Bug#1059313: libxml-security-java: CVE-2023-44483

2023-12-22 Thread Moritz Mühlenhoff
Source: libxml-security-java X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for libxml-security-java. CVE-2023-44483[0]: | All versions of Apache Santuario - XML Security for Java prior to | 2.2.6, 2.3.4, and 3.0.3, when us

Bug#1059315: tinyxml: CVE-2023-34194 CVE-2023-40462 CVE-2023-40458

2023-12-22 Thread Moritz Mühlenhoff
Source: tinyxml X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, https://www.forescout.com/resources/sierra21-vulnerabilities mentions three security issues in Tinyxml: CVE-2023-34194[0]: | StringEqual in TiXmlDeclaration::Parse in tinyxmlparser.cpp in | TinyXML throu

Bug#1059316: epics-base: CVE-2023-33460

2023-12-22 Thread Moritz Mühlenhoff
Source: epics-base X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for yajl, which is embedded by epics-base: CVE-2023-33460[0]: | There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse | function. which will cause out

Bug#1059317: r-cran-jsonlite: CVE-2023-33460

2023-12-22 Thread Moritz Mühlenhoff
Source: r-cran-jsonlite X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for yajl, which is embedded by r-cran-jsonlite: CVE-2023-33460[0]: | There's a memory leak in yajl 2.1.0 with use of yajl_tree_parse | function. which will

Bug#1059318: libitext-java: CVE-2021-37819

2023-12-22 Thread Moritz Mühlenhoff
Source: libitext-java X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for PdfReader, which is embedded by libitext-java. CVE-2021-37819[0]: | PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite | loop via the compo

Bug#1059319: libitext1-java: CVE-2021-37819

2023-12-22 Thread Moritz Mühlenhoff
Source: libitext1-java X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for PdfReader, which is embedded in libitext1-java. CVE-2021-37819[0]: | PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite | loop via the com

Bug#1059320: libitext5-java: CVE-2021-37819

2023-12-22 Thread Moritz Mühlenhoff
Source: libitext5-java X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for PdfReader, which is embedded in libitext5-java. CVE-2021-37819[0]: | PDF Labs pdftk-java v3.2.3 was discovered to contain an infinite | loop via the com

Bug#1059322: zfs-linux: CVE-2013-20001

2023-12-22 Thread Moritz Mühlenhoff
Source: zfs-linux X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for zfs-linux. CVE-2013-20001[0]: | An issue was discovered in OpenZFS through 2.0.3. When an NFS share | is exported to IPv6 addresses via the sharenfs featu

Bug#1059367: clickhouse: CVE-2023-48704

2023-12-23 Thread Moritz Mühlenhoff
Source: clickhouse X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for clickhouse. CVE-2023-48704[0]: | ClickHouse is an open-source column-oriented database management | system that allows generating analytical data reports

Bug#1039990: [Pkg-javascript-devel] Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-12-27 Thread Moritz Mühlenhoff
[ Also adding Paul Gevers for awareness, for context we're bumping nodejs in Bookworm to the latest 18.x security/LTS release ] On Wed, Dec 27, 2023 at 03:03:20PM +0100 Jérémy Lal wrote: > I don't think so, there are all either node-undici-related, or just test > suites regressions. > Here are

Bug#1039990: [Pkg-javascript-devel] Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-12-27 Thread Moritz Mühlenhoff
Am Wed, Dec 27, 2023 at 05:18:52PM +0100 schrieb Jérémy Lal: > Le mer. 27 déc. 2023 à 17:16, Moritz Mühlenhoff a écrit : > > > [ Also adding Paul Gevers for awareness, for context we're bumping nodejs > > in Bookworm to the latest 18.x security/LTS release ] > > &

Bug#1067177: black: CVE-2024-21503

2024-03-19 Thread Moritz Mühlenhoff
Source: black X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for black. CVE-2024-21503[0]: | Versions of the package black before 24.3.0 are vulnerable to | Regular Expression Denial of Service (ReDoS) via the | lines_with_

