[Git][security-tracker-team/security-tracker][master] 4 commits: Drop bookworm entries for gimp-dds (removed from bookworm)
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sat Dec 9 08:28:42 GMT 2023
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
67232404 by Salvatore Bonaccorso at 2023-12-07T23:04:33+01:00
Drop bookworm entries for gimp-dds (removed from bookworm)
- - - - -
cbd596b9 by Salvatore Bonaccorso at 2023-12-07T23:04:33+01:00
Merge linux changes for bookworm 12.3
- - - - -
385f91e6 by Salvatore Bonaccorso at 2023-12-07T23:07:28+01:00
Merge changes for updates with CVEs via bookworm 12.3
- - - - -
87a0bc01 by Salvatore Bonaccorso at 2023-12-09T08:28:30+00:00
Merge branch 'bookworm-12.3' into 'master'
Merge changes accepted for bookworm 12.3 release
See merge request security-tracker-team/security-tracker!154
- - - - -
2 changed files:
- data/CVE/list
- data/next-point-update.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2264,7 +2264,7 @@ CVE-2023-4252 (The EventPrime WordPress plugin through 3.2.9 specifies the price
NOT-FOR-US: WordPress plugin
CVE-2023-49316 (In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively larg ...)
- php-phpseclib3 3.0.34-1 (bug #1057008)
- [bookworm] - php-phpseclib3 <no-dsa> (Minor issue)
+ [bookworm] - php-phpseclib3 3.0.19-1+deb12u1
NOTE: Fixed by: https://github.com/phpseclib/phpseclib/commit/964d78101a70305df33f442f5490f0adb3b7e77f (3.0.34)
TODO: check if affecting ldap-account-manager or unused path
CVE-2023-49047 (Tenda AX1803 v1.0.0.1 contains a stack overflow via the devName parame ...)
@@ -2371,7 +2371,7 @@ CVE-2023-47039
- perl <not-affected> (Windows specific issue)
CVE-2023-47038 [Write past buffer end via illegal user-defined Unicode property]
- perl 5.36.0-10 (bug #1056746)
- [bookworm] - perl <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - perl 5.36.0-7+deb12u1
[bullseye] - perl <no-dsa> (Minor issue; can be fixed via point release)
[buster] - perl <not-affected> (Vulnerable code introduced later)
NOTE: Fixed by: https://github.com/Perl/perl5/commit/12c313ce49b36160a7ca2e9b07ad5bd92ee4a010 (v5.34.2)
@@ -3393,6 +3393,7 @@ CVE-2023-6174 (SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of
NOTE: https://gitlab.com/wireshark/wireshark/-/issues/19369
CVE-2023-6121 (An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsy ...)
- linux <unfixed>
+ [bookworm] - linux 6.1.64-1
NOTE: https://lore.kernel.org/linux-nvme/b58a2dc6-cc8f-4d19-9efe-e1d5b4505efc@nvidia.com/T/
NOTE: https://lore.kernel.org/linux-nvme/CAK5usQvxAyC3LJ4OnqerS1P0JpbfFr9uRZmq6Jb4QhaB7AQCoQ@mail.gmail.com/T/
NOTE: https://git.kernel.org/linus/1c22e0295a5eb571c27b53c7371f95699ef705ff (6.7-rc3)
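Review bot: In the CVE-2023-6121 entry the added `[bookworm] - linux 6.1.64-1` sits directly under `- linux <unfixed>`, so the tracker will show bookworm as fixed while unstable is still open. The last NOTE references an upstream commit tagged 6.7-rc3, so this is presumably a stable backport that landed in 6.1.64 first; a short NOTE saying so would keep the entry from reading as a mistake until the unstable line gets a version.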
@@ -3617,14 +3618,14 @@ CVE-2023-47638
CVE-2023-43887 (Libde265 v1.0.12 was discovered to contain multiple buffer overflows v ...)
{DLA-3676-1}
- libde265 1.0.13-1
- [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bookworm] - libde265 1.0.11-1+deb12u1
[bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/418
NOTE: https://github.com/strukturag/libde265/commit/63b596c915977f038eafd7647d1db25488a8c133 (v1.0.13)
CVE-2023-47471 (Buffer Overflow vulnerability in strukturag libde265 v1.10.12 allows a ...)
{DLA-3676-1}
- libde265 1.0.13-1 (bug #1056187)
- [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bookworm] - libde265 1.0.11-1+deb12u1
[bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/426
NOTE: https://github.com/strukturag/libde265/commit/e36b4a1b0bafa53df47514c419d5be3e8916ebc7 (v1.0.13)
@@ -3720,7 +3721,7 @@ CVE-2023-5984 (A CWE-494 Download of Code Without Integrity Check vulnerability
CVE-2023-5981 (A vulnerability was found that the response times to malformed ciphert ...)
{DLA-3660-1}
- gnutls28 3.8.2-1 (bug #1056188)
- [bookworm] - gnutls28 <no-dsa> (Minor issue; can be fixed via point release)
+ [bookworm] - gnutls28 3.7.9-2+deb12u1
[bullseye] - gnutls28 <no-dsa> (Minor issue; can be fixed via point release)
NOTE: https://gitlab.com/gnutls/gnutls/-/issues/1511
NOTE: https://gnutls.org/security-new.html#GNUTLS-SA-2023-10-23
@@ -3946,7 +3947,6 @@ CVE-2023-44441 [GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Exe
- gimp 2.10.36-1 (bug #1055984)
[buster] - gimp <not-affected> (DDS plugin added in 2.10.10)
- gimp-dds <removed>
- [bookworm] - gimp-dds <no-dsa> (Obsoleted by src:gimp, should get dropped via Breaks)
[bullseye] - gimp-dds <no-dsa> (Obsoleted by src:gimp, should get dropped via Breaks)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1592/
NOTE: https://www.gimp.org/news/2023/11/07/gimp-2-10-36-released/#fixed-vulnerabilities
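Review bot: The `[bullseye] - gimp-dds <no-dsa>` line kept as context in the CVE-2023-44441 entry still carries the "Obsoleted by src:gimp, should get dropped via Breaks" rationale that the deleted bookworm line had. If gimp-dds is removed from bullseye the same way, that line needs the same cleanup; until then it would help to have the reason for the bookworm removal recorded somewhere other than the commit subject.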
@@ -3978,6 +3978,7 @@ CVE-2023-6124 (Server-Side Request Forgery (SSRF) in GitHub repository salesagil
NOT-FOR-US: suitecrm
CVE-2023-6111 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...)
- linux 6.5.13-1
+ [bookworm] - linux 6.1.64-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/93995bf4af2c5a99e2a87f0cd5ce547d31eb7630 (6.7-rc1)
@@ -4599,13 +4600,13 @@ CVE-2023-46735 (Symfony is a PHP framework for web and console applications and
CVE-2023-46734 (Symfony is a PHP framework for web and console applications and a set ...)
{DLA-3664-1}
- symfony 5.4.31+dfsg-1 (bug #1055774)
- [bookworm] - symfony <no-dsa> (Minor issue)
+ [bookworm] - symfony 5.4.23+dfsg-1+deb12u1
[bullseye] - symfony <no-dsa> (Minor issue)
NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
NOTE: https://github.com/symfony/symfony/commit/9da9a145ce57e4585031ad4bee37c497353eec7c (v4.4.51, v5.4.31, v6.3.8)
CVE-2023-46733 (Symfony is a PHP framework for web and console applications and a set ...)
- symfony 5.4.31+dfsg-1 (bug #1055775)
- [bookworm] - symfony <no-dsa> (Minor issue)
+ [bookworm] - symfony 5.4.23+dfsg-1+deb12u1
[bullseye] - symfony <not-affected> (Vulnerable code introduced later)
[buster] - symfony <not-affected> (Vulnerable code introduced later)
NOTE: https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
@@ -5424,7 +5425,7 @@ CVE-2023-4996 (Netskope was made aware of a security vulnerability in its NSClie
NOT-FOR-US: Netskope
CVE-2023-4535 (An out-of-bounds read vulnerability was found in OpenSC packages withi ...)
- opensc 0.23.0-2 (bug #1055520)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u1
[bullseye] - opensc <not-affected> (vulnerable code introduced later)
[buster] - opensc <not-affected> (vulnerable code introduced later)
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-4535
@@ -5507,7 +5508,7 @@ CVE-2023-41378 (In certain conditions for Calico Typha (v3.26.2, v3.25.1 and bel
CVE-2023-40661 (Several memory vulnerabilities were identified within the OpenSC packa ...)
{DLA-3668-1}
- opensc 0.23.0-2 (bug #1055522)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u1
[bullseye] - opensc <no-dsa> (Minor issue)
NOTE: https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40661
@@ -5515,7 +5516,7 @@ CVE-2023-40661 (Several memory vulnerabilities were identified within the OpenSC
CVE-2023-40660 (A flaw was found in OpenSC packages that allow a potential PIN bypass. ...)
{DLA-3668-1}
- opensc 0.23.0-2 (bug #1055521)
- [bookworm] - opensc <no-dsa> (Minor issue)
+ [bookworm] - opensc 0.23.0-0.3+deb12u1
[bullseye] - opensc <no-dsa> (Minor issue)
NOTE: https://github.com/OpenSC/OpenSC/issues/2792#issuecomment-1674806651
NOTE: https://github.com/OpenSC/OpenSC/wiki/CVE-2023-40660
@@ -6566,6 +6567,7 @@ CVE-2023-5836 (A vulnerability was found in SourceCodester Task Reminder System
NOT-FOR-US: SourceCodester Task Reminder System
CVE-2023-46862 (An issue was discovered in the Linux kernel through 6.5.9. During a ra ...)
- linux 6.5.10-1
+ [bookworm] - linux 6.1.64-1
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://bugzilla.kernel.org/show_bug.cgi?id=218032#c4
NOTE: https://git.kernel.org/linus/7644b1a1c9a7ae8ab99175989bfc8676055edb46
@@ -6575,7 +6577,7 @@ CVE-2023-46854 (Proxmox proxmox-widget-toolkit before 4.0.9, as used in multiple
NOT-FOR-US: Proxmox proxmox-widget-toolkit
CVE-2023-45897 (exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in ...)
- exfatprogs 1.2.2-1
- [bookworm] - exfatprogs <no-dsa> (Minor issue)
+ [bookworm] - exfatprogs 1.2.0-1+deb12u1
[bullseye] - exfatprogs <no-dsa> (Minor issue)
NOTE: https://github.com/exfatprogs/exfatprogs/commit/ec78688e5fb5a70e13df82b4c0da1e6228d3ccdf (1.2.2)
NOTE: https://github.com/exfatprogs/exfatprogs/commit/22d0e43e8d24119cbfc6efafabb0dec6517a86c4 (1.2.2)
@@ -6852,6 +6854,7 @@ CVE-2023-33558 (An information disclosure vulnerability in the component users-g
NOT-FOR-US: OcoMon
CVE-2023-46813 (An issue was discovered in the Linux kernel before 6.5.9, exploitable ...)
- linux 6.5.10-1
+ [bookworm] - linux 6.1.64-1
NOTE: https://git.kernel.org/linus/63e44bc52047f182601e7817da969a105aa1f721 (6.6-rc7)
NOTE: https://git.kernel.org/linus/b9cb9c45583b911e0db71d09caa6b56469eb2bdf (6.6-rc7)
NOTE: https://git.kernel.org/linus/a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba (6.6-rc7)
@@ -7045,6 +7048,7 @@ CVE-2023-45872
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2246067
CVE-2023-5717 (A heap out-of-bounds write vulnerability in the Linux kernel's Linux K ...)
- linux 6.5.10-1
+ [bookworm] - linux 6.1.64-1
NOTE: https://git.kernel.org/linus/32671e3799ca2e4590773fd0e63aaa4229e50c06 (6.6-rc7)
CVE-2023-5678 (Issue summary: Generating excessively long X9.42 DH keys or checking e ...)
- openssl 3.0.12-2 (bug #1055473)
@@ -7787,7 +7791,7 @@ CVE-2023-46316 (In buc Traceroute 2.0.12 through 2.1.2 before 2.1.3, the wrapper
NOTE: https://sourceforge.net/projects/traceroute/files/traceroute/traceroute-2.1.3/
CVE-2023-46586
- weborf 1.0-1 (bug #1054417)
- [bookworm] - weborf <no-dsa> (Minor issue)
+ [bookworm] - weborf 0.19-2.1+deb12u1
[bullseye] - weborf <no-dsa> (Minor issue)
[buster] - weborf <no-dsa> (Minor issue)
NOTE: https://github.com/ltworf/weborf/pull/88
@@ -7883,6 +7887,7 @@ CVE-2023-46846 (SQUID is vulnerable to HTTP request smuggling, caused by chunked
NOTE: https://github.com/squid-cache/squid/security/advisories/GHSA-j83v-w3p4-5cqh
CVE-2023-5178 (A use-after-free vulnerability was found in drivers/nvme/target/tcp.c` ...)
- linux 6.5.8-1
+ [bookworm] - linux 6.1.64-1
NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2241924
NOTE: https://git.kernel.org/linus/d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd
NOTE: https://www.openwall.com/lists/oss-security/2023/10/15/1
@@ -8142,6 +8147,7 @@ CVE-2023-34044 (VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to
NOT-FOR-US: VMware
CVE-2023-5090 (A flaw was found in KVM. An improper check in svm_set_x2apic_msr_inter ...)
- linux 6.5.8-1
+ [bookworm] - linux 6.1.64-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/b65235f6e102354ccafda601eaa1c5bef5284d21
@@ -9260,7 +9266,7 @@ CVE-2023-45853 (MiniZip in zlib through 1.3 has an integer overflow and resultan
[bullseye] - zlib <ignored> (contrib/minizip not built and producing binary packages)
[buster] - zlib <ignored> (contrib/minizip not built and producing binary packages)
- minizip <removed> (bug #1056718)
- [bookworm] - minizip <no-dsa> (Minor issue; can be fixed in point release)
+ [bookworm] - minizip 1.1-8+deb12u1
[bullseye] - minizip <no-dsa> (Minor issue; can be fixed in point release)
NOTE: https://github.com/madler/zlib/pull/843
NOTE: https://github.com/madler/zlib/commit/73331a6a0481067628f065ffe87bb1d8f787d10c
@@ -9457,7 +9463,7 @@ CVE-2023-5045 (Improper Neutralization of Special Elements used in an SQL Comman
NOT-FOR-US: Kayisi
CVE-2023-45143 (Undici is an HTTP/1.1 client written from scratch for Node.js. Prior t ...)
- node-undici 5.26.3+dfsg1+~cs23.10.12-1 (bug #1053879)
- [bookworm] - node-undici <no-dsa> (Minor issue)
+ [bookworm] - node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
NOTE: https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
NOTE: https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76 (v5.26.2)
@@ -10380,47 +10386,48 @@ CVE-2023-44487 (The HTTP/2 protocol allows a denial of service (server resource
NOTE: - lighttpd: https://www.openwall.com/lists/oss-security/2023/10/13/9
CVE-2023-34324 [linux/xen: Possible deadlock in Linux kernel event handling]
- linux 6.5.8-1
+ [bookworm] - linux 6.1.64-1
NOTE: https://xenbits.xen.org/xsa/advisory-441.html
NOTE: https://git.kernel.org/linus/87797fad6cce28ec9be3c13f031776ff4f104cfc (6.6-rc6)
CVE-2023-46836 [x86: BTC/SRSO fixes not fully effective]
- xen 4.17.2+76-ge1f9cb16e2-1 (bug #1056928)
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-446.html
CVE-2023-46835 [x86/AMD: mismatch in IOMMU quarantine page table levels]
- xen 4.17.2+76-ge1f9cb16e2-1 (bug #1056928)
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-445.html
CVE-2023-34328 [A PV vCPU can place a breakpoint over the live GDT]
- xen 4.17.2+55-g0b56bed864-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-444.html
CVE-2023-34327 [An HVM vCPU can end up operating in the context of a previous vCPUs debug mask state]
- xen 4.17.2+55-g0b56bed864-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-444.html
CVE-2023-34325 [Multiple vulnerabilities in libfsimage disk handling]
- xen 4.17.2+55-g0b56bed864-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-443.html
CVE-2023-34326 [x86/AMD: missing IOMMU TLB flushing]
- xen 4.17.2+55-g0b56bed864-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-442.html
CVE-2023-34323 [xenstored: A transaction conflict can crash C Xenstored]
- xen 4.17.2+55-g0b56bed864-1 (unimportant)
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-440.html
@@ -11425,6 +11432,7 @@ CVE-2023-5346 (Type confusion in V8 in Google Chrome prior to 117.0.5938.149 all
[buster] - chromium <end-of-life> (see DSA 5046)
CVE-2023-5345 (A use-after-free vulnerability in the Linux kernel's fs/smb/client com ...)
- linux 6.5.6-1
+ [bookworm] - linux 6.1.64-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/e6e43b8aa7cd3c3af686caf0c2e11819a886d705
@@ -12120,7 +12128,7 @@ CVE-2023-38870 (A SQL injection vulnerability exists in gugoan Economizzer commi
NOT-FOR-US: gugoan's Economizzer
CVE-2023-42119 [Exim dnsdb Out-Of-Bounds Read Information Disclosure Vulnerability]
- exim4 4.97~RC2-2
- [bookworm] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
+ [bookworm] - exim4 4.96-15+deb12u3
[bullseye] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
[buster] - exim4 <no-dsa> (Minor issue; use Exim4 with a trustworthy DNS resolver able to validate the data according to the DNS record types)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1473/
@@ -12147,7 +12155,7 @@ CVE-2023-42118 [Exim libspf2 Integer Underflow Remote Code Execution Vulnerabili
NOTE: another buffer fills up." and 2. that this is the same issue as CVE-2023-42118 .
CVE-2023-42117 [Exim Improper Neutralization of Special Elements Remote Code Execution Vulnerability]
- exim4 4.97~RC2-2
- [bookworm] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
+ [bookworm] - exim4 4.96-15+deb12u3
[bullseye] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
[buster] - exim4 <no-dsa> (Only an issue if Exim4 run behind an untrusted proxy-protocol proxy)
NOTE: https://www.zerodayinitiative.com/advisories/ZDI-23-1471/
@@ -12704,6 +12712,7 @@ CVE-2023-43040 [Improperly verified POST keys]
NOTE: Fixed by: https://github.com/ceph/ceph/commit/100d81aa060f061271499f1fa28dbdc06de443fd (main)
CVE-2023-5197 (A use-after-free vulnerability in the Linux kernel's netfilter: nf_tab ...)
- linux 6.5.6-1
+ [bookworm] - linux 6.1.64-1
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://git.kernel.org/linus/f15f29fd4779be8a418b66e9d52979bb6d6c2325 (6.6-rc3)
NOTE: https://kernel.dance/f15f29fd4779be8a418b66e9d52979bb6d6c2325
@@ -12911,6 +12920,7 @@ CVE-2023-5165 (Docker Desktop before 4.23.0 allows an unprivileged user to bypas
NOT-FOR-US: Docker Desktop
CVE-2023-5158 (A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in t ...)
- linux 6.5.8-1
+ [bookworm] - linux 6.1.64-1
[bullseye] - linux <not-affected> (Vulnerable code not present)
[buster] - linux <not-affected> (Vulnerable code not present)
NOTE: https://lore.kernel.org/virtualization/20230925103057.104541-1-sgarzare@redhat.com/T/#u
@@ -13907,12 +13917,12 @@ CVE-2023-41889 (SHIRASAGI is a Content Management System. Prior to version 1.18.
NOT-FOR-US: SHIRASAGI
CVE-2023-41887 (OpenRefine is a powerful free, open source tool for working with messy ...)
- openrefine 3.7.5-1
- [bookworm] - openrefine <no-dsa> (Minor issue)
+ [bookworm] - openrefine 3.6.2-2+deb12u2
NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-p3r5-x3hr-gpg5
NOTE: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 (3.7.5)
CVE-2023-41886 (OpenRefine is a powerful free, open source tool for working with messy ...)
- openrefine 3.7.5-1
- [bookworm] - openrefine <no-dsa> (Minor issue)
+ [bookworm] - openrefine 3.6.2-2+deb12u2
NOTE: https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m
NOTE: https://github.com/OpenRefine/OpenRefine/commit/2de1439f5be63d9d0e89bbacbd24fa28c8c3e29d (master)
NOTE: https://github.com/OpenRefine/OpenRefine/commit/693fde606d4b5b78b16391c29d110389eb605511 (3.7.5)
@@ -14712,7 +14722,7 @@ CVE-2023-40150 (Softneta MedDream PACS does not perform an authentication check
NOT-FOR-US: Softneta MedDream PACS
CVE-2023-40032 (libvips is a demand-driven, horizontally threaded image processing lib ...)
- vips 8.14.4-1
- [bookworm] - vips <no-dsa> (Minor issue)
+ [bookworm] - vips 8.14.1-3+deb12u1
[bullseye] - vips <not-affected> (Vulnerable code not present)
[buster] - vips <not-affected> (Vulnerable code not present)
NOTE: https://github.com/libvips/libvips/pull/3604
@@ -14765,7 +14775,7 @@ CVE-2023-42470 (The Imou Life com.mm.android.smartlifeiot application through 6.
NOT-FOR-US: Imou Life com.mm.android.smartlifeiot application
CVE-2023-42467 (QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset ...)
- qemu 1:8.1.1+ds-1 (bug #1051899)
- [bookworm] - qemu <no-dsa> (Minor issue)
+ [bookworm] - qemu 1:7.2+dfsg-7+deb12u3
[bullseye] - qemu <no-dsa> (Minor issue)
[buster] - qemu <no-dsa> (Minor issue)
NOTE: https://gitlab.com/qemu-project/qemu/-/issues/1813
@@ -15423,19 +15433,19 @@ CVE-2023-2453 (There is insufficient sanitization of tainted file names that are
CVE-2023-40743 (** UNSUPPORTED WHEN ASSIGNED ** When integrating Apache Axis 1.x in an ...)
{DLA-3622-1}
- axis 1.4-29 (bug #1051288)
- [bookworm] - axis <no-dsa> (Minor issue)
+ [bookworm] - axis 1.4-28+deb12u1
[bullseye] - axis <no-dsa> (Minor issue)
NOTE: https://www.openwall.com/lists/oss-security/2023/09/05/1
NOTE: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210
CVE-2023-34322 [top-level shadow reference dropped too early for 64-bit PV guests]
- xen 4.17.2+55-g0b56bed864-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-438.html
CVE-2023-34321 [arm32: The cache may not be properly cleaned/invalidated]
- xen 4.17.2+55-g0b56bed864-1 (bug #1051954)
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://xenbits.xen.org/xsa/advisory-437.html
@@ -20267,7 +20277,7 @@ CVE-2023-3971 (An HTML injection flaw was found in Controller in the user interf
NOT-FOR-US: Red Hat Ansible Automation Controller
CVE-2023-34320 (Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where ...)
- xen 4.17.2-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://www.openwall.com/lists/oss-security/2023/08/01/1
@@ -23510,7 +23520,7 @@ CVE-2023-29156 (DroneScout ds230 Remote ID receiver from BlueMark Innovationsis
CVE-2022-48521 (An issue was discovered in OpenDKIM through 2.10.3, and 2.11.x through ...)
{DLA-3680-1}
- opendkim 2.11.0~beta2-9 (bug #1041107)
- [bookworm] - opendkim <no-dsa> (Minor issue)
+ [bookworm] - opendkim 2.11.0~beta2-8+deb12u1
[bullseye] - opendkim <no-dsa> (Minor issue)
NOTE: https://github.com/trusteddomainproject/OpenDKIM/issues/148
CVE-2023-36543 (Apache Airflow, versions before 2.6.3, has a vulnerability where an au ...)
@@ -25997,6 +26007,7 @@ CVE-2023-35828 (An issue was discovered in the Linux kernel before 6.3.2. A use-
NOTE: Only "exploitable" by removing the module which needs root privileges
CVE-2023-35827 (An issue was discovered in the Linux kernel through 6.3.8. A use-after ...)
- linux 6.5.8-1
+ [bookworm] - linux 6.1.64-1
NOTE: https://lore.kernel.org/lkml/cca0b40b-d6f8-54c7-1e46-83cb62d0a2f1%40huawei.com/T/
CVE-2023-35826 (An issue was discovered in the Linux kernel before 6.3.2. A use-after- ...)
- linux 6.3.7-1 (unimportant)
@@ -31317,15 +31328,15 @@ CVE-2023-31023 (NVIDIA Display Driver for Windows contains a vulnerability where
NOT-FOR-US: NVIDIA
CVE-2023-31022 (NVIDIA GPU Display Driver for Windows and Linux contains a vulnerabili ...)
- nvidia-graphics-drivers 525.147.05-1 (bug #1055136)
- [bookworm] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers 525.147.05-1~deb12u1
[bullseye] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
[buster] - nvidia-graphics-drivers <no-dsa> (Non-free not supported)
- nvidia-open-gpu-kernel-modules 525.147.05-1 (bug #1055144)
- [bookworm] - nvidia-open-gpu-kernel-modules <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-open-gpu-kernel-modules 525.147.05-1~deb12u1
- nvidia-graphics-drivers-tesla 525.147.05-1 (bug #1055143)
- [bookworm] - nvidia-graphics-drivers-tesla <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1
- nvidia-graphics-drivers-tesla-470 470.223.02-1 (bug #1055142)
- [bookworm] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
+ [bookworm] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb12u1
[bullseye] - nvidia-graphics-drivers-tesla-470 <no-dsa> (Non-free not supported)
- nvidia-graphics-drivers-tesla-460 460.106.00-3 (bug #1055141)
[bullseye] - nvidia-graphics-drivers-tesla-460 <no-dsa> (Non-free not supported)
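Review bot: The added `[bookworm] - nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1` line uses a `-3` base revision, while the unstable line just above it records the fix in `525.147.05-1` and the two sibling 525 packages in this hunk use `-1~deb12u1`. It matches the entry removed from data/next-point-update.txt, so it is probably the revision that was uploaded, but it is worth checking against the accepted package, since a mistyped revision here changes which installed versions the tracker reports as vulnerable.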
@@ -32723,7 +32734,7 @@ CVE-2023-30578
CVE-2023-30577 (AMANDA (Advanced Maryland Automatic Network Disk Archiver) before tag- ...)
{DLA-3681-1}
- amanda 1:3.5.1-11.1 (bug #1055253)
- [bookworm] - amanda <no-dsa> (Minor issue)
+ [bookworm] - amanda 1:3.5.1-11+deb12u1
[bullseye] - amanda <no-dsa> (Minor issue)
NOTE: https://github.com/zmanda/amanda/security/advisories/GHSA-crrw-v393-h5q3
NOTE: https://github.com/zmanda/amanda/pull/228
@@ -43791,14 +43802,14 @@ CVE-2023-27104
CVE-2023-27103 (Libde265 v1.0.11 was discovered to contain a heap buffer overflow via ...)
{DLA-3676-1}
- libde265 1.0.12-1 (bug #1033257)
- [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bookworm] - libde265 1.0.11-1+deb12u1
[bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/394
NOTE: https://github.com/strukturag/libde265/commit/d6bf73e765b7a23627bfd7a8645c143fd9097995 (v1.0.12)
CVE-2023-27102 (Libde265 v1.0.11 was discovered to contain a segmentation violation vi ...)
{DLA-3676-1}
- libde265 1.0.12-1 (bug #1033257)
- [bookworm] - libde265 <no-dsa> (Minor issue)
+ [bookworm] - libde265 1.0.11-1+deb12u1
[bullseye] - libde265 <no-dsa> (Minor issue)
NOTE: https://github.com/strukturag/libde265/issues/393
NOTE: https://github.com/strukturag/libde265/commit/0b1752abff97cb542941d317a0d18aa50cb199b1 (v1.0.12)
@@ -74258,7 +74269,7 @@ CVE-2023-20588 (A division-by-zero error on some AMD processors can potentially
- linux 6.4.13-1
[bullseye] - linux 5.10.197-1
- xen 4.17.2+55-g0b56bed864-1
- [bookworm] - xen <no-dsa> (Will be fixed via point release)
+ [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
[bullseye] - xen <end-of-life> (EOLed in Bullseye)
[buster] - xen <end-of-life> (DSA 4677-1)
NOTE: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7007.html
@@ -484397,7 +484408,7 @@ CVE-2016-1245 (It was discovered that the zebra daemon in Quagga before 1.0.2016
CVE-2016-1244 (The extractTree function in unADF allows remote attackers to execute a ...)
{DSA-3676-1 DLA-631-1}
- unadf 0.7.11a-6 (bug #838248)
- [bookworm] - unadf <no-dsa> (Minor issue)
+ [bookworm] - unadf 0.7.11a-5+deb12u1
[bullseye] - unadf <no-dsa> (Minor issue)
[buster] - unadf <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
@@ -484405,7 +484416,7 @@ CVE-2016-1244 (The extractTree function in unADF allows remote attackers to exec
CVE-2016-1243 (Stack-based buffer overflow in the extractTree function in unADF allow ...)
{DSA-3676-1 DLA-631-1}
- unadf 0.7.11a-6 (bug #838248)
- [bookworm] - unadf <no-dsa> (Minor issue)
+ [bookworm] - unadf 0.7.11a-5+deb12u1
[bullseye] - unadf <no-dsa> (Minor issue)
[buster] - unadf <no-dsa> (Minor issue)
NOTE: Fixed by: https://github.com/lclevy/ADFlib/commit/8e973d7b894552c3a3de0ccd2d1e9cb0b8e618dd
=====================================
data/next-point-update.txt
=====================================
@@ -1,108 +1,3 @@
-CVE-2023-41887
- [bookworm] - openrefine 3.6.2-2+deb12u2
-CVE-2023-41886
- [bookworm] - openrefine 3.6.2-2+deb12u2
-CVE-2023-40743
- [bookworm] - axis 1.4-28+deb12u1
-CVE-2023-45143
- [bookworm] - node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
-CVE-2023-46586
- [bookworm] - weborf 0.19-2.1+deb12u1
-CVE-2023-42117
- [bookworm] - exim4 4.96-15+deb12u3
-CVE-2023-42119
- [bookworm] - exim4 4.96-15+deb12u3
-CVE-2023-45897
- [bookworm] - exfatprogs 1.2.0-1+deb12u1
-CVE-2023-4535
- [bookworm] - opensc 0.23.0-0.3+deb12u1
-CVE-2023-40660
- [bookworm] - opensc 0.23.0-0.3+deb12u1
-CVE-2023-40661
- [bookworm] - opensc 0.23.0-0.3+deb12u1
-CVE-2023-40032
- [bookworm] - vips 8.14.1-3+deb12u1
-CVE-2023-46734
- [bookworm] - symfony 5.4.23+dfsg-1+deb12u1
-CVE-2023-46733
- [bookworm] - symfony 5.4.23+dfsg-1+deb12u1
-CVE-2016-1243
- [bookworm] - unadf 0.7.11a-5+deb12u1
-CVE-2016-1244
- [bookworm] - unadf 0.7.11a-5+deb12u1
-CVE-2023-45853
- [bookworm] - minizip 1.1-8+deb12u1
-CVE-2023-31022
- [bookworm] - nvidia-graphics-drivers-tesla-470 470.223.02-1~deb12u1
- [bookworm] - nvidia-open-gpu-kernel-modules 525.147.05-1~deb12u1
- [bookworm] - nvidia-graphics-drivers 525.147.05-1~deb12u1
- [bookworm] - nvidia-graphics-drivers-tesla 525.147.05-3~deb12u1
-CVE-2022-48521
- [bookworm] - opendkim 2.11.0~beta2-8+deb12u1
-CVE-2023-47038
- [bookworm] - perl 5.36.0-7+deb12u1
-CVE-2023-27102
- [bookworm] - libde265 1.0.11-1+deb12u1
-CVE-2023-27103
- [bookworm] - libde265 1.0.11-1+deb12u1
-CVE-2023-43887
- [bookworm] - libde265 1.0.11-1+deb12u1
-CVE-2023-47471
- [bookworm] - libde265 1.0.11-1+deb12u1
-CVE-2023-49316
- [bookworm] - php-phpseclib3 3.0.19-1+deb12u1
-CVE-2023-5981
- [bookworm] - gnutls28 3.7.9-2+deb12u1
-CVE-2023-34320
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34328
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34327
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34326
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34325
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34323
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-20588
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34322
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-34321
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-46835
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-46836
- [bookworm] - xen 4.17.2+76-ge1f9cb16e2-1~deb12u1
-CVE-2023-30577
- [bookworm] - amanda 1:3.5.1-11+deb12u1
-CVE-2023-42467
- [bookworm] - qemu 1:7.2+dfsg-7+deb12u3
-CVE-2023-34324
- [bookworm] - linux 6.1.64-1
-CVE-2023-35827
- [bookworm] - linux 6.1.64-1
-CVE-2023-46813
- [bookworm] - linux 6.1.64-1
-CVE-2023-46862
- [bookworm] - linux 6.1.64-1
-CVE-2023-5090
- [bookworm] - linux 6.1.64-1
-CVE-2023-5158
- [bookworm] - linux 6.1.64-1
-CVE-2023-5178
- [bookworm] - linux 6.1.64-1
-CVE-2023-5197
- [bookworm] - linux 6.1.64-1
-CVE-2023-5345
- [bookworm] - linux 6.1.64-1
-CVE-2023-5717
- [bookworm] - linux 6.1.64-1
-CVE-2023-6111
- [bookworm] - linux 6.1.64-1
-CVE-2023-6121
- [bookworm] - linux 6.1.64-1
CVE-2023-3153
[bookworm] - ovn 23.03.1-1~deb12u1
CVE-2023-43040
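Review bot: The two entries left as context at the end of this hunk, CVE-2023-3153 (`ovn 23.03.1-1~deb12u1`) and CVE-2023-43040, stay queued after the merge; confirm they were not accepted for 12.3, otherwise they need the same move into data/CVE/list. The removed entries themselves check out: each one has a matching `[bookworm]` line with the same version added in the data/CVE/list hunks.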
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/cc8ff646a883bce340c9f279932012ab8fb31503...87a0bc01d0bd46a4af831e40f293247f76675921