org/thread/HXJLNUNGCQUS2W7WR6GFIZIHFOOK/ CVE-2024-6348 (Predictable seed generation in the security access mechanism of UDS in ...) NOT-FOR-US: Nissan View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/781507624347205c5d0e0133d9846e6f422546ea -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/781507624347205c5d0e0133d9846e6f422546ea You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
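Review bot: The new `NOTE: https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774 (v3.9.20)` line records a 3.9 backport, so the bullseye annotation in the leading context, `[bullseye] - python3.9 (Minor issue, wait until merged into 3.9 branch)`, is now stale and should be updated in the same commit (the waiting condition is met; what remains is the decision whether to ship it via a point update).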
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-6923
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: bfa3c548 by Salvatore Bonaccorso at 2024-09-07T13:38:47+02:00 Update status for CVE-2024-6923 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -8110,7 +8110,7 @@ CVE-2024-7211 (The 1E Platform's component utilized the third-party Duende Ident NOT-FOR-US: 1E Platform CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython. The emai ...) - python3.13 3.13.0~rc2-1 - - python3.12 + - python3.12 3.12.5-1 - python3.11 [bookworm] - python3.11 (Minor issue, wait until merged into 3.11 branch) - python3.9 
@@ -8119,6 +8119,11 @@ CVE-2024-6923 (There is a MEDIUM severity vulnerability affecting CPython. The [bullseye] - python2.7 (Unsupported in Bullseye, only included to build a few applications) NOTE: https://github.com/python/cpython/issues/121650 NOTE: https://github.com/python/cpython/pull/122233 + NOTE: https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0 (v3.13.0rc2) + NOTE: https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7 (v3.12.5) + NOTE: https://github.com/python/cpython/commit/f7c0f09e69e950cf3c5ada9dbde93898eb975533 (v3.11.10) + NOTE: https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147 (v3.10.15) + NOTE: https://github.com/python/cpython/commit/f7be505d137a22528cb0fc004422c0081d5d90e6 (v3.9.20) CVE-2024-6873 (It is possible to crash or redirect the execution flow of the ClickHou ...) - clickhouse (bug #1077820) [bookworm] - clickhouse (Minor issue) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfa3c5481d64b788d3af20f74efd4c695b4887b8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bfa3c5481d64b788d3af20f74efd4c695b4887b8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
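Review bot: The added `NOTE: ... (v3.11.10)` reference shows the fix has landed on the 3.11 branch, so the bookworm annotation in the first hunk's context, `[bookworm] - python3.11 (Minor issue, wait until merged into 3.11 branch)`, no longer describes the situation and should be revised in the same commit; likewise the unstable `- python3.11` line in the first hunk still carries no fixed version although a 3.11 release tag is now referenced, so either record the Debian version that ships 3.11.10 or leave a note that it is pending.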
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 50dfd2af by Salvatore Bonaccorso at 2024-09-07T10:44:32+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,17 +1,17 @@ CVE-2024-8521 (A vulnerability, which was classified as problematic, was found in Wav ...) - TODO: check + NOT-FOR-US: Wavelog CVE-2024-8439 REJECTED CVE-2024-45771 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerabilit ...) - TODO: check + NOT-FOR-US: RapidCMS CVE-2024-44845 (DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated ...) - TODO: check + NOT-FOR-US: DrayTek Vigor3900 CVE-2024-44844 (DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated ...) - TODO: check + NOT-FOR-US: DrayTek Vigor3900 CVE-2024-44839 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerabilit ...) - TODO: check + NOT-FOR-US: RapidCMS CVE-2024-44838 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerabilit ...) - TODO: check + NOT-FOR-US: RapidCMS CVE-2024-8443 - opensc [bookworm] - opensc (Minor issue) 
@@ -21,7 +21,7 @@ CVE-2024-8517 (SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command NOTE: https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html?lang=fr NOTE: https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/ CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no verifica ...) - TODO: check + NOT-FOR-US: Forklift Controller CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...) NOT-FOR-US: WordPress plugin CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacker cou ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50dfd2af7d9399ef75336407f6568bfccb5f3f5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/50dfd2af7d9399ef75336407f6568bfccb5f3f5a You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: df75550d by security tracker role at 2024-09-07T08:12:33+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,17 @@ +CVE-2024-8521 (A vulnerability, which was classified as problematic, was found in Wav ...) + TODO: check +CVE-2024-8439 + REJECTED +CVE-2024-45771 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerabilit ...) + TODO: check +CVE-2024-44845 (DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated ...) + TODO: check +CVE-2024-44844 (DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated ...) + TODO: check +CVE-2024-44839 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerabilit ...) + TODO: check +CVE-2024-44838 (RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerabilit ...) + TODO: check CVE-2024-8443 - opensc [bookworm] - opensc (Minor issue) @@ -107,11 +121,11 @@ CVE-2023-34979 (An OS command injection vulnerability has been reported to affec NOT-FOR-US: QNAP CVE-2023-34974 (An OS command injection vulnerability has been reported to affect seve ...) NOT-FOR-US: QNAP -CVE-2024-45498 +CVE-2024-45498 (Example DAG: example_inlet_event_extra.py shipped with Apache Airflow ...) - airflow (bug #819700) -CVE-2024-45034 +CVE-2024-45034 (Apache Airflow versions before 2.10.1 have a vulnerability that allows ...) - airflow (bug #819700) -CVE-2024-34158 +CVE-2024-34158 (Calling Parse on a "// +build" build tag line with deeply nested expre ...) - golang-1.23 - golang-1.22 - golang-1.21 
@@ -122,7 +136,7 @@ CVE-2024-34158 NOTE: https://go.dev/issue/69141 NOTE: https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1) NOTE: https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7) -CVE-2024-34156 +CVE-2024-34156 (Calling Decoder.Decode on a message which contains deeply nested struc ...) - golang-1.23 - golang-1.22 - golang-1.21 @@ -133,7 +147,7 @@ CVE-2024-34156 NOTE: https://go.dev/issue/69139 NOTE: https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1) NOTE: https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7) -CVE-2024-34155 +CVE-2024-34155 (Calling any of the Parse functions on Go source code which contains de ...) - golang-1.23 - golang-1.22 - golang-1.21 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df75550d9cd46dced8112ea4793a2e6396e1fafb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/df75550d9cd46dced8112ea4793a2e6396e1fafb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-8443/opensc
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 0b58f91f by Salvatore Bonaccorso at 2024-09-07T09:39:57+02:00 Add CVE-2024-8443/opensc - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,7 @@ +CVE-2024-8443 + - opensc + [bookworm] - opensc (Minor issue) + NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2310494 CVE-2024-8517 (SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command inje ...) - spip 4.3.2+dfsg-1 NOTE: https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html?lang=fr View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b58f91feb40dadb0acf7637c82e8045d9f940c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0b58f91feb40dadb0acf7637c82e8045d9f940c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
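Review bot: The unstable line `- opensc` has neither a fixed version nor a `(bug #...)` reference, unlike the apr and aardvark-dns entries in this series, and the only source is the Red Hat bugzilla link; since the entry also has no description yet (the CVE record is evidently not published), a Debian bug or an upstream issue/commit link would give the maintainer something concrete to act on and make the bookworm "Minor issue" classification verifiable.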
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4dd85d12 by Salvatore Bonaccorso at 2024-09-07T09:37:36+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -34,11 +34,11 @@ CVE-2024-45299 (alf.io is an open source ticket reservation system for conferenc CVE-2024-45295 REJECTED CVE-2024-45294 (The HL7 FHIR Core Artifacts repository provides the java core object h ...) - TODO: check + NOT-FOR-US: HL7 FHIR Core Artifacts CVE-2024-45040 (gnark is a fast zk-SNARK library that offers a high-level API to desig ...) - TODO: check + NOT-FOR-US: gnark CVE-2024-45039 (gnark is a fast zk-SNARK library that offers a high-level API to desig ...) - TODO: check + NOT-FOR-US: gnark CVE-2024-44837 (A cross-site scripting (XSS) vulnerability in the component \bean\Mana ...) NOT-FOR-US: Drug CVE-2024-44739 (Sourcecodester Simple Forum Website v1.0 has a SQL injection vulnerabi ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dd85d1271854cdf4a1ba6a26472a2d967d6b051 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4dd85d1271854cdf4a1ba6a26472a2d967d6b051 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-8418/aardvark-dns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 92c7f28e by Salvatore Bonaccorso at 2024-09-07T09:32:14+02:00 Update status for CVE-2024-8418/aardvark-dns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -330,11 +330,14 @@ CVE-2024-20505 (A vulnerability in the PDF parsing module of Clam AntiVirus (Cla NOTE: https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html CVE-2024-8418 (A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They cont ...) - aardvark-dns 1.12.2-1 (bug #1080964) - [bookworm] - aardvark-dns (Minor issue) + [bookworm] - aardvark-dns (Vulnerable code not present) NOTE: https://github.com/containers/aardvark-dns/issues/500 NOTE: https://github.com/containers/aardvark-dns/pull/503 - NOTE: https://github.com/containers/aardvark-dns/commit/6d76c50978755b8162d176ec7eea0e09f8d57a42 - NOTE: https://github.com/containers/aardvark-dns/commit/39d0043c306c936fb5b6480b456cc1fdec869e25 + NOTE: Introduced with https://github.com/containers/aardvark-dns/commit/a3ffae3ba9efa5c6dc9d332b792aeab3cb71832e (v1.12.0) + NOTE: https://github.com/containers/aardvark-dns/commit/6d76c50978755b8162d176ec7eea0e09f8d57a42 (main) + NOTE: https://github.com/containers/aardvark-dns/commit/39d0043c306c936fb5b6480b456cc1fdec869e25 (main) + NOTE: https://github.com/containers/aardvark-dns/commit/aa109bbd6743abd7027e589cc4b871dd2dce7d50 (v1.12.2) + NOTE: https://github.com/containers/aardvark-dns/commit/4a27dcfea4e3f203f169c28e1a2ea8a6fe193912 (v1.12.2) CVE-2024-8417 (A vulnerability was found in \u4e91\u8bfe\u7f51\u7edc\u79d1\u6280\u670 ...) NOT-FOR-US: Yunke Online School System CVE-2024-8416 (A vulnerability was found in SourceCodester Food Ordering Management S ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92c7f28e53742d683b206ca8486ffac55eba9783 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/92c7f28e53742d683b206ca8486ffac55eba9783 You're receiving this email because of your account on salsa.debian.org. 
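Review bot: The bookworm change from `(Minor issue)` to `(Vulnerable code not present)` is supported by the new `NOTE: Introduced with ... (v1.12.0)` line together with the description's "versions 1.12.0 and 1.12.1", which is the right way to justify a not-affected status. The two commits marked `(main)` and the two marked `(v1.12.2)` are presumably the original fix and its release backport; labelling the `(main)` pair as such (e.g. "Fixed by (main):" / "Backported in (v1.12.2):") would make clear that the fixed version 1.12.2-1 corresponds to the second pair.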
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e08a5e5b by Salvatore Bonaccorso at 2024-09-06T22:51:34+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -22,15 +22,15 @@ CVE-2024-7599 (The Advanced Sermons plugin for WordPress is vulnerable to Stored CVE-2024-7493 (The WPCOM Member plugin for WordPress is vulnerable to privilege escal ...) NOT-FOR-US: WordPress plugin CVE-2024-6445 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) - TODO: check + NOT-FOR-US: DataFlowX Technology DataDiodeX CVE-2024-45758 (H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JD ...) TODO: check CVE-2024-45405 (`gix-path` is a crate of the `gitoxide` project (an implementation of ...) TODO: check CVE-2024-45300 (alf.io is an open source ticket reservation system for conferences, tr ...) - TODO: check + NOT-FOR-US: Alf.io CVE-2024-45299 (alf.io is an open source ticket reservation system for conferences, tr ...) - TODO: check + NOT-FOR-US: Alf.io CVE-2024-45295 REJECTED CVE-2024-45294 (The HL7 FHIR Core Artifacts repository provides the java core object h ...) 
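Review bot: The two alf.io entries are tagged `NOT-FOR-US: Alf.io` while the CVE descriptions spell the project `alf.io`; NOT-FOR-US strings are grepped for when a product later enters the archive, so keeping the upstream spelling makes them easier to find. The `NOT-FOR-US: DataFlowX Technology DataDiodeX` line is fine, since the description itself does not name the product.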
@@ -40,69 +40,69 @@ CVE-2024-45040 (gnark is a fast zk-SNARK library that offers a high-level API to CVE-2024-45039 (gnark is a fast zk-SNARK library that offers a high-level API to desig ...) TODO: check CVE-2024-44837 (A cross-site scripting (XSS) vulnerability in the component \bean\Mana ...) - TODO: check + NOT-FOR-US: Drug CVE-2024-44739 (Sourcecodester Simple Forum Website v1.0 has a SQL injection vulnerabi ...) - TODO: check + NOT-FOR-US: Sourcecodester Simple Forum Website CVE-2024-44408 (D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclo ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-44402 (D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_ ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-44401 (D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via sub4 ...) - TODO: check + NOT-FOR-US: D-Link CVE-2024-38642 (An improper certificate validation vulnerability has been reported to ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-38641 (An OS command injection vulnerability has been reported to affect seve ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-38640 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-32771 (An improper restriction of excessive authentication attempts vulnerabi ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-32763 (A buffer copy without checking size of input vulnerability has been re ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-32762 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-27126 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-27125 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-27122 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) 
- TODO: check + NOT-FOR-US: QNAP CVE-2024-25584 (Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requi ...) - TODO: check + NOT-FOR-US: OX Dovecot Pro core CVE-2024-21906 (An OS command injection vulnerability has been reported to affect seve ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-21904 (A path traversal vulnerability has been reported to affect several QNA ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-21903 (An OS command injection vulnerability has been reported to affect seve ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-21898 (An OS command injection vulnerability has been reported to affect seve ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-21897 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) - TODO: check + NOT-FOR-US: QNAP CVE-2024-1744 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) - TODO: check + NOT-FOR-US: Ariva Computer Accord ORS CVE-2023-51368 (A NULL pointer dereference vulnerability has been reported to affect s ...) - TODO: check + NOT-FOR-US: QNAP CVE-2023-51367 (A buffer copy without checking size of input vulnerability has been re ...) - TODO: check + NOT-FOR-US: QNAP CVE-2023-51366 (A path traversal vulnerability has been reported to affect several QNA ...) - TODO: check + NOT-FOR-US: QNAP CVE-202
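Review bot: CVE-2024-25584 is tagged `NOT-FOR-US: OX Dovecot Pro core`, but the description starts "Dovecot accepts dot LF DOT LF symbol as end of DATA command", and the open-source dovecot is packaged in Debian; unless the issue is confirmed to be specific to the Pro product, this should stay as a normal `- dovecot` entry or at least carry a NOTE explaining why the community codebase is not affected. Separately, `NOT-FOR-US: Drug` for CVE-2024-44837 is not a recognisable product name (the visible description only names a `\bean\Mana...` component); use the upstream project name so the entry can be matched later.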
[Git][security-tracker-team/security-tracker][master] Add thunderbird to dsa-needed list
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 51ce462d by Salvatore Bonaccorso at 2024-09-06T22:42:16+02:00 Add thunderbird to dsa-needed list - - - - - 1 changed file: - data/dsa-needed.txt Changes: = data/dsa-needed.txt = @@ -48,6 +48,8 @@ smarty3 -- smarty4 -- +thunderbird (jmm) +-- twisted -- xen View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51ce462dffeae6bf8e151aef6c8f07d90b544b31 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/51ce462dffeae6bf8e151aef6c8f07d90b544b31 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add new thunderbird issues from mfsa2024-{43,44}
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f4eaf708 by Salvatore Bonaccorso at 2024-09-06T22:40:37+02:00 Add new thunderbird issues from mfsa2024-{43,44} - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,7 +7,10 @@ CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no ver CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...) NOT-FOR-US: WordPress plugin CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacker cou ...) - TODO: check + - thunderbird + [bookworm] - thunderbird (Vulnerable code not present) + [bullseye] - thunderbird (Vulnerable code not present) + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8394 CVE-2024-7652 (An error in the ECMA-262 specification relating to Async Generators co ...) TODO: check CVE-2024-7622 (The Revision Manager TMC plugin for WordPress is vulnerable to unautho ...) 
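Review bot: The unstable line `- thunderbird` carries no fixed version, so it is the two `(Vulnerable code not present)` lines that keep bookworm and bullseye from being listed as affected; that is appropriate only if mfsa2024-43 covers the 130 series alone and not the 115 ESR builds shipped in the stable suites (cf. the `thunderbird 1:115.13.0-1~deb12u1` DSA lines elsewhere on this list), so a short NOTE stating that the affected code is absent from 115.x would make the classification self-explanatory.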
@@ -829,19 +832,34 @@ CVE-2024-8388 (Multiple prompts and panels from both Firefox and the Android OS NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8388 CVE-2024-8387 (Memory safety bugs present in Firefox 129, Firefox ESR 128.1, and Thun ...) - firefox 130.0-1 + - thunderbird + [bookworm] - thunderbird (Vulnerable code not present) + [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8387 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8387 CVE-2024-8386 (If a site had been granted the permission to open popup windows, it co ...) - firefox 130.0-1 + - thunderbird + [bookworm] - thunderbird (Vulnerable code not present) + [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8386 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8386 CVE-2024-8385 (A difference in the handling of StructFields and ArrayTypes in WASM co ...) - firefox 130.0-1 + - thunderbird + [bookworm] - thunderbird (Vulnerable code not present) + [bullseye] - thunderbird (Vulnerable code not present) NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8385 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8385 CVE-2024-8384 (The JavaScript garbage collector could mis-color cross-compartment obj ...) 
{DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8384 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8384 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8384 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8384 CVE-2024-8383 (Firefox normally asks for confirmation before asking the operating sys ...) {DSA-5765-1 DLA-3869-1} - firefox 130.0-1 @@ -852,14 +870,20 @@ CVE-2024-8382 (Internal browser event interfaces were exposed to web content whe {DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8382 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8382 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8382 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8382 CVE-2024-8381 (A potentially exploitable type confusion could be triggered when looki ...) {DSA-5765-1 DLA-3869-1} - firefox 130.0-1 - firefox-esr 115.15.0esr-1 + - thunderbird NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/#CVE-2024-8381 NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-41/#CVE-2024-8381 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-43/#CVE-2024-8381 + NOTE: https://www.mozilla.org/en-US/security/advisories/mfsa2024-44/#CVE-2024-8381 CVE-2024-8374 (UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerab ...) - cura (Vulnerable code not present) NOTE: Introduced by: https://github.com/Ultimaker/Cura/commit/55e5cd8982e266a8b28b062fb113e150aaef815d (5.7.0-beta.1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f4eaf708eef0a5d30d721ce0a5fd
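Review bot: The distinction drawn here is consistent: CVE-2024-8387/8386/8385 gain only the mfsa2024-43 reference and are marked `(Vulnerable code not present)` for bookworm and bullseye, matching the "Firefox 129, Firefox ESR 128.1, and Thun..." wording in the 8387 description, while CVE-2024-8384/8382/8381 also gain mfsa2024-44 and get a bare `- thunderbird` line with no suite annotations, which correctly leaves the 115-series stable packages listed as affected and lines up with the thunderbird dsa-needed addition in the neighbouring commit. One nit: the `- thunderbird` lines have no fixed version even for unstable, so a NOTE naming the Thunderbird release that carries the fix would help whoever prepares the DSA.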
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: a45297b7 by Salvatore Bonaccorso at 2024-09-06T22:33:42+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -5,19 +5,19 @@ CVE-2024-8517 (SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no verifica ...) TODO: check CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacker cou ...) TODO: check CVE-2024-7652 (An error in the ECMA-262 specification relating to Async Generators co ...) TODO: check CVE-2024-7622 (The Revision Manager TMC plugin for WordPress is vulnerable to unautho ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7611 (The Enter Addons \u2013 Ultimate Template Builder for Elementor plugin ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7599 (The Advanced Sermons plugin for WordPress is vulnerable to Stored Cros ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7493 (The WPCOM Member plugin for WordPress is vulnerable to privilege escal ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-6445 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) TODO: check CVE-2024-45758 (H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JD ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a45297b7876d085745fd34914e82728e18b5ba62 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a45297b7876d085745fd34914e82728e18b5ba62 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
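Review bot: each of the five "TODO: check" to "NOT-FOR-US: WordPress plugin" changes in the @@ -5,19 +5,19 @@ hunk matches its description (CVE-2024-8428, CVE-2024-7622, CVE-2024-7611, CVE-2024-7599 and CVE-2024-7493 all read "plugin for WordPress"), so nothing to object to. Of the entries left at "TODO: check" in the same context, CVE-2024-8394 ("aborting the verification of an OTR chat session") and CVE-2024-7652 ("error in the ECMA-262 specification relating to Async Generators") describe generic client software rather than a named vendor product, so they need a source-package check rather than an NFU pass.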
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-8517/spip
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 381ebdc4 by Salvatore Bonaccorso at 2024-09-06T22:28:47+02:00 Add CVE-2024-8517/spip - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,5 +1,7 @@ CVE-2024-8517 (SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command inje ...) - TODO: check + - spip 4.3.2+dfsg-1 + NOTE: https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html?lang=fr + NOTE: https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/ CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no verifica ...) TODO: check CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/381ebdc4cf6dc97b8f99053e670f888d311e6242 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/381ebdc4cf6dc97b8f99053e670f888d311e6242 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
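Review bot: the new "- spip 4.3.2+dfsg-1" line in the @@ -1,5 +1,7 @@ hunk records a fix for unstable only, but the description says SPIP before 4.3.2, 4.2.16 and 4.1.18 is vulnerable, i.e. upstream shipped fixes on three branches. The entry has no "[bookworm]" or "[bullseye]" line, so both stable releases are implicitly open; a follow-up should add their status (fixed version, or a no-dsa/postponed tag) once the spip versions there have been compared against 4.2.16 and 4.1.18. The two NOTE references (the spip.net release post and the third-party write-up) are appropriate for a command injection fix.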
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 741dd860 by security tracker role at 2024-09-06T20:12:45+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,103 @@ +CVE-2024-8517 (SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command inje ...) + TODO: check +CVE-2024-8509 (A vulnerability was found in Forklift Controller. There is no verifica ...) + TODO: check +CVE-2024-8428 (The ForumWP \u2013 Forum & Discussion Board Plugin plugin for WordPres ...) + TODO: check +CVE-2024-8394 (When aborting the verification of an OTR chat session, an attacker cou ...) + TODO: check +CVE-2024-7652 (An error in the ECMA-262 specification relating to Async Generators co ...) + TODO: check +CVE-2024-7622 (The Revision Manager TMC plugin for WordPress is vulnerable to unautho ...) + TODO: check +CVE-2024-7611 (The Enter Addons \u2013 Ultimate Template Builder for Elementor plugin ...) + TODO: check +CVE-2024-7599 (The Advanced Sermons plugin for WordPress is vulnerable to Stored Cros ...) + TODO: check +CVE-2024-7493 (The WPCOM Member plugin for WordPress is vulnerable to privilege escal ...) + TODO: check +CVE-2024-6445 (Improper Limitation of a Pathname to a Restricted Directory ('Path Tra ...) + TODO: check +CVE-2024-45758 (H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JD ...) + TODO: check +CVE-2024-45405 (`gix-path` is a crate of the `gitoxide` project (an implementation of ...) + TODO: check +CVE-2024-45300 (alf.io is an open source ticket reservation system for conferences, tr ...) + TODO: check +CVE-2024-45299 (alf.io is an open source ticket reservation system for conferences, tr ...) + TODO: check +CVE-2024-45295 + REJECTED +CVE-2024-45294 (The HL7 FHIR Core Artifacts repository provides the java core object h ...) + TODO: check +CVE-2024-45040 (gnark is a fast zk-SNARK library that offers a high-level API to desig ...) + TODO: check +CVE-2024-45039 (gnark is a fast zk-SNARK library that offers a high-level API to desig ...) + TODO: check +CVE-2024-44837 (A cross-site scripting (XSS) vulnerability in the component \bean\Mana ...) 
+ TODO: check +CVE-2024-44739 (Sourcecodester Simple Forum Website v1.0 has a SQL injection vulnerabi ...) + TODO: check +CVE-2024-44408 (D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclo ...) + TODO: check +CVE-2024-44402 (D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_ ...) + TODO: check +CVE-2024-44401 (D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via sub4 ...) + TODO: check +CVE-2024-38642 (An improper certificate validation vulnerability has been reported to ...) + TODO: check +CVE-2024-38641 (An OS command injection vulnerability has been reported to affect seve ...) + TODO: check +CVE-2024-38640 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2024-32771 (An improper restriction of excessive authentication attempts vulnerabi ...) + TODO: check +CVE-2024-32763 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2024-32762 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2024-27126 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2024-27125 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2024-27122 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2024-25584 (Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requi ...) + TODO: check +CVE-2024-21906 (An OS command injection vulnerability has been reported to affect seve ...) + TODO: check +CVE-2024-21904 (A path traversal vulnerability has been reported to affect several QNA ...) + TODO: check +CVE-2024-21903 (An OS command injection vulnerability has been reported to affect seve ...) + TODO: check +CVE-2024-21898 (An OS command injection vulnerability has been reported to affect seve ...) 
+ TODO: check +CVE-2024-21897 (A cross-site scripting (XSS) vulnerability has been reported to affect ...) + TODO: check +CVE-2024-1744 (Exposure of Sensitive Information to an Unauthorized Actor vulnerabili ...) + TODO: check +CVE-2023-51368 (A NULL pointer dereference vulnerability has been reported to affect s ...) + TODO: check +CVE-2023-51367 (A buffer copy without checking size of input vulnerability has been re ...) + TODO: check +CVE-2023-51366 (A path traversal vulnerability has been reported
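Review bot: the @@ -1,3 +1,103 @@ hunk is cut off in this notification after the "CVE-2023-51366 (A path traversal vulnerability has been reported" line, so only part of the 100 added lines can be reviewed here. Among the visible "TODO: check" additions, most entries from CVE-2024-38642 down to CVE-2023-51366 share the same "has been reported to affect..." wording (CVE-2024-21904 shows "several QNA...") and will presumably be handled as one vendor batch, whereas CVE-2024-25584 (Dovecot DATA command termination), CVE-2024-45405 (the gix-path crate of gitoxide), CVE-2024-45040/CVE-2024-45039 (gnark) and CVE-2024-45294 (HL7 FHIR Core) name open-source components that need a source-package lookup. CVE-2024-45295 is correctly entered as "REJECTED" with no description.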
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: d9853b55 by Salvatore Bonaccorso at 2024-09-06T22:09:23+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -64,9 +64,9 @@ CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achie NOTE: https://github.com/fujita/tgt/pull/67 NOTE: https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd (v1.0.93) CVE-2024-45400 (ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text ...) - TODO: check + NOT-FOR-US: ckeditor-plugin-openlink CKEditor plugin CVE-2024-42495 (Credentials to access device configuration were transmitted using an u ...) - TODO: check + NOT-FOR-US: Hughes Network Systems CVE-2024-40865 (The issue was addressed by suspending Persona when the virtual keyboar ...) TODO: check CVE-2024-39585 (Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 ...) 
@@ -777,7 +777,7 @@ CVE-2024-6473 (Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking CVE-2024-4629 (A vulnerability was found in Keycloak. This flaw allows attackers to b ...) NOT-FOR-US: Keycloak CVE-2024-4259 (Improper Privilege Management vulnerability in SAMPA\u015e Holding AKO ...) - TODO: check + NOT-FOR-US: SAMPAS Holding AKOS CVE-2024-45678 (Yubico YubiKey 5 Series devices with firmware before 5.7.0 and YubiHSM ...) NOT-FOR-US: YubiKeys CVE-2024-45588 (This vulnerability exists in Symphony XTS Web Trading platform version ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9853b55729ac9a3d563de5b52b0d41e832f7e0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d9853b55729ac9a3d563de5b52b0d41e832f7e0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
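Review bot: the "NOT-FOR-US: Hughes Network Systems" reason given for CVE-2024-42495 in the @@ -64,9 +64,9 @@ hunk names a vendor that the truncated description ("Credentials to access device configuration were transmitted using an u...") does not, so it relies on the full CVE text; fine, but CVE-2024-39278 ("Credentials to access device configuration information stored unencryp...", still "TODO: check" in the "Process two more NFUs" hunk further down this page) reads like the sibling advisory and should get the same classification in one pass. The "NOT-FOR-US: ckeditor-plugin-openlink CKEditor plugin" line for CVE-2024-45400 matches its description.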
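Review bot: style point on the @@ -777,7 +777,7 @@ hunk: the new "NOT-FOR-US: SAMPAS Holding AKOS" line transliterates the vendor name, while the description line keeps the original "SAMPA\u015e Holding AKO..." spelling. An ASCII form in the NFU reason is reasonable for grepping; just keep it consistent with any other entries for the same vendor.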
[Git][security-tracker-team/security-tracker][master] Add notes for CVE-2024-3647 hardening
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: b3e040f8 by Salvatore Bonaccorso at 2024-09-06T21:36:09+02:00 Add notes for CVE-2024-3647 hardening - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -24756,6 +24756,9 @@ CVE-2024-36472 (In GNOME Shell through 45.7, a portal helper can be launched aut [bullseye] - gnome-shell (Minor issue) [buster] - gnome-shell (Minor issue) NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/issues/7688 + NOTE: https://gitlab.gnome.org/GNOME/gnome-shell/-/commit/4ab1ccf3f21b754ce4be77becf5df46084a893d8 (47.beta) + NOTE: As hardening related to CVE-2024-36472, version gnome-shell/47~rc-3 disabled + NOTE: the portal helper popup window and uses the notification/browser method. CVE-2024-36110 (ansibleguy-webui is an open source WebUI for using Ansible. Multiple f ...) NOT-FOR-US: ansibleguy-webui CVE-2024-36109 (CoCalc is web-based software that enables collaboration in research, t ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3e040f8ba12bbb38736fd9b13677584946a4244 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b3e040f8ba12bbb38736fd9b13677584946a4244 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
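Review bot: the commit subject says "CVE-2024-3647" but the hunk annotates CVE-2024-36472; the subject appears to have lost a digit, which matters for anyone searching the tracker history by CVE id. On the hunk itself: the added NOTE states that gnome-shell/47~rc-3 disabled the portal helper popup window and uses the notification/browser method, and the new commit reference is tagged (47.beta); the two are consistent (47.beta precedes 47~rc), and the wording makes clear this is hardening rather than a fix, so the existing "[bullseye] - gnome-shell (Minor issue)" and "[buster] - gnome-shell (Minor issue)" tags are unaffected.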
[Git][security-tracker-team/security-tracker][master] Reference fix for CVE-2024-8250
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f888128b by Salvatore Bonaccorso at 2024-09-06T21:18:21+02:00 Reference fix for CVE-2024-8250 - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1534,6 +1534,7 @@ CVE-2024-8250 (NTLMSSP dissector crash in Wireshark 4.2.0 to 4.0.6 and 4.0.0 to [bookworm] - wireshark (Minor issue) NOTE: https://www.wireshark.org/security/wnpa-sec-2024-11.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19943 + NOTE: Fixed by: https://gitlab.com/wireshark/wireshark/-/commit/66dcd56f1eae615697b6588ac4778a61a5576391 (v4.3.1) CVE-2024-8198 (Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 ...) {DSA-5761-1} - chromium 128.0.6613.113-1 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f888128b91c207177c3cdfcf8c9e0a7be14445d4 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f888128b91c207177c3cdfcf8c9e0a7be14445d4 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
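Review bot: the new "NOTE: Fixed by:" line in the @@ -1534,6 +1534,7 @@ hunk points only at the commit tagged (v4.3.1), a development-tree version, while the description lists affected release ranges starting at 4.2.0 and 4.0.0. For the "[bookworm] - wireshark (Minor issue)" line to be actionable later, the fixed 4.2.x/4.0.x release numbers (or the backport commits) should also be recorded here if wnpa-sec-2024-11 lists them.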
[Git][security-tracker-team/security-tracker][master] Add commit references for golang issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 8fc528d2 by Salvatore Bonaccorso at 2024-09-06T21:08:35+02:00 Add commit references for golang issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -7,6 +7,8 @@ CVE-2024-34158 - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc NOTE: https://go.dev/issue/69141 + NOTE: https://github.com/golang/go/commit/032ac075c20c01c6c35a672d1542d3e98eab84ea (go1.23.1) + NOTE: https://github.com/golang/go/commit/d4c53812e6ce2ac368173d7fcd31d0ecfcffb002 (go1.22.7) CVE-2024-34156 - golang-1.23 - golang-1.22 @@ -16,6 +18,8 @@ CVE-2024-34156 - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc NOTE: https://go.dev/issue/69139 + NOTE: https://github.com/golang/go/commit/fa8ff1a46deb6c816304441ec6740ec112e19012 (go1.23.1) + NOTE: https://github.com/golang/go/commit/2092294f2b097c5828f4eace6c98a322c1510b01 (go1.22.7) CVE-2024-34155 - golang-1.23 - golang-1.22 
@@ -25,6 +29,8 @@ CVE-2024-34155 - golang-1.15 NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc NOTE: https://go.dev/issue/69138 + NOTE: https://github.com/golang/go/commit/53487e5477151ed75da50e50a0ba8f1ca64c00a3 (go1.23.1) + NOTE: https://github.com/golang/go/commit/b232596139dbe96a62edbe3a2a203e856bf556eb (go1.22.7) CVE-2023-52916 [media: aspeed: Fix memory overwrite if timing is 1600x900] - linux 6.6.8-1 NOTE: https://git.kernel.org/linus/c281355068bc258fd619c5aefd978595bede7bfe (6.6-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc528d216298e0d398a28b7fd66b202dcb8b189 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8fc528d216298e0d398a28b7fd66b202dcb8b189 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
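Review bot: in the @@ -7,6 +7,8 @@ hunk (and identically in the two hunks that follow for CVE-2024-34156 and CVE-2024-34155) the fix references are tagged only (go1.23.1) and (go1.22.7), yet each entry also lists golang-1.21, golang-1.19 and golang-1.15 as affected with no fixed version. Those three branches get no pointer to a fix from these commits, so they will stay open until someone records a backport or gives them a per-release tag; a NOTE saying that the only upstream fix commits referenced are on the 1.23 and 1.22 branches would make that explicit.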
[Git][security-tracker-team/security-tracker][master] Add new go issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 22aae87d by Salvatore Bonaccorso at 2024-09-06T11:46:22+02:00 Add new go issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,27 @@ +CVE-2024-34158 + - golang-1.23 + - golang-1.22 + - golang-1.21 + - golang-1.19 + - golang-1.15 + NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc + NOTE: https://go.dev/issue/69141 +CVE-2024-34156 + - golang-1.23 + - golang-1.22 + - golang-1.21 + - golang-1.19 + - golang-1.15 + NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc + NOTE: https://go.dev/issue/69139 +CVE-2024-34155 + - golang-1.23 + - golang-1.22 + - golang-1.21 + - golang-1.19 + - golang-1.15 + NOTE: https://groups.google.com/g/golang-announce/c/K-cEzDeCtpc + NOTE: https://go.dev/issue/69138 CVE-2023-52916 [media: aspeed: Fix memory overwrite if timing is 1600x900] - linux 6.6.8-1 NOTE: https://git.kernel.org/linus/c281355068bc258fd619c5aefd978595bede7bfe (6.6-rc1) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22aae87d75b5997fc1a3dfdbe6d7938ae7838126 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/22aae87d75b5997fc1a3dfdbe6d7938ae7838126 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
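Review bot: the three entries added in the @@ -1,3 +1,27 @@ hunk list golang-1.23 through golang-1.15 without a fixed version for any of them, so all five source packages show as open for each CVE; golang-1.23 and golang-1.22 in particular will need fixed versions once the releases announced on golang-announce reach the archive. The entries also have no parenthesised description, which the automatic update fills in from the CVE feed (as it did for CVE-2024-44082 further down this page), so that part is fine.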
[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 615cc0cb by Salvatore Bonaccorso at 2024-09-06T11:36:26+02:00 Merge Linux CVEs from kernel-sec - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -1,3 +1,11 @@ +CVE-2023-52916 [media: aspeed: Fix memory overwrite if timing is 1600x900] + - linux 6.6.8-1 + NOTE: https://git.kernel.org/linus/c281355068bc258fd619c5aefd978595bede7bfe (6.6-rc1) +CVE-2023-52915 [media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer] + - linux 6.5.6-1 + [bookworm] - linux 6.1.55-1 + [bullseye] - linux 5.10.197-1 + NOTE: https://git.kernel.org/linus/7bf744f2de0a848fb1d717f5831b03db96feae89 (6.6-rc1) CVE-2024-8480 (The Image Optimizer, Resizer and CDN \u2013 Sirv plugin for WordPress ...) NOT-FOR-US: WordPress plugin CVE-2024-8427 (The Frontend Post Submission Manager Lite \u2013 Frontend Posting Word ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/615cc0cb7221f4bc9f51caff95a2efb1961c7afb -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/615cc0cb7221f4bc9f51caff95a2efb1961c7afb You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
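Review bot: in the @@ -1,3 +1,11 @@ hunk, CVE-2023-52915 carries "[bookworm] - linux 6.1.55-1" and "[bullseye] - linux 5.10.197-1" lines, but CVE-2023-52916 has only "- linux 6.6.8-1" with no release tags, which leaves bookworm and bullseye implicitly open for it. If the aspeed fix (c281355068bc, 6.6-rc1) was not backported to the 6.1/5.10 stable series, the entry should say so with a status tag; if it was, the fixed stable versions belong here as they do for 52915.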
[Git][security-tracker-team/security-tracker][master] Process two more NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: c2452208 by Salvatore Bonaccorso at 2024-09-06T10:20:15+02:00 Process two more NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -25,11 +25,11 @@ CVE-2024-42495 (Credentials to access device configuration were transmitted usin CVE-2024-40865 (The issue was addressed by suspending Persona when the virtual keyboar ...) TODO: check CVE-2024-39585 (Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 ...) - TODO: check + NOT-FOR-US: Dell CVE-2024-39278 (Credentials to access device configuration information stored unencryp ...) TODO: check CVE-2024-38486 (Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 ...) - TODO: check + NOT-FOR-US: Dell CVE-2024-8473 (Cross-Site Scripting (XSS) vulnerability, whereby user-controlled inpu ...) NOT-FOR-US: Job Portal CVE-2024-8472 (Cross-Site Scripting (XSS) vulnerability, whereby user-controlled inpu ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2452208e93cc9f120537f33aed271dc7b82d282 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c2452208e93cc9f120537f33aed271dc7b82d282 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add CVE-2024-45751/tgt
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 9ee77e5f by Salvatore Bonaccorso at 2024-09-06T10:18:34+02:00 Add CVE-2024-45751/tgt - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -15,7 +15,9 @@ CVE-2024-7349 (The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quiz CVE-2024-6792 (The WP ULike WordPress plugin before 4.7.2.1 does not properly saniti ...) NOT-FOR-US: WordPress plugin CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achieve ent ...) - TODO: check + - tgt + NOTE: https://github.com/fujita/tgt/pull/67 + NOTE: https://github.com/fujita/tgt/commit/abd8e0d987ab56013d360077202bf2aca20a42dd (v1.0.93) CVE-2024-45400 (ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text ...) TODO: check CVE-2024-42495 (Credentials to access device configuration were transmitted using an u ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ee77e5f586d3c98cf349bef19842ff4205f0c28 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9ee77e5f586d3c98cf349bef19842ff4205f0c28 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
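Review bot: the "+ - tgt" line in the @@ -15,7 +15,9 @@ hunk has no fixed version and no "[bookworm]"/"[bullseye]" status, so the entry is open for every release. The description says "before 1.0.93" and the referenced commit is tagged (v1.0.93), so the Debian fixed version can be filled in once 1.0.93 is uploaded; the stable releases should then get an explicit assessment (fixed version or no-dsa/postponed tag) rather than being left implicit.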
[Git][security-tracker-team/security-tracker][master] Process some NFUs
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: e39afa59 by Salvatore Bonaccorso at 2024-09-06T10:16:17+02:00 Process some NFUs - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,19 +1,19 @@ CVE-2024-8480 (The Image Optimizer, Resizer and CDN \u2013 Sirv plugin for WordPress ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8427 (The Frontend Post Submission Manager Lite \u2013 Frontend Posting Word ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8317 (The WP AdCenter \u2013 Ad Manager & Adsense Ads plugin for WordPress i ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8292 (The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-8247 (The Newsletters plugin for WordPress is vulnerable to privilege escala ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7415 (The Remember Me Controls plugin for WordPress is vulnerable to Full Pa ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-7349 (The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes p ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-6792 (The WP ULike WordPress plugin before 4.7.2.1 does not properly saniti ...) - TODO: check + NOT-FOR-US: WordPress plugin CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achieve ent ...) TODO: check CVE-2024-45400 (ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e39afa59d4021a34c14e34a270e81cd6654a8aa8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e39afa59d4021a34c14e34a270e81cd6654a8aa8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 7cb106dc by security tracker role at 2024-09-06T08:11:52+00:00 automatic update - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = 
@@ -1,3 +1,33 @@ +CVE-2024-8480 (The Image Optimizer, Resizer and CDN \u2013 Sirv plugin for WordPress ...) + TODO: check +CVE-2024-8427 (The Frontend Post Submission Manager Lite \u2013 Frontend Posting Word ...) + TODO: check +CVE-2024-8317 (The WP AdCenter \u2013 Ad Manager & Adsense Ads plugin for WordPress i ...) + TODO: check +CVE-2024-8292 (The WP-Recall \u2013 Registration, Profile, Commerce & More plugin for ...) + TODO: check +CVE-2024-8247 (The Newsletters plugin for WordPress is vulnerable to privilege escala ...) + TODO: check +CVE-2024-7415 (The Remember Me Controls plugin for WordPress is vulnerable to Full Pa ...) + TODO: check +CVE-2024-7349 (The LifterLMS \u2013 WP LMS for eLearning, Online Courses, & Quizzes p ...) + TODO: check +CVE-2024-6792 (The WP ULike WordPress plugin before 4.7.2.1 does not properly saniti ...) + TODO: check +CVE-2024-45751 (tgt (aka Linux target framework) before 1.0.93 attempts to achieve ent ...) + TODO: check +CVE-2024-45400 (ckeditor-plugin-openlink is a plugin for the CKEditor JavaScript text ...) + TODO: check +CVE-2024-42495 (Credentials to access device configuration were transmitted using an u ...) + TODO: check +CVE-2024-40865 (The issue was addressed by suspending Persona when the virtual keyboar ...) + TODO: check +CVE-2024-39585 (Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 ...) + TODO: check +CVE-2024-39278 (Credentials to access device configuration information stored unencryp ...) + TODO: check +CVE-2024-38486 (Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 ...) + TODO: check CVE-2024-8473 (Cross-Site Scripting (XSS) vulnerability, whereby user-controlled inpu ...) NOT-FOR-US: Job Portal CVE-2024-8472 (Cross-Site Scripting (XSS) vulnerability, whereby user-controlled inpu ...) 
@@ -620,7 +650,7 @@ CVE-2024-20440 (A vulnerability in Cisco Smart Licensing Utility could allow an NOT-FOR-US: Cisco CVE-2024-20439 (A vulnerability in Cisco Smart Licensing Utility could allow an unauth ...) NOT-FOR-US: Cisco -CVE-2024-44082 +CVE-2024-44082 (In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13. ...) - ironic - ironic-python-agent NOTE: https://www.openwall.com/lists/oss-security/2024/09/04/4 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cb106dc616713ab9479349d54812c380a394e0d -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/7cb106dc616713ab9479349d54812c380a394e0d You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
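Review bot: in the @@ -1,3 +1,33 @@ hunk, CVE-2024-42495 ("Credentials to access device configuration were transmitted using an u...") and CVE-2024-39278 ("Credentials to access device configuration information stored unencryp...") arrive as a pair with matching wording, and CVE-2024-39585 and CVE-2024-38486 both name Dell SmartFabric OS10 with the same version range; processing each pair in one pass keeps their classifications consistent. The rest of the added entries are plain "TODO: check" placeholders as expected from the automatic import.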
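Review bot: the @@ -620,7 +650,7 @@ hunk replaces the bare "CVE-2024-44082" header with the description "In OpenStack Ironic before 26.0.1 and ironic-python-agent before 9.13. ...", which gives upstream fixed versions for both components; the "- ironic" and "- ironic-python-agent" lines beneath it still carry no Debian fixed version, so the entry needs versions (or per-release tags) in a follow-up, with the oss-security post already referenced as the source.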
[Git][security-tracker-team/security-tracker][master] Add fixed version for CVE-2024-8418/aardvark-dns via unstable
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: f590a3a2 by Salvatore Bonaccorso at 2024-09-06T06:26:44+02:00 Add fixed version for CVE-2024-8418/aardvark-dns via unstable - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -147,7 +147,7 @@ CVE-2024-20505 (A vulnerability in the PDF parsing module of Clam AntiVirus (Cla [bookworm] - clamav (clamav is updated via -updates) NOTE: https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html CVE-2024-8418 (A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They cont ...) - - aardvark-dns (bug #1080964) + - aardvark-dns 1.12.2-1 (bug #1080964) NOTE: https://github.com/containers/aardvark-dns/issues/500 NOTE: https://github.com/containers/aardvark-dns/pull/503 NOTE: https://github.com/containers/aardvark-dns/commit/6d76c50978755b8162d176ec7eea0e09f8d57a42 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f590a3a2f29bdac563775e714ec0c3c02900ad8b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/f590a3a2f29bdac563775e714ec0c3c02900ad8b You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
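Review bot: the @@ -147,7 +147,7 @@ hunk records "- aardvark-dns 1.12.2-1 (bug #1080964)" for unstable, but the entry still has no "[bookworm]" line; since the description limits the flaw to "versions 1.12.0 and 1.12.1", bookworm should be marked either not-affected (if its aardvark-dns predates 1.12.0) or with its own fixed version, otherwise it stays implicitly open. The three upstream references (issue 500, PR 503 and the fix commit) are already in place.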
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for CVE-2024-8418/aardvark-dns
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 4e79e1e0 by Salvatore Bonaccorso at 2024-09-06T00:16:00+02:00 Add Debian bug reference for CVE-2024-8418/aardvark-dns - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -147,7 +147,7 @@ CVE-2024-20505 (A vulnerability in the PDF parsing module of Clam AntiVirus (Cla [bookworm] - clamav (clamav is updated via -updates) NOTE: https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html CVE-2024-8418 (A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They cont ...) - - aardvark-dns + - aardvark-dns (bug #1080964) NOTE: https://github.com/containers/aardvark-dns/issues/500 NOTE: https://github.com/containers/aardvark-dns/pull/503 NOTE: https://github.com/containers/aardvark-dns/commit/6d76c50978755b8162d176ec7eea0e09f8d57a42 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e79e1e008edeee8def580d530980870ff0fbcda -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/4e79e1e008edeee8def580d530980870ff0fbcda You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
[Git][security-tracker-team/security-tracker][master] Add Debian bug reference for clamav issues
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker Commits: 5bf0be48 by Salvatore Bonaccorso at 2024-09-06T00:13:06+02:00 Add Debian bug reference for clamav issues - - - - - 1 changed file: - data/CVE/list Changes: = data/CVE/list = @@ -139,11 +139,11 @@ CVE-2024-32668 (An insufficient boundary validation in the USB code could lead t CVE-2024-2166 (Improper Neutralization of Input During Web Page Generation ('Cross-si ...) NOT-FOR-US: Forcepoint Email Security CVE-2024-20506 (A vulnerability in the ClamD service module of Clam AntiVirus (ClamAV) ...) - - clamav + - clamav (bug #1080962) [bookworm] - clamav (clamav is updated via -updates) NOTE: https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html CVE-2024-20505 (A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV) v ...) - - clamav + - clamav (bug #1080962) [bookworm] - clamav (clamav is updated via -updates) NOTE: https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html CVE-2024-8418 (A flaw was found in Aardvark-dns versions 1.12.0 and 1.12.1. They cont ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bf0be480947efaa9c063114a0a2e9b092a1b1c8 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5bf0be480947efaa9c063114a0a2e9b092a1b1c8 You're receiving this email because of your account on salsa.debian.org. ___ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
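Review bot: both changes in the @@ -139,11 +139,11 @@ hunk attach the same "(bug #1080962)" to CVE-2024-20506 and CVE-2024-20505, which is consistent with the single clamav blog post covering both; the "- clamav" lines still lack a fixed version for unstable, and the "[bookworm] - clamav (clamav is updated via -updates)" line means bookworm will need its own version recorded once the -updates upload happens.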