Bug#1067178: clickhouse: CVE-2024-22412

2024-03-19 Thread Moritz Mühlenhoff
Source: clickhouse X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for clickhouse. CVE-2024-22412[0]: | ClickHouse is an open-source column-oriented database management | system. A bug exists in the cloud ClickHouse offering

Bug#1067179: ldap-account-manager: CVE-2024-23333

2024-03-19 Thread Moritz Mühlenhoff
Source: ldap-account-manager X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for ldap-account-manager. CVE-2024-23333[0]: | LDAP Account Manager (LAM) is a webfrontend for managing entries | stored in an LDAP directory. LAM'

Bug#1067180: fastdds: CVE-2024-26369

2024-03-19 Thread Moritz Mühlenhoff
Source: fastdds X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for fastdds. CVE-2024-26369[0]: | An issue in the HistoryQosPolicy component of FastDDS v2.12.x, | v2.11.x, v2.10.x, and v2.6.x leads to a SIGABRT (signal abort

Bug#1067456: erlang-jose: CVE-2023-50966

2024-03-21 Thread Moritz Mühlenhoff
Source: erlang-jose X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for erlang-jose. CVE-2023-50966[0]: | erlang-jose (aka JOSE for Erlang and Elixir) through 1.11.6 allow | attackers to cause a denial of service (CPU consum

Bug#1067457: jose: CVE-2023-50967

2024-03-21 Thread Moritz Mühlenhoff
Source: jose X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for jose. CVE-2023-50967[0]: | latchset jose through version 11 allows attackers to cause a denial | of service (CPU consumption) via a large p2c (aka PBES2 Count)

Bug#1060407: gtkwave update for {bookworm,bullseye,buster}-security

2024-03-31 Thread Moritz Mühlenhoff
Hi Adrian, > attached are proposed debdiffs for updating gtkwave to 3.3.118 in > {bookworm,bullseye,buster}-security for review for a DSA > (and as preview for buster). Thanks! > General notes: > > I checked a handful CVEs, and they were also present in buster. > If anyone insists that I check

Bug#1068144: slang2: CVE-2023-45927 CVE-2023-45929

2024-03-31 Thread Moritz Mühlenhoff
Source: slang2 X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerabilities were published for slang2. From my perspective they have no real security impact, but we can still treat/fix them as regular bugs: CVE-2023-45927[0]: | S-Lang 2.3.2 was discove

Bug#1068346: node-express: CVE-2024-29041

2024-04-03 Thread Moritz Mühlenhoff
Source: node-express X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for node-express. CVE-2024-29041[0]: | Express.js minimalist web framework for node. Versions of Express.js | prior to 4.19.0 and all pre-release alpha and

Bug#1068347: nodejs: CVE-2024-27983 CVE-2024-27982

2024-04-03 Thread Moritz Mühlenhoff
Source: nodejs X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for nodejs. CVE-2024-27983[0]: https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/ CVE-2024-27982[1]: https://nodejs.org/en/blog/vulnerability

Bug#1068412: apache2: CVE-2024-27316 CVE-2024-24795 CVE-2023-38709

2024-04-04 Thread Moritz Mühlenhoff
Source: apache2 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for apache2. CVE-2024-27316[0]: https://www.kb.cert.org/vuls/id/421644 https://www.openwall.com/lists/oss-security/2024/04/04/4 CVE-2024-24795[1]: https://www.o

Bug#1068452: request-tracker4: CVE-2024-3262

2024-04-05 Thread Moritz Mühlenhoff
Source: request-tracker4 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for request-tracker4. CVE-2024-3262[0]: | Information exposure vulnerability in RT software affecting version | 4.4.1. This vulnerability allows an attacke

Bug#1068453: request-tracker5: CVE-2024-3262

2024-04-05 Thread Moritz Mühlenhoff
Source: request-tracker5 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for request-tracker5. CVE-2024-3262[0]: | Information exposure vulnerability in RT software affecting version | 4.4.1. This vulnerability allows an attacke

Bug#1068454: qt6-base: CVE-2024-30161

2024-04-05 Thread Moritz Mühlenhoff
Source: qt6-base X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for qt6-base. CVE-2024-30161[0]: | In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may | access QNetworkReply header data via a dangling pointer.

