[Git][security-tracker-team/security-tracker][master] automatic update
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Wed Aug 30 09:12:28 BST 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2c3f58e5 by security tracker role at 2023-08-30T08:12:16+00:00
automatic update
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1,4 +1,38 @@
-CVE-2023-4611
+CVE-2023-4609
+ REJECTED
+CVE-2023-4599 (The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cr ...)
+ TODO: check
+CVE-2023-4597 (The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cr ...)
+ TODO: check
+CVE-2023-4596 (The Forminator plugin for WordPress is vulnerable to arbitrary file up ...)
+ TODO: check
+CVE-2023-4526
+ REJECTED
+CVE-2023-4525
+ REJECTED
+CVE-2023-4522 (An issue has been discovered in GitLab affecting all versions starting ...)
+ TODO: check
+CVE-2023-4296 (If an attacker tricks an admin user of PTC Codebeamer into clicking on ...)
+ TODO: check
+CVE-2023-41269
+ REJECTED
+CVE-2023-41266 (A path traversal vulnerability found in Qlik Sense Enterprise for Wind ...)
+ TODO: check
+CVE-2023-41265 (An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise ...)
+ TODO: check
+CVE-2023-41153 (A Stored Cross-Site Scripting (XSS) vulnerability in the SSH configura ...)
+ TODO: check
+CVE-2023-39559 (AudimexEE 15.0 was discovered to contain a full path disclosure vulner ...)
+ TODO: check
+CVE-2023-39558 (AudimexEE v15.0 was discovered to contain multiple reflected cross-sit ...)
+ TODO: check
+CVE-2023-38975 (* Buffer Overflow vulnerability in qdrant v.1.3.2 allows a remote atta ...)
+ TODO: check
+CVE-2023-38971 (Cross Site Scripting vulnerabiltiy in Badaso v.0.0.1 thru v.2.9.7 allo ...)
+ TODO: check
+CVE-2023-32241 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPDevelo ...)
+ TODO: check
+CVE-2023-4611 (A use-after-free flaw was found in mm/mempolicy.c in the memory manage ...)
- linux 6.4.11-1
[bookworm] - linux <not-affected> (Vulnerable code not present)
[bullseye] - linux <not-affected> (Vulnerable code not present)
@@ -25491,7 +25525,7 @@ CVE-2023-27586 (CairoSVG is an SVG converter based on Cairo, a 2D graphics libra
NOTE: https://github.com/Kozea/CairoSVG/security/advisories/GHSA-rwmf-w63j-p7gv
NOTE: Introduced in https://github.com/Kozea/CairoSVG/commit/1ee0889f4015ebaddcf9976d43222e673155797c (0.3)
CVE-2023-27585 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5438-1 DLA-3394-1}
+ {DSA-5438-1 DLA-3549-1 DLA-3394-1}
- asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 (bug #1036697)
- pjproject <removed>
- ring <unfixed>
@@ -38027,7 +38061,7 @@ CVE-2023-23357
RESERVED
CVE-2023-23356
RESERVED
-CVE-2023-23355 (A vulnerability has been reported to affect QNAP operating systems. If ...)
+CVE-2023-23355 (An OS command injection vulnerability has been reported to affect QNAP ...)
NOT-FOR-US: QNAP
CVE-2023-23354
RESERVED
@@ -71192,7 +71226,7 @@ CVE-2022-39246 (matrix-android-sdk2 is the Matrix SDK for Android. Prior to vers
CVE-2022-39245 (Mist is the command-line interface for the makedeb Package Repository. ...)
NOT-FOR-US: Makedeb Mist
CVE-2022-39244 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5358-1 DLA-3335-1}
+ {DSA-5358-1 DLA-3549-1 DLA-3335-1}
- asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1
- pjproject <removed>
- ring 20230206.0~ds1-1
@@ -94189,7 +94223,7 @@ CVE-2022-31033 (The Mechanize library is used for automating interaction with we
CVE-2022-31032 (Tuleap is a Free & Open Source Suite to improve management of software ...)
NOT-FOR-US: Tuleap
CVE-2022-31031 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5358-1 DLA-3335-1}
+ {DSA-5358-1 DLA-3549-1 DLA-3335-1}
- asterisk 1:20.0.1~dfsg+~cs6.12.40431414-1 (bug #1017004)
- pjproject <removed>
- ring 20230206.0~ds1-1 (bug #1017005)
@@ -112782,7 +112816,7 @@ CVE-2022-24795 (yajl-ruby is a C binding to the YAJL JSON parsing and generation
CVE-2022-24794 (Express OpenID Connect is an Express JS middleware implementing sign o ...)
