[Git][security-tracker-team/security-tracker][master] automatic update

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Mar 3 20:10:51 GMT 2023



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1892e4f9 by security tracker role at 2023-03-03T20:10:37+00:00
automatic update

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,27 @@
+CVE-2023-1168
+	RESERVED
+CVE-2023-1167
+	RESERVED
+CVE-2023-1166
+	RESERVED
+CVE-2022-4929
+	RESERVED
+CVE-2022-4928
+	RESERVED
+CVE-2022-4927
+	RESERVED
+CVE-2021-4329
+	RESERVED
+CVE-2015-10088
+	RESERVED
+CVE-2014-125091
+	RESERVED
+CVE-2014-125090
+	RESERVED
+CVE-2008-10003
+	RESERVED
+CVE-2008-10002
+	RESERVED
 CVE-2023-27560 (Math/PrimeField.php in phpseclib through 2.0.41 has an infinite loop w ...)
 	TODO: check
 CVE-2023-27559
@@ -42,7 +66,7 @@ CVE-2023-27540
 	RESERVED
 CVE-2023-1165 (A vulnerability was found in Zhong Bang CRMEB Java 1.3.4. It has been  ...)
 	NOT-FOR-US: Zhong Bang CRMEB Java
-CVE-2023-1164 (A vulnerability was found in kylin-activation and classified as critic ...)
+CVE-2023-1164 (A vulnerability was found in KylinSoft kylin-activation and classified ...)
 	TODO: check
 CVE-2023-1163 (A vulnerability has been found in DrayTek Vigor 2960 1.5.1.4 and class ...)
 	NOT-FOR-US: DrayTek Vigor 2960
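Review bot: CVE-2023-1164 stays at TODO: check even though the refreshed description now names the vendor (KylinSoft kylin-activation). If no Debian source package ships this component, resolve the entry to NOT-FOR-US: KylinSoft kylin-activation in the same form as the neighbouring Zhong Bang CRMEB Java and DrayTek Vigor 2960 entries, rather than leaving it in the TODO queue.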
@@ -2204,8 +2228,8 @@ CVE-2023-26606 (In the Linux kernel 6.0.8, there is a use-after-free in ntfs_tri
 CVE-2023-26605 (In the Linux kernel 6.0.8, there is a use-after-free in inode_cgwb_mov ...)
 	- linux <unfixed>
 	NOTE: https://lkml.org/lkml/2023/2/22/3
-CVE-2023-26604
-	RESERVED
+CVE-2023-26604 (systemd before 247 does not adequately block local privilege escalatio ...)
+	TODO: check
 CVE-2023-26603
 	RESERVED
 CVE-2022-48363 (In MPD before 0.23.8, as used on Automotive Grade Linux and other plat ...)
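Review bot: CVE-2023-26604 ("systemd before 247 ...") is resolved from RESERVED straight to TODO: check with no package line. systemd is a Debian package, so the TODO should become a `- systemd <version>` entry plus per-suite markers: the "before 247" boundary in the description means only suites shipping a systemd older than 247 need a fix, and a NOTE: line pointing at the upstream change would make the triage reproducible, as the CVE-2023-26605 entry directly above does with its lkml link.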
@@ -6240,6 +6264,7 @@ CVE-2023-25223
 CVE-2023-25222 (A heap-based buffer overflow vulnerability exits in GNU LibreDWG v0.12 ...)
 	- libredwg <itp> (bug #595191)
 CVE-2023-25221 (Libde265 v1.0.10 was discovered to contain a heap-buffer-overflow vuln ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/388
 	NOTE: https://github.com/strukturag/libde265/commit/857290982330e82d9e25d9d39527c6737021aa7d (v1.0.11)
@@ -7523,32 +7548,39 @@ CVE-2023-24760
 CVE-2023-24759
 	RESERVED
 CVE-2023-24758 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/383
 	NOTE: https://github.com/strukturag/libde265/commit/bfb6de155f9fb015d2904cb4ef07809f17995276 (v1.0.11)
 CVE-2023-24757 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/385
 	NOTE: https://github.com/strukturag/libde265/commit/48eb7dafe204b825b4a62948ed171a0cd3f1bda2 (v1.0.11)
 CVE-2023-24756 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/380
 	NOTE: https://github.com/strukturag/libde265/commit/48eb7dafe204b825b4a62948ed171a0cd3f1bda2 (v1.0.11)
 CVE-2023-24755 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/384
 	NOTE: https://github.com/strukturag/libde265/commit/48eb7dafe204b825b4a62948ed171a0cd3f1bda2 (v1.0.11)
 CVE-2023-24754 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/382
 	NOTE: https://github.com/strukturag/libde265/commit/bfb6de155f9fb015d2904cb4ef07809f17995276 (v1.0.11)
 CVE-2023-24753
 	RESERVED
 CVE-2023-24752 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/378
 	NOTE: https://github.com/strukturag/libde265/commit/052bacb2535cf0024042eefde58e48df2c778f7c (v1.0.11)
 CVE-2023-24751 (libde265 v1.0.10 was discovered to contain a NULL pointer dereference  ...)
+	{DSA-5346-1}
 	- libde265 1.0.11-1
 	NOTE: https://github.com/strukturag/libde265/issues/379
 	NOTE: https://github.com/strukturag/libde265/commit/7ea8e3cbb010bc02fa38419e87ed2281d7933850 (v1.0.11)
@@ -12436,6 +12468,7 @@ CVE-2023-23011 (Cross Site Scripting (XSS) vulnerability in InvoicePlane 1.6 via
 CVE-2023-23010 (Cross Site Scripting (XSS) vulnerability in Ecommerce-CodeIgniter-Boot ...)
 	NOT-FOR-US: Ecommerce-CodeIgniter-Bootstrap
 CVE-2023-23009 (Libreswan 4.9 allows remote attackers to cause a denial of service (as ...)
+	{DSA-5368-1}
 	- libreswan 4.9-2 (bug #1031821)
 	NOTE: https://github.com/libreswan/libreswan/issues/954
 	NOTE: https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
@@ -12511,7 +12544,7 @@ CVE-2023-22986
 	RESERVED
 CVE-2023-22985
 	RESERVED
-CVE-2023-22984 (A Vulnerability was discovered in Axis 207W network camera. There is a ...)
+CVE-2023-22984 (** UNSUPPORTED WHEN ASSIGNED ** A Vulnerability was discovered in Axis ...)
 	NOT-FOR-US: Axis 207W network camera
 CVE-2023-22983
 	RESERVED
@@ -15992,8 +16025,8 @@ CVE-2022-4647 (Cross-site Scripting (XSS) - Stored in GitHub repository microweb
 	NOT-FOR-US: microweber
 CVE-2022-4646 (Cross-Site Request Forgery (CSRF) in GitHub repository ikus060/rdiffwe ...)
 	- rdiffweb <itp> (bug #969974)
-CVE-2022-4645
-	RESERVED
+CVE-2022-4645 (LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:94 ...)
+	TODO: check
 CVE-2022-4644 (Open Redirect in GitHub repository ikus060/rdiffweb prior to 2.5.4. ...)
 	- rdiffweb <itp> (bug #969974)
 CVE-2022-4643 (A vulnerability was found in docconv up to 1.2.0. It has been declared ...)
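Review bot: CVE-2022-4645 (LibTIFF 4.4.0, out-of-bounds read in tools/tiffcp.c) is left at TODO: check although LibTIFF is packaged in Debian as `tiff`. Resolve it to a `- tiff <version>` line with a NOTE: to the upstream issue or fix commit, and record per-suite whether a tiffcp-only read overflow is treated as a DSA-worthy issue or marked no-dsa, so the decision is visible in the tracker rather than only in the TODO.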
@@ -16614,10 +16647,10 @@ CVE-2022-47667
 	RESERVED
 CVE-2022-47666
 	RESERVED
-CVE-2022-47665
-	RESERVED
-CVE-2022-47664
-	RESERVED
+CVE-2022-47665 (Libde265 1.0.9 has a heap buffer overflow vulnerability in de265_image ...)
+	TODO: check
+CVE-2022-47664 (Libde265 1.0.9 is vulnerable to Buffer Overflow in ff_hevc_put_hevc_qp ...)
+	TODO: check
 CVE-2022-47663 (GPAC MP4box 2.1-DEV-rev649-ga8f438d20 is vulnerable to buffer overflow ...)
 	- gpac <unfixed>
 	[bullseye] - gpac <no-dsa> (Minor issue)
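Review bot: CVE-2022-47664 and CVE-2022-47665 (Libde265 1.0.9 heap overflows in ff_hevc_put_hevc_qpel and de265_image) are left at TODO: check while the libde265 1.0.10 NULL-dereference CVEs in this same update (CVE-2023-24751 through CVE-2023-24758) are already recorded as fixed in libde265 1.0.11-1 and cross-referenced to DSA-5346-1. Check whether these two 1.0.9 issues are fixed by the same upstream 1.0.11 commits (and thus also covered by DSA-5346-1) or are distinct bugs needing their own fix reference, and add the corresponding `- libde265` and NOTE: lines.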
@@ -23020,8 +23053,8 @@ CVE-2022-45990 (A cross-site scripting (XSS) vulnerability in the component /sig
 	NOT-FOR-US: Ecommerce-Website
 CVE-2022-45989
 	RESERVED
-CVE-2022-45988
-	RESERVED
+CVE-2022-45988 (starsoftcomm CooCare 5.304 allows local attackers to escalate privileg ...)
+	TODO: check
 CVE-2022-45987
 	RESERVED
 CVE-2022-45986
@@ -24060,12 +24093,12 @@ CVE-2022-45555
 	RESERVED
 CVE-2022-45554
 	RESERVED
-CVE-2022-45553
-	RESERVED
-CVE-2022-45552
-	RESERVED
-CVE-2022-45551
-	RESERVED
+CVE-2022-45553 (An issue discovered in Shenzhen Zhibotong Electronics WBT WE1626 Route ...)
+	TODO: check
+CVE-2022-45552 (An Insecure Permissions vulnerability in Shenzhen Zhiboton Electronics ...)
+	TODO: check
+CVE-2022-45551 (An issue discovered in Shenzhen Zhiboton Electronics ZBT WE1626 Router ...)
+	TODO: check
 CVE-2022-45550 (AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE). ...)
 	NOT-FOR-US: AyaCMS
 CVE-2022-45549
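Review bot: CVE-2022-45551, CVE-2022-45552 and CVE-2022-45553 all concern the WE1626 router from the same vendor, but the upstream descriptions spell it three ways ("Shenzhen Zhibotong Electronics WBT", "Shenzhen Zhiboton Electronics", "Shenzhen Zhiboton Electronics ZBT"). When resolving the three TODO: check entries to NOT-FOR-US, use one consistent vendor/product string so the entries group together in searches, as the AyaCMS entry below does.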
@@ -31214,8 +31247,8 @@ CVE-2023-20106
 	RESERVED
 CVE-2023-20105
 	RESERVED
-CVE-2023-20104
-	RESERVED
+CVE-2023-20104 (A vulnerability in the file upload functionality of Cisco Webex App fo ...)
+	TODO: check
 CVE-2023-20103
 	RESERVED
 CVE-2023-20102
@@ -31246,8 +31279,8 @@ CVE-2023-20090
 	RESERVED
 CVE-2023-20089 (A vulnerability in the Link Layer Discovery Protocol (LLDP) feature fo ...)
 	NOT-FOR-US: Cisco
-CVE-2023-20088
-	RESERVED
+CVE-2023-20088 (A vulnerability in the nginx configurations that are provided as part  ...)
+	TODO: check
 CVE-2023-20087
 	RESERVED
 CVE-2023-20086
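Review bot: CVE-2023-20088 mentions "nginx configurations that are provided as part of" a product, which could tempt a triager to attach it to the Debian nginx package. The surrounding CVE-2023-200xx entries are all Cisco advisories (see CVE-2023-20089 directly above, already NOT-FOR-US: Cisco), so this TODO: check should resolve to NOT-FOR-US: Cisco as well; the issue is in vendor-shipped configuration, not in nginx itself.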
@@ -31264,10 +31297,10 @@ CVE-2023-20081
 	RESERVED
 CVE-2023-20080
 	RESERVED
-CVE-2023-20079
-	RESERVED
-CVE-2023-20078
-	RESERVED
+CVE-2023-20079 (Multiple vulnerabilities in the web-based management interface of cert ...)
+	TODO: check
+CVE-2023-20078 (Multiple vulnerabilities in the web-based management interface of cert ...)
+	TODO: check
 CVE-2023-20077
 	RESERVED
 CVE-2023-20076 (A vulnerability in the Cisco IOx application hosting environment could ...)
@@ -31284,8 +31317,8 @@ CVE-2023-20071
 	RESERVED
 CVE-2023-20070
 	RESERVED
-CVE-2023-20069
-	RESERVED
+CVE-2023-20069 (A vulnerability in the web-based management interface of Cisco Prime I ...)
+	TODO: check
 CVE-2023-20068
 	RESERVED
 CVE-2023-20067
@@ -31298,10 +31331,10 @@ CVE-2023-20064
 	RESERVED
 CVE-2023-20063
 	RESERVED
-CVE-2023-20062
-	RESERVED
-CVE-2023-20061
-	RESERVED
+CVE-2023-20062 (Multiple vulnerabilities in Cisco Unified Intelligence Center could al ...)
+	TODO: check
+CVE-2023-20061 (Multiple vulnerabilities in Cisco Unified Intelligence Center could al ...)
+	TODO: check
 CVE-2023-20060
 	RESERVED
 CVE-2023-20059
@@ -37279,8 +37312,7 @@ CVE-2022-41864
 	RESERVED
 CVE-2022-41863
 	RESERVED
-CVE-2022-41862
-	RESERVED
+CVE-2022-41862 (In PostgreSQL, a modified, unauthenticated server can send an untermin ...)
 	- postgresql-15 15.2-1
 	- postgresql-13 <removed>
 	[bullseye] - postgresql-13 <no-dsa> (Minor issue)
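Review bot: CVE-2022-41862 now carries its description and already has fixed versions (postgresql-15 15.2-1, postgresql-13 <removed>, bullseye no-dsa), but unlike the neighbouring entries it has no NOTE: line pointing at the upstream PostgreSQL advisory or fix commit. Add one so the "Minor issue" judgement for bullseye can be re-checked without leaving the tracker.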
@@ -44373,6 +44405,7 @@ CVE-2022-3073 (Quanos "SCHEMA ST4" example web templates in version Bootstrap 20
 CVE-2022-3072 (Cross-site Scripting (XSS) - Stored in GitHub repository francoisjacqu ...)
 	NOT-FOR-US: francoisjacquet/rosariosis
 CVE-2006-20001 (A carefully crafted If: request header can cause a memory read, or wri ...)
+	{DLA-3351-1}
 	- apache2 2.4.55-1
 	[bullseye] - apache2 <no-dsa> (Minor update; update proposed via bullseye-pu)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/5
@@ -46748,13 +46781,11 @@ CVE-2022-2839 (The Zephyr Project Manager WordPress plugin before 3.2.55 does no
 	NOT-FOR-US: WordPress plugin
 CVE-2022-2838 (In Eclipse Sphinx™ before version 0.13.1, Apache Xerces XML Pars ...)
 	NOT-FOR-US: Eclipse Sphinx
-CVE-2022-2837
-	RESERVED
+CVE-2022-2837 (A flaw was found in coreDNS. This flaw allows a malicious user to redi ...)
 	- coredns <itp> (bug #880676)
 CVE-2022-2836
 	RESERVED
-CVE-2022-2835
-	RESERVED
+CVE-2022-2835 (A flaw was found in coreDNS. This flaw allows a malicious user to rero ...)
 	- coredns <itp> (bug #880676)
 CVE-2022-2834 (The Helpful WordPress plugin before 4.5.26 puts the exported logs and  ...)
 	NOT-FOR-US: WordPress plugin
@@ -49127,6 +49158,7 @@ CVE-2022-37438 (In Splunk Enterprise versions in the following table, an authent
 CVE-2022-37437 (When using Ingest Actions to configure a destination that resides on A ...)
 	NOT-FOR-US: Splunk
 CVE-2022-37436 (Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the  ...)
+	{DLA-3351-1}
 	- apache2 2.4.55-1
 	[bullseye] - apache2 <no-dsa> (Minor update; update proposed via bullseye-pu)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/7
@@ -51054,6 +51086,7 @@ CVE-2022-36762
 CVE-2022-36761
 	RESERVED
 CVE-2022-36760 (Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling' ...)
+	{DLA-3351-1}
 	- apache2 2.4.55-1
 	[bullseye] - apache2 <no-dsa> (Minor update; update proposed via bullseye-pu)
 	NOTE: https://www.openwall.com/lists/oss-security/2023/01/17/6
@@ -82127,6 +82160,7 @@ CVE-2022-21227 (The package sqlite3 before 5.0.3 are vulnerable to Denial of Ser
 CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to Comman ...)
 	NOT-FOR-US: cocoapods-downloader
 CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...)
+	{DLA-3350-1}
 	- node-css-what 5.0.1-1 (bug #1032188)
 	[bullseye] - node-css-what <no-dsa> (Minor issue)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
@@ -131822,6 +131856,7 @@ CVE-2021-33589
 CVE-2021-33588
 	RESERVED
 CVE-2021-33587 (The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure t ...)
+	{DLA-3350-1}
 	- node-css-what 5.0.1-1 (bug #989264)
 	[bullseye] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)
 	[buster] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)
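Review bot: adding {DLA-3350-1} to CVE-2021-33587 conflicts with the `[buster] - node-css-what <ignored> (Minor issue, intrusive to backport fixes to older series)` line that remains in the entry. A DLA cross-reference states that buster was fixed, so the [buster] ignored marker is now stale and should be dropped (the DLA reference supplies the fixed buster version); otherwise the entry reports the issue as both fixed and ignored for the same suite. The CVE-2022-21222 entry earlier in this update does not have this problem because its only suite marker is for bullseye.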
@@ -132891,6 +132926,7 @@ CVE-2021-33194 (golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allow
 	NOTE: https://groups.google.com/g/golang-dev/c/28x0nthP-c8/m/KqWVTjsnBAAJ
 	NOTE: https://github.com/golang/go/issues/46288
 CVE-2021-33193 (A crafted method sent through HTTP/2 will bypass validation and be for ...)
+	{DLA-3351-1}
 	- apache2 2.4.48-4
 	[bullseye] - apache2 2.4.48-3.1+deb11u1
 	[stretch] - apache2 <postponed> (Revisit when a suitable backport is available for 2.4.25)
@@ -244678,7 +244714,7 @@ CVE-2020-1929 (The Apache Beam MongoDB connector in versions 2.10.0 to 2.16.0 ha
 CVE-2020-1928 (An information disclosure vulnerability was found in Apache NiFi 1.10. ...)
 	NOT-FOR-US: Apache NiFi
 CVE-2020-1927 (In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_r ...)
-	{DSA-4757-1 DLA-2706-1}
+	{DSA-4757-1 DLA-3351-1 DLA-2706-1}
 	- apache2 2.4.43-1 (low)
 	[jessie] - apache2 <ignored> (Minor issue)
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-1927
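Review bot: CVE-2020-1927 already lists DSA-4757-1, which fixed apache2 in the then-stable release, and DLA-2706-1 for the LTS release of the time; inserting DLA-3351-1 between them means this CVE is now credited to a second LTS update for a suite that was already covered. Confirm that the DLA-3351-1 advisory text really lists CVE-2020-1927 (for example as part of a regression or re-applied fix); if it does not, the cross-reference is spurious and should be removed.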
@@ -306381,6 +306417,7 @@ CVE-2019-0217 (In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condit
 CVE-2019-0216 (A malicious admin user could edit the state of objects in the Airflow  ...)
 	- airflow <itp> (bug #819700)
 CVE-2019-0215 (In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl ...)
+	{DLA-3351-1}
 	- apache2 2.4.38-3
 	[stretch] - apache2 <not-affected> (Vulnerable code introduced later)
 	[jessie] - apache2 <not-affected> (Vulnerable code introduced later)
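Review bot: CVE-2019-0215 is fixed in apache2 2.4.38-3 and marked not-affected for stretch and jessie, so the only suite a DLA could address is buster. Adding {DLA-3351-1} here only makes sense if buster ever shipped an apache2 older than 2.4.38-3; verify that against the buster package history, and drop the reference if the DLA is merely listing the CVE for completeness rather than fixing it.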



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1892e4f9e351d289c5f08eba04ba02d6b6c0a843