Bug#1068457: azure-uamqp-python: CVE-2024-29195

2024-04-05 Thread Moritz Mühlenhoff
Source: azure-uamqp-python X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for azure-uamqp-python. CVE-2024-29195[0]: | The azure-c-shared-utility is a C library for AMQP/MQTT | communication to Azure Cloud Services. This librar

Bug#1068455: varnish: CVE-2024-30156

2024-04-05 Thread Moritz Mühlenhoff
Source: varnish X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for varnish. CVE-2024-30156[0]: | Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 | LTS), and Varnish Enterprise 6 before 6.0.12r6, allows

Bug#1068459: murano: CVE-2024-29156

2024-04-05 Thread Moritz Mühlenhoff
Source: murano X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for murano. CVE-2024-29156[0]: | In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, | the Murano service's MuranoPL extension to the YAQL langua

Bug#1068460: docker.io: CVE-2024-29018

2024-04-05 Thread Moritz Mühlenhoff
Source: docker.io X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for docker.io. CVE-2024-29018[0]: | Moby is an open source container framework that is a key component | of Docker Engine, Docker Desktop, and other distribut

Bug#1068461: freeimage: CVE-2024-28562 CVE-2024-28563 CVE-2024-28564 CVE-2024-28565 CVE-2024-28566 CVE-2024-28567 CVE-2024-28568 CVE-2024-28569 CVE-2024-28570 CVE-2024-28571 CVE-2024-28572 CVE-2024-28

2024-04-05 Thread Moritz Mühlenhoff
Source: freeimage X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for freeimage. They are all only published at https://github.com/Ruanxingzhi/vul-report/tree/master/freeimage-r1909 and don't appear to be forwarded upstre

Bug#1068462: gpac: CVE-2024-28318 CVE-2024-28319 CVE-2023-46426 CVE-2023-46427 CVE-2024-24265 CVE-2024-24266 CVE-2024-24267

2024-04-05 Thread Moritz Mühlenhoff
Source: gpac X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for gpac. CVE-2024-28318[0]: | gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain a | out of boundary write vulnerability via swf_get_string at | scene

Bug#1070860: musescore3: CVE-2023-44428

2024-05-12 Thread Moritz Mühlenhoff
Am Fri, May 10, 2024 at 06:39:20PM + schrieb Thorsten Glaser: > This is a bit like the limited security support for binutils, > I suppose. Could/should we document that in the same places? Sure thing, this sounds similar to what was done for Lilypond, best to simply ship a similar README.Debia

Bug#1071627: ruby3.2: CVE-2024-35176

2024-05-22 Thread Moritz Mühlenhoff
Source: ruby3.2 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for ruby3.2. CVE-2024-35176[0]: | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a | denial of service vulnerability when it parses an XML tha

Bug#1071626: ruby3.1: CVE-2024-35176

2024-05-22 Thread Moritz Mühlenhoff
Source: ruby3.1 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for ruby3.1. CVE-2024-35176[0]: | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a | denial of service vulnerability when it parses an XML tha

Bug#1071628: python-pymysql: CVE-2024-36039

2024-05-22 Thread Moritz Mühlenhoff
Source: python-pymysql X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for python-pymysql. We should also fix this in a DSA, could you prepare debdiffs for bookworm-security and bullseye-security? CVE-2024-36039[0]: | PyMySQL t

Bug#1071630: maxima: CVE-2024-34490

2024-05-22 Thread Moritz Mühlenhoff
Source: maxima X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for maxima. CVE-2024-34490[0]: | In Maxima through 5.47.0 before 51704c, the plotting facilities make | use of predictable names under /tmp. Thus, the contents m

Bug#1071631: node-micromatch: CVE-2024-4067

2024-05-22 Thread Moritz Mühlenhoff
Source: node-micromatch X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for node-micromatch. CVE-2024-4067[0]: | The NPM package `micromatch` is vulnerable to Regular Expression | Denial of Service (ReDoS). The vulnerability