NOT-FOR-US: Express OpenID Connect
CVE-2022-24793 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-3036-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-3036-1}
- asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -112911,7 +112945,7 @@ CVE-2022-24765 (Git for Windows is a fork of Git containing Windows-specific pat
NOTE: https://github.blog/2022-04-12-git-security-vulnerability-announced/
NOTE: See CVE-2022-29187 for further fixes
CVE-2022-24764 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <unfixed>
@@ -112919,7 +112953,7 @@ CVE-2022-24764 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-f5qg-pqcg-765m
NOTE: https://github.com/pjsip/pjproject/commit/560a1346f87aabe126509bb24930106dea292b00
CVE-2022-24763 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-3036-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-3036-1}
- asterisk 1:18.14.0~~rc1~dfsg+~cs6.12.40431414-1 (bug #1014976)
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -112967,7 +113001,7 @@ CVE-2022-24755 (Bareos is open source software for backup, archiving, and recove
NOTE: https://github.com/bareos/bareos/pull/1121
NOTE: https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/
CVE-2022-24754 (PJSIP is a free and open source multimedia communication library writt ...)
- {DLA-2962-1}
+ {DLA-3549-1 DLA-2962-1}
- asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
- ring 20230206.0~ds1-1 (bug #1014998)
@@ -117234,7 +117268,7 @@ CVE-2022-23610 (wire-server provides back end services for Wire, an open source
CVE-2022-23609 (iTunesRPC-Remastered is a Discord Rich Presence for iTunes on Windows ...)
NOT-FOR-US: iTunesRPC-Remastered
CVE-2022-23608 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.10.1~dfsg+~cs6.10.40431411-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -117371,14 +117405,14 @@ CVE-2022-23549 (Discourse is an option source discussion platform. Prior to vers
CVE-2022-23548 (Discourse is an option source discussion platform. Prior to version 2. ...)
NOT-FOR-US: Discourse
CVE-2022-23537 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5358-1 DLA-3335-1}
+ {DSA-5358-1 DLA-3549-1 DLA-3335-1}
- asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 (bug #1032092)
- ring 20230206.0~ds1-1
- pjproject <removed>
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w
NOTE: https://github.com/pjsip/pjproject/commit/d8440f4d711a654b511f50f79c0445b26f9dd1e1
CVE-2022-23547 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5358-1 DLA-3335-1}
+ {DSA-5358-1 DLA-3549-1 DLA-3335-1}
- asterisk 1:20.4.0~dfsg+~cs6.13.40431414-1 (bug #1032092)
- ring 20230206.0~ds1-1
- pjproject <removed>
@@ -129762,7 +129796,7 @@ CVE-2022-21724 (pgjdbc is the offical PostgreSQL JDBC Driver. A security hole wa
NOTE: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
NOTE: https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 (REL42.3.2)
CVE-2022-21723 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.10.1~dfsg+~cs6.10.40431411-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -129773,7 +129807,7 @@ CVE-2022-21723 (PJSIP is a free and open source multimedia communication library
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-7fw8-54cv-r7pm
NOTE: https://github.com/pjsip/pjproject/commit/077b465c33f0aec05a49cd2ca456f9a1b112e896
CVE-2022-21722 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.12.0~dfsg+~cs6.12.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -130321,7 +130355,7 @@ CVE-2021-43847 (HumHub is an open-source social network kit written in PHP. Prio
CVE-2021-43846 (`solidus_frontend` is the cart and storefront for the Solidus e-commer ...)
NOT-FOR-US: solidus_frontend
CVE-2021-43845 (PJSIP is a free and open source multimedia communication library. In v ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.12.0~dfsg+~cs6.12.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -130426,7 +130460,7 @@ CVE-2021-43806 (Tuleap is a Libre and Open Source tool for end to end traceabili
CVE-2021-43805 (Solidus is a free, open-source ecommerce platform built on Rails. Vers ...)
