[Git][security-tracker-team/security-tracker][master] bugnums

Moritz Muehlenhoff (@jmm) jmm at debian.org
Fri Dec 22 13:22:43 GMT 2023



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
32e9a182 by Moritz Muehlenhoff at 2023-12-22T14:22:18+01:00
bugnums

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1039,7 +1039,7 @@ CVE-2023-48795 (The SSH transport protocol with certain OpenSSH extensions, foun
 	- putty 0.80-1
 	- python-asyncssh <unfixed> (bug #1059007)
 	- tinyssh 20230101-4 (bug #1059058; unimportant)
-	- trilead-ssh2 <unfixed>
+	- trilead-ssh2 <unfixed> (bug #1059294)
 	NOTE: https://terrapin-attack.com/
 	NOTE: https://www.openwall.com/lists/oss-security/2023/12/18/3
 	NOTE: dropbear: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356
@@ -2147,7 +2147,7 @@ CVE-2023-50782 [Bleichenbacher timing oracle attack against RSA decryption - inc
 	NOTE: https://github.com/openssl/openssl/pull/13817
 	NOTE: CVE is for incomplete fix of CVE-2020-25659
 CVE-2023-50781 [Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657]
-	- m2crypto <unfixed>
+	- m2crypto <unfixed> (bug #1059292)
 	[buster] - m2crypto <no-dsa> (Minor issue; it's an incomplete fix of CVE-2020-25657)
 	NOTE: https://gitlab.com/m2crypto/m2crypto/-/issues/342
 	NOTE: https://people.redhat.com/~hkario/marvin/
@@ -17201,7 +17201,7 @@ CVE-2023-37755 (i-doit pro 25 and below and I-doit open 25 and below are configu
 CVE-2023-37739 (i-doit Pro v25 and below was discovered to be vulnerable to path trave ...)
 	NOT-FOR-US: I-doit pro
 CVE-2023-36250 (CSV Injection vulnerability in GNOME time tracker version 3.0.2, allow ...)
-	- hamster-time-tracker <unfixed>
+	- hamster-time-tracker <unfixed> (bug #1059296)
 	NOTE: https://github.com/BrunoTeixeira1996/CVE-2023-36250/blob/main/README.md
 	NOTE: Report sounds a little dubious, it's not really clear whether this cross any security boundary
 CVE-2023-2848 (Movim prior to version 0.22 is affected by a Cross-Site WebSocket Hija ...)
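Review bot: the hamster-time-tracker line gains a bug reference while the NOTE two lines below it says the report sounds dubious and may not cross a security boundary; if that assessment stands, consider carrying a severity tag in the reference, e.g. `- hamster-time-tracker <unfixed> (bug #1059296; unimportant)`, the same form the tinyssh entry uses in the first hunk of this patch.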
@@ -21134,7 +21134,7 @@ CVE-2023-39970 (Unrestricted Upload of File with Dangerous Type vulnerability in
 CVE-2023-39743 (lrzip-next LZMA v23.01 was discovered to contain an access violation v ...)
 	- lrzip-next <itp> (bug #1042088)
 CVE-2023-39741 (lrzip v0.651 was discovered to contain a heap overflow via the libzpaq ...)
-	- lrzip <unfixed>
+	- lrzip <unfixed> (bug #1059293)
 	[bookworm] - lrzip <no-dsa> (Minor issue)
 	[bullseye] - lrzip <no-dsa> (Minor issue)
 	[buster] - lrzip <no-dsa> (Minor issue)
@@ -24077,7 +24077,7 @@ CVE-2023-32427 (This issue was addressed by using HTTPS when sending information
 	NOT-FOR-US: Apple
 CVE-2023-37369 (In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before ...)
 	{DLA-3539-1}
-	- qt6-base <unfixed>
+	- qt6-base <unfixed> (bug #1059302)
 	[bookworm] - qt6-base <no-dsa> (Minor issue)
 	- qtbase-opensource-src-gles 5.15.10+dfsg-2
 	[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
@@ -31766,7 +31766,7 @@ CVE-2023-28370 (Open redirect vulnerability in Tornado versions 6.3.1 and earlie
 	[bookworm] - python-tornado <no-dsa> (Minor issue)
 	[bullseye] - python-tornado <no-dsa> (Minor issue)
 	[buster] - python-tornado <no-dsa> (Minor issue)
-	- salt <unfixed>
+	- salt <unfixed> (bug #1059297)
 	NOTE: https://github.com/tornadoweb/tornado/commit/32ad07c54e607839273b4e1819c347f5c8976b2f (v6.3.2)
 CVE-2023-27529 (Wacom Tablet Driver installer prior to 6.4.2-1 (for macOS) contains an ...)
 	NOT-FOR-US: Wacom Tablet Driver installer
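Review bot: the salt entry under CVE-2023-28370 gets a bug number but, unlike the python-tornado entry directly above it, carries no per-suite ([bookworm]/[bullseye]/[buster]) annotations; if the stable suites ship an affected salt as well, consider adding matching `<no-dsa>` lines so the tracker's view of salt is consistent with python-tornado's.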
@@ -42676,7 +42676,7 @@ CVE-2023-28439 (CKEditor4 is an open source what-you-see-is-what-you-get HTML ed
 	[bookworm] - ckeditor <no-dsa> (Minor issue)
 	[bullseye] - ckeditor <no-dsa> (Minor issue)
 	[buster] - ckeditor <no-dsa> (Minor issue)
-	- ckeditor3 <unfixed>
+	- ckeditor3 <unfixed> (bug #1059301)
 	[bookworm] - ckeditor3 <no-dsa> (Minor issue)
 	[bullseye] - ckeditor3 <no-dsa> (Minor issue)
 	[buster] - ckeditor3 <end-of-life> (No longer supported in LTS)
@@ -47077,7 +47077,8 @@ CVE-2023-27045
 CVE-2023-27044
 	RESERVED
 CVE-2023-27043 (The email module of Python through 3.11.3 incorrectly parses e-mail ad ...)
-	- python3.11 <unfixed>
+	- python3.12 <unfixed> (bug #1059299)
+	- python3.11 <unfixed> (bug #1059298)
 	[bookworm] - python3.11 <no-dsa> (Minor issue)
 	- python3.10 <unfixed>
 	- python3.9 <removed>
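Review bot: python3.12 and python3.11 both receive bug references here, but the `- python3.10 <unfixed>` line directly below them is left without one; since this commit's purpose is adding bug numbers, either reference a bug for python3.10 too or record in a NOTE why it is intentionally left out.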
@@ -49404,7 +49405,7 @@ CVE-2023-26143 (Versions of the package blamer before 1.0.4 are vulnerable to Ar
 CVE-2023-26142 (All versions of the package crow are vulnerable to HTTP Response Split ...)
 	NOT-FOR-US: Crow
 CVE-2023-26141 (Versions of the package sidekiq before 7.1.3 are vulnerable to Denial  ...)
-	- ruby-sidekiq <unfixed>
+	- ruby-sidekiq <unfixed> (bug #1059300)
 	[bookworm] - ruby-sidekiq <no-dsa> (Minor issue)
 	[bullseye] - ruby-sidekiq <no-dsa> (Minor issue)
 	[buster] - ruby-sidekiq <no-dsa> (Minor issue, DoS still possible)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/32e9a182dfc320faff1d9e876f43c482a5e0f8f1