Bug#1071632: node-braces: CVE-2024-4068

2024-05-22 Thread Moritz Mühlenhoff
Source: node-braces X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for node-braces. CVE-2024-4068[0]: | The NPM package `braces`, versions prior to 3.0.3, fails to limit | the number of characters it can handle, which could

Bug#1071633: libmodbus: CVE-2024-34244

2024-05-22 Thread Moritz Mühlenhoff
Source: libmodbus X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for libmodbus. CVE-2024-34244[0]: | libmodbus v3.1.10 is vulnerable to Buffer Overflow via the | modbus_write_bits function. This issue can be triggered when

Bug#1053004: CVE-2019-10784 and CVE-2023-40619

2024-05-22 Thread Moritz Mühlenhoff
Am Wed, Mar 06, 2024 at 06:39:01AM -0300 schrieb Leandro Cunha: > Hi Christoph Berg, > > On Wed, Mar 6, 2024 at 5:42 AM Christoph Berg wrote: > > > > Re: Leandro Cunha > > > The > > > next job would be to make it available through backports and I would > > > choose to remove this package from sta

Bug#1071742: cjson: CVE-2024-31755

2024-05-24 Thread Moritz Mühlenhoff
Source: cjson X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for cjson. CVE-2024-31755[0]: | cJSON v1.7.17 was discovered to contain a segmentation violation, | which can trigger through the second parameter of function | c

Bug#1071743: lief: CVE-2024-31636

2024-05-24 Thread Moritz Mühlenhoff
Source: lief X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for lief. CVE-2024-31636[0]: | An issue in LIEF v.0.14.1 allows a local attacker to obtain | sensitive information via the name parameter of the machd_reader.c | c

Bug#1071745: docker.io: CVE-2024-24557

2024-05-24 Thread Moritz Mühlenhoff
Source: docker.io X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for docker.io. CVE-2024-24557[0]: | Moby is an open-source project created by Docker to enable software | containerization. The classic builder cache system i

Bug#1071746: clojure: CVE-2024-22871

2024-05-24 Thread Moritz Mühlenhoff
Source: clojure X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for clojure. CVE-2024-22871[0]: | An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an | attacker to cause a denial of service (DoS) via the | clojure.c

Bug#1071747: bpfcc: CVE-2024-2314

2024-05-24 Thread Moritz Mühlenhoff
Source: bpfcc X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for bpfcc. CVE-2024-2314[0]: | If kernel headers need to be extracted, bcc will attempt to load | them from a temporary directory. An unprivileged attacker could

Bug#1071748: bpftrace: CVE-2024-2313

2024-05-24 Thread Moritz Mühlenhoff
Source: bpftrace X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for bpftrace. CVE-2024-2313[0]: | If kernel headers need to be extracted, bpftrace will attempt to | load them from a temporary directory. An unprivileged atta

Bug#1071750: dnsdist: CVE-2024-25581

2024-05-24 Thread Moritz Mühlenhoff
Source: dnsdist X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for dnsdist. CVE-2024-25581[0]: | When incoming DNS over HTTPS support is enabled using the nghttp2 | provider, and queries are routed to a tcp-only or DNS over

Bug#1071751: iperf3: CVE-2024-26306

2024-05-24 Thread Moritz Mühlenhoff
Source: iperf3 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for iperf3. CVE-2024-26306[0]: | iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server | with RSA authentication, allows a timing side channel in R

Bug#1072118: liboqs: CVE-2024-31510

2024-05-28 Thread Moritz Mühlenhoff
Source: liboqs X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for liboqs. CVE-2024-31510[0]: | An issue in Open Quantum Safe liboqs v.10.0 allows a remote attacker | to escalate privileges via the crypto_sign_signature para

Bug#1072119: python-aiosmtpd: CVE-2024-34083

2024-05-28 Thread Moritz Mühlenhoff
Source: python-aiosmtpd X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for python-aiosmtpd. CVE-2024-34083[0]: | aiosmptd is a reimplementation of the Python stdlib smtpd.py based | on asyncio. Prior to version 1.4.6, servers