NOT-FOR-US: Solidus
CVE-2021-43804 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.12.0~dfsg+~cs6.12.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -132828,7 +132862,7 @@ CVE-2021-43304 (Heap buffer overflow in Clickhouse's LZ4 compression codec when
NOTE: https://github.com/ClickHouse/ClickHouse/pull/27136
NOTE: https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-dbms/
CVE-2021-43303 (Buffer overflow in PJSUA API when calling pjsua_call_dump. An attacker ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.11.1~dfsg+~cs6.10.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -132836,7 +132870,7 @@ CVE-2021-43303 (Buffer overflow in PJSUA API when calling pjsua_call_dump. An at
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43302 (Read out-of-bounds in PJSUA API when calling pjsua_recorder_create. An ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.11.1~dfsg+~cs6.10.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -132844,7 +132878,7 @@ CVE-2021-43302 (Read out-of-bounds in PJSUA API when calling pjsua_recorder_crea
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43301 (Stack overflow in PJSUA API when calling pjsua_playlist_create. An att ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.11.1~dfsg+~cs6.10.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -132852,7 +132886,7 @@ CVE-2021-43301 (Stack overflow in PJSUA API when calling pjsua_playlist_create.
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43300 (Stack overflow in PJSUA API when calling pjsua_recorder_create. An att ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.11.1~dfsg+~cs6.10.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -132860,7 +132894,7 @@ CVE-2021-43300 (Stack overflow in PJSUA API when calling pjsua_recorder_create.
NOTE: https://github.com/pjsip/pjproject/security/advisories/GHSA-qcvw-h34v-c7r9
NOTE: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
CVE-2021-43299 (Stack overflow in PJSUA API when calling pjsua_player_create. An attac ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.11.1~dfsg+~cs6.10.40431413-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -149685,7 +149719,7 @@ CVE-2021-37708 (Shopware is an open source eCommerce platform. Versions prior to
CVE-2021-37707 (Shopware is an open source eCommerce platform. Versions prior to 6.4.3 ...)
NOT-FOR-US: Shopware
CVE-2021-37706 (PJSIP is a free and open source multimedia communication library writt ...)
- {DSA-5285-1 DLA-3194-1 DLA-2962-1}
+ {DSA-5285-1 DLA-3549-1 DLA-3194-1 DLA-2962-1}
- asterisk 1:18.10.1~dfsg+~cs6.10.40431411-1
[stretch] - asterisk <not-affected> (Vulnerable code not present)
- pjproject <removed>
@@ -151419,6 +151453,7 @@ CVE-2021-36980 (Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-a
CVE-2021-36979 (Unicorn Engine 1.0.2 has an out-of-bounds write in tb_flush_armeb (cal ...)
NOT-FOR-US: Unicorn Engine
CVE-2021-36978 (QPDF 9.x through 9.1.1 and 10.x through 10.0.4 has a heap-based buffer ...)
+ {DLA-3548-1}
- qpdf 10.1.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28262
@@ -180291,6 +180326,7 @@ CVE-2021-25788
CVE-2021-25787
RESERVED
CVE-2021-25786 (An issue was discovered in QPDF version 10.0.4, allows remote attacker ...)
+ {DLA-3548-1}
- qpdf 10.1.0-1
NOTE: https://github.com/qpdf/qpdf/issues/492
NOTE: https://github.com/qpdf/qpdf/commit/dc92574c10f3e2516ec6445b88c5d584f40df4e5 (release-qpdf-10.1.0)
@@ -227278,8 +227314,8 @@ CVE-2020-18914
RESERVED
CVE-2020-18913 (EARCLINK ESPCMS-P8 was discovered to contain a SQL injection vulnerabi ...)
NOT-FOR-US: EARCLINK ESPCMS-P8
-CVE-2020-18912
- RESERVED
+CVE-2020-18912 (An issue found in Earcms Ear App v.20181124 allows a remote attacker t ...)
+ TODO: check
CVE-2020-18911
RESERVED
CVE-2020-18910
@@ -338385,6 +338421,7 @@ CVE-2018-18022
CVE-2012-6710 (ext_find_user in eXtplorer through 2.1.2 allows remote attackers to by ...)
- extplorer <removed>
CVE-2018-18020 (In QPDF 8.2.1, in libqpdf/QPDFWriter.cc, QPDFWriter::unparseObject and ...)
+ {DLA-3548-1}
- qpdf 9.0.0-1
[stretch] - qpdf <no-dsa> (Minor issue)
[jessie] - qpdf <no-dsa> (Minor issue)
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3f58e52c565879ef0de303fcaf40cb82681a2b
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2c3f58e52c565879ef0de303fcaf40cb82681a2b
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230830/ac62d21c/attachment.htm>
More information about the debian-security-tracker-commits
mailing list