Bug#1072120: zabbix: CVE-2024-22120

2024-05-28 Thread Moritz Mühlenhoff
Source: zabbix X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for zabbix. CVE-2024-22120[0]: | Zabbix server can perform command execution for configured scripts. | After command is executed, audit entry is added to "Audit Log"

Bug#1072121: node-ip: CVE-2024-29415

2024-05-28 Thread Moritz Mühlenhoff
Source: node-ip X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for node-ip. CVE-2024-29415[0]: | The ip package through 2.0.1 for Node.js might allow SSRF because | some IP addresses (such as 127.1, 01200034567, 012.1.2.3,

Bug#1072123: jayway-jsonpath: CVE-2023-51074

2024-05-28 Thread Moritz Mühlenhoff
Source: jayway-jsonpath X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for jayway-jsonpath. CVE-2023-51074[0]: | json-path v2.8.0 was discovered to contain a stack overflow via the | Criteria.parse() method. https://github

Bug#1072124: gnome-shell: CVE-2024-36472

2024-05-28 Thread Moritz Mühlenhoff
Source: gnome-shell X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for gnome-shell. CVE-2024-36472[0]: | In GNOME Shell through 45.7, a portal helper can be launched | automatically (without user confirmation) based on network

Bug#1070377: frr: CVE-2024-34088

2024-05-28 Thread Moritz Mühlenhoff
Am Sat, May 04, 2024 at 06:00:24PM +0200 schrieb Moritz Mühlenhoff: > Source: frr > X-Debbugs-CC: t...@security.debian.org > Severity: important > Tags: security > > Hi, > > The following vulnerability was published for frr. > > CVE-2024-34088[0]: > | In F

Bug#1072125: frr: CVE-2024-31949

2024-05-28 Thread Moritz Mühlenhoff
Source: frr X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for frr. CVE-2024-31949[0]: | In FRRouting (FRR) through 9.1, an infinite loop can occur when | receiving a MP/GR capability as a dynamic capability because | malfo

Bug#1072126: frr: CVE-2024-31948

2024-05-28 Thread Moritz Mühlenhoff
Source: frr X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for frr. CVE-2024-31948[0]: | In FRRouting (FRR) through 9.1, an attacker using a malformed Prefix | SID attribute in a BGP UPDATE packet can cause the bgpd daemon to |

Bug#1069762: pdns-recursor: CVE-2024-25583

2024-04-24 Thread Moritz Mühlenhoff
Source: pdns-recursor X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for pdns-recursor. CVE-2024-25583[0]: PowerDNS Security Advisory 2024-02: if recursive forwarding is configured, crafted responses can lead to a denial of ser

Bug#1069763: matrix-synapse: CVE-2024-31208

2024-04-24 Thread Moritz Mühlenhoff
Source: matrix-synapse X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for matrix-synapse. CVE-2024-31208[0]: | Synapse is an open-source Matrix homeserver. A remote Matrix user | with malicious intent, sharing a room with Synap

Bug#1069764: python-flask-cors: CVE-2024-1681

2024-04-24 Thread Moritz Mühlenhoff
Source: python-flask-cors X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for python-flask-cors. CVE-2024-1681[0]: | corydolphin/flask-cors is vulnerable to log injection when the log | level is set to debug. An attacker can

Bug#1070370: dmitry: CVE-2017-7938 CVE-2020-14931 CVE-2024-31837

2024-05-04 Thread Moritz Mühlenhoff
Source: dmitry X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for dmitry. CVE-2017-7938[0]: | Stack-based buffer overflow in DMitry (Deepmagic Information | Gathering Tool) version 1.3a (Unix) allows attackers to cause a

Bug#1070371: ofono: CVE-2023-4232 CVE-2023-4233 CVE-2023-4234 CVE-2023-4235

2024-05-04 Thread Moritz Mühlenhoff
Source: ofono X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for ofono. It's not clear whether they were actually reported upstream or only submitted to Red Hat Bugzilla: CVE-2023-4232[0]: | A flaw was found in ofono, a

Bug#1070372: tqdm: CVE-2024-34062

2024-05-04 Thread Moritz Mühlenhoff
Source: tqdm X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for tqdm. CVE-2024-34062[0]: | tqdm is an open source progress bar for Python and CLI. Any optional | non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, | `-

Bug#1070374: social-auth-app-django: CVE-2024-32879

2024-05-04 Thread Moritz Mühlenhoff
Source: social-auth-app-django X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for social-auth-app-django. CVE-2024-32879[0]: | Python Social Auth is a social authentication/registration | mechanism. Prior to version 5.4.1,

Bug#1070373: quickjs: CVE-2024-33263

2024-05-04 Thread Moritz Mühlenhoff
Source: quickjs X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for quickjs. CVE-2024-33263[0]: | QuickJS commit 3b45d15 was discovered to contain an Assertion | Failure via JS_FreeRuntime(JSRuntime *) at quickjs.c. https:/

Bug#1070375: python-jose: CVE-2024-33663 CVE-2024-33664

2024-05-04 Thread Moritz Mühlenhoff
Source: python-jose X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for python-jose. CVE-2024-33663[0]: | python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA | keys and other key formats. This is similar

Bug#1070376: uriparser: CVE-2024-34402 CVE-2024-34403

2024-05-04 Thread Moritz Mühlenhoff
Source: uriparser X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for uriparser. CVE-2024-34402[0]: | An issue was discovered in uriparser through 0.9.7. | ComposeQueryEngine in UriQuery.c has an integer overflow via long

Bug#1070377: frr: CVE-2024-34088

2024-05-04 Thread Moritz Mühlenhoff
Source: frr X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for frr. CVE-2024-34088[0]: | In FRRouting (FRR) through 9.1, it is possible for the get_edge() | function in ospf_te.c in the OSPF daemon to return a NULL pointer.

Bug#1070378: docker.io: CVE-2024-32473

2024-05-04 Thread Moritz Mühlenhoff
Source: docker.io X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for docker.io. CVE-2024-32473[0]: | Moby is an open source container framework that is a key component | of Docker Engine, Docker Desktop, and other distribut

Bug#1070379: pytorch: CVE-2024-31580 CVE-2024-31583 CVE-2024-31584

2024-05-04 Thread Moritz Mühlenhoff
Source: pytorch X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for pytorch. CVE-2024-31580[0]: | PyTorch before v2.2.0 was discovered to contain a heap buffer | overflow vulnerability in the component | /runtime/vararg_f

Bug#1070380: llvm-toolchain-18: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-18 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for llvm-toolchain-18. CVE-2024-31852[0]: | LLVM before 18.1.3 generates code in which the LR register can be | overwritten without data being saved t

Bug#1070381: llvm-toolchain-17: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-17 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for llvm-toolchain-17. CVE-2024-31852[0]: | LLVM before 18.1.3 generates code in which the LR register can be | overwritten without data being saved t

Bug#1070382: llvm-toolchain-16: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-16 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for llvm-toolchain-16. CVE-2024-31852[0]: | LLVM before 18.1.3 generates code in which the LR register can be | overwritten without data being saved t

Bug#1070383: llvm-toolchain-15: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-15 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for llvm-toolchain-15. CVE-2024-31852[0]: | LLVM before 18.1.3 generates code in which the LR register can be | overwritten without data being saved t

Bug#1070384: llvm-toolchain-14: CVE-2024-31852

2024-05-04 Thread Moritz Mühlenhoff
Source: llvm-toolchain-14 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for llvm-toolchain-14. CVE-2024-31852[0]: | LLVM before 18.1.3 generates code in which the LR register can be | overwritten without data being saved t

Bug#1070387: gdcm: CVE-2024-25569 CVE-2024-22373 CVE-2024-22391

2024-05-04 Thread Moritz Mühlenhoff
Source: gdcm X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for gdcm. These are fixed in 3.0.24: CVE-2024-25569[0]: | An out-of-bounds read vulnerability exists in the | RAWCodec::DecodeBytes functionality of Mathieu Malate

Bug#1070388: jupyterhub: CVE-2024-28233

2024-05-04 Thread Moritz Mühlenhoff
Source: jupyterhub X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for jupyterhub. CVE-2024-28233[0]: | JupyterHub is an open source multi-user server for Jupyter | notebooks. By tricking a user into visiting a malicious subdoma

Bug#1070390: opendmarc: CVE-2024-25768

2024-05-04 Thread Moritz Mühlenhoff
Source: opendmarc X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerability was published for opendmarc. It's unclear whether this is actually a security issue, it doesn't appear to have been reported upstream... CVE-2024-25768[0]: | OpenDMARC 1.4.2 c

Bug#1070393: gobgp: CVE-2023-46565

2024-05-04 Thread Moritz Mühlenhoff
Source: gobgp X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for gobgp. CVE-2023-46565[0]: | Buffer Overflow vulnerability in osrg gobgp commit | 419c50dfac578daa4d11256904d0dc182f1a9b22 allows a remote attacker to | cause

Bug#1070392: exiv2: CVE-2024-24826 CVE-2024-25112

2024-05-04 Thread Moritz Mühlenhoff
Source: exiv2 X-Debbugs-CC: t...@security.debian.org Severity: normal Tags: security Hi, The following vulnerabilities were published for exiv2. The advisories are a little misleading, they mention it as new in v0.28.0, but that only applies to the "main" branch, where it was removed and later r

Bug#1070394: libstb: CVE-2023-47212

2024-05-04 Thread Moritz Mühlenhoff
Source: libstb X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for libstb. CVE-2023-47212[0]: | A heap-based buffer overflow vulnerability exists in the comment | functionality of stb _vorbis.c v1.22. A specially crafted .og

Bug#1070395: tinyproxy: CVE-2023-40533 CVE-2023-49606

2024-05-04 Thread Moritz Mühlenhoff
Source: tinyproxy X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for tinyproxy. CVE-2023-40533[0]: | An uninitialized memory use vulnerability exists in Tinyproxy 1.11.1 | while parsing HTTP requests. In certain configuratio

Bug#1070858: golang-github-opencontainers-go-digest: CVE-2024-3727

2024-05-10 Thread Moritz Mühlenhoff
Source: golang-github-opencontainers-go-digest X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for golang-github-opencontainers-go-digest. CVE-2024-3727[0]: | A flaw was found in the github.com/containers/image library. Thi

Bug#1070859: npgsql: CVE-2024-32655

2024-05-10 Thread Moritz Mühlenhoff
Source: npgsql X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for npgsql. CVE-2024-32655[0]: | Npgsql is the .NET data provider for PostgreSQL. The `WriteBind()` | method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages

Bug#1070860: musescore3: CVE-2023-44428

2024-05-10 Thread Moritz Mühlenhoff
Source: musescore3 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for musescore3. CVE-2023-44428[0]: | MuseScore CAP File Parsing Heap-based Buffer Overflow Remote Code | Execution Vulnerability. This vulnerability allows r

Bug#1070861: hdf5: CVE-2024-33877 CVE-2024-33876 CVE-2024-33875 CVE-2024-33874 CVE-2024-33873 CVE-2024-32624 CVE-2024-32623 CVE-2024-32622 CVE-2024-32621 CVE-2024-32620 CVE-2024-32619 CVE-2024-32618 C

2024-05-10 Thread Moritz Mühlenhoff
Source: hdf5 X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for hdf5: https://www.hdfgroup.org/2024/05/new-hdf5-cve-issues-fixed-in-1-14-4/ CVE-2024-33877[0]: | HDF5 Library through 1.14.3 has a heap-based buffer overflo

Bug#1068629: testng7 backport for bullseye needed for latest Java LTS releases

2024-04-11 Thread Moritz Mühlenhoff
Am Tue, Apr 09, 2024 at 02:02:13PM +1200 schrieb Vladimir Petko: > Hi, > > I have realized that I have not submitted the bug report for this > issue, so the decision to try vendoring dependencies for JTREG is not > visible anywhere. > > Starting from the April OpenJDK release, JTREG 7.3 will be u

Bug#1068815: undertow: CVE-2023-1973

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for undertow. CVE-2023-1973[0]: The only reference is at Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=2185662 If you fix the vulnerability please al

Bug#1068816: undertow: CVE-2024-1459

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for undertow. CVE-2024-1459[0]: | A path traversal vulnerability was found in Undertow. This issue may | allow a remote attacker to append a specially-crafted sequ

Bug#1068817: undertow: CVE-2024-1635

2024-04-11 Thread Moritz Mühlenhoff
Source: undertow X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for undertow. CVE-2024-1635[0]: | A vulnerability was found in Undertow. This vulnerability impacts a | server that supports the wildfly-http-client protocol.

Bug#1068818: sngrep: CVE-2024-3119 CVE-2024-3120

2024-04-11 Thread Moritz Mühlenhoff
Source: sngrep X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for sngrep. CVE-2024-3119[0]: | A buffer overflow vulnerability exists in all versions of sngrep | since v0.4.2, due to improper handling of 'Call-ID' and 'X-Call

Bug#1068819: qemu: CVE-2024-26327 CVE-2024-26328

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerabilities were published for qemu. CVE-2024-26327[0]: | An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in | hw/pci/pcie_sriov.c mishandles the situation where a guest

Bug#1068820: qemu: CVE-2024-3446

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for qemu. CVE-2024-3446[0]: | A double free vulnerability was found in QEMU virtio devices | (virtio-gpu, virtio-serial-bus, virtio-crypto), where the | mem_reentr

Bug#1068821: qemu: CVE-2024-3447

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for qemu. CVE-2024-3447[0]: https://patchew.org/QEMU/20240404085549.16987-1-phi...@linaro.org/ https://patchew.org/QEMU/20240409145524.27913-1-phi...@linaro.org/

Bug#1068822: qemu: CVE-2024-3567

2024-04-11 Thread Moritz Mühlenhoff
Source: qemu X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security Hi, The following vulnerability was published for qemu. CVE-2024-3567[0]: | A flaw was found in QEMU. An assertion failure was present in the | update_sctp_checksum() function in hw/net/net_tx_pkt.c when tryin

Bug#1068694: bullseye-pu: package json-smart/2.2-2+deb11u1

2024-04-13 Thread Moritz Mühlenhoff
Am Tue, Apr 09, 2024 at 10:01:11AM +0200 schrieb Andreas Beckmann: > Package: release.debian.org > Severity: normal > Tags: bullseye > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: Bastien Roucariès > Control: affects -1 + src:json-smart > Control: block 1039985 with

Bug#1069189: mysql-8.0: CVE-2024-21102 CVE-2024-21096 CVE-2024-21087 CVE-2024-21069 CVE-2024-21062 CVE-2024-21060 CVE-2024-21054 CVE-2024-21047 CVE-2024-21013 CVE-2024-21009 CVE-2024-21008 CVE-2024-21

2024-04-17 Thread Moritz Mühlenhoff
Source: mysql-8.0 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for mysql-8.0. CVE-2024-21102[0]: | Vulnerability in the MySQL Server product of Oracle MySQL | (component: Server: Thread Pooling). Supported versions that a

Bug#1069677: rust-rustls: CVE-2024-32650

2024-04-22 Thread Moritz Mühlenhoff
Source: rust-rustls X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for rust-rustls. CVE-2024-32650[0]: | Rustls is a modern TLS library written in Rust. | `rustls::ConnectionCommon::complete_io` could fall into an infinite | lo

Bug#1069678: openjdk-8: CVE-2024-21011 CVE-2024-21068 CVE-2024-21085 CVE-2024-21094

2024-04-22 Thread Moritz Mühlenhoff
Source: openjdk-8 X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerabilities were published for openjdk-8. CVE-2024-21011[0]: | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle | GraalVM Enterprise Edition product of Oracle Java SE

Bug#1069679: ofono: CVE-2023-2794

2024-04-22 Thread Moritz Mühlenhoff
Source: ofono X-Debbugs-CC: t...@security.debian.org Severity: grave Tags: security Hi, The following vulnerability was published for ofono. CVE-2023-2794[0]: | A flaw was found in ofono, an Open Source Telephony on Linux. A | stack overflow bug is triggered within the decode_deliver() function
